This policy explains what personal data Brazilian Beauty Index collects when you visit the site, why we collect it, how long we keep it, who we share it with, and the rights you have under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We use plain English wherever possible, and legal references where we have to be precise.
1. Who is the data controller
The data controller for personal data collected through brazilianbeautyindex.com is:
[Operator address — TBD], United Kingdom
Email: privacy@brazilianbeautyindex.com
ICO registration: [pending]
BM Supplier Ltd is the UK importer and distributor that operates Brazilian Beauty Index as an editorial reference site alongside its trade and retail operations (Keratin & Care, Braé UK, KAC Pro, BM Supplier B2B). All five sites share the same controller for privacy purposes.
2. What data we collect
We try to collect as little personal data as we can. The categories below cover everything the site touches.
| Category | What it is | When we collect it |
|---|---|---|
| Email address | The email you type into a form. | Newsletter signup, exit-intent popup, hair damage assessment tool, contact requests. |
| Name (optional) | First name only, when you give it. | Newsletter signup (optional field) and contact requests. |
| Quiz / assessment answers | Your replies about hair type, concerns and routine. | When you complete the hair damage assessment or any on-site quiz. |
| Technical data | IP address (truncated for analytics), browser type and version, operating system, device type, referring URL, pages viewed, time on page. | Automatically, every time you load a page. |
| Cookie identifiers | Anonymous session IDs and analytics cookies. See our Cookie Policy for the full list. | On first visit, and only for non-essential cookies after you give consent. |
We do not knowingly collect special category data (health, ethnicity, political views, etc.). Hair condition answers are kept at a general level (e.g. "chemically treated", "frizz-prone") and are not treated as health data.
3. Lawful basis for processing
Under Article 6 of the UK GDPR, we rely on the following lawful bases:
Consent — Article 6(1)(a)
- Newsletter and marketing emails. We only send these after you tick the opt-in box on the signup form. You can withdraw consent at any time using the unsubscribe link in every email, or by emailing privacy@brazilianbeautyindex.com.
- Non-essential cookies (analytics, functional). Only set after you accept on the cookie banner. See the Cookie Policy.
Legitimate interests — Article 6(1)(f)
- Aggregated analytics to understand which articles readers find useful and to fix broken pages. Our interest is editorial improvement; the impact on you is minimal because IPs are truncated and the data is reported in aggregate.
- Site security — short-lived logs of requests to detect abuse, scraping and attacks.
- Responding to enquiries you send us by email or contact form.
You can object to processing based on legitimate interests at any time; see section 7 (Your rights).
Legal obligation — Article 6(1)(c)
- Where we have to keep records to comply with UK tax, accounting or consumer protection law (mostly relevant to the sister retail sites rather than this editorial site).
4. How long we keep your data
| Data | Retention period |
|---|---|
| Newsletter subscriber email and name | Until you unsubscribe, then deleted within 30 days. |
| Quiz / assessment answers tied to your email | 24 months from your last interaction, then deleted or anonymised. |
| Contact form / enquiry emails | 24 months from the last reply, then deleted unless we need to keep them for a legal claim. |
| Analytics data (Google Analytics 4) | 14 months, then deleted automatically by Google. |
| Server access logs | 30 days. |
| Cookie consent record | 12 months, then the banner asks again. |
5. Who we share data with
We do not sell your data and we do not share it for third-party advertising. The only third parties that touch your data are the suppliers we use to run the site:
| Recipient | What for | Where they process |
|---|---|---|
| Supabase Inc. | Storing newsletter subscribers and quiz answers in our database. | United States |
| Resend | Sending the newsletter and transactional emails. | United States |
| Vercel Inc. | Hosting the website and serving pages. | United States / EU edge network |
| Google LLC (Google Analytics 4) | Aggregated traffic analytics, only if you accept analytics cookies. | United States / EU |
| Cloudflare (where applicable) | CDN and bot/DDoS protection. | Global edge network |
We may also share data where we are legally required to — for example, in response to a valid court order or regulatory request — or where it is needed to defend a legal claim.
6. International transfers
Some of the suppliers above process data outside the UK, mainly in the United States. For each transfer we rely on one of the safeguards permitted by Article 46 of the UK GDPR:
- Standard Contractual Clauses (UK International Data Transfer Addendum) with the supplier; and
- where applicable, the supplier's certification under the UK Extension to the EU–US Data Privacy Framework.
You can ask us for a copy of the relevant safeguards using the contact details below.
7. Your rights
Under the UK GDPR you have the following rights over your personal data. They are free to exercise (we can charge a reasonable fee only if a request is clearly unfounded or excessive).
- Right of access — ask for a copy of the personal data we hold about you.
- Right to rectification — ask us to correct data that is wrong or incomplete.
- Right to erasure ("right to be forgotten") — ask us to delete your data where there is no good reason for us to keep it.
- Right to restriction — ask us to pause processing while a dispute is sorted out.
- Right to data portability — ask for a machine-readable copy of data you have given us, where we process it by consent or under a contract.
- Right to object — object to processing based on legitimate interests, or to direct marketing (we will always honour a marketing objection).
- Right to withdraw consent — at any time, for any processing based on your consent. Withdrawal does not affect the lawfulness of processing before you withdrew.
- Rights related to automated decision-making — we do not make decisions about you using purely automated processing.
To exercise any of these rights, email privacy@brazilianbeautyindex.com. We aim to respond within 30 days, as required by Article 12(3) of the UK GDPR.
8. Security
We use HTTPS across the whole site, encrypt data in transit, and rely on suppliers who hold recognised security certifications (SOC 2, ISO 27001). Access to subscriber data inside our team is limited to staff who need it for editorial or operational reasons. No system is perfect; if we ever suffer a personal data breach that is likely to affect your rights, we will notify the ICO within 72 hours as required by Article 33, and contact you directly where Article 34 applies.
9. Children
This site is intended for adults (16+). We do not knowingly collect data from children under 13. If you believe a child has signed up to our newsletter, email us and we will delete the record.
10. Changes to this policy
We may update this policy from time to time — to reflect new features, new suppliers or new legal guidance. The "Last updated" date at the top will change, and material changes will be highlighted at the top of the page for at least 30 days. Where the change affects the basis on which we process your data, we will ask for fresh consent if required.
11. Contact and complaints
Get in touch about your data
Privacy queries, data subject requests, deletions:
privacy@brazilianbeautyindex.com
General editorial contact:
hello@brazilianbeautyindex.com
Postal address:
BM Supplier Ltd, [Operator address — TBD], United Kingdom
If you think we have mishandled your data and you are not satisfied with our response, you can complain to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection:
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Helpline: 0303 123 1113
Web: ico.org.uk/make-a-complaint
This policy was last reviewed on 27 May 2026. Version 2.0.