Privacy Policy

LUSHNESS CORP.

PRIVACY POLICY

Effective Date: May 18, 2026

Last Updated: May 18, 2026

This Privacy Policy describes how Lushness Corp. (“Lushness,” “we,” “us,” or “our”) collects, uses, and discloses your personal information when you visit, use our services, or make a purchase from lushness.com (the “Site”) or otherwise communicate with us (collectively, the “Services”). For purposes of this Privacy Policy, “you” and “your” means you as the user of the Services, whether you are a customer, website visitor, or another individual whose information we have collected pursuant to this Privacy Policy.

Please read this Privacy Policy carefully. By using and accessing any of the Services, you agree to the collection, use, and disclosure of your information as described in this Privacy Policy. If you do not agree to this Privacy Policy, please do not use or access any of the Services.

This Privacy Policy is designed to comply with the New York SHIELD Act (as amended December 2024), applicable federal law, the California Consumer Privacy Act (CCPA/CPRA), and the EU General Data Protection Regulation (GDPR) to the extent applicable.

1. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time, including to reflect changes to our practices or for other operational, legal, or regulatory reasons. We will post the revised Privacy Policy on the Site, update the “Last Updated” date, and take any other steps required by applicable law. Where changes are material, we will provide prominent notice on our Site or via email to registered users prior to the changes taking effect. Your continued use of the Services after any update constitutes your acceptance of the revised Privacy Policy.

2. PERSONAL INFORMATION WE COLLECT

The types of personal information we obtain about you depend on how you interact with our Site and use our Services. When we use the term “personal information,” we refer to information that identifies, relates to, describes, or can be associated with you. The following sections describe the categories and specific types of personal information we collect.

2.1 Information You Provide Directly

Information that you directly submit to us through our Services may include:

• Basic contact details including your name, address, phone number, and email address.
• Order information including your name, billing address, shipping address, payment confirmation, email address, and phone number.
• Account information including your username, password, and security questions.
• Shopping information including items you view, place in your cart, or add to your wishlist.
• Customer support communications, including any information you choose to include in messages to us.
• Product reviews, testimonials, or other user-generated content you submit.
• Marketing preferences, survey responses, or contest entries.

Some features of the Services may require you to provide certain information. You may elect not to provide this information, but doing so may prevent you from using or accessing those features.

2.2 Information Collected Automatically

We automatically collect certain information about your interaction with the Services (“Usage Data”). To do this, we may use cookies, pixels, web beacons, software developer kits, and similar technologies (“Cookies”). Usage Data may include:

• Device information (device type, operating system, browser type and version).
• Network connection information and IP address.
• Pages visited, links clicked, and time spent on pages.
• Referring URLs and exit pages.
• Geographic location (city/region level, derived from IP address).
• Purchase history and browsing behavior on our Site.

2.3 Information Obtained from Third Parties

We may obtain information about you from third parties, including:

• Shopify, our e-commerce platform provider, which may collect information on our behalf.
• Payment processors who collect payment information (e.g., credit or debit card information, billing address) to process your payment and fulfill orders.
• Advertising and analytics partners who help us understand how users interact with our Services and advertisements.
• Social media platforms, if you interact with us through social features or log in via a third-party social account.
• Data enrichment providers who help us maintain the accuracy of our records.

Any information we obtain from third parties will be treated in accordance with this Privacy Policy. We are not responsible for the accuracy of information provided by third parties or their policies or practices.

2.4 SMS Marketing

By providing your phone number and opting in to receive SMS messages from Lushness Corp., you consent to receive automated marketing text messages including cart reminders, exclusive offers, event invitations and wellness updates. Message frequency varies. Message and data rates may apply. You can opt out at any time by replying STOP to any message. Reply HELP for help. For more information contact hello@lushness.com. Lushness Corp. will not sell or share your phone number with third parties for their marketing purposes.

2.5 Sensitive Personal Information

We do not intentionally collect sensitive personal information such as Social Security numbers, government-issued ID numbers, biometric identifiers, health or medical information, racial or ethnic origin, religious beliefs, sexual orientation, or precise geolocation data through the Services. If you voluntarily provide such information (e.g., in a customer support message), we will treat it with heightened protection and use it only to the extent necessary to address your inquiry. We do not use or disclose sensitive personal information for the purpose of inferring characteristics about you.

3. HOW WE USE YOUR PERSONAL INFORMATION

We use your personal information for the following purposes:

• Providing Products and Services: To process your payments, fulfill orders, send order confirmations and shipping notifications, manage your account, arrange returns and exchanges, and enable product reviews.
• Marketing and Advertising: To send marketing, advertising, and promotional communications by email, text message, or postal mail; to show you advertisements for our products or services on our Site and other websites; and to better tailor the Services and advertising to your interests.
• Security and Fraud Prevention: To detect, investigate, and take action regarding possible fraudulent, illegal, or malicious activity. If you register an account, you are responsible for keeping your credentials secure and should contact us immediately if you believe your account has been compromised.
• Customer Support: To respond to your inquiries and improve our Services.
• Legal Compliance: To comply with applicable legal obligations, respond to lawful requests from government authorities, and enforce our Terms of Service.
• Business Operations: To conduct data analytics, improve our Site and Services, conduct research, and manage our business relationships.
• Communications: To send transactional emails related to your account or orders, and—with your consent where required—marketing communications.

4. COOKIES AND TRACKING TECHNOLOGIES

Like many websites, we use Cookies on our Site. For specific information about cookies used by Shopify, see https://www.shopify.com/legal/cookies. We use Cookies to:

• Power and improve our Site and Services (including remembering your actions and preferences).
• Run analytics and better understand user interaction with the Services.
• Deliver personalized advertising on our Site and other websites.
• Enable social media features and integrations.

We may also permit third parties and service providers to use Cookies on our Site to tailor services, products, and advertising to you.

Most browsers automatically accept Cookies by default. You can choose to set your browser to remove or reject Cookies through your browser controls. However, removing or blocking Cookies can negatively impact your user experience and may cause some features to work incorrectly or become unavailable. Additionally, blocking Cookies may not completely prevent how we share information with advertising partners.

If you visit our Site with the Global Privacy Control (GPC) opt-out preference signal enabled, and depending on where you are located, we will treat this as a request to opt out of the “sale” or “sharing” of your information for that device and browser.

5. HOW WE DISCLOSE PERSONAL INFORMATION

We may disclose your personal information to third parties in the following circumstances:

• Service Providers: With vendors and other third parties who perform services on our behalf, including IT management, payment processing, data analytics, customer support, cloud storage, fulfillment, and shipping.
• Business and Marketing Partners: Including Shopify, to provide services and advertise to you. Our business and marketing partners will use your information in accordance with their own privacy notices.
• With Your Consent: When you direct, request, or consent to disclosure, such as when shipping products or using social media widgets or login integrations.
• Corporate Affiliates: Within our corporate group, in our legitimate interests to run a successful business.
• Business Transactions: In connection with a merger, acquisition, bankruptcy, or similar transaction, your information may be transferred to the relevant third party, subject to appropriate protections.
• Legal Compliance: To comply with applicable legal obligations, including responding to subpoenas, search warrants, and similar requests from law enforcement or government authorities.
• Protection of Rights: To enforce our Terms of Service and protect the rights, property, or safety of Lushness Corp., our users, or others.

5.1 Categories Disclosed – Summary Table

Category of Personal Information	Categories of Recipients
Identifiers (name, email, address, account info)	Service providers, marketing partners, affiliates
Commercial information (order history, shopping data)	Service providers, marketing partners, affiliates
Internet/network activity (usage data, cookies)	Service providers, advertising partners, analytics providers
Payment information (card type, billing address)	Payment processors only
User-generated content (reviews, submissions)	Publicly accessible; service providers for moderation

We have “sold” and “shared” (as those terms are defined in applicable law) personal information over the preceding 12 months for the purpose of engaging in advertising and marketing activities. The categories shared include identifiers, commercial information, and internet/network activity, shared with business and marketing partners.

We do not sell or share the personal information of individuals we know to be under 16 years of age.

6. USER-GENERATED CONTENT

The Services may enable you to post product reviews and other user-generated content. If you submit user-generated content to any public area of the Services, this content will be public and accessible by anyone. We do not control who will have access to the information that you make publicly available. We are not responsible for the privacy, security, accuracy, use, or misuse of any information you disclose or receive from third parties in such contexts.

7. THIRD-PARTY WEBSITES AND LINKS

Our Site may provide links to websites or other online platforms operated by third parties. If you follow links to sites not affiliated or controlled by us, you should review their privacy and security policies and other terms and conditions. We do not guarantee and are not responsible for the privacy or security of such sites. Our inclusion of such links does not imply any endorsement of the content on such platforms or of their owners or operators, except as disclosed on the Services.

8. CHILDREN’S DATA

The Services are not intended for use by children under the age of 13, and we do not knowingly collect personal information about children under 13. If you are the parent or guardian of a child who has provided us with their personal information without your consent, please contact us using the contact details below to request that it be deleted. If we learn that we have inadvertently collected personal information from a child under 13, we will take steps to delete that information promptly.

We do not have actual knowledge that we “share” or “sell” personal information of individuals under 16 years of age, as those terms are defined in applicable law.

9. SECURITY AND RETENTION OF YOUR INFORMATION

9.1 Security Safeguards

Lushness Corp. is committed to protecting your personal information. In compliance with the New York SHIELD Act and applicable best practices, we maintain a comprehensive data security program that includes:

• Administrative safeguards: Designation of a person responsible for data security oversight; regular employee training on data privacy and security; risk assessments; and vendor due diligence procedures.
• Technical safeguards: Network and software security measures, including firewalls, encryption, access controls, and monitoring for unauthorized access or attacks.
• Physical safeguards: Controls over physical access to data storage facilities and secure disposal of physical records containing personal information.

Please be aware that no security measures are perfect or impenetrable, and we cannot guarantee absolute security. We recommend that you do not use unsecure channels to communicate sensitive or confidential information to us.

9.2 Data Breach Notification

In the event of a data breach affecting your personal information, Lushness Corp. will comply with the New York SHIELD Act (as amended effective December 21, 2024) and all other applicable breach notification laws. This includes:

• Notifying affected New York residents within thirty (30) days of discovering a breach of their private information.
• Notifying the New York State Attorney General, the New York Department of Financial Services (NYDFS), the New York Department of State, and the New York State Police as required by law.
• Notifying consumer reporting agencies where required.

If you believe your account or personal information may have been compromised, please contact us immediately at retail@lushness.com.

9.3 Data Retention

How long we retain your personal information depends on different factors, such as whether we need the information to maintain your account, provide the Services, comply with legal obligations, resolve disputes, or enforce applicable contracts and policies. In general:

• Account and order information is retained for as long as your account is active and for a reasonable period thereafter to support customer service and comply with legal obligations.
• Marketing and advertising data is retained until you opt out or request deletion, subject to any applicable legal retention requirements.
• Financial and transaction records may be retained for up to seven (7) years to comply with tax and accounting laws.
• Where we no longer have a legitimate need to process your personal information, we will delete or anonymize it.

10. YOUR RIGHTS AND CHOICES

Depending on where you live, you may have some or all of the rights listed below in relation to your personal information. These rights are not absolute and may apply only in certain circumstances. In certain cases, we may decline your request as permitted by law.

10.1 General Rights (All Users)

• Right to Access / Know: You may request access to the personal information we hold about you, including how we use and share it.
• Right to Delete: You may request that we delete personal information we maintain about you, subject to certain exceptions.
• Right to Correct: You may request that we correct inaccurate personal information we maintain about you.
• Right of Portability: You may request a copy of your personal information in a portable format, where applicable.
• Right to Opt Out of Sale or Sharing: You may direct us not to “sell” or “share” your personal information or opt out of targeted advertising, as defined in applicable privacy laws.
• Right to Limit Sensitive Information: You may direct us to limit our use and/or disclosure of sensitive personal information to only what is necessary to provide the Services.
• Restriction of Processing: You may ask us to stop or restrict our processing of personal information in certain circumstances.
• Withdrawal of Consent: Where we rely on your consent to process your personal information, you may withdraw that consent at any time.
• Appeal: You may appeal our decision if we decline to process your request.
• Managing Communications: You may opt out of marketing emails at any time using the unsubscribe link in any email we send. If you opt out of marketing communications, we may still send non-promotional communications such as order confirmations and account notifications.

10.2 California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). These include all rights listed above, as well as:

• The right to know what categories of personal information we have collected, disclosed, or sold about you in the preceding 12 months.
• The right to opt out of the “sale” and “sharing” of your personal information by visiting our “Do Not Sell or Share My Personal Information” link on our Site.
• The right not to be discriminated against for exercising your CCPA rights.

To submit a CCPA request, contact us at retail@lushness.com or use the designated request form on our Site. We will respond within 45 days, with a possible extension of an additional 45 days where necessary.

10.3 European/International Users (GDPR)

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have rights under the General Data Protection Regulation (GDPR) or equivalent laws, including:

• Right to access, rectify, or erase your personal data.
• Right to restrict or object to processing.
• Right to data portability.
• Right to lodge a complaint with your local data protection authority.

Where we transfer your personal information outside of Europe, we rely on recognized transfer mechanisms such as the European Commission’s Standard Contractual Clauses or any equivalent contracts issued by the relevant competent authority of the UK.

Our legal bases for processing personal data under GDPR include: (a) performance of a contract with you; (b) our legitimate interests in operating and improving our business; (c) compliance with legal obligations; and (d) your consent, where specifically requested.

10.4 How to Exercise Your Rights

You may exercise any of these rights by contacting us at retail@lushness.com or through the designated link or form on our Site. We may need to verify your identity before fulfilling your request. We will not discriminate against you for exercising any of your rights. You may designate an authorized agent to make requests on your behalf, provided that we may require proof of authorization.

We use Shopify’s ad services such as Shopify Audiences to help personalize the advertising you see on third-party websites. To restrict Shopify merchants that use these ad services from using your personal information for such services, visit https://privacy.shopify.com/en.

11. INTERNATIONAL USERS

Lushness Corp. is based in New York, United States. Your personal information may be transferred to, stored, and processed in the United States or other countries where our service providers operate. If you are accessing our Services from outside the United States, please be aware that your information may be transferred to the U.S., which may have different data protection laws than your country of residence.

If we transfer personal information out of Europe, we will rely on recognized transfer mechanisms such as the European Commission’s Standard Contractual Clauses, or any equivalent contracts issued by the relevant competent authority of the UK, unless the data transfer is to a country that has been determined to provide an adequate level of protection.

12. COMPLAINTS

If you have complaints about how we process your personal information, please contact us using the contact details provided below. If you are not satisfied with our response, you may have the right to appeal our decision by contacting us, or to lodge your complaint with your local data protection authority. For New York residents, you may also contact the New York State Attorney General’s Office.

13. CONTACT INFORMATION

Should you have any questions about our privacy practices or this Privacy Policy, or if you would like to exercise any of the rights available to you, please contact us:

LUSHNESS CORP.

Email: hello@lushness.com

1280 Avenue of the Americas, Suite 2

New York, NY 10019, United States

© 2026 Lushness Corp. All rights reserved. This Privacy Policy was last revised June 1, 2026.