GDPR Compliance Statement

Your Data Rights In The EU and UK

Hair Level Up is published from the United States for an American audience, but readers visit us from around the world, including the European Economic Area (EEA), the United Kingdom, and Switzerland. If you are located in one of these regions, you have specific data protection rights under the General Data Protection Regulation (GDPR), the UK GDPR, and the Swiss Federal Act on Data Protection (FADP). This page explains those rights and how we honor them.

Last Updated — March, 2026

For Our Readers In The European Union and United Kingdom

01 — Data Controller

Who Is Responsible For Your Data

For the purposes of the GDPR (Regulation (EU) 2016/679) and the UK GDPR, the data controller for personal information collected through hairlevelup.com is Hair Level Up, with editorial offices located at [Street Address], Brooklyn, NY 11201, United States. All data protection inquiries from EU, EEA, UK, and Swiss readers should be directed to our privacy team at privacy@hairlevelup.com with the subject line “GDPR Request.”

02 — Lawful Basis for Processing

Why We Are Allowed To Process Your Data

Under Article 6 of the GDPR, we may only process your personal data when we have a valid legal basis. We rely on the following bases:

Consent (Article 6(1)(a)). We rely on your explicit consent for sending newsletter emails, placing non‑essential cookies, and using analytics tools. You can withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

Legitimate Interests (Article 6(1)(f)). We rely on legitimate interests for purposes such as preventing fraud and abuse, securing the Site, responding to reader emails, and conducting basic anonymized analytics. We have balanced these interests against your rights and freedoms before relying on this basis.

Legal Obligation (Article 6(1)(c)). We process certain data when required to comply with U.S. or EU law, including responding to lawful requests from public authorities.

Contractual Necessity (Article 6(1)(b)). Where you have entered into an agreement with us (such as a contributor agreement or a brand partnership), we process the minimum data needed to fulfill that contract.

03 — What We Collect

The Data We Process

For full details, please see our Privacy Policy. In summary, the personal data we collect from EU, EEA, UK, and Swiss readers is limited to: name and email address (when you subscribe to our newsletter or contact us), comment content (if you leave a comment on an article), reader‑submitted photos and stories (only when you actively share them), IP address and approximate location at city level, browser and device information, pages viewed and time spent, and cookie identifiers (only with your consent for non‑essential cookies). We do not process special categories of personal data (Article 9 GDPR) such as health data, biometric data, racial or ethnic origin, religious beliefs, or sexual orientation.

04 — Your GDPR Rights

The Eight Rights You Have

If you are located in the EU, EEA, UK, or Switzerland, you have the following rights under Articles 12 to 22 of the GDPR. Hair Level Up honors all of them, free of charge, regardless of whether you are a newsletter subscriber or a casual visitor.

Right to be Informed (Article 13). You have the right to know who is processing your data, why, on what legal basis, and how long we keep it. This page and our Privacy Policy fulfill that obligation.

Right of Access (Article 15). You can request a copy of the personal data we hold about you, free of charge.

Right to Rectification (Article 16). You can ask us to correct inaccurate personal data or complete data that is incomplete.

Right to Erasure (Article 17). Also known as the “right to be forgotten.” You can ask us to delete your personal data, subject to limited legal exceptions (such as records we must keep to comply with law).

Right to Restrict Processing (Article 18). You can ask us to limit how we use your data while we resolve a dispute or correction request.

Right to Data Portability (Article 20). You can request a copy of the data you have given us in a structured, commonly used, machine‑readable format (such as CSV or JSON).

Right to Object (Article 21). You can object at any time to processing based on our legitimate interests, including direct marketing and analytics.

Rights Related to Automated Decision‑Making (Article 22). Hair Level Up does not use automated decision‑making or profiling that produces legal effects about you. You retain the right not to be subject to such decisions if our practices ever change.

To exercise any of these rights, send an email to privacy@hairlevelup.com with the subject line “GDPR Request.” We will respond within 30 calendar days, as required by Article 12(3) of the GDPR. In complex cases, we may extend this period by up to 60 days and will notify you of any extension. To protect your privacy, we may ask for reasonable verification of your identity before fulfilling certain requests.

05 — Consent and Withdrawal

Consent Is Always Yours To Withdraw

When we rely on consent as our legal basis (such as for newsletter subscriptions or non‑essential cookies), we will ask for it clearly and in plain language, never bundled with other terms. You can withdraw consent at any time, and the process for withdrawing is as easy as the process for granting it. To unsubscribe from the newsletter, click the unsubscribe link in any email we send. To withdraw cookie consent, use the cookie banner settings or your browser’s cookie controls. To withdraw consent for any other processing, email privacy@hairlevelup.com. Withdrawing consent does not affect the lawfulness of processing we carried out before you withdrew it.

06 — International Data Transfers

When Your Data Travels To The U.S.

Hair Level Up is operated from the United States. Our servers and most of our service providers (newsletter platform, hosting, analytics) are also located in the U.S. This means that when you use our Site, your personal data is transferred from the European Economic Area, the United Kingdom, or Switzerland to the United States. The U.S. is not deemed by the European Commission to provide an “adequate” level of data protection in all cases.

To safeguard your data during these transfers, we rely on the following mechanisms under Chapter V of the GDPR:

EU‑U.S. Data Privacy Framework (DPF). Where applicable, we work with U.S. service providers certified under the EU‑U.S. Data Privacy Framework, the UK Extension to the DPF, and the Swiss‑U.S. Data Privacy Framework.
Standard Contractual Clauses (SCCs). Where service providers are not DPF‑certified, we put in place the European Commission’s Standard Contractual Clauses (Decision 2021/914) as our safeguard for international transfers.
Supplementary Measures. We use SSL/TLS encryption in transit, encryption at rest where supported, access controls, and contractual data‑processing agreements with all providers.

You can request a copy of the relevant transfer mechanism by emailing privacy@hairlevelup.com.

07 — Data Retention

How Long We Keep Your Data

In line with the storage limitation principle (Article 5(1)(e) GDPR), we keep personal data only as long as necessary for the purposes for which it was collected, or as required by law. Specifically, newsletter subscriber data is retained until you unsubscribe (and removed from active lists within 30 days thereafter); contact form messages are retained for up to 24 months for editorial follow‑up; comment data remains attached to articles until you request deletion; server logs and IP addresses are kept for up to 14 months for security and analytics; and reader‑submitted photos and stories are retained for as long as they remain published, then removed promptly upon takedown request.

08 — Data Security

Technical and Organizational Measures

In line with Article 32 of the GDPR, we implement appropriate technical and organizational measures to protect your personal data, including SSL/TLS encryption for all data in transit, two‑factor authentication on staff accounts, role‑based access controls limiting subscriber and contact data to a small editorial team, regular software and security plugin updates, periodic security audits of our hosting infrastructure, and signed data‑processing agreements with all third‑party processors. In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and notify affected readers without undue delay, in accordance with Articles 33 and 34 of the GDPR.

09 — Cookies and Tracking

ePrivacy and Your Cookie Choices

Under the EU ePrivacy Directive (2002/58/EC, as amended) and the UK Privacy and Electronic Communications Regulations (PECR), non‑essential cookies (such as analytics and embed cookies) require your prior, explicit, opt‑in consent. When you visit Hair Level Up from the EU, EEA, UK, or Switzerland, our cookie banner will ask for your consent before placing any non‑essential cookies. You can grant, decline, or selectively manage your cookie preferences at any time through the cookie banner or your browser settings. Strictly necessary cookies (which keep the Site secure and functional) are exempt from consent under the ePrivacy Directive but are still disclosed in our Privacy Policy.

10 — Third‑Party Processors

The Companies That Help Us Operate

We share limited personal data with carefully selected third‑party processors who help us run the Site. Each processor is bound by a Data Processing Agreement (Article 28 GDPR) that requires them to process your data only on our instructions and to apply appropriate safeguards. Categories of processors include the email service provider (Mailchimp, ConvertKit, or Kit) used to deliver the newsletter; web hosting and infrastructure providers; analytics platforms (such as Google Analytics 4, configured with IP anonymization); spam protection (such as Akismet); and embed providers (Pinterest, Instagram, YouTube, TikTok). A current list of sub‑processors is available on request from privacy@hairlevelup.com.

11 — Children

Protecting Younger Readers In The EU

Hair Level Up is intended for an adult audience. Under Article 8 of the GDPR, the digital age of consent ranges from 13 to 16 depending on your EU member state. We do not knowingly process personal data of children below the applicable age of consent in your country without parental authorization. Newsletter subscriptions, comments, and reader photo submissions are restricted to users 18 and older. If you believe a child has provided personal data to us without parental consent, please email privacy@hairlevelup.com and we will delete it promptly.

12 — Right to Lodge a Complaint

If You Are Not Satisfied With Our Response

We always prefer to resolve concerns directly with you. If you contact us at privacy@hairlevelup.com and feel we have not addressed your data protection question adequately, you have the right under Article 77 of the GDPR (and the equivalent provisions of the UK GDPR) to lodge a complaint with the supervisory authority in your country of residence, place of work, or place of the alleged infringement.

European Union. A list of national data protection authorities is available at edpb.europa.eu/about‑edpb/about‑edpb/members_en.
United Kingdom. The Information Commissioner’s Office (ICO), at ico.org.uk.
Switzerland. The Federal Data Protection and Information Commissioner (FDPIC), at edoeb.admin.ch.

13 — Changes to This Statement

Updates To This Page

We may update this GDPR Compliance Statement from time to time to reflect changes in EU or UK data protection law, our practices, or our technology. The “Last Updated” date at the top and bottom of this page will always show when the most recent revision took effect. Material changes that affect your rights will be highlighted at the top of this page for at least 30 days. Your continued use of the Site after the effective date constitutes your acceptance of the revised Statement.

Last Updated — March, 2026

14 — Contact Us

GDPR Requests, Answered By A Human.

For any GDPR or UK GDPR request, including access, correction, deletion, portability, objection, or withdrawal of consent, please contact our privacy team. Every request is read by a human and responded to within 30 calendar days, as the regulation requires.

GDPR Requests — privacy@hairlevelup.com
Mailing Address — Hair Level Up Editorial Studio, Brooklyn, NY 11201, United States
Phone — +1 (555) 123‑4567

By using Hair Level Up from the EU, EEA, UK, or Switzerland, you acknowledge that you have read this GDPR Compliance Statement. If you do not agree, please discontinue use of the Site.