Privacy Policy

This Policy was last updated on August 3, 2021.


This Privacy Policy ("Policy") explains what personal information is collected through our websites and online services, how we use that information, to whom we disclose it, and how we safeguard personal information. Unless indicated otherwise, this Policy applies only to personal information collected through the websites victoriassecretandco.com and careers.victoriassecret.com (in the U.S., Puerto Rico, Canada, China - including Hong Kong, India, Indonesia, Sri Lanka UAE, South Korea and Vietnam), microsites, and other online services that expressly adopt, and display or link to, this Policy (collectively, the “Services”). We refer to Victoria’s Secret & Co at 4 Limited Parkway, Reynoldsburg, OH 43068), as "we," "us," or "our" throughout this Policy.

This Policy addresses these topics:

What information do we collect and how do we use it?
  1. Information You Provide

    When you visit our Services, you may provide us with certain personal information, such as your name, address, phone number, email address, company information, phone number, and any other information you choose to provide. If you apply for a career opportunity with us, we may also collect certain other information, such as your work experience and resume, educational history, job preferences and interests, and other information you provide in connection with an application for employment. If you create a profile on careers.victoriassecret.com, we will also collect your profile username and password.

    We collect this information at various places on our Services. For instance, when you subscribe for investor alerts, we will request that you provide your email address. We may also collect your information if you register on careers.victoriassecret.com and create a profile.

    If you apply for a career opportunity with us, we might contact you to obtain additional identifying information to complete the application process, including background checks. We will only carry out background checks that are considered relevant to the role for which you are applying. If you are offered employment with us, we may also ask you to provide certain personal information required to complete the onboarding process for the role which you have been offered. For example, we may also collect social security number (or local equivalent), bank account numbers, dependent personal information, marital status, gender, date of birth, and emergency contact information.

  2. Information We Collect Automatically

    When you interact with our Services, we obtain certain information by automated means, including the following:

    1. Navigational Information: When you access our Services, we may collect navigational information such as information about where visitors go on our Services, how many visits are made to the Services, when the Services are visited and other information such as domain type, browser information, service provider identification, and IP address.
    2. Device Information: We may obtain information about the computer or mobile device used to access our Services, such as the hardware model, operating system and version, identification numbers assigned to your mobile device, such as the ID for Advertising (IDFA) on Apple devices, and the Advertising ID on Android devices, mobile network information, and website usage behavior.
    3. Cookies, Clear Gifs, and Similar Technologies: To better understand how you interact with our Services, we may collect information using cookies, clear-gifs (also known as web beacons or web bugs) and similar technologies. Our Services do not respond to "Do Not Track" signals.

    A cookie is a small amount of data that's stored by your browser on your device. It's used to do things like see how you navigate our Services and determine browser plug-ins. This helps us improve and deliver our Services, provide better customer service, and tailor and improve your online experience.

    A clear gif is a nearly invisible pixel-sized graphic image on a web page, web-based document or email message. It helps us do things like view the URL of the page on which the clear gif appears and the time the site, document or email in question is viewed. Clear gifs in emails help us confirm the receipt of, and response to, our emails.

    In addition to cookies and clear gifs, we may also use device identifiers, web storage, and other technologies to collect information about your interactions with our content and Services.

    The above technologies may be used to help us understand which of our website’s features online users utilize most: for example, by keeping track of the number of times our Environmental Responsibility Policy is accessed. Cookies, clear gifs, and similar technologies also allow us to associate your online navigational information, with any personal information you provide (such as name, address, phone number, and email address). We'll associate this information to deliver services to you; and to improve our business and site; transact business; and direct marketing and/or information relating to job opportunities and applications on this and other online websites and services, and through a variety of media like email, mobile advertising, and direct mail.

    For information about your options with respect to cookies, navigate to What choices do you have over how your information is used? below.

  3. How We Use the Information We Obtain

    We use the personal information we collect about you through the Services to:

    • communicate with you and respond to your requests;
    • evaluate the effectiveness of our website, analyze trends, and administer our website;
    • provide customer service;
    • improve our Services and the interactions visitors have with our Services;
    • personalize and enhance your experience with our Services;
    • enable you to interact with third-party content service providers, whether by linking to their sites, viewing their content within our online environment, or by viewing our content within their online environment;
    • maintain and create information for statistical purposes;
    • if you apply for employment with us, evaluate your suitability for employment (including obtaining additional information about you from third parties for this evaluation), carry out a background check, send you job alerts (if you request them), and communicate with you about jobs and positions that may match your skills and interests.
  4. Third-Party Analytics Services

    We may use third-party analytics services, such as Google Analytics. The analytics providers that administer these services help us provide certain features on our Services and analyze our visitors' preferences for us, through the use some or all the technologies described above, such as cookies, clear gifs and web server logs. To learn more about Google Analytics and how to opt out, please visit https://support.google.com/analytics/answer/181881?hl=en.

How do our Services interact with third-party services and content?

We link to third-party sites and services, or otherwise display third-party content through our Services, for your convenience and ease of reference. Those third-party sites and services may operate independently of us. The privacy practices of the relevant third parties, including details on the information they may collect about you, is subject to the privacy statements of those parties, which we strongly suggest you review. To the extent any linked third-party sites and services are not owned or controlled by us, we are not responsible for these third parties’ information practices.

Here are examples of the types of third-party content and services available through or via our Services:

  • Stock Information: We may facilitate easy access to information about the performance of the stock through third-party websites such as the SEC’s EDGAR database.
  • Social Networking and other Third-Party Sites and Services: We may at times facilitate easy access to third-party sites and online services, like social networks and other services that host user-generated content. This may include easy click-through access, the ability for you to share content on third-party services. The third-party's privacy policy applies to any information or content you provide through these services.
  • Annual Reports and Proxy Statements: We enable you to navigate easily to The Public Register and Broadridge, where you can request a hard copies or e-deliveries of our Annual Reports and Proxy Statements.
What information do we share with or disclose to third parties and our affiliates?

We may share information about you with certain third parties, as described below, and as otherwise described in this Policy:

  1. Service Providers and Contractors: We use third-party service providers and contractors to help handle parts of our business because of their expertise, resources, or scale. They help us do things like fulfill requests, operate our Services, monitor activity on our Services, analyze use of our Services, maintain databases, administer and monitor emails, evaluate applications for employment and conduct background checks, and provide consulting services. Contractors may also assist us in hosting microsites and mobile websites where you may provide personal information about yourself and where they may observe information about you in the same way as described above (visit What information do we collect and how do we use it? to learn more).
  2. Law Enforcement and Emergency Response: We may disclose personal information about you (a) if we are required to do so by law or legal process (such as a court order or subpoena); (b) in response to requests by government agencies, such as law enforcement authorities; (c) to establish, exercise, or defend our legal rights; (d) when we believe disclosure is necessary or appropriate to prevent physical or other harm or financial loss; (e) in connection with an investigation of suspected or actual illegal activity; or (f) otherwise with your consent.
  3. Sale, Merger, Transfer, or Similar Event: We reserve the right to share and/or transfer your personal information in the event we sell or transfer all or a portion of our business assets (including, without limitation, in the event of a merger, acquisition, joint venture, reorganization, dissolution or liquidation).
What choices do you have over how your information is used?
  1. Email: You may remove yourself from the Victoria’s Secret & Co. investor email list by following the removal instructions located at the bottom of each “E-mail Alert” or by completing the email alert unsubscribe form. If you would like to stop receiving job alert emails, you may similarly follow the unsubscribe link located at the bottom of each emails. Note that if you opt out of job alert emails from us, we may still send you operational or transactional email messages in connection with your application for employment (such as emails related to your application, updating your account information). Opting out of investor or job alert emails also will not automatically remove you from our brands’ marketing lists, such as Victoria’s Secret, Victoria’s Secret PINK or PINK Nation email list.
  2. Cookies and Clear Gifs: You may view and specify your preferences over the use of cookie technologies on victoriassecretandco.com (our corporate information site) by opening Cookie Preferences for victoriassecretandco.com. And you may do the same for careers.victoriassecret.com by accessing the cookie preferences gear control at the bottom right-hand corner of careers.victoriassecret.com. Note that your cookie preferences are specific to each of these two sites and address future cookie placement, only. You may also specify your preferences through a centralized registry. To learn about how to opt out of interest-based advertising in general, click the following: NAI Opt Out or DAA Opt Out. Additionally, your browser may offer the ability to block or delete cookies from your device. Simply follow your browser's instructions on how to block and clear cookies. Please note that without cookies, you may not to be able to use all features of our Services.
  3. Withdrawing an Employment Application: If at any time you wish to withdraw your application for employment, please log in to your account at careers.victoriassecret.com and select “Withdraw Your Application.” You may also withdraw your application by writing to us at:

    Human Resources
    Victoria’s Secret & Co.
    Four Limited Parkway
    Reynoldsburg, OH 43068
    US

  4. Mobile Text Messages: If you are receiving mobile text messages, for example related to an application or employment opportunities, but you no longer wish to receive these text messages, simply reply STOP to any text message.
How do we protect personal information?

We maintain administrative, technical and physical safeguards designed to protect the personal information we collect through our Services against accidental, unlawful destruction, loss, alteration, access, disclosure or use.

Our administrative safeguards include implementing, maintaining, and training employees on company privacy and information security policies and procedures.  Our physical and technical safeguards include maintaining physical security policies and standards to protect company systems and data, and a cybersecurity program overseen by executive leadership and the Victoria’s Secret & Co. board of directors.

Where is personal information stored and processed?

Our employees involved in data processing and our servers are based in Columbus, Ohio, US, and other locations throughout the United States. We work with affiliated and unaffiliated service providers in the United States, the United Kingdom, India, China, and other jurisdictions around the world.

Whom should you contact with questions or concerns?

If you have general questions about our Policy, please feel free to contact us by letter or email at:

ATTN: Privacy Matter
Victoria’s Secret & Co.
Four Limited Parkway
Reynoldsburg, OH 43068
US
VSprivacy@victoria.com

Supplemental Privacy Notice for California Consumers

If you are a California consumer, the information below (the “California Supplement") also applies to you, in addition to our Victoria’s Secret & Co. Privacy Policy. Certain terms used in this section have the meaning given to them in California Civil Code § 1798.100 et seq. For clarity, the information below applies to personal information we collect about California consumers both on our Services and offline, such as in our corporate offices.

  1. Collection and Disclosure
    During the 12-month period prior to the effective date of this Policy, we may have:
    1. Collected the following categories of personal information about you:
      • Identifiers (personal) (including, for example, name, alias, postal address, unique personal identifier, online and device identifier, IP address, email address, account name and number, social security number, telephone number, postal address, or other similar identifiers).
      • Identifiers (Government-Issued Identification Information) (including, for example, driver's license number, passport number, or state identification card number).
      • Commercial Information (including, for example, online browsing and website interaction histories; and direct marketing histories).
      • Computing or mobile-device information and internet or other electronic-network-activity information (including, for example, login credentials; online advertisement engagements; and cookies, tags, and similar device or user identifying information).
      • Education and professional information.
      • Financial information (including, for example, banking details and income level).
      • Geolocation information.
      • Inferences (including, for example, preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes).
      • Personal characteristics, histories, and associations (including, for example, signature; physical characteristics or description; and characteristics of protected classifications under California or federal law).
      • Household information (including, for example, family size and composition).
      • Incident-related information (including, for example, statements; or insurance, or similar claims).
      • Photographs, video and audio recordings, and similar information.
    2. Collected personal information about you from the following categories of sources:
      • You (for example, through your use of our Services).
      • Your computing or mobile devices.
      • Our technology (for example, through observed consumer interactions with us and through our Services).
      • Our Services and systems.
      • Our vendors, such as background check companies.
      • Public records.
      • Your associations (e.g., through referral programs).
      • Social media networks.
      • Advertising networks.
      • Unaffiliated third parties.
    3. Collected or sold personal information about you for the following business or commercial purposes (supplementing the information described above in our Privacy Policy):
      • Performing services, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, or providing similar services.
      • Auditing related to a current interaction with you and concurrent transactions, including, but not limited to, counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance.
      • Enabling short-term, transient use, including, but not limited to, the contextual customization of ads shown as part of the same interaction.
      • Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity.
      • Undertaking internal research for technological development and demonstration.
      • Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by us, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by us.
      • Facilitating accounting, auditing, and reporting.
      • Delivering advertising through technology (including, for example, to facilitate personalized content, remarketing, online display ads, and interest-based ads).
      • Delivering advertising through direct or mass media (including, for example, via email, SMS, telephone, post, and broadcasts).
      • Facilitating affiliate marketing.
      • Administering claims management, handling, and insurance.
      • Responding to incidents.
      • Delivering customer and associate services.
      • Pursuing legal matters.
      • Delivering website, mobile-app, and e-commerce services.
      • Facilitating information security.
      • Conducting surveys.
      • Administering technology and ensure technology integrity (including, for example, by maintaining and improving networks; and identifying and fixing problems).
    4. Shared your personal information with the following categories of third parties:
      • Affiliated retail brand and entity.
      • Vendors who provide services on our behalf, including:
        • Advertising technology (e.g., online advertising) provider.
        • Claims management (including, for example, legal or insurance) provider.
        • Incident-response service provider.
        • Customer information provider.
        • Customer service provider.
        • Data center/host/cloud-service provider.
        • Focus group host and service.
        • Fraud monitoring and prevention service.
        • Information security service provider.
        • Logistics (for example, order management and fulfillment) provider.
        • Payment and transaction processor.
        • Print and mail vendor.
        • Product and fit tester.
        • Shipping & handling service provider.
        • Social media provider.
        • Solutions (miscellaneous) provider.
        • Survey administrator.
        • Technology administration and integrity (e.g., systems maintenance, improvement, and solutions) provider.
        • Vendor (miscellaneous) services.
    5. Disclosed for a business purpose the following categories of personal information about you:
      • Identifiers (personal) (including, for example, name, alias, postal address, unique personal identifier, online and device identifier, IP address, email address, account name and number, social security number, telephone number, postal address, or other similar identifiers).
      • Identifiers (Government-Issued Identification Information) (including, for example, driver's license number or state identification card number).
      • Commercial Information (including, for example, online browsing and website interaction histories; and direct marketing histories).
      • Computing or mobile-device information and internet or other electronic-network-activity information (including, for example, login credentials; online advertisement engagements; and cookies, tags, and similar device or user identifying information).
      • Education and professional information.
      • Financial information (including, for example, banking details and income level).
      • Geolocation information.
      • Inferences (including, for example, preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes).
      • Personal characteristics, histories, and associations (including, for example, signature; physical characteristics or description; and characteristics of protected classifications under California or federal law).
      • Household information (including, for example, family size and composition).
      • Photographs, video and audio recordings, and similar information.

California Consumer Privacy Rights (for visitors of victoriassecretandco.com)

Visitors to victoriassecretandco.com (with no affiliation to Victoria’s Secret & Co. in the capacity of contractor, job applicant, or associate) may have the right to request, twice in a 12-month period, the following information about the personal information we have collected about you during the past 12 months:

  1. the categories and specific pieces of personal information we have collected about you;
  2. the categories of sources from which we collected the personal information;
  3. the business or commercial purpose for which we collected or sold the personal information;
  4. the categories of third parties with whom we shared the personal information; and
  5. the categories of personal information about you that we disclosed for a business purpose, and the categories of third parties to whom we disclosed that information for a business purpose.

In addition, you have the right to request that we delete the personal information we have collected from you.

If you are a resident of California and a visitor to victoriassecretandco.com and want to submit a data subject request under the California Consumer Privacy Act, visit Your Data Rights. If you are also a customer of Victoria’s Secret, you can submit a separate data subject request by visiting Victoria’s Secret Data Rights.

To help protect your privacy and maintain security, we take steps to verify your identity before granting access to information or complying with a request. To the extent permitted by applicable law, we may charge a reasonable fee to comply with your request.

Metrics: California Consumer Privacy Requests from January 1, 2020 – December 31,2020

The table below contains the required metrics regarding our processing of consumer rights requests under the California Consumer Privacy Act in 2020:

Request Type Requests Received Requests Complied With In Whole or In Part Requests Denied* Median Days for Response
Access 52 4 48 41
Deletion 101 12 89 52
Opt-Out 1,450 1,408 42 Less than 1 day

*Requests may have been denied for various reasons, including where the requests were not verifiable, were made by an agent who did not have authorization to make the request, were not made by a consumer, or called for information that was exempt from disclosure or deletion.

Supplemental Privacy & Cookie Notice for Visitors from the European Economic Area

If you are accessing our Services from a member state of the European Economic Area ("EEA"), this Supplemental Privacy Notice applies to you in addition to our Online Privacy Policy. This Supplemental Privacy Notice does not otherwise apply to visitors who are accessing our Services from outside the EEA.

Cookies

We use the following web cookies and other information technologies to provide features on our web and mobile sites to users in the EEA, including cookies that deliver basic visitor experiences and fuller website experiences such as interactivity with third-party content.

The following types of cookies (and cookie technology) are enabled when a web or mobile user visits this website:

COOKIE / TECHNOLOGY TYPE FUNCTION
User-Input Cookies Enables visitors’ input, choices, or selections across their website experience. Examples include maintaining a shopping cart during a visit or a form throughout a transaction.
Authentication Cookies Identifies visitors through the website after they log in.
Security Cookies Helps to ensure our website’s security when visitors request a service. For example, we use cookies to help secure account creation and login pages.
Multimedia Player Cookies Ensures such things as image quality, network link speed, or buffer information for video and audio playback.
Load-balancing Session Cookies Directs website traffic to a particular data center for the quickest website access, and enables visitors to return to that data center if needed.
Visitor Customization Cookies Stores preferences and visitor experiential histories: remembers language preference, product-page display preference, and whether certain visitor experiences should be displayed, such as email marketing signup, based on past experiences.
Social Media Plug-in Cookies These cookies from social media platforms (like Facebook and Instagram) facilitate content sharing on those platforms.
Remarketing and Interest
Based Advertising Cookies
Enables our advertising vendors to deliver tailored ads to our visitors on other websites. The ads are based on a visitor’s combined online and offline (e.g. in-store) shopping history and experience with us, as well with our vendors’ network of advertisers.
Analytics and Personalization Cookies Enables us to do things like estimate number of visitors, detect most used search-engine keywords that lead to a webpage, measure page load times, administer visitor surveys, identify navigation issues, serve personalized content on our websites, and improve web capabilities.

You may contact our data protection officer at:

ATTN: Privacy Matter
Victoria’s Secret & Co.
4 Limited Parkway
Reynoldsburg, OH 43068
US
VSprivacy@victoria.com

The legal basis for our processing of your personal data in connection with our Services is Article 6.1(b) EU GDPR, which allows processing of personal data as necessary for the performance of a contract. When you access our Services, you form a contract with us based on our Site Terms, Conditions and Notices, and we need to process your personal data to respond to and fulfill your requests and satisfy our obligations with respect to the other purposes listed in this Policy.

As exceptions, we rely on your consent with respect to cookies and direct marketing emails per Article 6.1(a) EU GDPR, and legitimate interests under Article 6.1(f) EU GDPR, especially with respect to situations where we must process your personal data to comply with applicable laws (as a U.S.-based company, we are subject to U.S. laws and must comply, just like EEA-based companies have to comply with EEA laws).

Recipients or categories of recipients of your personal data are employees of our company and affiliated and non-affiliated services providers who have a need to know.

When you access our Services, you transfer your personal data to the United States of America and India for which the European Union Commission has not yet issued an unlimited adequacy decision.

We will process and keep your personal information for as long as is necessary for the purposes set out in this Policy, for our legitimate business needs, and for compliance with the law.

You have a right to request from us these EU GDPR rights concerning your personal data: access to data; rectification of data; erasure of data; restriction on processing; objection to data processing; and data portability. You can exercise these rights through a combination of actions: (a) visit Your Data Rights; (b) access the information in your account; (c) exercise your opt-out options through our Services; or (d) contact us via email VSPrivacy@victoria.com, or call 1-937-438-4197.

If you are also a customer of Victoria’s Secret, you can submit a separate data subject request by visiting Victoria’s Secret Data Rights.

If you have provided consent for direct marketing emails or other data processing, you have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

You have the right to lodge a complaint with a supervisory authority. We do not use automated decision-making, including profiling, as referred to in Article 22(1) EU GDPR, that is, in a way that produces legal effects concerning you or significantly affects you. Our Services' customization technologies and e-commerce processes are automated, but do not produce legal effects or affect you significantly as contemplated by Article 22(1) or the EU GDPR.

You can contact us with any questions, or to exercise your rights by emailing VSPrivacy@victoria.com or calling 1-937-438-4197 in the EU.