Our Privacy Policy

Data controller

This Privacy Notice applies to individuals who purchase products of “KIKO MILANO” brand from KIKO S.p.A. and/or register in Mexico for the KIKO ME Loyalty Program (the “Loyalty Program”) within the territory of the United Mexican States (the “Privacy Notice”).

In accordance with the Federal Law on the Protection of Personal Data Held by Private Parties, its Regulations, and the Privacy Notice Guidelines (together, the “Mexican Data Protection Law”), this document constitutes your Privacy Notice and is made available to you by KIKO and the Company, as those terms are defined in the following section.

For the purposes of this Privacy Notice, the applicable legislation governing the processing of your personal data is the Mexican Data Protection Law

KIKO S.p.A., with its registered office in Bergamo, via Giorgio e Guido Paglia 1/D ("Data Controller"), informs you pursuant to Regulation (EU) 679/2016 ("GDPR") and to the Federal Law on the Protection of Personal Data Held by Private Parties that your data, collected through cookie, will be processed by means and for the purposes indicated in this policy.

KIKO COS RETAIL MEXICO, S. de R.L. de C.V., with registered office at 11000, PASEO DE LAS PALMAS 405,1702, COL.: LOMAS DE CHAPULTEPEC I SECCION, MIGUEL HIDALGO, CIUDAD DE MEXICO, tax identification /VAT registration numberKCR240425HV1 (the "Company")

Data Protection Officer

KIKO S.p.A. has appointed a Data Protection Officer (“DPO”). The DPO may be contacted at the following email address: dpo.kiko@kikocosmetics.com.

Personal data processed

"Data" refers to personal data as defined in the Mexican Data Protection Act. For the purposes of this Privacy Notice, the Company and/or KIKO will process your first name, surname, date of birth, email address, and financial or asset-related data, which will be required when you purchase and pay for the Company’s products and/or services, and/or when you register for the Loyalty Programme. In addition, you may be asked to provide your telephone number. If you place an order for home delivery, you will also be asked to provide your address for the delivery of the products and/or provision of the services. When you register and create a personal account, you will be asked to enter a username and password, which will serve as your login details for accessing your account. Before completing the registration form to create an account, the system will ask you to enter your email address and the OTP (One-Time Password) sent to the email address you provided, in order to verify that the email address is valid. Once you have entered the OTP, you can continue filling in the form.

Furthermore, the term “Data” also includes browsing data when you use the KIKO website: this category includes the source IP address, the URL, the type of user agent (e.g. Chrome, Firefox, Safari) and the time of access. This information, collected by the computer systems and software procedures responsible for the functioning of the website during its normal operations, is not collected with the intention of being linked to identified individuals; however, through processing and cross-referencing with third-party data, it could potentially enable the identification of the user.

Furthermore, in accordance with the Mexican Data Protection Act, no sensitive personal data will be collected or processed for the purposes of data processing set out in this Privacy Notice.

Purpose of the processing

The Company is the Data Controller for the following necessary purposes:

A) Contractual purposes: booking beauty services, purchasing products or services, and payment for and delivery of the Company’s products.

B) Compliance with administrative/accounting obligations established by applicable national legislation.

C) Legal proceedings or defence in court: to establish, exercise or defend the Company’s rights in legal proceedings.

The Company is the Data Controller for the following secondary purposes:

D) Contacting and inviting customers to take part in local events, provided they have given their consent for the purposes set out in sections H) and J) of this Privacy Notice.

KIKO is the Data Controller for the following secondary purposes:

E) Website browsing: The source IP address and other data mentioned above are used to ensure a smooth connection and browsing experience, to enable you to use all the website’s features properly, and to assess the security and stability of the system.

Cookies: With regard to the use of cookies and similar technologies to process your Data, please note that these cookies can be disabled, where applicable, via the cookie settings in the browser or internet service you use. For more information on the use of cookies and similar technologies (non-essential technical cookies), please refer to the cookie policy available in the footer of the KIKO website or app.

F) Legal proceedings or defence in court: to establish, exercise or defend KIKO's rights in legal proceedings.

G) Soft Spam: sending limited communications to those who are already customers, with the aim of directly promoting or selling products or services similar to those already purchased/used by the user, using the email addresses provided in such cases, without prejudice to the right to object at any time in the manner indicated at the bottom of the communication and via the contact details provided in the second section of this Privacy Notice, for the exercise of the rights provided for in the Mexican Data Protection Act.

H) Joining the Loyalty Programme (for those aged 18 and over): joining the Loyalty Programme allows you to earn points on each purchase made until you reach the minimum points threshold for each of the three loyalty tiers, with the opportunity to request and receive exclusive rewards as set out in the KIKO ME Loyalty Programme Terms and Conditions.

I) Profiling: you consent to receiving personalised marketing communications, based on your preferences, purchasing habits, related behaviour or interests, via automated channels (email, SMS and push notifications) or through advertising material, newsletters and promotional and marketing communications relating to KIKO products or events, as well as the carrying out of market research and statistical analysis.

By giving your consent to the processing of your Data for this purpose, you acknowledge and agree that your encrypted email address may be shared with certain third-party social media and advertising platforms (e.g. Google, Meta, Amazon, Snapchat). This information will be used to provide you with more relevant and personalised adverts, based on your interests, behaviour and purchase history, by processing data and interactions within these platforms.

J) Direct marketing purposes: you consent to receiving, via automated means of communication (email, SMS and push notifications), advertising material, newsletters and promotional and commercial communications relating to KIKO products or events, as well as the carrying out of market research and statistical analysis.

Refusal to give consent to the processing of your Data for these purposes will not affect your ability to browse the website and/or purchase KIKO products or services. However, this will prevent you from joining the Loyalty Programme to earn points on each purchase made and receive rewards at each tier of the programme, receive automated communications and newsletters about KIKO events and promotions, and receive personalised communications from KIKO based on your purchasing habits, preferences and related behaviour.

Purposes H), I) and J) are secondary; you may therefore object to the processing of your Data for one or more of these purposes. If applicable, please send an email indicating the above to the following address: dpo.kiko@kikocosmetics.com. Alternatively, you can enter your email address and click the "Send" button on the website’s "Newsletter" form, or tick the checkbox to consent to the processing of your Data for these purposes.

Legal base for the processing

In accordance with the Mexican Data Protection Act, the legal basis for the processing of your Data is consent. Through this Privacy Notice, we obtain your consent to process your Data in accordance with the terms set out herein. Consent is deemed to have been given for the purposes set out in the Privacy Notice.

Transfer of personal data to countries outside the European union

The Data may be transferred to external entities acting as independent Data Controllers pursuant to Articles 35 and 36 of the Federal Law on the Protection of Personal Data Held by Private Parties (“LFPDPPP”), including, but not limited to, competent authorities, as well as, in general, public or private entities legally authorised to receive your Data.

The Data may also be disclosed to third parties who process it on behalf of the Company or KIKO, acting as external Data Processors appointed in accordance with Articles 49, 50 and 51 of the LFPDPPP, and who are provided with appropriate operational instructions regarding the proper processing of your Data. These third parties fall into the following categories: companies providing email delivery services; companies offering website maintenance and development services; companies providing market research support; companies providing customer and after-sales support; shipping and transport companies; companies providing postal services and other marketing activities; KIKO Group companies for the provision of intra-group services and the management of purchases made in the stores of each company within that Group; and consulting companies, individual professionals or professional firms, such as law firms, tax advisors and insurance companies.

With regard to the transfers mentioned in the first paragraph of this section, as well as the disclosure of Data to Data Processors, your consent will not be required to carry them out.

In addition, the Company and KIKO will also transfer your Data to third parties that operate social media platforms (including Instagram, Facebook, Twitter, YouTube, Snapchat and TikTok).

For more information on the purposes and methods used by social media platforms to process your Data, please refer to their privacy policies:

Meta (Instagram and Facebook): https://www.facebook.com/privacy/policy/

Twitter or X: https://twitter.com/es/privacy;

YouTube:https://www.youtube.com/intl/es_es/howyoutubeworks/our commitments/protecting-user-data/;

Snapchat: https://values.snap.com/privacy/privacy-policy?lang=es-MX; y

TikTok: https://www.tiktok.com/legal/page/eea/privacy-policy/es.

With regard to the processing of your Data for profiling purposes, including when carried out through customer audiences and advertising on social networks, please consult the privacy policies of the following third parties:

Amazon Ads: https://www.amazon.com.mx/gp/help/customer/display.html/?nodeId=468496&ref_=a20m_us_fnav_l_prvcy_mx.

Google Ads: https://safety.google/intl/en_ALL/safety/ads-data/

Snapchat Ads: https://safety.google/intl/es_us/privacy/ads-and-data/

Meta: KIKO and Meta Platforms Ireland Limited, Block J, Serpentine Avenue, Dublin 4, Ireland (“Meta Ireland”), act as joint Data Controllers in accordance with a specific data-sharing agreement entered into for this purpose. For more information on how Meta Ireland processes personal data, please refer to the privacy policy available at the following link: https://www.facebook.com/legal/terms/businesstools, and to the data processing addendum available here: https://www.facebook.com/legal/controller_addendum

TikTok: KIKO and TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland, act as joint Data Controllers in accordance with a specific data-sharing agreement entered into for this purpose. For more information on how TikTok Technology Limited processes personal data, please refer to the privacy policy available at the following link: https://www.tiktok.com/legal/page/global/partner-privacy-policy/en, and to the TikTok Business Products Terms and Conditions (Data) here: https://ads.tiktok.com/i18n/official/policy/business-products-terms

In addition, if you have registered for an account, this will be authenticated using your email address and password via an "identity provider" service provided by Google. For information on the transfer and processing of your IP address and email address by Google, please refer to the following privacy policy:

Google: https://policies.google.com/privacy?hl=en-en.

Please note that the transfer of personal data to social media platforms for profiling purposes does require your consent. If you accept this Notice via physical or electronic means and do not object to such transfers, KIKO and the Company will assume that you have given your consent. In any case, you may withdraw your consent at any time, free of charge, by sending an email to dpo.kiko@kikocosmetics.com, in accordance with the procedure set out in section 7 of this Notice.

Your right as data subject - complaint with a supervisory authority

In accordance with the LFPDPPP, by contacting KIKO or the Company and the DPO at the email address dpo.kiko@kikocosmetics.com, you have the right to access your personal data (Article 22 of the LFPDPPP), to request its rectification (Article 23 of the LFPDPPP), its cancellation (Article 24 of the LFPDPPP) or to object to its processing (Article 26 of the LFPDPPP).You have the right, at any time, to withdraw your consent to the processing of your Data, as well as to request the limitation of its use and disclosure, provided that this is not prevented by a legal provision and/or that your request is not inadmissible under the terms of Mexican Data Protection Act, by sending an email to dpo.kiko@kikocosmetics.com. The withdrawal of your consent or the restriction of the use and disclosure of your Data will in no way affect the lawfulness of the processing of your Data based on the consent given prior to such withdrawal and/or restriction, in accordance with the Mexican Data Protection Act.

The right to restrict the use and disclosure of your Data, in accordance with the Mexican Data Protection Act, in addition to what is described in the preceding paragraph, involves registering such Data on exclusion lists for advertising and marketing purposes, namely the Public Registry to Avoid Advertising (Registro Público para Evitar Publicidad), managed by the Federal Consumer Protection Agency (Procuraduría Federal del Consumidor). Furthermore, under the Mexican Data Protection Act, you have the right to withdraw your consent for all purposes of data processing by KIKO and/or the Company, and you may exercise this right at any time. Please also note that Data Portability does not apply in Mexico.

To exercise any of your rights regarding your Data, please follow the procedure below: send a written request addressed to KIKO or the Company via the following email address dpo.kiko@kikocosmetics.com, which must contain the following information: (a) your full nameand, where applicable, that of your legal representative, as well as your email address or other suitable means by which to send the response to your request; (b) documents proving your identity or, where applicable, that of your legal representative; (c) a clear and precise description of the Personal Data for which you wish to exercise any of your rights, unless you intend to exercise the right of access; (d) a description of the right you wish to exercise, or the nature of your request; and (e) any other details or information that may assist in locating such Data, as well as any other documents required by the regulations in force at the time the request is sent. You may also request further information on how to exercise your rights via this email address.

KIKO or the Company will process your requests in accordance with the terms, conditions and timeframes set out in the Mexican Data Protection Act.

Finally, you have the right to lodge a complaint with the competent data protection authority in Mexico.

Update of the information notice

The Data Controllers reserve the right to amend or update this Privacy Notice at any time. Any changes to this Privacy Notice will be communicated through publication on the KIKO website.

Last updated: 1 April 2026.