1. Information You Provide

   When you visit our Services, you may provide us with certain personal information, such as your name, address, phone number, email address, company information, phone number, and any other information you choose to provide. If you apply for a career opportunity with us or register to be included in our Talent Community candidate database, we may also collect certain other information, such as your work experience and resume, educational history, job preferences and interests, and other information you provide in connection with an application for employment. If you create a profile on careers.victoriassecret.com, we will also collect your profile username and password.

   We collect this information at various places on our Services. For instance, when you subscribe for investor alerts, we will request that you provide your email address. We may also collect your information if you register on careers.victoriassecret.com and create a profile.

   If you apply for a career opportunity with us, we might contact you to obtain additional identifying information to complete the application process, including background checks and other checks to verify the information you have provided to us. We will only carry out background checks that are considered relevant to the role for which you are applying and with your consent (where required by applicable law). If you are offered employment with us, we may also ask you to provide certain personal information required to complete the onboarding process for the role which you have been offered. For example, we may also collect social security number (or local equivalent), bank account numbers, dependent personal information, marital status, gender, date of birth, and emergency contact information.

2. Information We Collect Automatically

   When you interact with our Services, we obtain certain information by automated means, including the following:

   1. Navigational Information: When you access our Services, we may collect navigational information such as information about where visitors go on our Services, how many visits are made to the Services, when the Services are visited and other information such as domain type, browser information, service provider identification, and IP address.
   2. Device Information: We may obtain information about the computer or mobile device used to access our Services, such as the hardware model, operating system and version, identification numbers assigned to your mobile device, such as the ID for Advertising (IDFA) on Apple devices, and the Advertising ID on Android devices, mobile network information, and website usage behavior.
   3. Cookies, Clear Gifs, and Similar Technologies: To better understand how you interact with our Services, we may collect information using cookies, clear-gifs (also known as web beacons, web bugs or pixels) and similar technologies. Our Services do not respond to "Do Not Track" signals.

   A cookie is a small amount of data that's stored by your browser on your device. It's used to do things like see how you navigate our Services and determine browser plug-ins. This helps us improve and deliver our Services, provide better customer service, and tailor and improve your online experience.

   A clear gif is a nearly invisible pixel-sized graphic image on a web page, web-based document or email message. It helps us do things like view the URL of the page on which the clear gif appears and the time the site, document or email in question is viewed. Clear gifs in emails help us confirm the receipt of, and response to, our emails.

   In addition to cookies and clear gifs, we may also use device identifiers, web storage, and other technologies to collect information about your interactions with our content and Services.

   The above technologies may be used to help us understand which of our website’s features online users utilize most: for example, by keeping track of the number of times our Environmental Responsibility Policy is accessed. Cookies, clear gifs, and similar technologies also allow us to associate your online navigational information, with any personal information you provide (such as name, address, phone number, and email address). We associate this information to deliver services to you; improve our business and site; transact business; and direct marketing and/or information relating to job opportunities and applications on this and other online websites and services, and through a variety of media like email, mobile advertising, and direct mail.

   For information about your options with respect to cookies, navigate to What choices do you have over how your information is used?  below.

3. How We Use the Information We Obtain

   We use the personal information we collect about you through the Services to:

   • communicate with you and respond to your requests;
   • sending you communications and email alerts;
   • evaluate the effectiveness of our website, analyze trends, and administer our website;
   • provide customer service;
   • improve our Services and the interactions visitors have with our Services;
   • personalize and enhance your experience with our Services;
   • enable you to interact with third-party content service providers, whether by linking to their sites, viewing their content within our online environment, or by viewing our content within their online environment;
   • maintain and create information for statistical purposes;
   • if you apply for employment with us, evaluate your suitability for employment (including obtaining additional information about you from third parties for this evaluation), carry out a background check, send you job alerts (if you request them), and communicate with you about jobs and positions that may match your skills and interests; and if you have joined our Talent Community candidate database, to contact you about job openings that may be of interest to you.

4. Third-Party Analytics Services

   We may use third-party analytics services, such as Google Analytics. The analytics providers that administer these services help us provide certain features on our Services and analyze our visitors' preferences for us, through the use some or all the technologies described above, such as cookies, clear gifs and web server logs. To learn more about Google Analytics and how to opt out, please visit https://support.google.com/analytics/answer/181881?hl=en.

We link to third-party sites and services, or otherwise display third-party content through our Services, for your convenience and ease of reference. Those third-party sites and services may operate independently of us. The privacy practices of the relevant third parties, including details on the information they may collect about you, is subject to the privacy statements of those parties, which we strongly suggest you review. To the extent any linked third-party sites and services are not owned or controlled by us, we are not responsible for these third parties’ information practices.

Here are examples of the types of third-party content and services available through or via our Services:

• Stock Information: We may facilitate easy access to information about the performance of the stock through third-party websites such as the SEC’s EDGAR database.
• Social Networking and other Third-Party Sites and Services: We may at times facilitate easy access to third-party sites and online services, like social networks and other services that host user-generated content. This may include easy click-through access, the ability for you to share content on third-party services. The third-party's privacy policy applies to any information or content you provide through these services.
• Annual Reports and Proxy Statements: We enable you to navigate easily to The Public Register and Broadridge, where you can request a hard copies or e-deliveries of our Annual Reports and Proxy Statements.

We may share information about you with certain third parties and affiliates, as described below, and as otherwise described in this Policy:

1. Service Providers and Contractors: We use affiliated and unaffiliated third-party service providers and contractors to help handle parts of our business because of their expertise, resources, or scale. They help us do things like fulfill requests, operate our Services, monitor activity on our Services, analyze use of our Services, maintain databases, administer and monitor emails, evaluate applications for employment and conduct background checks, and provide consulting services. Contractors may also assist us in hosting microsites and mobile websites where you may provide personal information about yourself and where they may observe information about you in the same way as described above (visit What information do we collect and how do we use it? to learn more).
2. Law Enforcement, Legal Disclosure and Emergency Response: We and our service providers may disclose personal information about you (a) if we are required or permitted to do so by law or legal process (such as a court order or subpoena); (b) in response to requests by courts or government agencies, such as law enforcement authorities; in the jurisdictions in which we or our service providers process your personable information; (c) to establish, exercise, or defend our legal rights; (d) when we believe disclosure is necessary or appropriate to prevent physical or other harm or financial loss; (e) in connection with an investigation of suspected or actual illegal activity; or (f) otherwise with your consent.
3. Sale, Merger, Transfer, or Similar Event: We reserve the right to share and/or transfer your information in the event we sell and/or transfer all or a portion of our business assets (including, without limitation, in the event of a prospective or completed merger, acquisition, joint venture, reorganization, dissolution or liquidation).

1. Email: You may remove yourself from the Victoria’s Secret & Co. investor email list by following the removal instructions located at the bottom of each “E-mail Alert” or by completing the email alert unsubscribe form. If you would like to stop receiving job alert emails, you may similarly follow the unsubscribe link located at the bottom of each emails. Note that if you opt out of job alert emails from us, we may still send you operational or transactional email messages in connection with your application for employment (such as emails related to your application, updating your account information). Opting out of investor or job alert emails also will not automatically remove you from our brands’ marketing lists, such as Victoria’s Secret, Victoria’s Secret PINK or PINK Nation email list. If you have joined our Talent Community, you can unsubscribe from receiving email communications about jobs that may be of interest to you by clicking the unsubscribe link included in the Talent Community emails. 
2. Cookies and Clear Gifs: You may view and specify your preferences over the use of cookie technologies on victoriassecretandco.com (our corporate information site) by selecting the Cookie Preferences button on the do not sell my personal information page. And you may do the same for careers.victoriassecret.com by accessing the cookie preferences gear control at the bottom right-hand corner of careers.victoriassecret.com. Note that your cookie preferences are specific to each of these two sites and address future cookie placement, only. You may also specify your preferences with respect to companies that participate in a centralized registry. Additionally, your browser may offer the ability to block or delete cookies from your device. Simply follow your browser's instructions on how to block and clear cookies. Please note that without cookies, you may not to be able to use all features of our Services.
    
3. Withdrawing an Employment Application: If at any time you wish to withdraw your application for employment, please log in to your account at careers.victoriassecret.com and select “Withdraw Your Application.” You may also withdraw your application by writing to us at:
   
   Human Resources
   Victoria’s Secret & Co.
   Four Limited Parkway
   Reynoldsburg, OH 43068
   US
4. Mobile Text Messages: If you are receiving mobile text messages, for example related to an application or employment opportunities, but you no longer wish to receive these text messages, simply reply STOP to any text message. Please note that these text messages are subject to Victoria’s Secret’s Text Message Terms and Conditions, which are expressly incorporated by reference.
5. Location Information: You may have the ability to turn location-based services on and off by adjusting the settings of your internet browser or mobile device.  

If you reside in California, Canada, Colorado, Connecticut, European Economic Aera ("EEA") Virginia or Utah, you may have certain rights regarding your personal information. If you are a resident of California, Canada, or the EEA, for more information about your privacy rights, please see the respective Supplemental Privacy Notice below for California, Canada, and the EEA. 

If you are a Colorado, Connecticut, Virginia or Utah resident and you use the Services or interact with us in an individual or household capacity (and not in a commercial or employment context), you may have certain rights regarding your personal information, as described below.

• To submit a request to access (including portability), correct, or delete your personal information, please visit the Your Privacy Rights webform and select your state or province of residence and the nature of your request, or call us at 1-888-873-2738.  We will comply with your request in accordance with our obligations under applicable law. We do not discriminate against individuals who exercise any of their rights described in this Policy.”
• To submit a request to opt out of the processing of your personal information for purposes of targeted advertising or the sale of your personal information, please visit the Do not sell or share my personal information webpage or call us at 1-888-873-2738.
• To submit a request as an authorized agent on behalf of a resident, please visit the Your Privacy Rights webform. On the form, add your email address and information about the individual for whom you are submitting the request in the other required fields. Please add your name and phone number in the Request Details field and an indication that you are submitting the request as an authorized agent.
• Appeals: We will make every reasonable effort to fulfill Your Privacy Rights request. However, if we are unable to fulfill your request, whether because we cannot verify you or if you believe we did not adequately respond to your request, we will provide you instructions to appeal and, where required by applicable law, the reasons for any refusal. If you are submitting your appeal by email, please explain your concerns and provide us your reference number so we may properly review your privacy rights request history. We may also have a person from our Privacy Team reach out to you with additional questions or to address your specific concerns.

We may require certain personal data for the purpose of verifying the identity of the individual making the request

We maintain administrative, technical and physical safeguards designed to protect the personal information we collect through our Services against accidental, unlawful destruction, loss, alteration, access, disclosure or use.

Our administrative safeguards include implementing, maintaining, and training employees on company privacy and information security policies and procedures.  Our physical and technical safeguards include maintaining physical security policies and standards to protect company systems and data, and a cybersecurity program overseen by executive leadership and the Victoria’s Secret & Co. board of directors.

Our employees involved in data processing and our servers are based in Columbus, Ohio, US, and other locations throughout the United States. We work with affiliated and unaffiliated service providers in the United States, the United Kingdom, India, China, and other jurisdictions around the world. We and our service providers may disclose your personal data if we are required or permitted by applicable law or legal process, which may include lawful access by foreign courts, law enforcement or other government authorities in the jurisdictions in which we or our service providers operate.

If you have general questions about our Policy, please feel free to contact us by letter or email at:

ATTN: Privacy Matter
Victoria’s Secret & Co.
Four Limited Parkway
Reynoldsburg, OH 43068
US

This Policy may be updated periodically to reflect changes in our personal information practices. Changes to the Policy will be posted on this page. For significant changes, we will notify you by posting a prominent notice on our Services indicating at the top of the Policy when it was most recently updated.

If you are a California resident, the information below (the “California Supplement") also applies to you, in addition to our Victoria’s Secret & Co. Privacy Policy. Certain terms used in this section have the meaning given to them in the California Consumer Privacy Act, as amended by the California Privacy Rights Act, California Civil Code § 1798.100 et seq., and its implementing regulations (collectively the “CCPA/CPRA”). For clarity, the information below applies to personal information we collect about California residents both on our Services and offline, such as in our corporate offices. This California Supplement does not apply to Victoria’s Secret personnel.

1. Collection and Disclosure of Personal Information

   We may collect (and may have collected during the 12-month period prior to the effective date of this Policy) the following categories of personal information about you to the following categories of third parties, as described below:

   Category of Personal Information Collected	Category of Third-Party, to Whom Information is Disclosed for a Business Purpose (as defined under the CCPA/CPRA)	Category of Third-Party, to Whom Information is Sold or Shared (for cross-context behavioral advertising purposes) (as each term is defined under the CCPA/CPRA)
   Identifiers (Personal) Including, for example, name, postal address, IP address, email address, telephone number or other similar identifiers)	• Analytics insights providers • Affiliated brands and entities • Data centers • Human resources service providers • Information security service providers • Vendors who provide services on our behalf	Not Applicable
   Additional Data Subject to Cal. Civ. Code § 1798.80 Characteristics of protected classifications under California or federal law, such as race, and military and veteran status	• Human resources service providers	Not Applicable
   Online Activity Including, for example, Internet and other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding your interaction with our Services or other third-party websites or applications	• Analytics insights providers • Affiliated brands and entities • Contextual online experience providers • Data centers • Fraud monitoring and prevention providers • Information security service provider • Technology administration and integrity providers (including for maintaining and improving networks; identifying problems; and fixing problems) • Vendors who provide services on our behalf	• Advertising technology providers (including online advertising) • Social media platforms
   Employment Information Including, for example, talent management information (e.g., resumé information, occupation details, education details, certifications and professional associations, historical compensation details, previous employment details, and pre-employment screening and background check information, including criminal records information	• Human resources service providers	Not Applicable
   Geolocation by consent for jobs available “nearby”	• Analytics insights providers • Data centers • Fraud monitoring and prevention providers • Human resources service providers • Information security service providers	Not Applicable
   Sensory Information Including, for example, photographs, video and audio recordings, and electronic or similar information	• Fraud monitoring and prevention providers • Information security service providers • Vendors who provide services on our behalf	Not Applicable
   Inferences Including, for example, inferences drawn from any of the information identified above to create a profile about you reflecting your preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes	• Human resources service providers • Information security service providers • Vendors who provide services on our behalf	Not Applicable

2. Use of Personal Information
    

   We may use (and may have used during the 12-month period prior to the effective date of this Policy) personal information about you for the following business purposes specified in the CCPA/CPRA (supplementing the information described above in our Privacy Policy), such as:

   • Performing services, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing services, providing analytics services, providing storage or providing similar services
   • Auditing related to counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance
   • Short-term, transient use, including, but not limited to, non-personalized advertising shown as part of your current interaction with us
   • Helping to ensure security and integrity to the extent the use of your personal information is reasonably necessary and proportionate for these purposes
   • Debugging to identify and repair errors that impair existing intended functionality
   • Undertaking internal research for technological development and demonstration
   • Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by us, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by us
   • Providing advertising and marketing services, except for cross-context behavioral advertising (which is addressed in the “Disclosures of Personal Information” section of this California Supplement)
3. Sensitive Personal Information
    

   We do not use or disclose (and have not used or disclosed during the 12-month period prior to the Last Updated date of this Privacy Policy) “sensitive personal information” (as defined under the CCPA/CPRA) for any purpose other than those expressly permitted under the CCPA/CPRA.

4. Retention of Personal Information
    

   We will retain your personal information for the period reasonably necessary to achieve the purposes outlined in this Supplement, unless a longer retention period is required or permitted by applicable law, taking into account relevant statutes of limitations and our records retention requirements and policies.

5. Sale or Sharing of Personal Information
    

   We do not sell your personal information in exchange for monetary consideration. We may disclose your personal information by allowing certain third parties to collect personal information via automated technologies on our Services for cross-context behavioral advertising purposes. Under California law, these kinds of disclosures may be considered a “sale” when the personal information is exchanged for non-monetary consideration, or “sharing” when the personal information is disclosed for cross-context behavioral advertising purposes. You have the right to opt out of these types of disclosures of your information.

   We do not have actual knowledge that we sell or share personal information of minors under 16 years of age.

6. California Privacy Rights
    

   You have certain choices regarding your personal information, as described below.

   • Access: You have the right to request, twice in a 12-month period, that we disclose to you the personal information we have collected, used, and disclosed about you during the past 12 months.
   • Correction: You have the right to request that we correct the personal information we maintain about you, if that information is inaccurate.
   • Deletion: You have the right to request that we delete certain personal information we have collected from you.
   • Opt-Out of Sale or Sharing: You have the right to opt out of the sale of your personal information or the sharing of your personal information for cross-context behavioral advertising purposes.
   • Right to Non-Discrimination for Exercise of Privacy Rights: Under the CCPA/CPRA, you have the right to not receive discriminatory treatment if you exercise your privacy rights under the CCPA/CPRA.

How to Submit a Request

To submit a request to exercise your privacy rights under the CCPA/CPRA as an applicant, contractor or former associate, please visit our Privacy webform. If you are submitting a request as an authorized agent on behalf of an applicant, contractor, or former associate, on the form add your email address and information about the individual for whom you are submitting the request in the other required fields. To make a privacy request by phone, for applicants and contractors, call 1-888-873-2738 and for former associates, call 1-866-473-4728.

If you are a customer of Victoria’s Secret or to submit a request as an authorized agent on behalf of a consumer, you can submit a separate Privacy request by visiting Victoria’s Secret Privacy Rights webform. Please add your name and phone number in the Request Details field and an indication that you are submitting the request as an authorized agent. For customers or to call as an authorized agent on behalf of a customer, call 1-800-411-5116.

To opt out of the sale or sharing of your personal information for victoriassecretandco.com, visit the Do Not Sell or Share My Personal Information webpage. To opt out of the sale or sharing of your personal information for careers.victoriassecret.com, visit the Do Not Sell or Share My Personal Information webpage.

Verifying Requests

To help protect your privacy and maintain security, we take steps to verify your identity before granting access to information or complying with a request. Upon submission, you will be required to provide your full name, date of birth, address, phone number. You will also be asked to verify the email address you submit with your request. You will receive an email from us with instructions on completing this step. You may also be asked to sign a declaration under penalty of perjury that you are the individual whose personal information is the subject of the request.

If you designate an authorized agent to make a request on your behalf, we may require you to provide the authorized agent written permission to do so and we may require you to verify your identity directly with us (as described above).
To the extent permitted by applicable law, we may charge a reasonable fee to comply with your request.

If you are accessing our Services from a member state of the European Economic Area ("EEA"), this Supplemental Privacy Notice (“Notice”) applies to you in addition to our Online Privacy Policy. This Supplemental Privacy Notice does not otherwise apply to visitors who are accessing our Services from outside the EEA.

Cookies

We use the following web cookies and other information technologies to provide features on our web and mobile sites to users in the EEA, including cookies that deliver basic visitor experiences and fuller website experiences such as interactivity with third-party content.

The following types of cookies (and cookie technology) are used on this website. Cookies that are strictly necessary are set as soon as the user visits the website. Cookies that are not strictly necessary are only set if the web or mobile user gives consent to the use of those cookies.

You may contact our data protection officer at:

ATTN: Privacy Matter
Victoria’s Secret & Co.

4 Limited Parkway, Reynoldsburg, OH 43068
US

The legal basis for our processing of your personal data in connection with our Services is Article 6.1(b) EU GDPR, which allows processing of personal data as necessary for the performance of a contract. When you access our Services, you form a contract with us based on our Site Terms, Conditions and Notices, and we need to process your personal data to respond to and fulfill your requests and satisfy our obligations with respect to the other purposes listed in this Policy.

As exceptions, we rely on your consent with respect to cookies and direct marketing emails per Article 6.1(a) EU GDPR, and legitimate interests under Article 6.1(f) EU GDPR, especially with respect to situations where we must process your personal data to comply with applicable laws (as a U.S.-based company, we are subject to U.S. laws and must comply, just like EEA-based companies have to comply with EEA laws). When we collect and process sensitive personal data for the purposes described above, we do so when required by law or otherwise with your explicit consent.

Recipients or categories of recipients of your personal data are employees of our company and affiliated and non-affiliated services providers who have a need to know.

When you access our Services, you transfer your personal data to the United States of America and India for which the European Union Commission has not yet issued an unlimited adequacy decision. We will comply with applicable legal requirements to ensure that personal data is subject to an adequate level of protection when we transfer your personal data to additional recipients in countries located outside the EEA. In all such cases, we will only transfer your personal data if:

1. The country to which the personal data will be transferred has been granted a European Commission adequacy decision; or
2. We have implemented appropriate safeguards in relation to the transfer, such as the EU Standard Contractual Clauses.

You may request a copy of the safeguards that we have implemented with respect to transfers of personal data by contacting our data protection office, as described above, or by contacting us through our contact information at the end of this Notice.

We will process and keep your personal information for as long as is necessary for the purposes set out in this Policy, for our legitimate business needs, and for compliance with the law.

You have a right to request from us these EU GDPR rights concerning your personal data: access to data; rectification of data; erasure of data; restriction on processing; objection to data processing; and data portability. You can exercise these rights through a combination of actions: (a) visit Your Privacy Rights; (b) access the information in your account; (c) exercise your opt-out options through our Services; or (d) by phone, for applicants and contractors, call 1-888-873-2738 and for former associates, call 1-866-473-4728. 

If you are also a customer of Victoria’s Secret, you can submit a separate privacy request by visiting Victoria’s Secret Privacy Rights If you have provided consent for direct marketing emails or other data processing, you have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

You have the right to lodge a complaint with a supervisory authority.

We do not use automated decision-making, including profiling, as referred to in Article 22(1) EU GDPR, that is, in a way that produces legal effects concerning you or significantly affects you. Our Services' customization technologies and e-commerce processes are automated, but do not produce legal effects or affect you significantly as contemplated by Article 22(1) or (2) EU GDPR.

You can contact us with any questions, or to exercise your rights by calling +1-937-438-4197 in the EU.

The following applies in addition to the Privacy Notice above:

We collect personal information for the purposes disclosed to you at the time personal information is collected, and as set out under “What information do we collect and how do we use it?”.

You have the right to access, update, rectify and correct inaccuracies in your personal information in our custody and control and withdraw your consent to our collection, use and disclosure of your personal information. You may exercise these rights by using the Your Privacy Rights webform or by calling or writing to us at the contact information set out below.

To submit a request as an authorized agent on behalf of a resident, please visit the Your Privacy Rights webform. On the form, add your email address and information about the individual for whom you are submitting the request in the other required fields. Please add your name and phone number in the Request Details field and an indication that you are submitting the request as an authorized agent. See What information do we share with or disclose to third parties and our affiliates? to learn about how we may share your personal information. Your personal information will be transferred to us and our affiliated and unaffiliated service providers outside of your province.

How to Contact Us

If you have general questions or concerns about our Privacy Policy or the manner in which we or our service providers treat your personal information, for applicants and contractors, call 1-888-873-2738 and for former associates, call 1-866-473-4728.You may also contact our Privacy Officer at the contact information below:

ATTN: Privacy Officer

Victoria’s Secret (Canada) Corp.

4 Limited Parkway

Reynoldsburg, OH 43068

US

Information about our Privacy Governance Policies and Practices

We are committed to protecting personal information and have implemented a comprehensive set of policies and practices that govern our treatment of personal information. These policies and procedures include, among other things, the following:

• We have implemented policies and procedures to protect personal information in our custody and control from unauthorized access, use or disclosure.
• We have implemented processes to respond to data subject requests and complaints in a timely and effective manner.
• We have implemented a framework for the retention and destruction of personal information to ensure compliance with legal obligations, and to securely destroy personal information once no longer required.
• We have designated a Privacy Officer who is responsible for overseeing the company’s compliance with privacy legislation.
• We have policies and trainings that define the roles and responsibilities for our employees with respect to the treatment of personal information.
• We provide our employees with regular privacy training and awareness.