Privacy Policy

This Policy was last updated on December 29, 2022


This Privacy Policy ("Policy") explains what personal information is collected through our websites and online services, how we use that information, to whom we disclose it, and how we safeguard personal information. Unless indicated otherwise, this Policy applies only to personal information collected through the websites victoriassecretandco.com and careers.victoriassecret.com (in the U.S., Puerto Rico, Canada, China - including Hong Kong, India, Indonesia, Sri Lanka, UAE, South Korea and Vietnam), microsites, and other online services that expressly adopt, and display or link to, this Policy (collectively, the “Services”). We refer to Victoria’s Secret & Co. (at 4 Limited Parkway, Reynoldsburg, OH 43068) as "we," "us," or "our" throughout this Policy.

This Policy addresses these topics:

What information do we collect and how do we use it?
  1. Information You Provide

    When you visit our Services, you may provide us with certain personal information, such as your name, address, phone number, email address, company information, and any other information you choose to provide. If you apply for a career opportunity with us, we may also collect certain other information, such as your work experience and resume, educational history, job preferences and interests, and other information you provide in connection with an application for employment. If you create a profile on careers.victoriassecret.com, we will also collect your profile username and password.

    We collect this information at various places on our Services. For instance, when you subscribe for investor alerts, we will request that you provide your email address. We may also collect your information if you register on careers.victoriassecret.com and create a profile.

    If you apply for a career opportunity with us, we might contact you to obtain additional identifying information to complete the application process, including background checks. We will only carry out background checks that are considered relevant to the role for which you are applying. If you are offered employment with us, we may also ask you to provide certain personal information required to complete the onboarding process for the role which you have been offered. For example, we may also collect social security number (or local equivalent), bank account numbers, dependent personal information, marital status, gender, date of birth, and emergency contact information.

  2. Information We Collect Automatically

    When you interact with our Services, we obtain certain information by automated means, including the following:

    1. Navigational Information: When you access our Services, we may collect navigational information such as information about where visitors go on our Services, how many visits are made to the Services, when the Services are visited and other information such as domain type, browser information, service provider identification, and IP address.
    2. Device Information: We may obtain information about the computer or mobile device used to access our Services, such as the hardware model, operating system and version, identification numbers assigned to your mobile device, such as the ID for Advertising (IDFA) on Apple devices, and the Advertising ID on Android devices, mobile network information, and website usage behavior.
    3. Cookies, Clear Gifs, and Similar Technologies: To better understand how you interact with our Services, we may collect information using cookies, clear-gifs (also known as web beacons or web bugs) and similar technologies. Our Services do not respond to "Do Not Track" signals.

    A cookie is a small amount of data that's stored by your browser on your device. It's used to do things like see how you navigate our Services and determine browser plug-ins. This helps us improve and deliver our Services, provide better customer service, and tailor and improve your online experience.

    A clear gif is a nearly invisible pixel-sized graphic image on a web page, web-based document or email message. It helps us do things like view the URL of the page on which the clear gif appears and the time the site, document or email in question is viewed. Clear gifs in emails help us confirm the receipt of, and response to, our emails.

    In addition to cookies and clear gifs, we may also use device identifiers, web storage, and other technologies to collect information about your interactions with our content and Services.

    The above technologies may be used to help us understand which of our website’s features online users utilize most: for example, by keeping track of the number of times our Environmental Responsibility Policy is accessed. Cookies, clear gifs, and similar technologies also allow us to associate your online navigational information with any personal information you provide (such as name, address, phone number, and email address). We associate this information to deliver services to you; improve our business and site; transact business; and direct marketing and/or information relating to job opportunities and applications on this and other online websites and services, and through a variety of media like email, mobile advertising, and direct mail.

    For information about your options with respect to cookies, navigate to What choices do you have over how your information is used? below.

  3. How We Use the Information We Obtain

    We use the personal information we collect about you through the Services to:

    • communicate with you and respond to your requests;
    • evaluate the effectiveness of our website, analyze trends, and administer our website;
    • provide customer service;
    • improve our Services and the interactions visitors have with our Services;
    • personalize and enhance your experience with our Services;
    • enable you to interact with third-party content service providers, whether by linking to their sites, viewing their content within our online environment, or by viewing our content within their online environment;
    • maintain and create information for statistical purposes;
    • if you apply for employment with us, evaluate your suitability for employment (including obtaining additional information about you from third parties for this evaluation), carry out a background check, send you job alerts (if you request them), and communicate with you about jobs and positions that may match your skills and interests.
  4. Third-Party Analytics Services

    We may use third-party analytics services, such as Google Analytics. The analytics providers that administer these services help us provide certain features on our Services and analyze our visitors' preferences for us, through the use of some or all of the technologies described above, such as cookies, clear gifs and web server logs. To learn more about Google Analytics and how to opt out, please visit https://support.google.com/analytics/answer/181881?hl=en.

 
 
How do our Services interact with third-party services and content?

We link to third-party sites and services, or otherwise display third-party content through our Services, for your convenience and ease of reference. Those third-party sites and services may operate independently of us. The privacy practices of the relevant third parties, including details on the information they may collect about you, are subject to the privacy statements of those parties, which we strongly suggest you review. To the extent any linked third-party sites and services are not owned or controlled by us, we are not responsible for these third parties’ information practices.

Here are examples of the types of third-party content and services available through or via our Services:

  • Stock Information: We may facilitate easy access to information about the performance of the stock through third-party websites such as the SEC’s EDGAR database.
  • Social Networking and other Third-Party Sites and Services: We may at times facilitate easy access to third-party sites and online services, like social networks and other services that host user-generated content. This may include easy click-through access and the ability for you to share content on third-party services. The third-party's privacy policy applies to any information or content you provide through these services.
  • Annual Reports and Proxy Statements: We enable you to navigate easily to The Public Register and Broadridge, where you can request hard copies or e-deliveries of our Annual Reports and Proxy Statements.
What information do we share with or disclose to third parties and our affiliates?

We may share information about you with certain third parties, as described below, and as otherwise described in this Policy:

  1. Service Providers and Contractors: We use third-party service providers and contractors to help handle parts of our business because of their expertise, resources, or scale. They help us do things like fulfill requests, operate our Services, monitor activity on our Services, analyze use of our Services, maintain databases, administer and monitor emails, evaluate applications for employment and conduct background checks, and provide consulting services. Contractors may also assist us in hosting microsites and mobile websites where you may provide personal information about yourself and where they may observe information about you in the same way as described above (visit What information do we collect and how do we use it? to learn more).
  2. Law Enforcement and Emergency Response: We may disclose personal information about you (a) if we are required to do so by law or legal process (such as a court order or subpoena); (b) in response to requests by government agencies, such as law enforcement authorities; (c) to establish, exercise, or defend our legal rights; (d) when we believe disclosure is necessary or appropriate to prevent physical or other harm or financial loss; (e) in connection with an investigation of suspected or actual illegal activity; or (f) otherwise with your consent.
  3. Sale, Merger, Transfer, or Similar Event: We reserve the right to share and/or transfer your personal information in the event we sell and/or transfer all or a portion of our business assets (including, without limitation, in the event of a merger, acquisition, joint venture, reorganization, dissolution or liquidation).
What choices do you have over how your information is used?
  1. Email: You may remove yourself from the Victoria’s Secret & Co. investor email list by following the removal instructions located at the bottom of each “E-mail Alert” or by completing the email alert unsubscribe form. If you would like to stop receiving job alert emails, you may similarly follow the unsubscribe link located at the bottom of each email. Note that if you opt out of job alert emails from us, we may still send you operational or transactional email messages in connection with your application for employment (such as emails related to your application, updating your account information). Opting out of investor or job alert emails also will not automatically remove you from our brands’ marketing lists, such as Victoria’s Secret, Victoria’s Secret PINK or PINK Nation email list.
  2. Cookies and Clear Gifs: You may view and specify your preferences over the use of cookie technologies on victoriassecretandco.com (our corporate information site) by opening Cookie Preferences for victoriassecretandco.com. And you may do the same for careers.victoriassecret.com by accessing the cookie preferences gear control at the bottom right-hand corner of careers.victoriassecret.com. Note that your cookie preferences are specific to each of these two sites and address future cookie placement only. You may also specify your preferences through a centralized registry. To learn about how to opt out of interest-based advertising in general, click the following: NAI Opt Out or DAA Opt Out. Additionally, your browser may offer the ability to block or delete cookies from your device. Simply follow your browser's instructions on how to block and clear cookies. Please note that without cookies, you may not be able to use all features of our Services.
  3. Withdrawing an Employment Application: If at any time you wish to withdraw your application for employment, please log in to your account at careers.victoriassecret.com and select “Withdraw Your Application.” You may also withdraw your application by writing to us at:

    Human Resources
    Victoria’s Secret & Co.
    Four Limited Parkway
    Reynoldsburg, OH 43068
    US

  4. Mobile Text Messages: If you are receiving mobile text messages, for example related to an application or employment opportunities, but you no longer wish to receive these text messages, simply reply STOP to any text message. Please note that these text messages are subject to Victoria’s Secret’s Text Message Terms and Conditions, which are expressly incorporated by reference.
How do we protect personal information?

We maintain administrative, technical and physical safeguards designed to protect the personal information we collect through our Services against accidental, unlawful destruction, loss, alteration, access, disclosure or use.

Our administrative safeguards include implementing, maintaining, and training employees on company privacy and information security policies and procedures. Our physical and technical safeguards include maintaining physical security policies and standards to protect company systems and data, and a cybersecurity program overseen by executive leadership and the Victoria’s Secret & Co. board of directors.

Where is personal information stored and processed?

Our employees involved in data processing and our servers are based in Columbus, Ohio, US, and other locations throughout the United States. We work with affiliated and unaffiliated service providers in the United States, the United Kingdom, India, China, and other jurisdictions around the world.

Whom should you contact with questions or concerns?

If you have general questions about our Policy, please feel free to contact us by letter or email at:

ATTN: Privacy Matter
Victoria’s Secret & Co.
Four Limited Parkway
Reynoldsburg, OH 43068
US

How will we communicate updates to our Policy?

This Policy may be updated periodically to reflect changes in our personal information practices. Changes to the Policy will be posted on this page. For significant changes, we will notify you by posting a prominent notice on our Services indicating at the top of the Policy when it was most recently updated.

Additionally, our Policy contains the following:

Supplemental Privacy Notice for California Residents

If you are a California resident, the information below (the “California Supplement”) also applies to you, in addition to our Victoria’s Secret & Co. Privacy Policy. Certain terms used in this section have the meaning given to them in the California Consumer Privacy Act, as amended by the California Privacy Rights Act, California Civil Code § 1798.100 et seq., and its implementing regulations (collectively the “CCPA/CPRA”). For clarity, the information below applies to personal information we collect about California residents both on our Services and offline, such as in our corporate offices. This California Supplement does not apply to Victoria’s Secret personnel.

  1. Collection and Disclosure of Personal Information

    We may collect (and may have collected during the 12-month period prior to the effective date of this Policy) the following categories of personal information about you to the following categories of third parties, as described below:
     
    Each entry below lists: Category of Personal Information Collected; Category of Third-Party, to Whom Information is Disclosed for a Business Purpose (as defined under the CCPA/CPRA); and Category of Third-Party, to Whom Information is Sold or Shared (for cross-context behavioral advertising purposes) (as each term is defined under the CCPA/CPRA).

    Category of Personal Information Collected: Identifiers (Personal)
    (Including, for example, name, postal address, IP address, email address, telephone number or other similar identifiers)
    Disclosed for a Business Purpose to:
    • Analytics insights providers
    • Affiliated brands and entities
    • Data centers
    • Human resources service providers
    • Information security service providers
    • Vendors who provide services on our behalf
    Sold or Shared with: Not Applicable

    Category of Personal Information Collected: Additional Data Subject to Cal. Civ. Code § 1798.80
    Characteristics of protected classifications under California or federal law, such as race, and military and veteran status
    Disclosed for a Business Purpose to:
    • Human resources service providers
    Sold or Shared with: Not Applicable

    Category of Personal Information Collected: Online Activity
    Including, for example, Internet and other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding your interaction with our Services or other third-party websites or applications
    Disclosed for a Business Purpose to:
    • Analytics insights providers
    • Affiliated brands and entities
    • Contextual online experience providers
    • Data centers
    • Fraud monitoring and prevention providers
    • Information security service provider
    • Technology administration and integrity providers (including for maintaining and improving networks; identifying problems; and fixing problems)
    • Vendors who provide services on our behalf
    Sold or Shared with:
    • Advertising technology providers (including online advertising)
    • Social media platforms

    Category of Personal Information Collected: Employment Information
    Including, for example, talent management information (e.g., resumé information, occupation details, education details, certifications and professional associations, historical compensation details, previous employment details, and pre-employment screening and background check information, including criminal records information)
    Disclosed for a Business Purpose to:
    • Human resources service providers
    Sold or Shared with: Not Applicable

    Category of Personal Information Collected: Geolocation by consent for jobs available “nearby”
    Disclosed for a Business Purpose to:
    • Analytics insights providers
    • Data centers
    • Fraud monitoring and prevention providers
    • Human resources service providers
    • Information security service providers
    Sold or Shared with: Not Applicable

    Category of Personal Information Collected: Sensory Information
    Including, for example, photographs, video and audio recordings, and electronic or similar information
    Disclosed for a Business Purpose to:
    • Fraud monitoring and prevention providers
    • Information security service providers
    • Vendors who provide services on our behalf
    Sold or Shared with: Not Applicable

    Category of Personal Information Collected: Inferences
    Including, for example, inferences drawn from any of the information identified above to create a profile about you reflecting your preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes
    Disclosed for a Business Purpose to:
    • Human resources service providers
    • Information security service providers
    • Vendors who provide services on our behalf
    Sold or Shared with: Not Applicable

     
  2. Use of Personal Information


    We may use (and may have used during the 12-month period prior to the effective date of this Policy) personal information about you for the following business purposes specified in the CCPA/CPRA (supplementing the information described above in our Privacy Policy), such as:

    • Performing services, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing services, providing analytics services, providing storage or providing similar services
    • Auditing related to counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance
    • Short-term, transient use, including, but not limited to, non-personalized advertising shown as part of your current interaction with us
    • Helping to ensure security and integrity to the extent the use of your personal information is reasonably necessary and proportionate for these purposes
    • Debugging to identify and repair errors that impair existing intended functionality
    • Undertaking internal research for technological development and demonstration
    • Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by us, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by us
    • Providing advertising and marketing services, except for cross-context behavioral advertising (which is addressed in the “Disclosures of Personal Information” section of this California Supplement)
       
  3. Sensitive Personal Information


    We do not use or disclose (and have not used or disclosed during the 12-month period prior to the Last Updated date of this Privacy Policy) “sensitive personal information” (as defined under the CCPA/CPRA) for any purpose other than those expressly permitted under the CCPA/CPRA.

  4. Retention of Personal Information


    We will retain your personal information for the period reasonably necessary to achieve the purposes outlined in this Supplement, unless a longer retention period is required or permitted by applicable law, taking into account relevant statutes of limitations and our records retention requirements and policies.

  5. Sale or Sharing of Personal Information


    We do not sell your personal information in exchange for monetary consideration. We may disclose your personal information by allowing certain third parties to collect personal information via automated technologies on our Services for cross-context behavioral advertising purposes. Under California law, these kinds of disclosures may be considered a “sale” when the personal information is exchanged for non-monetary consideration, or “sharing” when the personal information is disclosed for cross-context behavioral advertising purposes. You have the right to opt out of these types of disclosures of your information.

    We do not have actual knowledge that we sell or share personal information of minors under 16 years of age.

  6. California Privacy Rights


    You have certain choices regarding your personal information, as described below.

    • Access: You have the right to request, twice in a 12-month period, that we disclose to you the personal information we have collected, used, and disclosed about you during the past 12 months.

    • Correction: You have the right to request that we correct the personal information we maintain about you, if that information is inaccurate.

    • Deletion: You have the right to request that we delete certain personal information we have collected from you.

    • Opt-Out of Sale or Sharing: You have the right to opt out of the sale of your personal information or the sharing of your personal information for cross-context behavioral advertising purposes.

    • Right to Non-Discrimination for Exercise of Privacy Rights: Under the CCPA/CPRA, you have the right to not receive discriminatory treatment if you exercise your privacy rights under the CCPA/CPRA.

How to Submit a Request

To submit a request to exercise your privacy rights under the CCPA/CPRA as an applicant, contractor or former associate, please visit our Privacy webform. If you are submitting a request as an authorized agent on behalf of an applicant, contractor or former associate, on the form add your email address and information about the individual for whom you are submitting the request in the other required fields. To make a privacy request by phone, for applicants and contractors, call 1-888-873-2738 and for former associates, call 1-866-473-4728.

If you are a customer of Victoria’s Secret, or wish to submit a request as an authorized agent on behalf of a consumer, you can submit a separate data subject request by visiting Victoria’s Secret Data Rights. Please add your name and phone number in the Request Details field and an indication that you are submitting the request as an authorized agent. Customers, and authorized agents calling on behalf of a customer, may call 1-800-411-5116.

To opt out of the sale or sharing of your personal information for victoriassecretandco.com, visit the Do Not Sell or Share My Personal Information webpage. To opt out of the sale or sharing of your personal information for careers.victoriassecret.com, visit the Do Not Sell or Share My Personal Information webpage.

Verifying Requests

To help protect your privacy and maintain security, we take steps to verify your identity before granting access to information or complying with a request. Upon submission, you will be required to provide your full name, date of birth, address, and phone number. You will also be asked to verify the email address you submit with your request. You will receive an email from us with instructions on completing this step. You may also be asked to sign a declaration under penalty of perjury that you are the individual whose personal information is the subject of the request. If you designate an authorized agent to make a request on your behalf, we may require you to provide the authorized agent written permission to do so and we may require you to verify your identity directly with us (as described above).

To the extent permitted by applicable law, we may charge a reasonable fee to comply with your request.

Supplemental Privacy & Cookie Notice for Visitors from the European Economic Area

If you are accessing our Services from a member state of the European Economic Area ("EEA"), this Supplemental Privacy Notice (“Notice”) applies to you in addition to our Online Privacy Policy. This Supplemental Privacy Notice does not otherwise apply to visitors who are accessing our Services from outside the EEA.

Cookies

We use the following web cookies and other information technologies to provide features on our web and mobile sites to users in the EEA, including cookies that deliver basic visitor experiences and fuller website experiences such as interactivity with third-party content.

The following types of cookies (and cookie technology) are used on this website. Cookies that are strictly necessary are set as soon as the user visits the website. Cookies that are not strictly necessary are only set if the web or mobile user gives consent to the use of those cookies.

COOKIE / TECHNOLOGY TYPE: FUNCTION

Strictly Necessary Cookies
  • User-Input Cookies: Enables visitors’ input, choices, or selections across their website experience. Examples include maintaining a shopping cart during a visit or a form throughout a transaction.
  • Authentication Cookies: Identifies visitors through the website after they log in.

Necessary Cookies
  • Security Cookies: Helps to ensure our website’s security when visitors request a service. For example, we use cookies to help secure account creation and login pages.
  • Multimedia Player Cookies: Ensures such things as image quality, network link speed, or buffer information for video and audio playback.
  • Load-balancing Session Cookies: Directs website traffic to a particular data center for the quickest website access, and enables visitors to return to that data center if needed.

Analytics and Personalization Cookies
  • Visitor Customization Cookies: Stores preferences and visitor experiential histories: remembers language preference, product-page display preference, and whether certain visitor experiences should be displayed, such as email marketing signup, based on past experiences.
  • Analytics and Personalization Cookies: Enables us to do things like estimate number of visitors, detect most used search-engine keywords that lead to a webpage, measure page load times, administer visitor surveys, identify navigation issues, serve personalized content on our websites, and improve web capabilities.

Targeting Cookies
  • Social Media Plug-in Cookies: These cookies from social media platforms (like Facebook and Instagram) facilitate content sharing on those platforms.
  • Remarketing and Interest-Based Advertising Cookies: Enables our advertising vendors to deliver tailored ads to our visitors on other websites. The ads are based on a visitor’s combined online and offline (e.g. in-store) shopping history and experience with us, as well as with our vendors’ network of advertisers.

You may contact our data protection officer at:

ATTN: Privacy Matter
Victoria’s Secret & Co.
4 Limited Parkway
Reynoldsburg, OH 43068
US

The legal basis for our processing of your personal data in connection with our Services is Article 6.1(b) EU GDPR, which allows processing of personal data as necessary for the performance of a contract. When you access our Services, you form a contract with us based on our Site Terms, Conditions and Notices, and we need to process your personal data to respond to and fulfill your requests and satisfy our obligations with respect to the other purposes listed in this Policy.

As exceptions, we rely on your consent with respect to cookies and direct marketing emails per Article 6.1(a) EU GDPR, and legitimate interests under Article 6.1(f) EU GDPR, especially with respect to situations where we must process your personal data to comply with applicable laws (as a U.S.-based company, we are subject to U.S. laws and must comply, just like EEA-based companies have to comply with EEA laws). When we collect and process sensitive personal data for the purposes described above, we do so when required by law or otherwise with your explicit consent.

Recipients or categories of recipients of your personal data are employees of our company and affiliated and non-affiliated service providers who have a need to know.

When you access our Services, you transfer your personal data to the United States of America and India, for which the European Union Commission has not yet issued an unlimited adequacy decision. We will comply with applicable legal requirements to ensure that personal data is subject to an adequate level of protection when we transfer your personal data to additional recipients in countries located outside the EEA. In all such cases, we will only transfer your personal data if:

  1. The country to which the personal data will be transferred has been granted a European Commission adequacy decision; or
  2. We have implemented appropriate safeguards in relation to the transfer, such as the EU Standard Contractual Clauses.

You may request a copy of the safeguards that we have implemented with respect to transfers of personal data by contacting our data protection officer, as described above, or by contacting us through our contact information at the end of this Notice.

We will process and keep your personal information for as long as is necessary for the purposes set out in this Policy, for our legitimate business needs, and for compliance with the law.

You have a right to request from us these EU GDPR rights concerning your personal data: access to data; rectification of data; erasure of data; restriction on processing; objection to data processing; and data portability. You can exercise these rights through a combination of actions: (a) visit Your Data Rights; (b) access the information in your account; (c) exercise your opt-out options through our Services; or (d) call us via 1-937-438-4197 in the EU.

If you are also a customer of Victoria’s Secret, you can submit a separate data subject request by visiting Victoria’s Secret Data Rights. If you have provided consent for direct marketing emails or other data processing, you have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

You have the right to lodge a complaint with a supervisory authority. We do not use automated decision-making, including profiling, as referred to in Article 22(1) EU GDPR, that is, in a way that produces legal effects concerning you or significantly affects you. Our Services' customization technologies and e-commerce processes are automated, but do not produce legal effects or affect you significantly as contemplated by Article 22(1) or (2) EU GDPR.

You can contact us with any questions, or to exercise your rights by calling 1-937-438-4197 in the EU.