Data retention policy

Data Retention Policy (UK & EU GDPR‑Compliant)

Date published: 9/7/2026

Summary: DermaExchange retains personal data only for as long as necessary to fulfil the purposes for which it was collected, meet legal obligations, resolve disputes, and enforce agreements.


1. Purpose of This Policy

This Data Retention Policy explains how long DermaExchange (“we”, “our”, “the Company”) stores personal data collected through our website, customer accounts, marketing systems, and order processing tools.


2. Categories of Data & Retention Periods

Customer Account Information

  • Data: Name, email, phone number, shipping/billing address, account preferences

  • Retention: Kept until the customer requests deletion or after 24 months of inactivity

  • Reason: Necessary for account functionality and repeat purchases

Order & Transaction Records

  • Data: Order history, payment confirmations, invoices

  • Retention: 6 years

  • Reason: Required under UK tax and accounting laws

Payment Information

  • Data: Card details (processed by PCI‑compliant third‑party processors)

  • Retention: Not stored on DermaExchange servers

  • Reason: Security and PCI compliance

Customer Support Communications

  • Data: Emails, chat logs, support tickets

  • Retention: 24 months

  • Reason: Service quality, dispute resolution

Marketing & Newsletter Data

  • Data: Email address, marketing preferences

  • Retention: Until consent is withdrawn

  • Reason: GDPR consent‑based marketing rules

Website Analytics Data

  • Data: IP address, device info, browsing behaviour (pseudonymised)

  • Retention: 26 months (Google Analytics default)

  • Reason: Performance monitoring and site optimisation

Cookies & Tracking Data

  • Retention:

    • Session cookies: Deleted when browser closes

    • Persistent cookies: Up to 12 months unless user deletes them

  • Reason: Site functionality and analytics


3. Data Deletion & Anonymisation

When retention periods expire, data is either:

  • Securely deleted, or

  • Anonymised so it can no longer identify individuals


4. User Rights

Users may request:

  • Access to their data

  • Correction

  • Deletion

  • Restriction of processing

  • Withdrawal of marketing consent

Requests can be made via Contact Us.


5. Policy Review

This policy is reviewed annually or when legal requirements change.