Privacy Policy
LNC Professional
Your trust matters. Here is how we handle your information, in plain language.
Last updated: 18 July 2026
Who we are
LNC Professional is the trading name of LNC NSI Barbados SRL ("LNC Professional", "we", "us", "our"), a Society with Restricted Liability formed under the Barbados Societies with Restricted Liability Act. We supply professional nail products to nail technicians, nail students, salon owners, resellers and distributors around the world through our website lncpronails.com and through direct enquiries.
We are the controller of the personal information described in this policy. That means we decide what is collected and why, and we are the ones you hold accountable for it.
Registered entity: LNC NSI Barbados SRL, trading as LNC Professional
Home jurisdiction: Barbados. Our processing is governed in the first instance by the Barbados Data Protection Act 2019, and we also honour the standards described in this policy for customers elsewhere.
Our people. Your information may be seen by our staff and by staff of our group companies, who act for us and are bound by the same obligations.
How to reach us about your data:
- Email: [email protected]
- WhatsApp: +1 562 548 7272
- Marketing email is sent from [email protected]
If you write to us about your personal information, please put "Data request" in the subject line so it reaches the right person quickly.
Data protection contact: email [email protected] or message us on WhatsApp at +1 562 548 7272. Both reach the people responsible for privacy enquiries.
Who this policy covers
This policy covers everyone whose personal information we hold: people who fill in a form on our website, message us on WhatsApp, Messenger or Instagram, email us, place an order, or apply to become a reseller or distributor.
We sell business to business. Even so, the people we deal with are individuals, and their personal information is protected in the same way. A business contact detail is still personal data when it identifies a person.
What we collect
When you fill in our lead or enquiry form, or message us:
- your name
- your email address
- your phone or WhatsApp number
- your country
- your buyer type (nail technician, salon owner, student, reseller, or distributor)
- a record of the consent you gave, including the date and time
- the advertisement or campaign your enquiry came from
When you order from us or correspond with us:
- the products you ask about or buy, and your order and enquiry correspondence
- the delivery details needed to get your order to you
When you message us on WhatsApp, Facebook Messenger or Instagram Direct:
- your name, your public profile information, and the content of the messages you send us
When you visit our website:
- cookie and pixel information, described in our separate Cookie Policy, and technical information such as your IP address and browser type that is generated automatically when any website is loaded
What we do not collect: we do not ask for, and do not want, sensitive categories of information such as health data, religious or political beliefs, or biometric data. Please do not send them to us.
Payment details: payments are handled by third-party payment processors. We never see or store your card details, and card data does not reach LNC Professional systems at any point.
Why we use it, and our lawful basis for each purpose
We only use your information for the reasons below. "Lawful basis" is the legal justification we rely on, which regulators can ask us to demonstrate.
| What we do | Why | Lawful basis |
|---|---|---|
| Reply to your enquiry, quote you, and answer product questions | So we can actually help you | Steps taken at your request before entering a contract, or our legitimate interest in responding to business enquiries |
| Process and deliver your order, and handle returns | To fulfil what you bought | Performance of a contract with you |
| Route your order to the right fulfilment hub | So your order ships from the nearest location | Performance of a contract with you |
| Assess reseller and distributor applications | To decide who we can supply | Steps taken before entering a contract, and our legitimate interest in running a trade channel responsibly |
| Send you marketing emails and offers | To tell you about products, training and promotions | Your consent, which you can withdraw at any time |
| Keep a record of the consent you gave | So we can prove we asked properly | Legal obligation and our legitimate interest in being accountable |
| Measure which advertisements bring genuine enquiries | So we do not waste money advertising to the wrong people | Your consent for advertising cookies and the Meta Pixel, and our legitimate interest in understanding our own campaigns |
| Keep our systems and accounts secure, and prevent fraud | To protect you and us | Our legitimate interest in security, and legal obligation where applicable |
| Keep accounting and tax records | Because we have to | Legal obligation |
Where we rely on legitimate interests, we have thought about whether our interest is outweighed by your privacy. You can ask us to explain our reasoning, and you can object (see "Your rights" below).
An AI assistant reads and answers our messages
We want to be straightforward about this, because you deserve to know who, or what, you are talking to.
When you message us on WhatsApp, Facebook Messenger or Instagram Direct, your message is handled in the first instance by an automated AI assistant called Lilly. Lilly is software, not a person. Lilly reads the content of your message, works out what you are asking for, and drafts or sends a reply. Our human team oversees Lilly's work and steps in to take over conversations.
What this means in practice:
- the content of your messages is processed by an automated system
- your message content is sent to the AI service provider that powers Lilly in order to generate a reply
- a human being can and does review these conversations
- you can ask to speak to a human at any time. Just say so in the chat, or email [email protected], and a person will take over.
Lilly does not make decisions that produce legal effects for you or similarly significantly affect you. She answers questions, shares product information, and passes enquiries to our team. Pricing, credit terms and distributor approvals are decided by people, not by Lilly.
AI service providers: message content is processed by AI service providers in the United States and the European Union, acting on our instructions and only to draft a reply to you.
Who we share it with
We do not sell your personal information. We have never done so and we do not intend to.
We share it only with service providers who help us run the business, and only for that purpose. They act on our instructions and are bound by contract. The ones we use today are:
| Provider | What they do for us | Where they process data |
|---|---|---|
| Brevo | Marketing and transactional email | European Union |
| Chatwoot | Our chat inbox, where WhatsApp, Messenger and Instagram messages arrive | Self-hosted by us on our own infrastructure, see below |
| Meta Platforms | Advertising, the Meta Pixel, and the Facebook, Instagram and WhatsApp messaging channels | Global, primarily United States and Ireland |
| Cloudflare | Website hosting, content delivery and security | Global edge network |
| Airtable | Our records of enquiries and orders | United States |
| Hetzner | The servers running our self-hosted database and applications | Germany (Nuremberg and Falkenstein) |
We also share information with:
- our own group companies, our group companies in Hong Kong and our Guyanese operating company, where they are involved in supplying or supporting your order
- the third-party fulfilment vendors described in the transfers section below, including the independent logistics company that runs our Panama hub
And where we genuinely have to:
- with delivery and freight partners, so your order arrives
- with our accountants, auditors and legal advisers, under confidentiality
- with a regulator, court or law enforcement body where we are legally required to
- with a buyer, if the business is ever sold, in which case we will tell you first
Your use of Facebook, Instagram and WhatsApp is also governed by the privacy policies of Meta Platforms, Inc. We do not control what Meta does with data you give directly to Meta.
Sending information across borders
We are based in Barbados, and we ship worldwide from four fulfilment locations. We route each order to the one that can get it to you fastest. Not all of them are ours, and the difference matters, so here it is:
| Location | Who runs it | What that means for your data |
|---|---|---|
| United States | Fulfilment provider | |
| Central America (Panama) | An independent third-party logistics vendor, not a company we own | Your delivery details are passed to an outside company acting as our processor, under contract |
| Middle East (Dubai and Jordan), serving Africa and the MENA region | Fulfilment provider | |
| Southeast Asia (Malaysia) | Fulfilment provider |
We also work with our own group companies in Hong Kong and Guyana, and some products ship from the United States.
So your name, contact details and delivery information will be sent to whichever location is handling your order, and to the carrier delivering it. Our service providers listed above also operate internationally. Your information will cross borders. There is no way to run a global supply business otherwise, and we would rather say so plainly than bury it.
Where the Panama hub is concerned, we want to be especially clear. That hub is an outside company. It is not part of our group. It receives your delivery information because it packs and ships your order, and for no other reason. It is bound by a written contract that limits it to acting on our instructions, and it is not permitted to use your information for its own purposes.
Some of the countries involved do not have privacy laws that a Barbadian, European, British or Nigerian regulator would call "adequate". Where that is the case, we rely on one or more of the following safeguards:
- Standard Contractual Clauses or the equivalent transfer clauses in our contracts with the provider or vendor
- an adequacy decision where one exists for the destination country
- binding intra-group arrangements where the transfer is to our own subsidiary in Hong Kong or Guyana
- the necessity of the transfer to perform your contract, which is the position where we send your delivery details to the location and carrier that will actually ship your order
- your explicit consent to the transfer, where no other route is available
Where your data actually sits. Our servers and our email provider are in the European Union. When you place an order we share only the delivery details needed to get your parcel to you with the fulfilment provider for your region, and only for that purpose.
You can ask us for details of the safeguards that apply to your information by emailing [email protected].
How long we keep it
We keep personal information only as long as we have a reason to.
| Information | How long we keep it | Why |
|---|---|---|
| Enquiries that did not become orders | 24 months from your last contact with us | So we can pick up a conversation you started |
| Customer and order records | 5 years from the end of the financial year the record relates to, as required by Barbados tax law | Legal and tax obligation |
| Marketing consent records | for as long as we market to you, plus 24 months afterwards | To prove we had your permission |
| Chat conversations, including AI-handled messages | 24 months | Customer service history and quality review |
| Website and pixel data | See the Cookie Policy |
When the period ends, we delete the information or anonymise it so it can no longer identify you.
Note: the retention periods above are proposals, not commitments, until counsel confirms the statutory minimums that apply to LNC NSI Barbados SRL under Barbados law Publishing a period we cannot honour is worse than publishing none.
Your rights
Wherever you live, we will honour the following. Some of these are guaranteed to you by law under the Barbados Data Protection Act 2019, which is the law of our home jurisdiction, and under the EU and UK GDPR, Nigeria's Data Protection Act, California's privacy laws, and the data protection laws of a growing number of CARICOM states. We apply them to everyone rather than sorting people by passport.
- Access. Ask us what we hold about you, and get a copy.
- Correction. Tell us something is wrong and we will fix it.
- Deletion. Ask us to erase your information. We will, unless we have a legal reason to keep it, such as tax records for a completed order.
- Portability. Ask for the information you gave us in a common machine readable format.
- Objection. Object to us using your information where we rely on legitimate interests. If you object to direct marketing, we will stop, full stop, no questions asked.
- Restriction. Ask us to pause using your information while a dispute about it is sorted out.
- Withdraw consent. Where we rely on your consent, you can take it back at any time. It does not undo what we lawfully did before you withdrew it.
- Opt out of sale or sharing. We do not sell personal information or share it for cross context behavioural advertising in the sense California law uses. If that ever changes, we will tell you and give you a clear way to opt out first.
- No retaliation. Exercising any of these rights will never affect your pricing, your service, or your standing as a customer.
How to exercise a right: email [email protected] or message +1 562 548 7272. We will ask a couple of questions to confirm it is really you, because handing your data to the wrong person would be the worse mistake. We will not ask for more identification than we need.
How long we take: we aim to respond within 30 days. If your request is complicated we may need longer, and we will tell you why before the 30 days are up.
If you are not happy with how we handled it, you can complain to your data protection regulator. Depending on where you are, that may be:
- the Data Protection Commissioner of Barbados, the regulator for our home jurisdiction, who can take a complaint from anyone about how we handle data
- the Information Commissioner's Office in the United Kingdom
- your national supervisory authority in the EU or EEA
- the Nigeria Data Protection Commission
- the California Privacy Protection Agency or the California Attorney General
- the data protection authority or ombudsman in your own country
We would rather you came to us first, but you do not have to.
How you can stop the marketing
Every marketing email we send has an unsubscribe link, and it works. You can also just tell us on WhatsApp or by email and we will take you off the list. We do not send unsolicited messages, and we do not add people to our marketing list who did not ask to be there.
How we keep it safe
We take security seriously and we do the following:
- our website and our systems run over encrypted connections
- our own database is self-hosted on infrastructure we control, not left on a shared consumer service
- access to customer records is limited to the people who need it to do their job
- our service providers are chosen partly on their security posture and are bound by contract
- we monitor our systems for unusual activity and we review access periodically
No system anywhere is perfectly secure, and anyone who tells you otherwise is selling something. If a security breach ever puts your information at real risk, we will tell the relevant regulator within the time the law allows, and we will tell you directly and plainly where the law requires it or where you would want to know.
Certifications: we make no claim to hold any security certification. If we obtain one, we will say so here.
Children
Our products are professional supplies sold to adults in a trade. Our website and our services are not intended for anyone under 18, and we do not knowingly collect information from children.
If you believe a child has given us their information, email [email protected] and we will delete it.
Cookies and the Meta Pixel
Our website uses cookies and the Meta Pixel. These are covered in a separate document, our Cookie Policy, which explains what each one does, how long it lasts, and how to turn the optional ones off.
Automated processing
Two things on our side are automated, and we want both on the record:
- The AI assistant, Lilly, described above, reads and replies to your chat messages.
- The Meta Pixel helps Meta's advertising systems decide who sees our advertisements. That is profiling for advertising purposes, and it runs only if you consent to advertising cookies.
Neither of these makes a decision about you that has a legal effect or a similarly significant effect. We do not use automated systems to approve or refuse credit, to set your prices, or to decide whether you can be a distributor. People make those calls.
If you ever believe an automated process has produced an outcome you want reviewed, email us and a human will look at it.
Changes to this policy
If we change this policy we will update the date at the top. If the change is significant, for example a new purpose for your information or a new category of recipient, we will tell you directly rather than quietly editing the page.
Questions
Questions about your data? Email [email protected] or message +1 562 548 7272. A person will answer.
Placeholder summary
Every item below needs a real answer before this policy can be published. Nothing here has been invented.
| # | Placeholder | What is needed | Who decides |
|---|---|---|---|
| 1 | Last updated date | The date of approval and publication | Proprietor |
| 2 | Registered office address | Full registered office address in Barbados | Proprietor |
| 3 | SRL registration number | The Barbados society registration number | Proprietor |
| 3a | Subsidiary registered names | Exact registered names of the Hong Kong and Guyana subsidiaries | Proprietor |
| 3b | Fulfilment location ownership | For the US, Middle East and Malaysia hubs, confirm group-operated or third-party vendor. Panama is confirmed as a third-party vendor | Proprietor |
| 3c | Panama vendor processor contract | Confirm a signed data processing agreement exists with the Panama 3PL, and whether the vendor is named in the policy | Proprietor, then counsel |
| 4 | Data protection contact | A name or a role title for privacy enquiries. GDPR Article 13 and the NDPA both expect a contact point | Proprietor |
| 5 | Payment data handling | Confirm how payments are taken and whether card or bank data ever touches LNC systems | Proprietor, then counsel |
| 6 | AI service provider name | Which model provider processes chat message content through Lilly | Proprietor, then counsel on whether it must be named publicly |
| 7 | Brevo processing region | Confirm the region Brevo processes in | Proprietor or technical team |
| 8 | Hetzner region | Germany, Finland or United States | Technical team |
| 9 | Transfer safeguards | Which mechanism actually exists for each fulfilment hub and each processor, and whether Standard Contractual Clauses have been signed | Counsel. This is the largest open item. |
| 10 | Retention: enquiries | Confirm or change the proposed 24 months | Proprietor |
| 11 | Retention: customer and order records | The statutory accounting retention minimum under Barbados law | Counsel |
| 12 | Retention: consent records | How long after marketing stops | Counsel |
| 13 | Retention: chat conversations | Confirm or change the proposed 24 months | Proprietor |
Matters that genuinely require a lawyer, stated plainly
These are not placeholders that can be filled by looking something up. They are legal judgment calls, and I am not able to make them.
- Does LNC Professional need an EU representative under GDPR Article 27, or a UK representative under UK GDPR? If the business offers goods to people in the EU or UK without being established there, a representative is generally required, and the representative's details must appear in this policy. There is currently no such appointment and none has been assumed. Counsel must decide, and if the answer is yes, this policy needs a new section.
- Does the business meet the thresholds that make California's CCPA and CPRA apply? Note the basis carefully: LNC NSI Barbados SRL is not a US company and is not incorporated in the United States. Any US exposure arises from two facts instead, and counsel should reason from those: some products ship from the United States, and the principal is a US citizen. Doing business in California is what triggers the CCPA, not incorporation, so shipping into the state can be enough if the revenue or volume thresholds are met. The rights section has been written to honour CCPA-style rights regardless, which is the safer posture, but formal applicability affects other obligations such as the required "Notice at Collection" and specific homepage link wording.
2a. The Barbados Data Protection Act 2019 is now the home regime and needs its own assessment. It is GDPR-modelled and includes a registration requirement for data controllers and processors with the Data Protection Commissioner. Counsel must confirm the Act's current commencement and enforcement position and whether LNC NSI Barbados SRL is required to register. I am not able to verify the in-force status of specific Barbadian provisions from here, and I will not assume it either way. If registration is required, that is an action item, not just a policy edit.
- Nigeria's NDPA. Nigeria is currently the largest source of enquiries. The NDPA has registration obligations for data controllers of major importance and specific requirements around data protection compliance audits. Counsel should assess whether LNC NSI Barbados SRL meets the "major importance" threshold, because that triggers registration with the Nigeria Data Protection Commission.
- Whether the AI assistant disclosure is sufficient in every target market. The disclosure written here is honest and prominent, which is the right instinct. Some jurisdictions are moving toward mandatory, specific AI interaction disclosure, and the EU AI Act's transparency obligation for systems interacting with people is the clearest example. Counsel should confirm the wording meets it.
- The correct legal characterisation of each fulfilment location. This is now partly answered and partly open. Panama is confirmed as an independent third-party logistics vendor, so it is a processor and requires its own signed data processing agreement plus a transfer mechanism in its own right. The US, Middle East and Malaysia locations are still unconfirmed. Group companies (Hong Kong, Guyana) are a different case again, since intra-group transfers can be covered by binding internal arrangements rather than vendor contracts. Counsel should settle each one, because the contracts required differ in each case.
- Whether the Barbados position changes the EU representative analysis. Barbados is not covered by an EU adequacy decision, and a Barbadian controller selling into the EU is exactly the "not established in the Union" scenario Article 27 contemplates. This makes item 1 above more likely to bite, not less. Counsel should treat it as a live question rather than a formality.
Implementation notes
Practical steps to make this policy real rather than decorative.
Live issue on the advertising landing page, needs fixing now
This one is not a future task. It describes the page as it currently runs, while paid traffic is going to it.
The page: api.eiccio.net/eden/v1/lncpro/stock, the landing page Meta traffic ads point to, and the only working route from a paid ad into a WhatsApp conversation with Lilly.
What is wrong with it today:
- The Meta Pixel loads unconditionally on page load. It fires before the visitor has been asked anything and regardless of what they would have chosen. There is no consent gate in front of it.
- There is no privacy policy link on the page at all. A visitor who lands there from an advertisement has no route to find out what happens to their data.
- There is no cookie banner, so there is no consent record for the Pixel and no way for the visitor to decline.
Why it matters more than it looks. Paid traffic is running to this page right now, including to EU-adjacent and Nigerian audiences. Every visit is a live instance of the problem, not a theoretical one. It is also a Meta advertising policy exposure independent of data protection law, because Meta requires advertisers using the Pixel to disclose it and to provide a privacy policy. This page is where the enforcement risk is highest and the fix is cheapest.
What specifically must change before this page is compliant:
- Add a Privacy Policy link and a Cookie Policy link in a visible position on the page, not only in a footer the visitor has to scroll for. These must be the stable published URLs.
- Stop the Pixel from firing on page load. The Pixel script must be loaded conditionally, only after an affirmative consent choice. Removing it from the initial page render and injecting it on consent is the change, not simply adding a banner above it.
- Add the consent banner with equally prominent Accept and Reject controls, and store the choice so the visitor is not asked repeatedly.
- Add the form notice and marketing checkbox from the consent wording document, since this page carries a lead capture path into WhatsApp.
- Add the AI assistant disclosure at the point where the visitor is invited to tap through to WhatsApp, so they know before they start the conversation that Lilly is automated.
- Re-scan the page after the change in a clean browser profile with consent declined, and confirm no Meta Pixel request leaves the browser.
Interim position, stated honestly. Until the Pixel is gated, the accurate description of the current state is that advertising cookies are set without consent. Publishing a cookie policy that says optional cookies "only run if you say yes" while this page fires the Pixel on load would make the policy inaccurate on its first day. Either fix the page before publishing, or publish and fix the page in the same change window. Publishing the policy alone would create a documented gap between what we say and what we do, which is a worse position than the one we are in now.
Where the links must sit
- A Privacy Policy link in the footer of every page of lncpronails.com, including the
/stocklanding page used by the Meta traffic ads. A policy that is not reachable from an ad landing page is a live advertising compliance risk with Meta, not just a legal one. - A Cookie Policy link in the footer, and also inside the cookie banner itself.
- A link next to the submit button on every lead form, in the consent text, not buried elsewhere on the page.
- Both policies should sit at stable URLs, suggested
lncpronails.com/privacyandlncpronails.com/cookies, so they can be referenced from Meta's Business Manager, from Brevo footers, and from WhatsApp Business profile fields without breaking. - Meta requires a privacy policy URL for app review and for the Pixel. Use the stable URL, not a page that might be regenerated.
Do we need a cookie consent banner?
Yes. The Meta Pixel makes this unavoidable.
- The Pixel is not strictly necessary for the website to function, so under the EU ePrivacy Directive and UK PECR it requires prior consent. Prior means the Pixel must not fire until the visitor agrees.
- A banner that only says "we use cookies, by continuing you agree" is not valid consent in the EU or UK. The banner needs a genuine Accept and Reject at the same level of prominence, with reject being just as easy as accept.
- Practically, the Pixel script must be conditionally loaded based on the consent choice. Placing the banner on the page while the Pixel fires on load regardless is the single most common failure, and it is worse than having no banner because it documents the intent to comply while not complying.
- Geo-gating the banner to EU and UK visitors only is a defensible commercial choice, but given the target markets include the EU and UK and given Nigeria's NDPA is also consent-oriented, a single global banner is simpler to operate and harder to get wrong.
- The consent choice must be recordable and revocable. Provide a persistent "Cookie settings" link in the footer so a visitor can change their mind.
What the form consent checkbox must record to be defensible
A consent record is only worth something if it can answer a regulator's question: "prove this person agreed, and show me exactly what they agreed to." Store all of the following against every lead, in the PostgreSQL record and mirrored to Airtable:
- Timestamp of the submission, in UTC, with timezone recorded.
- The exact consent wording shown, stored verbatim, or a version identifier pointing to an immutable copy of that wording. If the wording changes later, old records must still show what the old wording said.
- Which boxes were ticked, stored separately. Marketing consent and the enquiry submission are two different things and must never share one checkbox.
- The unticked default. Pre-ticked boxes are invalid consent under the GDPR. The stored record should reflect an affirmative action by the person.
- The page or URL the form was submitted from.
- The ad campaign identifier the lead arrived from, which is already being captured.
- The IP address at submission, or a truncated form of it, as evidence of the act. Keep this for the consent proof period only.
- The consent version of the privacy policy in force at that moment.
Two operational rules that make the record hold up:
- Marketing consent must be separately withdrawable without deleting the enquiry record. Store it as its own field with its own timestamp, and record the withdrawal timestamp too rather than overwriting.
- Do not treat a WhatsApp message as marketing consent. Someone messaging to ask about a product has consented to a reply, not to a newsletter. Adding them to the Brevo list on that basis is the most likely source of a future complaint, and it is also the fastest way to damage sender reputation on [email protected].