Enable Accessibility
Enable Accessibility
The page navigation is complete. You may now navigate the page content as you wish.
Skip to main content

Privacy Notices

American Eagle Outfitters Global Privacy Notice


This Global Privacy Notice is effective as of October 9, 2023, and applies to our customers outside of North America.

This Global Privacy Notice (this "Notice") explains how data about you is collected, used and disclosed by American Eagle Outfitters, Inc., a company incorporated under the laws of Delaware (United States of America) and our affiliates and subsidiaries, including AEO Management Company (collectively, "AEO", "we", "us", or "our").

We are responsible for the processing of your Personal Data (as defined below) that we collect or receive from you, as a data controller (includes other similar terms under applicable privacy laws). This Notice applies to data we collect when you access or use our technology platforms (including, without limitation, our websites, mobile applications and other AEO-controlled or related properties that link to this Notice; collectively, the "Platforms"), shop in our stores, engage with us via social media, or when you otherwise interact with us.

In some locations, we have partnered with third parties to operate AEO-branded stores, websites and apps, to promote and sell our products and services, and to fulfill orders (“Retail Partners”). Retail Partners will collect and process Personal Data about you, subject to their own privacy policies, which they make available to you when you make a purchase from, visit a website operated by, or otherwise interact with such Retail Partners. This Notice also applies to our processing of any Personal Data that we may receive from one of our Retail Partners.

Please read this Notice completely (before providing us with your Personal Data or otherwise interacting with us or any Retail Partner or a third party that refers to this Notice in its privacy policy) to understand how we collect, use and disclose your Personal Data. We may supply different or additional notices on how we process Personal Data specific to certain programs or activities. We may also provide different notices on how we process Personal Data with respect to certain subsidiaries or affiliates, in which case this Notice will not apply. This Notice does not apply to job applicants and candidates who apply for employment with us, or to employees and non-employee workers in the context of our working relationship with them.

QUICK GUIDE TO CONTENTS

1. COLLECTION OF PERSONAL DATA.

2. PURPOSES AND LEGAL BASES FOR PROCESSING PERSONAL DATA.

3. DISCLOSURES AND SHARING.

4. YOUR RIGHTS AND CHOICES.

5. SECURITY AND RETENTION.

6. INTERNATIONAL TRANSFERS OF PERSONAL DATA.

7. CHANGES.

8. CONTACT US.

9. ADDITIONAL INFORMATION FOR CERTAIN JURISDICTIONS.

1. COLLECTION OF PERSONAL DATA.

a) Definition of Personal Data

In this Notice, our use of the term "Personal Data" includes other similar terms under applicable privacy laws—such as "personal information" and "personally identifiable information." In general, "Personal Data" includes any information relating to an identified or identifiable natural person, such as name, e-mail address, telephone number, home address, or payment data (e.g., account data or credit card number).

b) When do we collect your Personal Data?

We may collect Personal Data when you interact with AEO, any of our brands, or Platforms, such as when you:

• Purchase, return, reserve or try-on merchandise at one of our stores or through our Platforms;

• Consent to receive our promotional email, SMS/text messages, or other communications;

• Visit, use, and/or register through our Platforms;

• Information from your emails, texts, chats, video calls and voice calls with our sales associates;

• Visit our stores;

• Consent to our use of cookies;

• Participate in our contests, sweepstakes or promotions;

• Participate in one of our surveys or other customer research;

• Consent to the collection and processing of your location data;

• Purchase gift cards for others; and

• Contact or visit our Customer Service Department, or otherwise contact us or one of our service providers with a comment, question or complaint.

In addition, we may collect and receive Personal Data about you from third parties, including our Retail Partners, vendors and service providers. For instance, we may engage vendors and work with other partners to provide services to us or to you on our behalf (such as payment processors, cloud hosting and service providers). As noted above, we work with Retail Partners to make our products and services available in certain locations. These Retail Partners may be responsible for processing orders, communicating with customers and handling returns in their respective locations, and they may provide us with customer Personal Data including, but not limited to, name, contact information, demographics, purchase history and marketing preferences.

When we collect your personal data we will indicate whether it is optional or mandatory for you to provide specific types of Personal Data. The collection of some Personal Data is mandatory for the purposes described in this Notice. If you do not provide us such mandatory Personal Data, we may not be able to administer and manage our relationship with you (such as communicate with you or perform our contract with you), which in some cases may mean we are unable to continue with your engagement with us if applicable, or we may be prevented from complying with our legal obligations.

2. PURPOSES AND LEGAL BASES OF PROCESSING PERSONAL DATA

While the purposes for which we may process Personal Data will vary depending upon the circumstances, in general, we use Personal Data for the business purposes set forth in this section.

In this section, we also explain the purposes for which we collect and process your personal information, as well as the legal bases upon which we process Personal Data, as required by certain privacy laws, such as the EU General Data Protection Regulation (the "GDPR"), UK Data Protection Act 2018, Bahrain Personal Data Protection Law No. 30 of 2018 (“PDPL”), Brazilian General Data Protection Law (the "LGPD"), Hong Kong Personal Data (Privacy) Ordinance ("PDPO"), and the Personal Information Protection Act of Korea (the “PIPA”), and the Singapore Personal Data Protection Act 2012 (“PDPA”).

a) Legal bases of processing under certain privacy laws

Pursuant to the GDPR and other relevant privacy laws, in general, we process your Personal Data on the following legal bases:

• Performance of our contract with you: The Personal Data we collect may be used to perform our agreements with you, including our Terms of Use and other terms and conditions applicable to the Platform you use.

• To comply with a legal obligation to which AEO is subject: The Personal Data we collect may be processed in order to comply with the law and our legal obligations.

• For our legitimate business interests: We may process Personal Data in furtherance of our legitimate business interests in protecting, maintaining and improving the Platform; developing new Platforms, features and services; marketing and promoting our products and Platforms (including by profiling and marketing); protecting our legal rights and interests; in support of mergers, acquisitions, reorganizations and other business transactions; and to generally operate and improve our business.

• With your consent: We may process Personal Data about you based on your consent, for example to send you marketing communications, surveys, news, updates and other communications. Where required by applicable law, AEO will obtain your consent to this Notice and our collection, use and disclosure of your Personal Data. You may be able to withdraw your consent at any time in accordance with applicable laws; please see Section 4. Your Rights and Choices below for information on how to withdraw your consent.

b) How we collect, use and process Personal Data

Below we describe how we may collect and for what purposes we use Personal Data, including, where applicable, Personal Data we receive from third parties, for example Retail Partners.

i. Purchasing, returning, reserving or trying-on merchandise

When you purchase or return merchandise through one of our stores or through our Platforms, we collect and use the Personal Data that you provide, such as your order, postal address, email address, age and payment information, for the purposes of fulfilling your order, processing your return, and updating you on the status of your order/return. When you reserve or try-on merchandise in-store, we may collect Personal Data such as your name, telephone number, email address, location and the items you wish to reserve or try-on for the purposes of fulfilling your request.

Where applicable, the processing of your Personal Data for these purposes is necessary for the performance of a contract with you. We also use this Personal Data collected as necessary for our legitimate interests, including fraud detection, improving the Platforms and business operations, information security purposes, monitoring our sales, and aggregate analytic modeling.

ii. Promotion/marketing

We may send promotional/marketing communications, ads and other information about our products, services, news, offers, promotions and events (e.g. contests, sweepstakes and surveys) which we think may be of interest to you via direct mail and email and other electronic means. We process your Personal Data for these purposes, and we obtain your consent to send you direct marketing communications. You may unsubscribe from these communications by following the instructions in the message. If you have any questions about unsubscribing from our messages or would like assistance in unsubscribing from promotional messaging, please contact us as outlined below.

Where applicable pursuant to relevant privacy laws, our processing of your Personal Data for marketing and promotional purposes is based on your consent.

iii. Platform use

If you choose to visit, use, and/or register with one of our Platforms, we process the information that you provide, such as your name, email address, date of birth, shipping/billing address, credit card and account-related data for the purposes of administering and securing your account on our Platforms. Please note, when registering an account, you will be prompted to provide certain information. If you do not provide shipping, billing or credit card information upon account registration, we will automatically save this information to your account when subsequently provided, including upon your completion of an order. If you would like to revise this information, please access your account at any time.

Where applicable, the processing of your Personal Data for these purposes is as necessary for the performance of a contract with you. We also use this Personal Data collected as necessary for our legitimate interests. These legitimate interests are namely improving our Platforms and business operations, information security purposes, monitoring our sales, and aggregate analytic modeling.

iv. Cookies

Most of the Platforms use cookies and other automated technologies to collect certain information about the use of the Platforms and to provide certain features on our Platform. For example, these technologies may be used as analytics tools to understand what users like on our Platform, to improve our Platforms and to deliver personalized content (e.g. targeted advertisement). Most of the websites that AEO manages or controls include a Cookie Notice (accessible, for example, through the “Cookie Notice” link in the footer of the website), which contains more information about our use of cookies and similar technologies.

Where applicable, the processing of your Personal Data for this purpose is based on your consent and in compliance with applicable legal requirements.

v. Sweepstakes/contests/promotions

We process the Personal Data that you provide if you choose to participate in one of our contests, sweepstakes or promotions for the purposes of conducting them and communicating with you, all as further described in the

respective terms and conditions. Where applicable, the processing of your Personal Data for these purposes is as necessary for the performance of a contract with you.

If you consent, we may also process your photo and/or video recorded at any relating event where you participate. The processing of your Personal Data for this purpose is then based on your consent.

vi. Customer surveys and other customer research

If you consent, we process the Personal Data that you provide if you choose to participate in one of our customer surveys or other research tools to analyze and better understand how customers like you interact with our brands.

Where applicable, the processing of your Personal Data for this purpose is based on your consent.

vii. Location data

When you navigate to any of the Platforms, we use location information to tailor your user experience and provide relevant content. Specifically, we use your device’s address and location information to geo-locate you to a default country, and we also use it to provide relevant store location, shipping, and product selection pages. Additionally, when you first launch any of our mobile applications, you will be asked to consent to the application’s collection of location data. We use this information to provide you with information about nearby stores/locations; products, their availability/location, or reserved items; and special offers and promotions.

Where applicable, the processing of your Personal Data for this purpose is based on your consent.

If you initially consent to our mobile application’s collection of this location data, you can subsequently change the collection of this data at any time by changing the preferences on your device. You may also stop our collection of location data by following the standard uninstall process to remove all of our mobile applications from your device.

viii. Gift cards for others

In certain circumstances, we may also collect Personal Data that you provide to us regarding other people. For example, you may provide us with the name and address for a gift recipient. When you provide us with this Personal Data, we use it for the purposes of processing the shipment. We rely on you to obtain any necessary information from the intended recipient for our use of their Personal Data for these purposes. You are responsible for obtaining the informed consent of others whose Personal Data you provide.

As applicable, the processing of the gift recipient’s Personal Data for this purpose is as necessary for the performance of a contract with you.

Where the gift recipient has consented, we use their Personal Data to communicate with the intended recipient. As applicable, the processing of the gift recipient’s Personal Data for this purpose is then based on your consent.

ix. Customer Service

We process the Personal Data you provide to us when you contact our Customer Service Department (name, telephone number, email address, purchase details) for the purposes of reviewing any issues you raise and responding to you. Depending upon the nature of your query, we may request additional Personal Data for the purposes of verifying your identity (e.g. birth date or banking details). We may record the audio information in customer service telephone calls, and may save and store written customer service interactions such as chat and email, for quality and training purposes and to meet our legal obligations.

As applicable, the processing of your Personal Data for these purposes is as necessary for the performance of a contract with you.

x. Securing our business and complying with legal obligations

We may process Personal Data to secure and protect our business, defend our legal rights, and comply with legal obligations. In addition, we may process Personal Data for our internal auditing, reporting, corporate governance, and internal operations purposes.

As applicable, the processing of your Personal Data for these purposes is as necessary to comply with legal obligations and for our legitimate interests.

xi. Managing our relationships with others, including Retail Partners

We also process the above mentioned Personal Data to manage our relationship with vendors, Retail Partners, and third parties who assist us in providing our services or goods, for example, to ensure the proper performance of their tasks, to evaluate our work with them, and to ensure the smooth transition between different service providers or Retail Partners.

As applicable, the processing of your Personal Data for these purposes is as necessary for the performance of a contract with you, and/or as it is necessary for our legitimate interests, namely, improving business operations, monitoring our sales, and securing the proper performance of our service providers and Retail Partners.

3. DISCLOSURES AND SHARING OF PERSONAL DATA.

Except as described in this Notice, we will not share your Personal Data with third party controllers (i.e. third parties that use the Personal Data for their own purposes). We may, however, share aggregated, non-personal or anonymous data, which cannot be used to identify you, with third parties. We may also share your Personal Data in the following circumstances:

Your Consent to have Your Personal Data Shared: While utilizing our Platforms, you may have the opportunity to opt-in to receive information and/or marketing offers from third parties about goods or services they offer or to otherwise consent to the sharing of your data with a third party. If you agree to have your Personal Data shared, your Personal Data will be disclosed to the third party and the Personal Data you disclose will be subject to the privacy notice and business practices of that third party.

Third Parties Providing Services and Retail Partners: We may share your Personal Data with vendors that perform functions on our behalf or assist with our business operations to perform contracts with you, such as those that host or operate our Platforms, process transactions and payments, fulfill orders or provide customer service; or other third parties that provide internal promotional assistance, and analyze our data. Additionally, we may share your Personal Data with vendors that manage our credit card or analyze data, or advertisers and “powered by” partners who power product reviews on our products or services. We may also share your Personal Data with other third parties, including our Retail Partners, that we work with to send marketing, conduct advertising campaigns, and provide other promotional assistance. These third parties may assist us in marketing and advertising our products, services, news, offers, promotions and events (e.g. contests, sweepstakes and surveys) which we think may be of interest to you, via mail and via email and other electronic means. If we transition from one Retail Partner to another in a particular location, then we may transfer the Personal Data we received about you from our current or former Retail Partner to a new Retail Partner, or we may ask our current or former Retail Partner to transfer the Personal Data collected about you to the new Retail Partner.

AEO Group Companies: Your Personal Data may be processed by members of AEO group companies who assist us in marketing and advertising our products and Platforms), as well as for analytics, research and demographic studies, development, and to help us improve and tailor our Platforms. Our group companies are subject to this Notice when they use your Personal Data. AEO is responsible for managing the Personal Data that may be shared with AEO group companies.

Compliance with Legal Obligations: We may also disclose your Personal Data if we believe we are required to do so by law, or that doing so is reasonably necessary to comply with legal processes; when we believe it is necessary or appropriate to disclose Personal Data to law enforcement or other governmental or regulatory authorities or the courts (in any relevant jurisdiction worldwide), such as to investigate actual or suspected fraud or violations of law, breaches of security, or breaches of this Notice; to regularly exercise our rights in judicial, administrative or arbitration proceedings (as applicable in Brazil); to respond to any claims against us; and, to protect the rights, property, or personal safety of AEO, our customers, or the public.

Corporate Transactions: In addition, your Personal Data may be disclosed as part of any proposed or actual merger, sale, and transfer of AEO, assets, acquisition, bankruptcy, or similar event.

4. YOUR RIGHTS AND CHOICES.

This section describes the choices and rights you have with respect to your Personal Data and how to exercise them.

a) Opt-out of marketing communications.

You may opt-out of marketing emails by: (i) logging into your online account and updating your preferences; (ii) contacting us by phone, email or postal mail, or (iii) following the removal instructions in the communication that you received. If you opt out of direct marketing communications, we may to the extent permitted by applicable law still send you non-promotional communications, such as those about your account or our ongoing business relations. For example, if our service is temporarily suspended for maintenance, or your payment could not be processed, we might send you an email.

b) Withdraw your consent.

In all cases where we process your Personal Data based on your consent, you may withdraw consent for each individual purpose at any time without reasons. Please contact us via privacy@ae.com to withdraw consent.

c) Review and Correct your Personal Data.

Generally, registered account holders may review and update their profile information and communications preferences directly within their account. If you are not a registered account holder, require our help to exercise your rights or want to make a request regarding your Personal Data held by AEO, you may contact us as set forth below, in Section 8. Contact Us.

Submitting Requests. Privacy requests should be directed to the AEO‘s privacy team as set forth below in Section 8. Contact Us. Please keep in mind that certain services will not be available if you withdraw your consent, or otherwise delete or object to our processing of certain Personal Data. We will respond to your request in accordance with applicable law, and we will inform you if we do not intend to comply with your request. We also may ask you for additional information so that we can confirm your identity or verify your request.

Please note that if you would like to submit a request regarding your Personal Data collected and processed by one of our Retail Partners, you must submit a request directly to such Retail Partner. For questions about the Retail Partner in your jurisdiction, you can contact us as set forth below, in Section 8. Contact Us.

Additional Information for Certain Jurisdictions. We are committed to respecting the privacy rights of individuals under all privacy laws applicable to us. Some privacy and data protection laws require that we provide specific information about individual rights to applicable consumers, which we have set forth in Section 9 below.

5. SECURITY AND RETENTION

We have implemented administrative, technical, and physical measures to help protect the Personal Data we collect from loss, theft, misuse and unauthorized access, disclosure, alteration and destruction. However, no website or Internet transmission is completely secure. Thus, we cannot and do not guarantee that unauthorized access, hacking, data loss, or other breaches will never occur. We urge you to take steps to keep your Personal Data safe, such as choosing a strong password and keeping it private, enabling multifactor authentication (where available), as well as logging out of your account, and closing your web browser when finished using the Platforms.

In general, we retain your Personal Data as long as necessary for purposes for which the Personal Data was collected and is used by us, as stated in this Notice, and as otherwise necessary to fulfill our legal obligations, resolve disputes, maintain appropriate business records, enforce our agreements or for such longer period as required by applicable law. The retention period depends on the information and the reason for which we have collected it. For example, we keep records of customer purchases and transactions in accordance with the relevant return and exchange periods under our return policy.

6. INTERNATIONAL TRANSFERS OF PERSONAL DATA.

We are based in the United States and are governed by U.S. law, and have operations, entities and vendors in the United States and throughout the world. By accessing or using the Platforms, or otherwise providing information to us, you acknowledge that we collect, process, transfer and store data about you in and to the United States and other applicable territories in which the privacy laws may not be as comprehensive as or

equivalent to those in the country where you reside and/or are a citizen. We will

take steps to ensure that your Personal Data is subject to appropriate safeguards and receives an adequate level of protection as required under applicable privacy laws, when your Personal Data is transferred to and processed in other jurisdictions, including through appropriate written data processing terms and/or data transfer agreements. Please use the contact information below if you have a question or complaint about the policies, practices or manner in which we or our vendors treat your Personal Data.

If you are located in the EEA or the UK, your Personal Data may be transferred to and processed in the United States and other jurisdictions that do not provide equivalent levels of data protection according to the European Commission. In such cases, AEO will take steps to ensure that appropriate safeguards are in place to protect your Personal Data, including by putting in place standard contractual clauses as approved by the European Commission and the UK Information Commissioner, respectively.

7. CHANGES.

We may update this Notice from time to time. If we make changes, we will notify you by revising the date at the top of the Notice and, in some cases, we may provide you with additional notice (such as adding a statement to our homepage or sending you a notification). Where required to do so by applicable law, we will seek your consent to such changes. We encourage you to review this Notice whenever you interact with us to stay informed about our data practices and the ways you can help protect your privacy.

8. CONTACT US.

As it relates to questions you might have about this Notice or if you have a complaint or concern that AEO may have failed to adhere to this Notice, please contact us as follows:

Please note, the role and department responsible for compliance with the obligations under this Notice is:

Assistant General Counsel, Privacy: Legal Department, privacy@ae.com

American Eagle Outfitters

c/o Legal Department

77 Hot Metal Street

Pittsburgh, PA 15203

Attention: Assistant General Counsel, Privacy

Tel: 1-888-232-4535

E-mail: privacy@ae.com

See Section 9 below for additional contact information for certain jurisdictions.

9. ADDITIONAL INFORMATION FOR CERTAIN JURISDICTIONS.

EEA (GDPR), UK, and Brazil: Subject to the conditions set out in the applicable law, users in the European Union/European Economic Area, United Kingdom and Brazil (as well as in other jurisdictions where similar rights apply) have the following rights with regard to our processing of their Personal Data:

• Right to Access, Correct and Restrict the Processing of Your Personal Data: If you wish to access, modify, verify, correct, delete, or restrict the processing of any of your Personal Data collected through the Platforms, you may contact us using the contact information provided above. Alternatively, you may access, modify, verify, correct or delete your registered user data through our Platforms. Please note, all active accounts must be associated with a physical address and customer service may assist with certain changes. Additionally, we may refuse requests that are manifestly unfounded or excessive, in particular because of their repetitive character.

• Right to Object: You may ask us at any time to stop processing your Personal Data, and we will do so, if we: (i) rely on legitimate interests to process your Personal Data, except if we can demonstrate compelling legal grounds for the processing or where we need to process it for the establishment, exercise or defense of legal claims; or (ii) process your Personal Data for direct marketing.

• Right of Deletion: You have the right, in certain circumstances, to request that we delete or remove your Personal Data, such as where we no longer need it or if you withdraw your consent (where applicable). To the extent permitted by applicable law, we will retain and use your Personal Data as necessary to

comply with our legal obligations, resolve disputes, maintain appropriate business records, and enforce our agreements.

• Right to Data Portability: You have the right, in certain circumstances, to receive a copy of Personal Data we have obtained from you in a structured, commonly used and machine readable format, and to reuse it elsewhere or to ask us to transfer this to a third party of your choice.

• Right to Withdraw Your Consent: In the event your Personal Data is processed on the basis of your consent, you have the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal. Brazilian users also have the right to be informed about the consequences of denying or withdrawing consent.

• Right to Lodge a Complaint: If you think that the processing of Personal Data by us violates data protection laws, you may lodge a complaint with the competent supervisory authority.

Please note that some of these rights may be limited, such as where we have an overriding interest or legal obligation to continue to process the data. Please contact us using the information set out above, in Section 8. Contact Us, if you wish to exercise any of your rights or if you have any inquiries or complaints regarding the processing of your Personal Data by us.

You may contact our EU and UK Local Representatives as required under Art. 27 GDPR as follows:

VeraSafe Czech Republic s.r.o

Klimentská 46

Prague 1, 11002

Czech Republic

Contact Form: https://verasafe.com/public-re...

VeraSafe Ireland Ltd.

Unit 3D North Point House

North Point Business Park

New Mallow Road

Cork T23AT2P

Ireland

Contact Form: https://verasafe.com/public-re...

Verasafe United Kingdom Ltd. 37 Albert Embankment London SE1 7TL United Kingdom Contact Form: https://verasafe.com/public-re...

Australia: Subject to the conditions set out in the applicable law, if you are a user in Australia, you have the right to access, correct or make a complaint regarding your Personal Data under the Privacy Act:

• Access and Correction: Upon your written request, subject to certain exceptions provided by law, AEO will give you access to your Personal Data. Additionally, if you believe that the personal information that AEO holds about you is not accurate, complete or up to date you may write to the Assistant General Counsel, Privacy at the address provided above. AEO will respond to your requests to access or correct Personal Data within a reasonable time and, if necessary, correct any inaccurate Personal Data within a reasonable time. There is no charge for requesting access to your Personal Data but AEO may require you to meet our reasonable costs in providing you with access (such as photocopying costs or costs for time spent on collating large amounts of material).

• Questions, Comments or Complaints: Requests for access and correction of your Personal Data, and questions or comments should be directed to the Assistant General Counsel, Privacy: Legal Department, privacy@ae.com, through the contact details above.

If you are still not satisfied about the way in which we have handled your Personal Data, you can contact the Office of the Australian Information Commissioner (www.oaic.gov.au).

Chile: Subject to the conditions set out in the applicable law, if you are a user in Chile, you have the following rights with regard to our processing of your Personal Data:

• Request information on the processing of your Personal Data;

• Request that incorrect or incomplete Personal Data be modified;

• Request that your Personal Data be deleted if they are stored without a legal basis or if they are out of date;

• Request the deletion or blocking of your Personal Data, if applicable, if the Personal Data have been provided voluntarily or if they are used for commercial communications and you no longer wish to be included in the relevant register, either permanently or temporarily;

• Oppose the use of your Personal Data for advertising, market research or opinion polling purposes;

• Revoke your consent to the processing of Personal Data at any time with effect for the future; in this case, we ask you to refrain from future use of our Platforms or interaction with us or our Retail Partners.

Egypt: Subject to the conditions set out in the applicable law, if you are a user in Egypt, you have the following rights with regard to our processing of your Personal Data:

• To have knowledge of, review, access or obtain your Personal Data, which is in the possession of any Holder, Processor or Controller;

• To withdraw your consent concerning the retention or processing of your Personal Data;

• To correct, edit, delete, add or update your Personal Data;

• To limit the processing of your Personal Data to a specific purpose;

• To be notified of any breach or infringement of your Personal Data; and

• To object to the processing of your Personal Data or the results thereof, whenever such processing or results contradict your fundamental rights and freedoms.

Hong Kong: Subject to the conditions set out in the applicable law, if you are a user in Hong Kong, you have the following rights with regard to our processing of your Personal Data:

• Request access to your Personal Data;

• Request the correction of your Personal Data.

If you are located in Hong Kong SAR, you may contact our Hong Kong Privacy Lead at: ATTN: Privacy Lead, Alexandra House 18 Charter Road 6th Floor, Central Hong Kong, Hong Kong

Japan: Subject to the conditions set out in the applicable law, if you are a user in Japan, you have the following rights with regard to our processing of your Personal Data:

• Request access to your Personal Data;

• Request that incorrect or incomplete Personal Data be modified; and

• Request that your Personal Data be deleted or restrict processing of your Personal Data if AEO (i) uses your Personal Data beyond the purpose stipulated herein or in a manner that would trigger/induce illegal conduct by others or (ii) has collected your Personal Data by deceit.

Republic of Korea: Subject to the conditions set out in the applicable law, if you are a user in Republic of Korea, you may, by yourself or through your legal representatives/guardians, exercise your rights as data subjects, including but not limited to the following rights to:

• Request information on the processing of your Personal Data;

• Request that incorrect or incomplete Personal Data be modified;

• Request that your Personal Data be deleted if they are stored without a legal basis or if they are out of date;

• Request the suspension of processing of your Personal Data;

• Oppose the use of your Personal Data for advertising, market research or opinion polling purposes; and

• Revoke your consent to the processing of Personal Data at any time with effect for the future; in this case, we ask you to refrain from future use of our Platforms or interaction with us or our Retail Partners.

If you are located in the Republic of Korea, the third party(ies) to which Personal Data may be Transferred are:

a) Third party recipients

Name of Recipient

Purposes of use and collection by Recipient

Items of personal data accessed by or disclosed to the Recipient

AEO Group Companies (listed here)

privacy@ae.com

See Section 3 above for a description of the purposes of collection and use by AEO Group Companies, including for marketing, advertising, analytics, research and other purposes described above.

Name, contact information, marketing and other preferences, profile and other demographics, online browsing information and identifiers.

Direct access and in some cases secure file transfer or similar method.


b) Third party services providers/processors (outsourcing)

Name of Processor

Outsourced tasks/purposes

Categories of Personal Data and Method of Transfer

Localised Inc.

1460 Broadway

New York, NY 10036

USA

privacy@localised.com

The personal data will be processed by the processor for AEO‘s use only for the purposes set out in this privacy policy and transferred to the Processor for the outsourcing of marketing, advertising and promotional campaigns delivery and related support.

(Please note: Localised Inc. is one of our Retail Partners and may collect personal information from you directly, as a controller, in order to process and fulfill your orders and for other purposes as explained in their privacy policy. )

Name, contact information, marketing and other preferences, profile and other demographics and identifiers.

Secure file transfer or similar method.


Singapore: Subject to the conditions set out in the applicable law, if you are a user in Singapore, you have the following rights with regard to our processing of your Personal Data:

• Request access to your Personal Data as well as information on how that Personal Data has been used and disclosed by us in the last 12 months;

• Correct your Personal Data;

• Withdraw your consent;

• Request the transfer of your Personal Data which is in our possession or under our control.

You may contact our privacy officer for Singapore at: privacy@ae.com.

Taiwan: Subject to the conditions set out in the applicable law, if you are a user in Taiwan, you have the following rights with regard to our processing of your Personal Data:

• You may inquire about or request for a review or make a copy of your Personal Data;

• You may, together with proper explanation, request us to supplement or correct your Personal Data;

• In the event of a dispute over the accuracy of your Personal Data, you may request us to discontinue processing or using your Personal Data. However, the preceding sentence will not be applicable when it is necessary for us to conduct our business or when it is agreed to by you in writing, and the dispute has been recorded;

• You may request us to delete, discontinue processing or using your Personal Data when the specific purpose no longer exists or the notified retention period expires. However, the preceding sentence will not be applicable when it is necessary for us to conduct our business or when it is agreed to by you in writing; and

• You may request us to delete or discontinue collecting, processing or using of your Personal Data in the case where a violation of the applicable law occurs during our collecting, processing or using your Personal Data.

Where you request for inquiring about or for a review or making a copy of your Personal Data, we will determine whether to accept or reject such request within fifteen (15) days, provided that such deadline may be extended by up to fifteen (15) days, if necessary, and you will be notified in writing of the reason for the extension. For your other requests, we will determine whether to accept or reject such request within thirty (30) days, provided that such deadline may be extended by up to thirty (30) days, if necessary, and you will be notified in writing of the reason for the extension.