Forma Brands Job 

Applicant Privacy Statement 

LAST UPDATED: MARCH 1, 2026 


INTRODUCTION 

FORMA BRANDS, LLC (“FORMA BRANDS,” “Forma,” “we,” “us,” and “our”) is a 

cosmetics retailer with worldwide operations. This privacy statement (the “Privacy Statement”) describes the privacy practices of Forma as they relate to the collection, use, and sharing of Personal Information relating to applicants for employment with Forma ( “you”). 

In this Privacy Statement the term “Personal Information” means any information from, or about you that either identifies you directly or that makes you identifiable when it is combined with other information from, or about, you from any source. You agree that this Policy applies to you as an individual and is separate from, and does not amend or modify, any contractual arrangements between you or your organization and us, nor create any rights in you under any such contract. 



SOURCES OF PERSONAL INFORMATION WE COLLECT 

We may collect Personal Information about you in several ways and from several sources. We collect Personal Information directly from you automatically when you visit a Forma website as described in the website privacy policy (the “Sites”) and from third parties. We also create Personal Information about you in the context of a prospective employment relationship. The following explains the types of Personal Information under each of these categories of sources. 


Personal Information Collected Directly from You: 

We, and service providers working on our behalf, collect Personal Information from you directly as part of the job application process. This includes, but is not limited to, collection done on a voluntary basis. You are not required to provide this Personal Information, unless it is necessary for us to collect it to comply with our legal obligations. 


Personal Information Collected Automatically: 

We, and entities working on our behalf, collect information from you when you use the Sites that may, alone or in combination with other information, constitute Personal Information. In compliance with applicable laws, we may monitor the use of our premises, equipment, devices, computers, network, applications, software, and similar assets and resources which may result in the collection of Personal Information about you. This monitoring may include the use of cameras in and around our premises or electronic monitoring technologies via our networks in compliance with applicable laws. Monitoring will be done in a manner that is proportionate to the purposes for which such monitoring is undertaken and only as required or permitted by applicable law. 


Personal Information Collected from Third Parties: 

We collect Personal Information about you from third parties in connection with your employment, professional social networking sites such as LinkedIn, application providers, and other data providers for purposes of processing and considering your job application and for other purposes stated below. 


Personal Information Created About You: 

We collect or create Personal Information about you based on our interaction with you as a job applicant such as from interview notes, electronic communications, performance information, and wage information. 


CATEGORIES OF PERSONAL INFORMATION COLLECTED 

The following are the categories of Personal Information we collect, and examples of the Personal Information that fall into those categories: 

  • Contact Information, Identifiers and demographic data: Name, email address, phone number, unique personal identifiers, mailing address, IP-address,: Audio and visual information: Videos, photos, or voice recordings if you provide them in connection with your application, use video or phone interviewing as part of the application process, or if you have publicly available social media profiles).  
  • Sensitive Data:, information about race, national origin, disability, sex, etc. 
  • Professional or employment-related information: Evaluations, skills, membership in professional organizations, professional certifications, and employment history; training forms, performance assessments, and test responses; employment history, educational history, and job applications. 
  • Education Information: Information related to your education including academic credentials, GPA, activities or sports, or other similar background information.  
  • Event Information: Dietary restrictions, travel and accommodation details, and other details specific to a particular recruiting interview, meeting or other event. 
  • Public Social Media Pages: Information that you post on social media. 
  • Work Authorization and Clearances: Work authorization status and relevant visa or other immigration information. 
  • Internet or other electronic network activity information: Information regarding your interaction with the Sites and other applications; precise geolocation information; links you use or web pages you visit while visiting Sites; browser type; internet service provider (ISP); cookies or similar technologies; and mobile device information including device identifier or other information. More information about the types of cookies we collect can be found in our cookie policy. 
  • Protected characteristics under California or federal law: Race, color, ancestry, national origin, citizenship, , sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, marital status, age, medical condition, physical or mental disability, veteran or military status. 
  • Sensory or Surveillance Data: On-premise monitoring in our offices and other workplace facilities (images, video), audio/visual recordings of interviews. 
  • Other Information: any other information you otherwise elect to provide to us. 


USE OF PERSONAL INFORMATION ABOUT YOU 

We use Personal Information collected from or about you for specific, authorized business purposes including to: 

  • Comply with legal requirements, assist in an investigation, comply with requests from regulatory and law enforcement authorities, and meet contractual obligations; 
  • Maintain and improve our cybersecurity program and our awareness of evolving threats; Investigate and respond to cybersecurity and privacy incidents; 
  • Verify compliance with our internal policies and procedures; 
  • Communicate with you via email, mail, or other methods about Forma, benefits, wages, job opportunities, technology or services offered, or other information relevant to employment status; 
  • Conduct studies to maintain, protect and develop our networks, tools, services, and products; 
  • Protect the safety and security of our business, services, and Sites including to prevent suspected fraud, threats to our network, or other illegal activities, or prevent misuse or for any other reason permitted by law; 
  • Exercise, establish, or defend our legal rights; 
  • Analyze employment data, and forecast workforce trends at the aggregate level; 
  • Carry out other activities required in the normal course of our prospective employment relationship with you. 


DISCLOSURE OF PERSONAL INFORMATION ABOUT YOU 

We may disclose Personal Information about you to our affiliate entities for specific, authorized business purposes consistent with the uses described in this Privacy Statement. We may also share Personal Information about you with third parties such as service providers, as described below. 

We may share Personal Information with the following categories of third parties for specific, authorized business purposes or as required or permitted by law: 

  • Service providers/vendors: Personal Information may be shared with service providers that perform services on our behalf to carry out the uses of Personal Information described above in the section titled “Use of Personal Information About You.” This may include the provision of services such as payroll support, benefits, tax and travel management, employment eligibility verification, health and safety experts, and relocation companies. Most of these entities are contractually bound to use the Personal Information they receive only for the purposes of fulfilling their contractual obligations. 
  • Professional Advisors: We may disclose your Personal Information to our professional advisors such as our attorneys, accountants, financial advisors, etc. 
  • Third parties or business partners in connection with business transaction: Personal Information may be disclosed to business partners in connection with a business transaction or to third parties in relation to a corporate transaction, such as a merger, sale of any or all of our company assets or shares, reorganization, financing, change of control or acquisition of all or a portion of our business by an affiliate or third party, or in the event of a bankruptcy or related or similar proceedings. 
  • Law enforcement, regulators and other parties for legal or contractual reasons: Personal Information may be disclosed to third parties, as required by law or subpoena, or if we reasonably believe such action is necessary to: 
  • Comply with the law and the reasonable requests of regulators, court orders, law enforcement, or other public authorities, such as a subpoena, government audit, or search warrant; 
  • Comply with Diversity Equity, and Inclusion (“DE&I”) obligations; 
  • Manage legal claims asserted against us; 
  • Comply with a contract or as necessary to establish, exercise or defend against potential, threatened, or actual litigation; 
  • Protect us, your vital interests, or those of another person; and 
  • Investigate fraud or to protect the security or integrity of our Sites or any products or services that we offer. 


RETENTION OF PERSONAL INFORMATION 

We retain Personal Information about you for as long as it is needed for the purposes 

described above in “Use of Personal Information About You,” or as otherwise required by law. Generally, this means we will retain Personal Information about you until the end of either your job application process or, if applicable, your employment with us, as well as a reasonable period of time after that where necessary to respond to any employment inquiries, deal with legal, tax, accounting or administrative matters, or to provide you with ongoing pensions or other benefits. Where we have no continuing legitimate business need to process Personal Information about you, we will either delete or anonymize it or, if this is not possible (for example, because Personal Information has been stored in backup archives), then we will securely store Personal Information about you and isolate it from any further processing until deletion is possible. 



ACCESSING, MODIFYING, AND DELETING PERSONAL INFORMATION ABOUT YOU 

It is important that the Personal Information contained in our record is both accurate and current. 

You may have certain rights with regard to our collection, use, and disclosure of your Personal Information, subject to applicable law. Those rights may include: 

  • Requesting information about, and access to, the Personal Information that we collect from you; 
  • Asking questions or making complaints about our privacy and data security policies and practices as they apply to your Personal Information; 
  • Asking us to correct, update, or delete information that we have collected about you; 
  • Asking for a copy of the information that we have collected from you; 
  • Asking about the third parties who have received your Personal Information; and 
  • Contacting us and receiving a response in a reasonable amount of time to questions or complaints about your Personal Information or our privacy and data security policies and procedures. 

If Personal Information about you changes during the application process, please keep us informed of such changes. Job applicants may verify or correct Personal Information by contacting us directly at 

morphe.privacy@formabrands.com. 


SECURITY 

The security of Personal Information is important to us. We use a combination of reasonable technical, administrative, and physical safeguards designed to protect Personal Information. 

Please note that we do not warrant or represent that Personal Information about you is completely secure. Please be reminded that you are also responsible for taking reasonable steps to protect Personal Information about you against unauthorized disclosure or misuse and to follow and implement all policies and practices to protect Personal Information collected by us. 


Children’s Personal Information 

We do not employ individuals under the age of 18 and we do not knowingly collect Personal Information from such individuals. 


CONTACTING US 

If you have questions or concerns about our practices relating to Personal Information, please contact us at morphe.privacy@morphe.com. 


CHANGES TO THE PRIVACY STATEMENT 

We may, from time to time, make updates or changes to this Privacy Statement as a result of changes in applicable laws or regulations or because of changes in our practices relating to Personal Information. The Last Updated-legend at the top of this page shows when this Privacy Statement was last revised. 


ADDITIONAL PRIVACY NOTICE FOR CALIFORNIA RESIDENTS 

Job applicants who are residents of California have certain additional rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act and accompanying 

regulations (collectively, the “CPRA”). This Additional Privacy Notice applies only to job applicants and candidates for employment who are residents of the State of California (“Consumers”) and from whom we collect “Personal Information” as defined in the CPRA. We provide you this Notice because under the CPRA, California residents who are job applicants qualify as Consumers. For purposes of this Notice, when we refer to Consumers, we mean you only to the extent you are a job applicant who resides in California. 

This Privacy Notice describes the Personal Information we collect or process about job applicants who are California residents in connection with their job application, as well as how we use, disclose, and protect that Personal Information. This Privacy Notice also outlines the rights you have with respect to Personal Information that we collect or process.  


Supplemental Disclosures: 

In the past 12 months, we have collected Personal Information discussed above in section III “Categories of Personal Information Collected.” The chart below sets forth the categories of third parties to which we disclosed Personal Information for our operational business purposes within the preceding 12 months and the purposes for such disclosures. 

Category of Personal Information 

Categories of Third Parties to whom the information is disclosed for Operational Business Purposes 

Business Purpose for Disclosure 

Contact Information, Identifiers and demographic data: Information such as name; email address; phone number;  unique personal identifiers; mailing address; and IP-address; 

Affiliates; service providers/vendors; professional advisors; third parties in connection with contractual obligations. 

Process your employment application; conduct HR functions. 

Personal Characteristics: Information such as your ; race; sex; citizenship;; veteran or military status; physical or mental disability;. 

Affiliates; vendors; third parties in connection with contractual obligations. 

Satisfy our contractual obligations. 

Professional or employment-related information 

This may include evaluations, skills; membership in professional organizations; professional certifications; and employment history;; training forms; performance assessments; test responses; employment history; drug testing; work authorization and clearances. 

Affiliates; vendors; professional advisors 

Process your job application. 

Education information: 

Education records such as professional; or employment- related information included in locations such as a resume/CV, social media profiles, and job applications. 

Affiliates; vendors; professional advisors; legal authorities, government agencies and regulators; third parties in connection with contractual obligations. 

Process your job application; satisfy our contractual obligations. 

Internet or other electronic network activity information: 

Information regarding your interaction with our Sites and other applications; precise geolocation information; links you use or web pages you visit while visiting our Sites or other applications; browser type; internet service provider (ISP); cookies; and mobile device information including device identifier or other information. 

Affiliates; vendors; professional advisors; legal authorities, government agencies, and regulators. 

To ensure compliance with company policies; to create and maintain cybersecurity controls; to ensure compliance with legal obligations. 

Sensitive Personal Information 

Please note that some of this Personal Information qualifies as Sensitive Personal Information under the CPRA. In the past 12 months, we have collected and/or disclosed the following categories of Sensitive Personal Information directly from job applicants: 

  • Social Security Numbers, , state identification card information, and passport number; 
  • Precise geolocation information; 
  • Health information; 
  • Information regarding sexual orientation; 
  • Biometric data used for the purpose of identifying a unique individual; 
  • Racial or ethnic origin; and 
  • The contents of an individual’s mail, email, and text messages unless the business is the intended recipient of the communication; 

We may use this Sensitive Personal Information for purposes outlined in this Privacy Statement and ensuring the security and integrity of our business, infrastructure, and the individuals we interact with. We do not use or disclose Sensitive Personal Information for purposes other than that which is necessary and proportionate to accomplish the objectives set forth in Cal. Code Regs. tit §7027(m). 

Note that we have neither “sold,” nor “shared” job applicant Personal Information in the past 12 months as the terms are defined by the CPRA. 


Your CPRA Rights 

Under the CPRA, individuals who are California residents have specific rights regarding their Personal Information. These rights are subject to certain exceptions. When required, we will acknowledge your request within 10 business days of receipt and respond to most requests within 45 days unless it is reasonably necessary to extend the response time. In the event that we require more time to respond, we may take an additional 45 days to respond. 

Right to Disclosure of Information: You have the right to request that we disclose certain information regarding our practices with respect to Personal Information. If you submit a valid and verifiable request and we confirm your identity and/or authority to make the request, we will disclose to you any of the following at your direction: 

  • The categories of Personal Information we have collected about you in the last 12 months. 
  • The categories of sources for the Personal Information we have collected about you in the last 12 months. 
  • Our business or commercial purpose for collecting that Personal Information. 
  • The categories of third parties with whom we share that Personal Information. 
  • The specific pieces of Personal Information we collected about you. 

Right to Delete Personal Information: You have the right to request that we delete any of your Personal Information collected from you and retained, subject to certain exceptions. Upon receiving a verified request to delete your Personal Information, we will do so unless otherwise authorized by applicable law or regulations, or unless it is necessary to retain the Personal Information to protect our rights or the rights of others. 

Right to Correct your Personal Information: If you find that we maintain any inaccurate Personal Information, you have the right to request that we correct such inaccuracy. 

Right to Opt Out of the Sale or Sharing of Your Personal Information: 

You have the right to opt-out of the sale or sharing of your Personal Information as such terms are defined by the CPRA. 

Note that we do not sell or share job applicant Personal Information as such terms are defined by the CPRA. 

Right to Non-Discrimination: You have the right not to be discriminated against for the exercise of your California privacy rights described above. 


How to Exercise these Rights 

If you wish to submit a request to exercise one or more of the rights listed above you can do this by emailing us at morphe.privacy@morphe.com or by using our webform. 

In order to protect your privacy and the security of your information, we verify consumer requests by requesting identification documents and other documentation necessary to confirm your identity to the extent permitted by law. Any additional information you provide will be used only to verify your identity and not for any other purpose. 

Authorized Agents 

If you want to make a request as an authorized agent on behalf of a California resident, you may use the submission methods noted above. As part of our verification process, we may request that you provide, as applicable, proof concerning your status as an authorized agent. In addition, we may require the individual on whose behalf you are making the request to verify their own identity or your permission to submit the request.