Data Protection

Data Protection Supplement

If you utilize the Glamiti services, this Data Protection Supplement (DPS) becomes a part of and is incorporated into the Glamiti Partner Terms of Business and/or any other agreement entered into between the Partner and Glamiti (referred to as the "Agreement").
This Data Protection Supplement outlines the requirements for Glamiti's processing of personal data on behalf of the Partner in order to provide the Glamiti services.
These supplementary terms become effective on the date the Partner enters into the Agreement. In case of any conflict between the terms of this Data Protection Supplement and the Agreement, the terms (including definitions) of this Data Protection Supplement shall take precedence as far as the processing of personal data is concerned.

Terminology Explanations

In addition to the specific meanings outlined in the Glamiti Partner Terms of Business, certain words and phrases will hold unique interpretations within this agreement.
An "Adequate Country" refers to a region or territory acknowledged for providing a sufficient level of data protection. This can be determined by either the Information Commissioner's Office in the UK or by the European Commission under the GDPR.
An "Affiliate" refers to any corporate entity that shares a controlling relationship with another party. This can be in the form of holding a majority of voting rights, having the power to remove key decision makers, having a dominant influence, or being controlled by the same entity. Essentially, an Affiliate is any entity that is closely linked to the main party.
The "Data Protection Laws" encompass a range of regulations and directives, including:
  • The European Union's General Data Protection Regulation 2016/679, also known as the GDPR.
  • In the UK, the implementation of the GDPR through the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 and 2020, known as the UK GDPR. This also includes the Data Protection Act 2018 and the Privacy and Electronic Communications Directive 2002/58/EC, which may be replaced by the ePrivacy Regulation in the future.
A "Data Subject Request" refers to a request made by or on behalf of an individual, seeking to exercise their rights regarding their personal information as specified by data protection laws.
The term "EEA" refers to the European Economic Area and Switzerland combined.
The Elite Squad
Refers to the carefully selected employees and agents of our Partner, who have been handpicked and granted access to the ultimate fashion experience. These fashion aficionados are empowered to explore the Glamiti Services, delve into the Glamiti Marketplace and flaunt their style with the Glamiti Widget.
The Data Guardians
Refers to the Commission Implementing Decision (EU) 2021/914 of 4 June 2021, which acts as the watchful protector of personal data transfers to third countries. This comprehensive decision, available at, is based on Regulation (EU) 2016/679 of the European Parliament and of the Council and includes the necessary modules and appendices to ensure the safe transfer of sensitive information.
The Data Transfer Trustees
Refers to the model clauses for the secure transfer of personal information to processors in third countries, approved by the European Commission in its Decision 2010/87/EU of 5 February 2010. These clauses, available at, are an integral part of the Agreement and include the Appendices listed in appendix 1 to the Data Protection Addendum.
The Confidential Keepers
Means, in the context of this Data Protection Addendum, all Partner Client personal data uploaded into the Glamiti Services by the Partner or directly by a Partner Client and managed, stored, or processed by Glamiti as a responsible processor.
The Data Defenders
Refers to any security breaches that may result in the accidental or unauthorized destruction, loss, alteration, or disclosure of Confidential Keepers. This can be caused by actions or inactions by Glamiti, its sub-processors, or any other identified or unidentified third party.
Guardian of Privacy
In Britain, this mantle is donned by the Information Commissioner's Office ("ICO"), who, in some cases, works in tandem with the Secretary of State or the government. Within the European Economic Area, the watchdog for data protection is an autonomous public entity, founded under the General Data Protection Regulation.
Land of the British
This term refers to the majestic United Kingdom.
Data Controllers
"Individuals at the Heart of the Matter", "Confidential Information", and "Data Handlers" - These terms embody the pivotal roles described in the laws that protect personal information.

Duties and Adherence to Privacy Legislation

Protector of Privacy
Partner holds the reins of their client's confidential information, while Glamiti acts as the steward of this precious data.
Compliant Collaboration
Both entities vow to uphold the laws that safeguard personal data. The responsibility of ensuring the accuracy, legitimacy, and source of the information rests solely with Partner, while Glamiti acts only as the facilitator of the processing.
Data Advocates
Each organization will appoint a designated champion, a guardian of privacy, to answer any questions regarding the personal data. Quick and efficient responses to such inquiries are a top priority for both parties. The contact information of these data ambassadors will be shared between the entities.

Encompassing Explanation of Data Handling

Empowerment of Privacy Processing
Partner gives Glamiti the green light to handle their customers' confidential information, as outlined in the Privacy Policy. Glamiti will only process the personal data:
  • To deliver their services, or
  • In accordance with Partner's written directives.
Data Refinement
Nothing in this agreement will prevent Glamiti from improving their products and services by utilizing anonymous data, so long as they abide by the terms of this agreement. If the data is considered personal data, Glamiti will handle it with utmost care, in accordance with the Data Protection Laws.
Details of Data Processing
Let's dive into the specifics.
Data Processing Focus
Glamiti will provide their services, their marketplace, and their widget to Partner, including the processing of personal data, as agreed upon in this agreement.
Data Processing Nature and Purpose
The data will be collected, stored, duplicated, deleted, analyzed, and pseudonymized, with the goal of providing the services to Partner and executing Partner's written instructions.
Duration of Data Processing
Glamiti will process the personal data for the duration of this agreement, or until the processing is no longer necessary for the purposes outlined in this agreement.
Data Types
The personal data that Partner uploads into the Glamiti services will be processed according to this agreement. Partner must not upload or process sensitive information, such as health data. The data of Partner's staff may include: first name, last name, contact information, job/role title, services provided/qualified for, and access permissions. The data of the customers may include: first name, last name, contact information, booking data.
Data Subjects Categories
The individuals whose personal data is processed via the Glamiti services may include customers, Partner staff, or any other relevant individuals.
Data Processing Notice
Glamiti will inform Partner (unless prohibited by law) if they are legally required to process personal data other than as per Partner's instructions. In case Partner's instructions violate the GDPR or any local data protection laws, Glamiti will promptly inform Partner.

Fortified Technical and Structured Organizational Safeguards

At Glamiti, the safety of your personal data is our top priority. We've got you covered with cutting-edge security measures designed to safeguard against any accidental or malicious mishaps. Our team of experts is committed to providing a level of protection that's proportionate to the potential risks involved in processing your data.
Only authorized personnel will have access to your personal information, and we'll make sure they're sworn to keep it confidential. If you ever want to learn more about our security measures, just send us a written request, and we'll provide you with a comprehensive summary. Trust us, we've got your back!

Defending Against Security Breaches, Responding to Data Subject Requests, and Providing Additional Support

Protection is our Priority At Glamiti, we are dedicated to ensuring the safety of all Personal Data processed through our services. In the unlikely event of a security breach, we promise to notify you without delay and within 72 hours of becoming aware of the situation.
Data Subject Requests, Handled with Care Should Glamiti receive a request from a Data Subject, we will promptly notify you. Our services include features that allow you to manage such requests directly. If, however, you need our help, we will provide reasonable assistance to facilitate your response, but the costs incurred may be at your expense.
Going Above and Beyond We want to make sure you have everything you need to comply with Data Protection Laws. Whether it's conducting a data protection impact assessment, making required notifications to the Supervisory Authority or ensuring the security of processing, Glamiti is here to help. Just let us know what you need and we'll be there to support you.


At Glamiti, we believe in keeping our partners' data secure. That's why we've partnered with some of the industry's leading data center operators, cloud-based software providers, and other support services to ensure that your personal information is always protected.
We understand that change can be unsettling, so we'll give you a heads up 30 days before we add any new sub-processors to our list. If you have any concerns about the new addition, we'll listen and work with you to find a solution. And if all else fails, you have the option to terminate the agreement without penalty.
Rest assured that we take our sub-processors just as seriously as we take ourselves. Each sub-processor must sign a contract that protects your data just as much as we do. And if there's ever a breach, we'll take full responsibility for the mistake. At Glamiti, we believe in putting our partners' interests first.

International transfers

Glamiti and its partner embark on a journey of data transfer and processing across borders. Personal information may be moved to locations beyond the UK and EEA to ensure seamless support. Fear not, as Glamiti promises to abide by all Data Protection Laws during this transfer.
For transfers governed by UK GDPR, the 2010 SCCs will be put into action, making Glamiti the "data importer" and the partner the "data exporter". The 2010 SCCs will be equipped with information from Annexes 1 and 2, and the partner has the right to conduct audits. Glamiti may also appoint sub-processors subject to certain conditions.
In the case of transfers governed by EU GDPR, the EU SCCs, along with Module 2 and its appendices, will be implemented by both parties. Glamiti reserves the right to replace the EU SCCs or 2010 SCCs with any alternative transfer mechanism approved by the relevant Supervisory Authority. In case of any updates, Partner will be notified.
Glamiti will make sure that any transfers of Personal Data to its sub-processors comply with Data Protection Laws. To achieve this, Glamiti has been mandated to sign the relevant standard contractual clauses on Partner's behalf.
Embrace the adventure of data transfer and processing with Glamiti and its partner, as they navigate the seas of Data Protection Laws together.

Inspection and Documentation

Discovering the Truth: An Audit Adventure!
At Glamiti, transparency is key. That's why we've made it easy for our valued Partner to exercise their right to inspect and verify our compliance with Data Protection Laws. By providing all necessary information and access to our records, we aim to demonstrate our commitment to keeping your data safe and secure.
We understand the importance of ensuring that our data protection measures are up-to-date and in line with industry standards. That's why we've taken the extra step of getting an independent audit report from a registered auditor to confirm our technical and organizational measures are sufficient.
However, if there's ever a need for further confirmation, our Partner is welcome to review any third-party certifications, audits or reports that we provide. But if even that's not enough, Glamiti is happy to open its doors and allow for a personal inspection of our premises and operations.
Just remember to give us reasonable notice, conduct the audit during regular business hours, have your auditors sign a confidentiality agreement, and be prepared to bear the cost. With these simple steps, together, we can uncover the truth and continue to provide a safe and secure data protection experience.

Purging or retrieval of information

With the conclusion of our agreement or completion of the Glamiti Services, you have a window of thirty days to retrieve your Partner Client Data through our convenient export function. After this period, we reserve the right to erase this information.
However, we understand the importance of compliance with laws and regulations, and in such cases, may keep some Personal Data even after the termination of our partnership. The length of time will depend on the requirement of the applicable law.

Cap on responsibility

At Glamiti, we take responsibility for our actions seriously. However, it's important to note that our total accountability for any damages caused in connection with this Data Protection Addendum cannot exceed the maximum amount of liability outlined in our agreement with you. Rest assured, in case of any incidents causing personal harm or death, our liability will not be restricted by this agreement or any applicable law.

Supplementary Attachment to the Standard Forms / Appendix 1 to the Model Clauses

  • The Completion of the Companion.
  • The Partner takes on the role of the Data Exporter. While Glamiti assumes the title of the Data Importer.
  • Uncovering the Data Processing: The third clause of this Data Protection Addendum outlines the kinds of individuals the data concerns, the types of data, sensitive information, and the processing activities carried out.

Supplement 2 to the Essential Agreements/ Appendix 2 to the Standard Contractual clauses

This supplementary section adds to the agreement and requires both parties' participation.
Details on Glamiti's protective measures in keeping with clauses 4(d) and 5(c) can be found within the attached legislation or documentation. For a brief overview, Glamiti will happily provide a written report on its security measures upon receiving a request from Partner.