Cookie Policy of Zala

This document informs Users about the technologies that help this Application to achieve the purposes described below. Such technologies allow the Owner to access and store information (for example by using a Cookie) or use resources (for example by running a script) on a User’s device as they interact with this Application.

For simplicity, all such technologies are defined as "Trackers" within this document – unless there is a reason to differentiate.
For example, while Cookies can be used on both web and mobile browsers, it would be inaccurate to talk about Cookies in the context of mobile apps as they are a browser-based Tracker. For this reason, within this document, the term Cookies is only used where it is specifically meant to indicate that particular type of Tracker.

Some of the purposes for which Trackers are used may also require the User's consent. Whenever consent is given, it can be freely withdrawn at any time following the instructions provided in this document.

This Application uses Trackers managed directly by the Owner (so-called “first-party” Trackers) and Trackers that enable services provided by a third-party (so-called “third-party” Trackers). Unless otherwise specified within this document, third-party providers may access the Trackers managed by them.
The validity and expiration periods of Cookies and other similar Trackers may vary depending on the lifetime set by the Owner or the relevant provider. Some of them expire upon termination of the User’s browsing session.
In addition to what’s specified in the descriptions within each of the categories below, Users may find more precise and updated information regarding lifetime specification as well as any other relevant information – such as the presence of other Trackers - in the linked privacy policies of the respective third-party providers or by contacting the Owner.

How this Application uses Trackers

Necessary

This Application uses so-called “technical” Cookies and other similar Trackers to carry out activities that are strictly necessary for the operation or delivery of the Service.

Trackers managed by third parties

• Google Tag Manager

  Google Tag Manager is a tag management service provided by Google LLC or by Google Ireland Limited, depending on how the Owner manages the Data processing.

  Personal Data processed: Trackers and Usage Data.

  Place of processing: United States – Privacy Policy; Ireland – Privacy Policy.

• Cloudflare (Cloudflare Inc.)

  Cloudflare is a traffic optimisation and distribution service provided by Cloudflare Inc. The way Cloudflare is integrated means that it filters all the traffic through this Application, i.e., communication between this Application and the User's browser, while also allowing analytical data from this Application to be collected.

  Personal Data processed: Trackers and various types of Data as specified in the privacy policy of the service.

  Place of processing: United States – Privacy Policy.

  Trackers duration:

  • _cfuvid: indefinite
  • cf_clearance: 30 minutes

• Google reCAPTCHA (Google LLC)

  Google reCAPTCHA is a SPAM protection service provided by Google LLC. The use of reCAPTCHA is subject to the Google privacy policy and terms of use.

  In order to understand Google's use of Data, consult their partner policy and their Business Data page.

  Personal Data processed: answers to questions, clicks, keypress events, motion sensor events, mouse movements, scroll position, touch events, Trackers and Usage Data.

  Place of processing: United States – Privacy Policy.

  Trackers duration:

  • _GRECAPTCHA: duration of the session
  • rc::a: indefinite
  • rc::b: duration of the session
  • rc::c: duration of the session
  • rc::f: indefinite

• PayPal (PayPal Inc.)

  PayPal is a payment service provided by PayPal Inc., which allows Users to make online payments.

  Personal Data processed: email address, payment info, Trackers and Usage Data.

  Place of processing: See the PayPal privacy policy – Privacy Policy.

  Trackers duration:

  • LANG: 8 hours
  • __paypal_storage__: indefinite
  • akavpau_ppsd: duration of the session
  • enforce_policy: duration of the session
  • l7_az: duration of the session
  • nsid: duration of the session
  • ts: duration of the session
  • tsrce: duration of the session
  • x-cdn: duration of the session
  • x-pp-s: duration of the session

• New Relic (New Relic)

  New Relic is a monitoring service provided by New Relic Inc. The way New Relic is integrated means that it filters all traffic of this Application, i.e., communication between the Application and the User's browser or device, while also allowing analytical data on this Application to be collected.

  Personal Data processed: browsing history, device information, device logs, number of sessions, session duration, session statistics, Trackers and Usage Data.

  Place of processing: United States – Privacy Policy.

  Trackers duration:

  • NRBA_SESSION: duration of the session
  • NRREFL: 3 months
  • NRREFP: 2 months
  • _newrelic_ui_session: 1 day
  • login_service_login_newrelic_com_tokens: 21 years
  • nr_secure: 1 day
  • nr_zd_logged_in: 1 day

Functionality

This Application uses Trackers to enable basic interactions and functionalities, allowing Users to access selected features of the Service and facilitating the User's communication with the Owner.

Trackers managed by third parties

• Pinterest OAuth (Pinterest, Inc.)

  Pinterest OAuth is a registration and authentication service provided by Pinterest, Inc. and is connected to the Pinterest social network.

  Personal Data processed: Trackers and Usage Data.

  Place of processing: United States – Privacy Policy.

  Trackers duration:

  • _pinterest_ct_ua: duration of the session

Experience

This Application uses Trackers to improve the quality of the user experience and enable interactions with external content, networks and platforms.

Trackers managed by third parties

• Google Fonts (Google LLC)

  Google Fonts is a typeface visualisation service provided by Google LLC that allows this Application to incorporate content of this kind on its pages.

  Personal Data processed: Trackers and Usage Data.

  Place of processing: United States – Privacy Policy.

• Mailchimp widget (Intuit Inc.)

  The Mailchimp widget is a service for interacting with the Mailchimp email address management and message sending service provided by Intuit Inc.

  Personal Data processed: email address, Trackers and Usage Data.

  Place of processing: United States – Privacy Policy.

  Trackers duration:

  • cookies.js: duration of the session

• Pinterest account access (Pinterest, Inc.)

  This service allows this Application to connect with the User's account on Pinterest, provided by Pinterest, Inc.

  Personal Data processed: device information, Email, Trackers, unique device identifiers for advertising (Google Advertiser ID or IDFA, for example), Usage Data and User ID.

  Place of processing: United States – Privacy Policy.

  Trackers duration:

  • _pinterest_ct_ua: duration of the session

Measurement

This Application uses Trackers to measure traffic and analyze User behavior to improve the Service.

Trackers managed by third parties

• Google Analytics (Universal Analytics) with anonymised IP

  Google Analytics (Universal Analytics) is a web analysis service provided by Google LLC or by Google Ireland Limited, depending on how the Owner manages the Data processing, (“Google”). Google utilises the Data collected to track and examine the use of this Application, to prepare reports on its activities and share them with other Google services.
  Google may use the Data collected to contextualise and personalise the ads of its own advertising network.
  This integration of Google Analytics anonymises your IP address. It works by shortening Users' IP addresses within member states of the European Union or in other contracting states to the Agreement on the European Economic Area. Only in exceptional cases will the complete IP address be sent to a Google server and shortened within the US.

  In order to understand Google's use of Data, consult Google's partner policy.

  Personal Data processed: Trackers and Usage Data.

  Place of processing: United States – Privacy Policy – Opt Out; Ireland – Privacy Policy – Opt Out.

  Trackers duration:

  • AMP_TOKEN: 1 hour
  • _ga: 2 years
  • _gac*: 3 months
  • _gat: 1 minute
  • _gid: 1 day

• Google Analytics (Universal Analytics)

  Google Analytics (Universal Analytics) is a web analysis service provided by Google LLC or by Google Ireland Limited, depending on how the Owner manages the Data processing, (“Google”). Google utilises the Data collected to track and examine the use of this Application, to prepare reports on its activities and share them with other Google services.
  Google may use the Data collected to contextualise and personalise the ads of its own advertising network.

  In order to understand Google's use of Data, consult Google's partner policy.

  Personal Data processed: Trackers and Usage Data.

  Place of processing: United States – Privacy Policy – Opt Out; Ireland – Privacy Policy – Opt Out.

  Trackers duration:

  • AMP_TOKEN: 1 hour
  • _ga: 2 years
  • _gac*: 3 months
  • _gat: 1 minute
  • _gid: 1 day

• Google Analytics 4 (Google LLC)

  Google Analytics 4 is a web analysis service provided by Google LLC (“Google”). Google utilizes the Data collected to track and examine the use of this Application, to prepare reports on its activities and share them with other Google services. Google may use the Data collected to contextualize and personalize the ads of its own advertising network. In Google Analytics 4, IP addresses are used at collection time and then discarded before Data is logged in any data center or server. Users can learn more by consulting Google’s official documentation.

  In order to understand Google's use of Data, consult their partner policy and their Business Data page.

  Personal Data processed: number of Users, session statistics, Trackers and Usage Data.

  Place of processing: United States – Privacy Policy – Opt Out.

  Trackers duration:

  • _ga: 2 years
  • _ga_*: 2 years

• Google Analytics Advertising Reporting Features (Google LLC)

  Google Analytics on this Application has Advertising Reporting Features activated, which collects additional information from the DoubleClick cookie (web activity) and from device advertising IDs (app activity). It allows the Owner to analyse specific behaviour and interests Data (traffic Data and Users' ads interaction Data) and, if enabled, demographic Data (information about the age and gender).

  Users can opt out of Google's use of cookies by visiting Google's Ads Settings.

  In order to understand Google's use of Data, consult their partner policy and their Business Data page.

  Personal Data processed: Trackers, unique device identifiers for advertising (Google Advertiser ID or IDFA, for example) and various types of Data as specified in the privacy policy of the service.

  Place of processing: United States – Privacy Policy – Opt Out.

  Trackers duration:

  • IDE: 2 years
  • _gcl_*: 3 months
  • test_cookie: 15 minutes

• Meta Events Manager (Meta Platforms, Inc.)

  Meta Events Manager is an analytics service provided by Meta Platforms, Inc. By integrating the Meta pixel, Meta Events Manager can give the Owner insights into the traffic and interactions on this Application.

  Personal Data processed: billing address, browser information, browsing history, city, clicks, country, Data communicated while using the service, data relating to the point of sale, order ID, page views, Trackers, Usage Data and User ID.

  Place of processing: United States – Privacy Policy – Opt out.

  Trackers duration:

  • _fbp: 3 months
  • lastExternalReferrer: duration of the session
  • lastExternalReferrerTime: duration of the session

Marketing

This Application uses Trackers to deliver personalised ads or marketing content, and to measure their performance.

Trackers managed by third parties

• Klaviyo (Klaviyo Inc.)

  Klaviyo is an email address management and message sending service provided by Klaviyo Inc.

  To take advantage of the service provided by Klaviyo, the Owner typically shares information about (purchasing) Users, such as for example contact details and shopping histories. Check the indication at “Personal Data processed“ below for an explanation of the extent of the sharing.

  Personal Data processed: email address, purchase history, Trackers and Usage Data.

  Place of processing: United States – Privacy Policy – Opt out.

  Trackers duration:

  • __kla_id: 3 years

• Taboola (Taboola Inc.)

  Taboola is an advertising service provided by Taboola Inc.

  Personal Data processed: Trackers and Usage Data.

  Place of processing: United States – Privacy Policy – Opt Out.

  Trackers duration:

  • *:session-data: indefinite
  • COu: 1 month
  • __tbwt: indefinite
  • _data: 1 day
  • _tb_sess_r: 30 minutes
  • _tb_t_ppg: 30 minutes
  • abLdr: 3 hours
  • abMbl: 3 hours
  • br: 30 minutes
  • cnx_roi: 1 month
  • datadome: 1 year
  • eng_mt.crossSessionsData.SessionsHistory: indefinite
  • eng_mt.numOfTimesMetricsSent: indefinite
  • eng_mt.scrollDepth: indefinite
  • eng_mt.sessionDepth: indefinite
  • eng_mt.sessionStartTime: indefinite
  • eng_mt.timeOnSite: indefinite
  • eng_mt.ver: indefinite
  • receive-cookie-deprecation: 1 year
  • redirect_data: 1 month
  • rng: 1 day
  • roi_cookie: 1 month
  • sessionid: 1 day
  • t_gid: 1 year
  • t_pt_gid: 1 year
  • taboola global:last-external-referrer: indefinite
  • taboola global:local-storage-keys: indefinite
  • taboola global:lspb: indefinite
  • taboola global:tblci: indefinite
  • taboola global:user-id: indefinite
  • taboola_fp_td_user_id: 1 year
  • taboola_select: 1 year
  • taboola_session_id: duration of the session
  • tb_click_param: 50 seconds
  • tbl-exm-apperance: indefinite
  • tbl-exm-history: indefinite
  • tbl-session-referrer: indefinite
  • tbl_rtus_id: indefinite
  • trc_cache: indefinite
  • trc_cache_by_placement: indefinite
  • trc_cookie_storage: 1 year

• Criteo (Criteo SA)

  Criteo is an advertising service provided by Criteo SA.

  As part of the operation of this Application, the Owner and Criteo SA are joint controllers for the Criteo advertising service.

  For this purpose, the Owner has entered into a Data Processing Agreement (DPA) with Criteo SA which can be reviewed here.

  Users may at any time withdraw their consent to the processing of their Personal Data by Criteo and opt out of personalised advertising by clicking the “Disable Criteo services” button in Criteo’s privacy policy.

  Personal Data processed: Trackers and Usage Data.

  Place of processing: France – Privacy Policy – Opt Out.

  Trackers duration:

  • criteo_fast_bid: 7 days
  • criteo_fast_bid_expires: 7 days
  • cto_bundle: 2 years
  • cto_bundle: indefinite
  • cto_optout: 2 years
  • cto_optout: indefinite
  • optout: 2 years
  • uid: 2 years

• Microsoft Advertising (Microsoft Corporation)

  Microsoft Advertising is an advertising service provided by Microsoft Corporation.

  Personal Data processed: Trackers and Usage Data.

  Place of processing: United States – Privacy Policy – Opt Out.

  Trackers duration:

  • MUID: 2 years
  • _uetmsclkid: 3 months
  • _uetmsclkid: indefinite
  • _uetsid: 1 day
  • _uetsid: indefinite
  • _uetvid: 2 years
  • _uetvid: indefinite

• LiveIntent (Liveintent Inc.)

  LiveIntent is an advertising service provided by Liveintent Inc.

  Personal Data processed: Trackers and Usage Data.

  Place of processing: United States – Privacy Policy – Opt Out.

  Trackers duration:

  • _lc2_fpi: 2 years
  • _lc2_fpi: indefinite
  • _lc2_fpi_exp: indefinite
  • _liChk: 10 seconds
  • _liChk: indefinite
  • _li_ci: 5 minutes
  • _li_ci: indefinite
  • _li_ci__exp: indefinite
  • _li_cim: 1 month
  • _li_cim: indefinite
  • _li_cim__exp: indefinite
  • _li_dcdm_c: duration of the session
  • _li_duid: indefinite
  • _li_ld: 1 month
  • _li_ld: indefinite
  • _li_ld__exp: indefinite
  • _li_ss: 1 month
  • _li_ss: indefinite
  • _li_ss__exp: indefinite
  • bh2: 7 months
  • c: 2 years
  • csrf: 2 hours
  • lidid: 2 years
  • tuuid: 2 years
  • tuuid_lu: 2 years

• Momento (Momento, Inc.)

  Momento is an advertising service provided by Momento, Inc.

  Personal Data processed: Trackers and Usage Data.

  Place of processing: Korea, Republic of – Privacy Policy.

  Trackers duration: indefinite

• Amazon Mobile Ads (Amazon)

  Amazon Mobile Ads is an advertising service provided by Amazon.

  Personal Data processed: Trackers and Usage Data.

  Place of processing: United States – Privacy Policy.

  Trackers duration:

  • *sessionMarker/marker: indefinite
  • ad-id: 10 months
  • amzn-token: 7 days
  • vendor-id: 1 month

• TikTok conversion tracking (TikTok Inc.)

  TikTok conversion tracking is an analytics and behavioural targeting service provided by TikTok Inc. that connects data from the TikTok advertising network with actions performed on this Application. The TikTok pixel tracks conversions that can be attributed to TikTok ads and enables to target groups of Users on the base of their past use of this Application.

  Personal Data processed: device information, Trackers, unique device identifiers for advertising (Google Advertiser ID or IDFA, for example) and Usage Data.

  Place of processing: United States – Privacy Policy.

  Trackers duration:

  • _tt_enable_cookie: 2 years
  • _ttp: 2 years
  • tt_appInfo: indefinite
  • tt_pixel_session_index: indefinite
  • tt_sessionId: indefinite

• Meta ads conversion tracking (Meta pixel) (Meta Platforms, Inc.)

  Meta ads conversion tracking (Meta pixel) is an analytics service provided by Meta Platforms, Inc. that connects data from the Meta Audience Network with actions performed on this Application. The Meta pixel tracks conversions that can be attributed to ads on Facebook, Instagram and Meta Audience Network.

  Personal Data processed: Trackers and Usage Data.

  Place of processing: United States – Privacy Policy – Opt out.

  Trackers duration:

  • _fbc: 3 months
  • _fbp: 3 months
  • fr: 3 months
  • lastExternalReferrer: duration of the session
  • lastExternalReferrerTime: duration of the session

• Amazon Omakase (Amazon)

  Amazon Omakase is a banner commercial affiliation service provided by Amazon.com Inc.

  Personal Data processed: Trackers and Usage Data.

  Place of processing: United States – Privacy Policy.

How to manage preferences on this Application

Users can set or update their preferences via the relevant privacy choices panel available on this Application.

With regard to any third-party Trackers, Users can manage their preferences via the related opt-out link (where provided), by using the means indicated in the third party's privacy policy, or by contacting the third party.

How to control or delete Cookies and similar technologies via your device settings

Users may use their own browser settings to:

• See what Cookies or other similar technologies have been set on the device;
• Block Cookies or similar technologies;
• Clear Cookies or similar technologies from the browser.

The browser settings, however, do not allow granular control of consent by category.

Users can, for example, find information about how to manage Cookies in the most commonly used browsers at the following addresses:

• Google Chrome
• Mozilla Firefox
• Apple Safari
• Microsoft Internet Explorer
• Microsoft Edge
• Brave
• Opera

Users may also manage certain categories of Trackers used on mobile apps by opting out through relevant device settings such as the device advertising settings for mobile devices, or tracking settings in general (Users may open the device settings and look for the relevant setting).

How to opt out of interest-based advertising

Notwithstanding the above, Users may follow the instructions provided by YourOnlineChoices (EU), the Network Advertising Initiative (US) and the Digital Advertising Alliance (US), DAAC (Canada), DDAI (Japan) or other similar services. Such initiatives allow Users to select their tracking preferences for most of the advertising tools. The Owner thus recommends that Users make use of these resources in addition to the information provided in this document.

The Digital Advertising Alliance offers an application called AppChoices that helps Users to control interest-based advertising on mobile apps.

Consequences of denying consent

Users are free to decide whether or not to grant consent. However, please note that Trackers help this Application to provide a better experience and advanced functionalities to Users (in line with the purposes outlined in this document). Therefore, in the absence of the User's consent, the Owner may be unable to provide related features.

Owner and Data Controller

Beauty Industry Group and its Affiliates
1250 N. Flyer Way, Suite 100
Salt Lake City, UT 84116
Affiliates include: Bellami, Beauty Works, Babe, Zala, Luxy, Glam Seamless, Donna Bella, Halo, Hairtalk, Hidden Crown, and Hotheads

Owner contact email: support@zalahair.com

Since the use of third-party Trackers through this Application cannot be fully controlled by the Owner, any specific references to third-party Trackers are to be considered indicative. In order to obtain complete information, Users are kindly requested to consult the privacy policies of the respective third-party services listed in this document.

Given the objective complexity surrounding tracking technologies, Users are encouraged to contact the Owner should they wish to receive any further information on the use of such technologies by this Application.