Supplemental State Privacy Notice

H&M Hennes & Mauritz GBC AB (“H&M Sweden”) and H&M Fashion USA, Inc. (“H&M USA”) (collectively, “H&M,” “us,” “we,” and “our”) provide this supplemental privacy notice (the “Supplemental State Privacy Policy”) for visitors, users, and others who reside in the States of California, Virginia, Connecticut, Colorado, and Utah (the “Supplemental States”).  The Supplemental State Privacy Policy supplements the information contained in the Privacy Notice (available by clicking here) and applies solely to visitors, users, and others who reside in the Supplemental States.  To the extent any provision in this Supplemental State Privacy Policy conflicts with a provision of the Privacy Notice, the Supplemental State Privacy Policy shall govern with respect to visitors, users, and others who reside in the Supplemental States.  This Supplemental State Privacy Notice is provided in accordance with the California Consumer Privacy Act, the Virginia Consumer Data Protection Act, the Connecticut Data Privacy Act, the Colorado Privacy Act, or the Utah Consumer Privacy Act (the “State Privacy Laws”).

Collection of Personal Information

We may collect the personal information categories listed in the table below. We do not collect sensitive personal information. The table also lists, for each category, our expected retention period, how we obtain the personal information, and whether we sell the information or share it with third parties for cross-context behavioral advertising.

| Personal Information Category (per the CPRA) | Retention Period | Source | Sold or Shared |
| --- | --- | --- | --- |
| Identifiers, such as real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, or other similar identifiers. | For as long as necessary to fulfill our legitimate business purposes. | Directly from you. For example, from forms you complete or products and services you purchase. | We may sell and/or share. |
| Categories of personal information described in Cal. Civ. Code § 1798.80(e), such as name, signature, physical characteristics or description, address, telephone number, bank account number, credit card number, debit card number, or any other financial information. | For as long as necessary to fulfil our legitimate business purposes. | Directly from you. For example, from forms you complete or products and services you purchase. | We may sell and/or share certain identifying information such as name and zip code. We do not sell or share signature, bank account number, credit card number, debit card number, or any other financial information. |
| Commercial information, such as records of products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. | For as long as necessary to fulfil our legitimate business purposes. | Directly from you. For example, from forms you complete or products and services you purchase. Indirectly from you. For example, from observing your purchase history on our Site. | We may sell and/or share your buying history. |
| Internet or other electronic network activity information, such as browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement. | For as long as necessary to fulfil our legitimate business purposes. | Indirectly from you. For example, from observing your actions on our Site. | We may share this information. |
| Geolocation data | For as long as necessary to fulfil our legitimate business purposes. | | We do not sell or share this information. |
| Audio, electronic, visual, thermal, olfactory, or similar information. | For as long as necessary to fulfil our legitimate business purposes. | | Not sold or shared. |
| Inferences drawn from other personal information to create a profile about a consumer reflecting a consumer’s preferences, characteristics, and trends. | For as long as necessary to fulfil our legitimate business purposes. | Indirectly from you. For example, we may combine various pieces of personal information to develop inferences. | We may sell and/or share this information. |

Personal information does not include: publicly available information lawfully made available from government records, deidentified or aggregated consumer information, or information excluded from the State Privacy Laws (as applicable).

Use of Personal Information

We may use or disclose the personal information collected for one or more of the following business or commercial purposes:

·       To fulfill or meet the reason for which the information is provided.  For example, to create your personal account at hm.com or to process your orders.

·       To provide you with information, products, or services that you request from us, including answering your queries and to notify winners in promotions.

·       To provide you with phone calls, text message notifications, email alerts, and other notices concerning our products or services.  For example, to notify you of delivery status, to be able to send you relevant marketing offers and information such as newsletters and our catalogues, to contact you in the event of a problem with delivery of your items, and to inform you of new or changed services.

·       To carry out our obligations and enforce our rights arising from any contracts entered into between you and us, including for billing and collection and managing your account by carrying out credit checks.

·       To be able to analyze your personal data to provide you with relevant marketing offers and information.

·       To be able to validate that you are of legal age for shopping online.

·       To improve our website.

·       Testing, research, analysis, and product and service development.

·       As necessary or appropriate to protect the rights, property, or safety of us, our employees, our customers, or others.

·       To respond to law enforcement requests and as required by applicable law, court order, or government regulations.

·       As described to you when collecting your personal information.

We will not collect additional categories of personal information or use the personal information we collect for materially different, unrelated, or incompatible purposes without providing you with notice.

Your Rights

Residents of the Supplemental States have certain rights.  Please note that the below rights are not absolute, and we may be entitled to refuse requests, wholly or in part, where exceptions under applicable law apply.

Right to Access

You have the right to access personal information that we may collect or retain about you.  If requested, we shall provide you with a copy of your personal information which we collected as permitted by the State Privacy Laws.

You also have the right to receive your personal information in a structured and commonly used format so that it can be transferred to another entity (“data portability”).

Right to Know

You have the right to request that we disclose the following about your personal information, as defined by the applicable State Privacy Law:

·       The specific personal information we have collected;

·       The categories of personal information we have collected;

·       The categories of sources from which we have collected your personal information;

·       The business purpose(s) for collecting or sharing your personal information;

·       The categories of personal information we disclosed for business purposes; and

·       The categories of third parties to whom we disclosed your personal information.

Right to Opt-Out/Do Not Sell My Personal Information

You have the right to opt-out of sharing your personal information with third parties for some purposes, including sharing that may be defined as a sale under applicable laws.  You can opt-out of this sharing by clicking HERE or clicking on the “Do Not Sell My Information” link at the bottom of our homepage and submitting a request via the authorized methods.

You also may have a right to opt-out of the use of certain automated decision-making technology.

Do Not Share or Disclose My Sensitive Personal Information

You have the right to limit how your sensitive personal information is disclosed or shared with third parties, as defined in the CPRA.  At this time, we do not collect any sensitive personal information.

Right to Deletion

In certain circumstances, you have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request (instructions and description below), we will delete, and, as applicable, direct our service providers to delete, your personal information from our records, unless an exception applies.

We may deny your request to delete your personal information if retaining the information is necessary for us or our service providers, subject to certain exemptions based on your state of residence.

Right to Correct/Right to Rectification

In certain circumstances, you have the right to request correction of any inaccurate personal information.  Upon verifying the validity of a valid consumer correction request, we will use commercially reasonable efforts to correct your personal information as directed, taking into account the nature of the personal information and the purposes of maintaining your personal information.

Right to Non-Discrimination

We will not discriminate against you for exercising any of your rights under the applicable State Privacy Law.  Unless permitted by the applicable State Privacy Law, we will not:

·       Deny you goods or services;

·       Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties;

·       Provide you with a different level or quality of goods or services; or

·       Suggest that you receive a different price or rate for goods or services or a different level or quality of goods or services.

California Shine the Light Law

California Civil Code Section 1798.83 permits our visitors who are California residents to request certain information regarding our disclosure of personal data to third parties for their direct marketing purposes. To make such a request, please contact Customer Service.

Exercising Your Rights

If you are a resident of the Supplemental States, you can exercise any of your rights as described in this Notice and under applicable State Privacy Laws by.

If you have an account or are a member of a loyalty program, you can exercise your right to access, portability and rectification under your account pages, where you also can delete your account.

You can contact us at any time if you wish to exercise your rights as set out above, or if you have any questions regarding our privacy policy or the processing of your data by sending an email to dataprotection.us@hstories.com

We also have a toll-free number: 1-855-HNM-SHOP [855-466-7467 (Toll-free)].

Except as provided for under applicable privacy laws, there is no charge to exercise any of your legal rights.  However, if your requests are manifestly unfounded or excessive, in particular because of their repetitive character, we may (as permitted under applicable State Privacy Law):

·       Charge a reasonable fee taking into account the administrative costs of providing the information or taking the action requested; or

·       Refuse to act on the request and notify you of the reason for refusing the request.

What Personal Information Do I Provide to Verify My Identity?

We take the privacy of your personal information seriously and want to ensure that we provide only you or your authorized agent with your personal information. Applicable law also requires that we verify the identity of each person who makes a request to know what personal information we have about you or to delete the personal information we have about you.  To verify your identity, we ask you to provide your:

·       First name*

·       Last name*

·       Middle initial

·       Email address

·       Phone number

·       Order number

·       *required field

How Do You Verify My Identity?

We may verify your identity in a few different ways in order to balance the requirements of state law and our obligation to keep your information private.  When you make your request, you will be asked to answer a few questions about yourself to help us validate your identity. This is a two-step process using information unique to you, such as an order number, a product in an order, an address or email address, etc. If you choose to make the request online, it can be made by logging into your account, going to “My Account,” then “Settings” and then “Leave H&M.”  Depending on your cache settings, device and operating system, you may have to enter your password a second time.

In some instances, we may ask you to provide other documentation to verify your identity. If this happens, we will reach out to you directly with this request.

What If You Can’t Verify My Identity?

If we can’t verify your identity, we will not be able to process your request to know what personal information we have about you or to delete the personal information we have about you. If we are unable to verify your identity with a high degree of certainty, we will only be able to provide a report with category-level information and we may not be able to delete some of your information.

How to Submit a Request Using an Authorized Agent

An authorized agent is a person or business who has authorization to request to know what personal information we have about you, to delete the personal information we have about you, or to opt out of the sale of personal information on behalf of a Supplemental State resident. Authorized agents use the same links described above to submit requests.

If you are submitting a request on behalf of another person, we require a valid power of attorney or other documentation demonstrating your authority to submit this request. This can be a letter or other documentation signed by the Supplemental State resident authorizing you to submit this request. You can download a sample letter from the request form.

How Do I Send You My Documentation?

If you submit a request via email at dataprotection.us@stories.com, you must include the appropriate above listed documentation in order for us to act on your request. If you submit your request over the phone by calling us at 855-HNM-SHOP [855-466-7467 (Toll-free)], you will also be asked to email your forms to dataprotection.us@stories.com.

Response Timing and Format

We will confirm receipt of a request within 10 days and provide information about how we will process the request. We endeavor to substantively respond to a verifiable consumer request within 45 days of its receipt.  If we require more time (up to 90 days), we will inform you of the reason and extension period in writing.  If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option. Any disclosure we provide will only cover the 12-month period preceding the verifiable consumer request’s receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded.  If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

If you wish to appeal our decision, please submit your appeal to the above contact information.  Please clearly denote that it is an appeal.

Last Updated: January 2023