Privacy policy
1. INTRODUCTION
GALENIC respects your privacy and attaches great importance to the protection of your personal data. This Privacy and Cookies Policy, accessible from every page of the GALENIC website (at: https://galenic.com/policies/privacy-policy), informs you about how we collect, use and protect your personal data.
This policy applies to any individual who visits the GALENIC website, subscribes to the newsletter, orders GALENIC products or creates an account on the GALENIC website.
Our website and the products it offers are reserved for persons who have reached the age of majority in their country of residence. Purchases must be made by an adult or, where applicable, by a minor acting with the consent and under the responsibility of their parent or legal guardian.
We do not knowingly collect personal data about minors who have not reached the applicable legal age. If we discover that an account has been created without the necessary authorisations, we will delete it and any associated data.
When you register, we rely on the age information you provide. In case of doubt, we may request proof of parental authority. Furthermore, we do not carry out marketing campaigns specifically targeted at minors.
2. DATA CONTROLLER
Personal data relating to your use of the GALENIC website (the "Site") is collected by:
GALENIC Cosmetics Laboratory
Simplified Joint Stock Company
Share capital: €7,958,323
Head office: 3, rue du Colonel Moll, 75017 Paris
RCS Paris: 889 310 108
GALENIC is a company belonging to the YATSEN group.
As data controller, GALENIC determines the purposes and means of processing personal data.
Contact: You can send your questions about personal data using the contact form available here or by contacting the following email address: contact@galenic.com
Data Protection Officer: dpo@galenic.com
The DPO ensures GALENIC's compliance with the GDPR and is your primary contact in the event of any questions or complaints.
3. PURPOSES OF PROCESSING YOUR PERSONAL DATA
3.1 Purposes related to your use of the Website
GALENIC processes your personal data to enable you to:
- Place online orders for GALENIC products available on the Website
- Create your account to reuse your data, benefit from loyalty programmes and receive promotional material
- Leave comments on our products
- Receive the GALENIC newsletter
- Browse the GALENIC Website or our social media pages
- Receive personalised advertising on our Website, on third-party websites or on social media, via your prior acceptance of non-essential cookies or according to the profiles established on our Website
- Receive marketing materials and information by email, whether personalised or not, based on user profiles created on our Website (age, gender, skin type, requests for cosmetic advice)
- Contact our customer service department
- Interact with our social media pages (Facebook, YouTube and Instagram)
Processing is based on the performance of a contract or, depending on the case, on your explicit consent or our legitimate interest.
3.2 Purposes related to our commercial activities
GALENIC also processes your personal data in order to:
- Generate statistics on the use of our Website and our products, as well as to conduct audits related to the security, compliance and existence of GALENIC
- Provide you with personalised advertising on other third-party websites based on your preferences and previous browsing behaviour, particularly when you have previously interacted with GALENIC, based on these interactions and your profile
- Evaluate the performance of our advertising and marketing communications and our interactions with you
- Combat and prevent fraud, ensure the security of the Site and your data
- Comply with our legal obligations, particularly in terms of pharmacovigilance
- Improve our Site, our products and services, and our communication with you
- Manage and transfer GALENIC's assets
- Manage pre-litigation and litigation matters
Each processing operation is documented in our internal register and accompanied by a clearly identified legal basis (contract, legal obligation, consent or legitimate interest).
4. CATEGORIES OF DATA COLLECTED
The personal data collected on our Website is as follows:
4.1 Order and delivery data
Surname, first name, e-mail address, physical address, delivery address if different, mobile telephone number
4.2 Account data
Email address and password (password compliant with security requirements: combination of upper-case letters, lower-case letters, numbers and special characters)
Surname, first name, date of birth
4.3 Communication data
Customer e-mails provided for the purpose of receiving the newsletter
Reviews of products ordered or user experience on the website
4.4 Payment details
Payment details (credit card: MasterCard, Visa or American Express)
IP address used during payment
Payment data is processed via PCI DSS-certified service providers. The security code (CVV) is never stored.
4.5 Browsing data
Browsing data from the GALENIC website (clicks, pages viewed, visit duration, history)
Technical data relating to the browser and device used, IP address, time and date of connection, browsing history including entry, exit and consultation pages on the Website
This data is collected via cookies subject to consent (except for strictly necessary cookies).
4.6 Cookies
Cookies strictly necessary for the functioning of the Website (e.g. shopping basket, session, security)
Audience measurement cookies (e.g. Google Analytics, Shopify)
Advertising and social media cookies, subject to your explicit consent and managed via our cookie management banner.
5. LEGAL BASIS AND RETENTION PERIOD
All processing of your personal data is based on a legal basis provided by the GDPR (performance of a contract, legal obligation, consent, legitimate interest) and a limited retention period.
We apply a strict policy of limiting retention periods, in accordance with the recommendations of the CNIL.
| Purpose of processing | Data concerned | Legal basis | Retention period |
|---|---|---|---|
| Product orders and fulfilment (including customer service relations, payment management, satisfaction surveys by email) | Surname, first name, e-mail address, billing and delivery addresses, payment details | Execution of the contract | Duration of the contractual relationship, then interim archiving for legal obligations (e.g. accounting: 10 years) |
| Account creation (including loyalty programs, competition suggestions) | Surname, first name, email address, date of birth | Contract performance and consent (for competition suggestions) | Until the account is deleted by the user, or 3 years after last use (order, click on our emails). For inactive accounts: 2 years of inactivity then automatic deletion |
| Comments and reviews | Surname, first name, e-mail address, IP address | Legal obligation | Retention of surnames, first names and email addresses for as long as the comment is accessible; IP address: 1 year from the date of publication online |
| Newsletter | | Consent | Until unsubscribing from the newsletter |
| Customer marketing | Customer data used for prospecting purposes | Legitimate interest (for customers and for a similar product) or consent | Duration of the commercial relationship + 3 years from the end of the relationship (last purchase, end of warranty, termination of contract, last customer contact) |
| Prospect marketing | Non-customer prospect data | Consent | 3 years from collection or last contact from the prospect (request for documentation, click on an email link – opening alone excluded) |
| Browsing the Website | IP address, browsing data, cookies | Consent for non-essential cookies or legitimate interest | Cookies: maximum 13 months, cookie refusal: 6 months. No automatic renewal upon new visits |
| Personalised advertising | Account data, advertising cookies | Consent | Until consent for cookies is withdrawn or account is deleted |
| Customer service communication | Surname, first name, email address, content of the request | Consent | 3 years from the last interaction with customer service |
| Exercise of GDPR rights | Request data, supporting identity documents (if reasonable doubt exists) | Legal obligation | Until the request is processed, then 1 year for the response for evidence purposes. Identity documents: immediate deletion after verification (except in cases of exceptional litigation risk) |
| Fraud prevention | Payment data, browsing data | Legitimate interest | 13 months from the date of debit from the bank card, 15 months for deferred debit cards |
| Legal accounting obligations | Invoices, accounting data | Legal obligation | 10 years for accounting documents (in accordance with the Commercial Code) |
| Credit card security code | Visual cryptogram (CVV) | Execution of the contract | Immediate deletion after payment completion |
| Pharmacovigilance | Notifications of adverse effects | Legal obligation | 70 years from the date of notification |
| Opposition archives (blocking list) | Data on objections to marketing | Legitimate interest | Minimum 3 years to prevent re-marketing |
| Anonymised statistics | Anonymised data | Legitimate interest | Unlimited retention (as the data is no longer personal after anonymisation) |
| Litigation | Data necessary for litigation | Legitimate interest | 5 years after the end of the pre-litigation or litigation case |
All retention periods begin from the last interaction with GALENIC (purchase, click, contact, etc.).
6. YOUR RIGHTS REGARDING YOUR PERSONAL DATA
In accordance with the amended French Data Protection Act of 6 January 1978 and European Regulation No. 2016/679 of 27 April 2016 (GDPR), you have the following rights with regard to all data concerning you:
6.1 Recognised rights
- Right to access your data
- Right to update your data
- Right to erase your data
- Right to object to the processing of your data, including profiling
- Right to request data portability
- Right to restrict the processing of your personal data
- Right to withdraw your consent to the use of your contact details for sending offers and promotions by e-mail
- Right to withdraw your consent for the storage and reading of cookies on your device
- Right to object to the use of non-essential cookies
- Right to determine the future of your personal data after your death
6.2 Exercising your rights
You can exercise your rights using the contact form available here.
GALENIC reserves the right to verify your identity before processing your request. You can also contact GALENIC's Data Protection Officer at dpo@galenic.com
We will respond to your requests to exercise your rights (access, rectification, deletion, etc.) within one month of receiving them in full.
This period may be extended by two months if the request is complex or if we receive a large number of requests. In this case, you will be informed of the extension and the reasons for it within one month of your request.
If we are unable to respond favourably to your request, we will explain the reasons within the same time frame, indicating the possible remedies (in particular with the CNIL or before a court).
Finally, if we have reasonable doubts about your identity, we may ask you for additional information to verify it.
6.3 Appeals
If you do not receive a satisfactory response, you can also submit a request on the CNIL website: www.cnil.fr or lodge a complaint with this supervisory authority at the following address: CNIL – 3 Place de Fontenoy, 75007 Paris.
7. RECIPIENTS OF YOUR DATA
7.1 Internal recipients
Access to your personal data is strictly limited to GALENIC employees who are authorised by virtue of their duties and are subject to compliance with the applicable regulations on personal data protection, namely:
- Customer service
- Billing department
- Technical support
Access is also granted to the DPO, legal departments and management in the event of litigation or legal obligations.
In the event of international transfers (e.g. to Yatsen Global – Singapore), we apply the European Commission's Standard Contractual Clauses.
Your data may be transmitted to GALENIC's management for the processing of pre-litigation and litigation matters and for the purposes of pharmacovigilance obligations.
In particular, it may be transferred to the Chairman of GALENIC Cosmetics Laboratory SAS and to Yatsen Global PTE LTD (Singapore). The European Commission's Standard Contractual Clauses of 4 June 2021 provide a framework for the protection of personal data in accordance with the GDPR rules.
7.2 Service providers
The data collected will be transmitted to our service providers who are contractually committed to ensuring the proper functioning of the Site and the security of processing, in particular:
- Customer service provider
- Customer management service provider
- Satisfaction survey provider
- Social media management provider
- Hosting provider
- Cloud service provider
- Email service provider
- Technical service providers
- Payment service provider (PCI DSS compliant)
- User behaviour analysis provider
- Social networks on which GALENIC has created a dedicated page
- Logistics carriers
- Accountants, auditors and legal advisors
- Ministry of Health (pharmacovigilance reporting)
- Asset purchasers in the event of a sale
Each service provider is contractually bound to respect the confidentiality and security of your data. Under no circumstances may they use it for their own purposes.
8. DATA SECURITY
GALENIC implements all appropriate technical and organizational measures to ensure the security and confidentiality of your personal data, in order to prevent any breach of its integrity, loss, disclosure or compromise of its availability.
8.1 Technical measures
- Encryption of sensitive data
- Securing servers and databases
- Strict access controls
- Continuous monitoring of systems
- Two-factor authentication for administrator accounts
- Regular security testing and infrastructure audits
8.2 Organisational measures
- Staff training in data protection
- Documented security procedures
- Regular security audits
- Incident response plans
- Notification to the CNIL and data subjects in the event of a data breach, within the legal timeframe of 72 hours
9. DATA TRANSFERS OUTSIDE THE EU
Your personal data is processed by GALENIC in France, but also in countries where the protection of personal data is deemed sufficient by the European Union, such as Canada.
Some of your personal data may be transferred to service providers outside the European Union (United States, Singapore, China).
For transfers to the United States, if the service provider is certified under the EU-US Data Privacy Framework (DPF) (e.g. Google LLC), the transfer is based on an adequacy decision by the European Commission.
For other countries (such as Singapore or China), we use the European Commission's Standard Contractual Clauses or binding internal rules approved by a data protection authority (such as the CNIL).
In all cases, appropriate safeguards and additional security measures are put in place to protect your data.
Safeguards applied:
– European Commission Standard Contractual Clauses (SCCs) (version of 4 June 2021)
– Transfer Impact Assessment
– Additional security measures if the third country presents risks of unregulated access (encryption, pseudonymisation, data separation, etc.).
GALENIC ensures that your data benefits from a level of protection equivalent to that imposed by the GDPR, even outside the European Economic Area (EEA).
10. COOKIES AND SIMILAR TECHNOLOGIES
10.1 Definition
Cookies are files that may be stored on your device (computer, mobile phone) and then read by GALENIC or third parties when you visit the Website using your browser.
Cookies do not directly identify you, but may be linked to a pseudonymous identifier.
10.2 Types of cookies used
Mandatory functional cookies (Shopify)
These cookies, which are necessary for the functioning of the Website and for ordering products, are not subject to consent. Deleting them may disrupt your experience of the Website.
| Name | Purpose | Duration |
|---|---|---|
| cart | Shopping basket management | 2 weeks |
| cart_sig | Basket integrity (checkout) | 2 weeks |
| cart_currency | Basket currency | 2 weeks |
| _tracking_consent | Tracking preferences | 1 year |
| __cf_bm | Anti-bot protection | 30 minutes |
| cookieconsent_status | Global consent status | 12 months |
| cookieconsent_preferences_disabled | Cookie preference status | 1 day |
| keep_alive | Client session maintenance (checkout) | Session |
| localisation | Language selection | 2 weeks |
| _merchant_essential | Essential Shopify merchant session cookie | 20 days |
| _shopify_essential | Shopify essential cookie (security/integrity) | 12 months |
| checkout_session_lookup | Payment session lookup | 3 weeks |
| checkout_session_token_<dyn> | Checkout session token | 3 weeks |
| master_device_id | Shop Pay device ID | 12 months |
| skip_shop_pay | Indicates whether the user ignores Shop Pay | 12 months |
| __cf_bm (hcaptcha.com) | hCaptcha anti-bot protection | 30 minutes |
| __Secure-ENID | Google security/authentication | 13 months |
| AEC | Google query security | 6 months |
| SOCS | Google consent choices | 13 months |
Statistical cookies (Shopify and Google)
These cookies enable us to analyse the use of the Website (traffic, performance, etc.). Your consent is required.
Maximum duration: 13 months, without automatic extension during new visits (CNIL recommendation).
| Name | Purpose | Duration |
|---|---|---|
| _ga | Google statistical analyses | 13 months |
| _gid | Google statistical analyses | 24 hours |
| _gat | Google request rate limitation | 1 minute |
| _landing_page | Landing page tracking (Shopify) | 2 weeks |
| _orig_referrer | Referrer page tracking (Shopify) | 2 weeks |
| __kla_id | Klaviyo email click analytics | 13 months |
| _shopify_s | Shopify analytics (session) | 30 minutes |
| _shopify_y | Shopify Analytics (user) | 12 months |
Advertising cookies
These cookies allow us to personalise advertisements according to your interests. Your consent is also required.
| Name | Purpose | Duration |
|---|---|---|
| IDE | DoubleClick cookie (targeted marketing) | 13 months |
| DV | Google advertising personalisation | 24 hours |
| test_cookie | DoubleClick permission verification | 15 minutes |
| _gcl_au | Google ad conversion rate measurement | 3 months |
| _fbp | Facebook-Meta advertising/retargeting | 3 months |
| _pin_unauth | Pinterest statistics/retargeting | 12 months |
10.3 Managing your preferences
Your consent is required for the storage and reading of cookies that are not essential to the functioning of the Website. You can configure our consent tool to modify or withdraw your consent or refuse the storage of these cookies.
You can also disable/delete non-essential cookies via the settings of each browser on your devices (computer, smartphone, tablet, etc.).
Consent management tool: Accessible from every page of the Website, this tool allows you to manage or withdraw your consent at any time.
Consent to cookies is valid for 6 months, after which you will be asked to give your consent again.
11. SPECIAL PROVISIONS
11.1 Account creation
When creating an account on our Website, you must create a strong password that includes upper-case letters, lower-case letters, numbers and special characters. An automatic check helps you to assess its strength.
Here are some examples of acceptable passwords:
– 12 characters with upper-case letters, lower-case letters, numbers and special characters;
– 14 characters with upper-case letters, lower-case letters and numbers;
– A 7-word passphrase in English.
Two-factor authentication is also recommended to enhance security.
This password must remain confidential and must never be shared.
If you suspect fraudulent use of your account, you must inform GALENIC immediately by email: contact@galenic.com.
11.2 Inactive accounts
GALENIC applies an automatic deletion policy for customer accounts that are no longer in use. An account is considered inactive after 2 years without any login, order or interaction with our communications (in accordance with CNIL recommendations).
Users are notified 30 days before automatic deletion to give them the opportunity to reactivate their account. This policy applies to natural persons of legal age and legal capacity. GALENIC does not knowingly collect personal data concerning minors under the age of 16.
12. COMMERCIAL DATA AND POLICY UPDATES
In accordance with the CNIL guidelines on the management of commercial activities:
https://www.cnil.fr/sites/cnil/files/atoms/files/referentiel_traitements-donnees-caractere-personnel_gestion-activites-commerciales.pdf
- For customers: Your data may be used for marketing purposes for the duration of the commercial relationship, then for 3 years after the end of the relationship (last purchase, expiry of warranty, end of contract or last contact from you).
- For prospects: Your data may be kept for 3 years from the date of collection or the last contact from you (request for documentation, click on a link in an email). Simply opening an email does not constitute "contact from the prospect".
- Opt-out list: If you object to commercial prospecting, we will retain this information for a minimum of 3 years to avoid contacting you again.
This privacy policy may be updated at any time. Please refer to the version number and date. Each update will be notified on the Website.
13. CONTACT AND INFORMATION
If you have any questions about this privacy policy or the exercise of your rights, you can contact us:
By form: https://galenic.com/pages/contact
By email: contact@galenic.com
Data Protection Officer: dpo@galenic.com
Postal address:
GALENIC Cosmetics Laboratory
3, rue du Colonel Moll
75017 Paris, France
Version 2.0 dated 23 September 2025
