Privacy policy
DERMA EXCHANGE LTD
PRIVACY POLICY
PART 1 – INTRODUCTION, COMPANY DETAILS AND SCOPE
Effective Date: 09/07/2026
Last Updated: 09/07/2026
1. Introduction
Derma Exchange Ltd ("Derma Exchange", "we", "our" or "us") is committed to protecting your privacy and handling your personal information fairly, lawfully and transparently.
We recognise that customers place significant trust in us when purchasing skincare products, booking virtual consultations and sharing personal information, including health-related information. We are committed to maintaining that trust by ensuring your information is collected, used, stored and protected in accordance with applicable data protection laws.
This Privacy Policy explains:
- what information we collect;
- why we collect it;
- how we use it;
- who we share it with;
- how long we keep it;
- how we protect it;
- your legal rights regarding your personal information.
This Privacy Policy should be read together with our:
- Website Terms & Conditions
- Cookie Policy
- Virtual Consultation Terms
- Prescription Product Policy
- Data Retention Policy
Together these documents explain how Derma Exchange Ltd operates and how your information is managed throughout your relationship with us.
2. Who We Are
Derma Exchange Ltd is a company registered in England and Wales.
Company Name
Derma Exchange Ltd
Company Number
17331624
Trading Address
37 Falshaw Way
Manchester
M18 7TG
United Kingdom
Telephone:
0330 043 1833
Email:
Website:
Throughout this Privacy Policy, references to "Derma Exchange", "we", "our" or "us" refer to Derma Exchange Ltd.
3. Our Role
Derma Exchange Ltd operates:
- an online skincare retail platform;
- an online consultation booking service;
- customer support services;
- educational skincare resources;
- prescription skincare access (where clinically appropriate through authorised clinicians).
Derma Exchange Ltd acts as the controller of personal data relating to the operation of its website, customer accounts, product orders, marketing preferences and customer support activities.
Where customers book virtual consultations, certain personal and health information may also be processed by appropriately trained, verified and certified clinicians operating under the clinical governance framework of Health Exchange UK.
Those clinicians are responsible for their own independent clinical decisions and for processing clinical information in accordance with applicable legal and professional obligations.
Where appropriate, Derma Exchange Ltd and Health Exchange UK (or the relevant clinician) may each act as independent data controllers in respect of different processing activities. We will always seek to make these responsibilities clear to you.
4. Our Commitment to Privacy
We are committed to ensuring that your personal information is:
- processed lawfully, fairly and transparently;
- collected only for specified, explicit and legitimate purposes;
- adequate, relevant and limited to what is necessary;
- accurate and kept up to date;
- retained only for as long as necessary;
- protected using appropriate technical and organisational security measures;
- handled in accordance with your legal rights.
We regularly review our privacy practices to ensure continued compliance with UK data protection legislation and recognised industry standards.
5. Legal Framework
This Privacy Policy has been prepared in accordance with, and is intended to comply with, the following legislation and regulatory requirements where applicable:
- UK General Data Protection Regulation (UK GDPR);
- Data Protection Act 2018;
- Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR);
- Consumer Rights Act 2015;
- Electronic Commerce (EC Directive) Regulations 2002;
- UK Cosmetics Regulation (retained Regulation (EC) No. 1223/2009);
- Consumer Protection from Unfair Trading Regulations 2008.
We also seek to align our practices with guidance issued by the Information Commissioner's Office (ICO) and industry best practice for secure online retail and virtual consultation services.
6. Scope of This Privacy Policy
This Privacy Policy applies to personal information collected when you:
- visit www.dermaexchange.com;
- create a customer account;
- purchase products;
- book or attend a virtual consultation;
- submit a skincare questionnaire;
- upload photographs for clinical assessment;
- contact our customer support team;
- subscribe to newsletters or marketing communications;
- enter competitions or promotions;
- submit reviews or testimonials;
- communicate with us via telephone, email, live chat or social media.
This Privacy Policy applies regardless of whether you access our Website using:
- desktop computers;
- laptops;
- tablets;
- smartphones;
- other internet-enabled devices.
7. Information Covered by This Policy
This Privacy Policy applies to information that identifies you directly or indirectly, including:
- personal information;
- contact information;
- financial information;
- technical information;
- transaction history;
- consultation information;
- health information;
- communication records;
- marketing preferences.
Certain information collected during virtual consultations may constitute special category personal data (health information) under UK GDPR and is subject to enhanced legal protection.
We explain how we handle this information in later sections of this Privacy Policy.
8. Our Privacy Principles
The way we handle personal information is guided by the following principles:
Transparency
We explain clearly why we collect information and how it is used.
Data Minimisation
We only collect information that is reasonably necessary to provide our products and services.
Security
We employ appropriate technical and organisational measures to protect personal information against unauthorised access, loss, misuse or disclosure.
Accuracy
We encourage customers to keep their personal information up to date so that we can provide safe and effective services.
Confidentiality
Access to personal information is restricted to authorised individuals who require access to perform their duties.
Accountability
We maintain internal policies and procedures to demonstrate compliance with UK data protection legislation.
9. Third-Party Websites
Our Website may contain links to third-party websites, including:
- payment providers;
- courier tracking services;
- social media platforms;
- manufacturer websites;
- booking systems;
- educational resources.
These websites operate independently from Derma Exchange Ltd.
We are not responsible for the privacy practices or content of third-party websites.
Customers should review the privacy policies of any external websites they visit.
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect:
- changes in legislation;
- regulatory guidance;
- technological developments;
- changes to our services;
- improvements to our privacy practices.
Where changes are significant, we will take reasonable steps to notify customers through appropriate channels, such as our Website or email where appropriate.
The latest version of this Privacy Policy will always be available on www.dermaexchange.com and will include the effective date at the top of the document.
11. Contacting Us About Privacy
If you have any questions regarding this Privacy Policy or the way your personal information is handled, please contact:
Data Protection Enquiries
Derma Exchange Ltd
37 Falshaw Way
Manchester
M18 7TG
United Kingdom
Telephone: 0330 043 1833
Email: privacy@dermaexchange.com
General Customer Support:
Website:
12. Our Commitment to Responsible Data Use
Derma Exchange Ltd recognises that some of the information collected through our Website, particularly in connection with virtual consultations, may be sensitive in nature.
We are committed to processing personal and health information responsibly, ensuring that it is used only for legitimate purposes connected with the services we provide, and that it is protected by appropriate safeguards.
We do not sell personal data to third parties, nor do we permit your health information to be used for unrelated commercial purposes.
DERMA EXCHANGE LTD
PRIVACY POLICY
PART 2 – PERSONAL INFORMATION WE COLLECT
13. Overview
To operate our online skincare retail platform, provide virtual consultation services and deliver a safe customer experience, Derma Exchange Ltd collects different categories of personal information.
The type and amount of information we collect depends upon how you interact with us.
For example:
- browsing our Website;
- creating an account;
- placing an order;
- booking a consultation;
- contacting Customer Services;
- subscribing to marketing communications;
- participating in promotions or surveys.
We will only collect information that is reasonably necessary for legitimate business, legal or clinical purposes.
14. Identity Information
We may collect the following identity information:
- Title
- Full name
- Date of birth
- Gender (where voluntarily provided or clinically relevant)
- Username
- Customer account number
- Consultation reference number
- Order reference number
Identity information enables us to:
- identify you correctly;
- process your orders;
- facilitate consultations;
- prevent fraud;
- comply with legal obligations.
15. Contact Information
We may collect:
- residential address;
- delivery address;
- billing address;
- email address;
- telephone number;
- preferred communication method.
This information is used to:
- fulfil orders;
- communicate regarding consultations;
- respond to enquiries;
- send order updates;
- provide customer support.
16. Account Information
When you create an account, we may collect:
- username;
- encrypted password;
- account preferences;
- saved delivery addresses;
- saved wish lists;
- consultation history;
- communication preferences;
- purchase history.
Passwords are stored using secure encryption methods. Derma Exchange Ltd does not have access to your plain-text password.
17. Order and Transaction Information
When you purchase products, we may collect:
- products ordered;
- order value;
- order dates;
- invoices;
- delivery details;
- order status;
- returns history;
- refund history;
- promotional discounts used;
- loyalty rewards (where applicable).
This enables us to:
- process purchases;
- provide customer support;
- manage warranties and returns;
- meet our accounting obligations.
18. Payment Information
Payments made through our Website are processed securely by authorised third-party payment providers.
Depending on the payment method selected, information may include:
- payment transaction reference;
- payment authorisation status;
- payment provider;
- billing address;
- partial card details (where provided by the payment processor for identification purposes only).
Derma Exchange Ltd does not store complete payment card numbers, CVV codes or other sensitive payment credentials on its own systems.
Payment information is handled in accordance with the Payment Card Industry Data Security Standard (PCI DSS) by the relevant payment provider.
19. Technical Information
When you visit our Website, we may automatically collect technical information including:
- IP address;
- browser type and version;
- operating system;
- device type;
- device identifiers;
- language settings;
- time zone;
- screen resolution;
- internet service provider;
- referring website;
- pages visited;
- date and time of access.
This information helps us:
- maintain Website security;
- improve performance;
- identify technical issues;
- prevent fraud;
- understand customer behaviour.
20. Website Usage Information
We collect information regarding how visitors interact with our Website, including:
- pages viewed;
- search terms used;
- navigation paths;
- products viewed;
- products added to basket;
- abandoned baskets;
- session duration;
- clicks;
- downloads;
- purchases completed.
This information assists us in:
- improving customer experience;
- optimising Website performance;
- measuring marketing effectiveness;
- improving product presentation.
Where required by law, this information is collected only after obtaining consent through our cookie management platform.
21. Communication Information
When you contact us, we may collect:
- emails;
- telephone recordings (where calls are recorded);
- live chat messages;
- social media communications;
- customer support tickets;
- complaint correspondence;
- consultation enquiries.
Communications may be retained for:
- quality assurance;
- staff training;
- complaint handling;
- legal compliance;
- fraud prevention.
22. Marketing Preferences
Where you choose to receive marketing communications, we may collect:
- newsletter subscription status;
- communication preferences;
- preferred products;
- preferred brands;
- promotional engagement;
- email interaction statistics.
This enables us to tailor marketing communications to your interests.
You may withdraw your consent to marketing communications at any time.
23. Consultation Information
Where you book a virtual consultation, we may collect information including:
- presenting skin concerns;
- previous skincare treatments;
- current skincare routine;
- current medications (where relevant);
- allergies;
- relevant medical history;
- lifestyle factors relevant to skin health;
- consultation notes;
- follow-up recommendations.
This information enables appropriately trained, verified and certified clinicians operating under the governance framework of Health Exchange UK to assess your suitability for skincare recommendations or prescription-only treatments where applicable.
24. Clinical Photographs
As part of a consultation, customers may choose to upload photographs of their skin.
These images may include:
- facial photographs;
- photographs of affected skin areas;
- treatment progress images;
- before-and-after comparison photographs (where consent has been provided).
Clinical photographs are used solely for purposes connected with your consultation, ongoing care, clinical review and quality assurance.
They are stored securely and access is restricted to authorised individuals.
25. Health Information (Special Category Personal Data)
Some information collected during consultations constitutes special category personal data under UK GDPR because it relates to your health.
This may include:
- skin conditions;
- symptoms;
- allergies;
- medical history;
- medication history;
- pregnancy or breastfeeding status (where relevant);
- previous cosmetic procedures;
- consultation outcomes;
- treatment recommendations;
- prescriptions issued;
- follow-up records.
Health information receives enhanced protection under UK GDPR and is processed only where a lawful basis and an appropriate Article 9 condition apply.
Further information regarding our legal basis for processing is provided later in this Privacy Policy.
26. Prescription Information
Where prescription-only skincare products are considered, additional information may be processed, including:
- prescribing decisions;
- prescription details;
- dosage instructions;
- contraindications;
- clinician notes;
- repeat prescription requests;
- clinical review outcomes.
This information is processed only where necessary for the safe provision of clinical services.
27. Customer Reviews and Testimonials
If you submit:
- reviews;
- testimonials;
- product ratings;
- before-and-after photographs;
- feedback surveys;
we may collect:
- your name or chosen display name;
- review content;
- star ratings;
- photographs (where submitted);
- date submitted.
We will only publish identifiable testimonials or before-and-after photographs where we have an appropriate legal basis to do so, including consent where required.
28. Competition and Promotion Information
If you enter competitions or promotional campaigns, we may collect:
- your name;
- contact details;
- entries submitted;
- prize fulfilment information.
Information collected for promotional purposes will only be used in accordance with the applicable promotion terms and this Privacy Policy.
29. Social Media Information
Where you interact with Derma Exchange Ltd through social media platforms, we may receive information such as:
- profile name;
- public profile information;
- comments;
- messages;
- likes;
- shares;
- engagement statistics.
Processing of information by social media providers is governed by their own privacy policies.
30. Information from Third Parties
We may receive information from third parties including:
- payment providers;
- courier companies;
- fraud prevention agencies;
- booking system providers;
- analytics providers;
- advertising partners (where consent has been provided);
- clinicians operating under Health Exchange UK's governance framework;
- customer service platforms.
We only receive information that is necessary for the provision of our services or to comply with legal obligations.
31. Information We Do Not Intentionally Collect
Derma Exchange Ltd does not intentionally collect personal information that is unnecessary for the provision of our services.
We ask customers not to provide:
- unrelated medical records;
- information about other individuals without their authority;
- excessive personal information that is not relevant to their enquiry or consultation.
Where unnecessary information is received, we may securely delete or redact it where appropriate.
32. Keeping Your Information Accurate
It is important that the information we hold about you is accurate and up to date.
You should notify us promptly if your:
- name changes;
- address changes;
- email address changes;
- telephone number changes;
- health information changes where relevant to ongoing consultations;
- communication preferences change.
Maintaining accurate information helps us provide safe services and fulfil our legal obligations.
DERMA EXCHANGE LTD
PRIVACY POLICY
PART 3 – SPECIAL CATEGORY (HEALTH) DATA, PURPOSES OF PROCESSING AND LAWFUL BASES
33. Introduction
As an online clinical skincare retailer offering access to virtual consultations, Derma Exchange Ltd may process information relating to your health.
Health information is afforded additional legal protection under the UK General Data Protection Regulation (UK GDPR) because it constitutes Special Category Personal Data.
We recognise that customers place a high degree of trust in us when sharing health-related information. We are committed to ensuring that such information is processed lawfully, fairly, securely and only where necessary for clearly defined purposes.
We will never process health information unless an appropriate legal basis under Article 6 UK GDPR and a corresponding condition under Article 9 UK GDPR applies.
34. What is Special Category Personal Data?
Special Category Personal Data is information that requires additional protection because of its sensitive nature.
In connection with our services, this may include:
- skin conditions;
- dermatological symptoms;
- consultation questionnaires;
- medical history relevant to skin health;
- allergies;
- medication history;
- prescription information;
- pregnancy or breastfeeding status (where relevant);
- clinical photographs;
- clinician consultation notes;
- treatment recommendations;
- follow-up assessments;
- repeat prescription reviews.
We collect only the information reasonably necessary to provide safe, effective and personalised skincare services.
35. Why We Process Health Information
Health information is processed only where necessary to:
- facilitate virtual consultations;
- assess the suitability of skincare products;
- determine whether prescription-only products may be clinically appropriate;
- identify potential contraindications or allergies;
- reduce the risk of adverse reactions;
- maintain accurate consultation records;
- provide follow-up care where appropriate;
- respond to customer enquiries relating to previous consultations;
- comply with applicable legal and regulatory obligations;
- protect the health and safety of customers.
We do not collect health information for unrelated commercial purposes.
36. Clinical Governance
Virtual consultations available through the Website are delivered by appropriately trained, verified and certified clinicians operating under the clinical governance framework of Health Exchange UK.
Clinical information is processed only by individuals who require access for legitimate clinical or administrative purposes.
Clinical recommendations remain entirely independent.
Derma Exchange Ltd does not influence prescribing decisions or require clinicians to recommend particular products.
37. Our Lawful Bases under Article 6 UK GDPR
Depending upon the circumstances, we rely on one or more of the following lawful bases for processing personal data.
Performance of a Contract
We process personal information where necessary to:
- create customer accounts;
- process orders;
- arrange deliveries;
- manage consultations;
- provide customer support;
- fulfil our contractual obligations.
Examples include:
- processing your order;
- arranging delivery;
- managing consultation appointments;
- responding to product enquiries.
Legitimate Interests
We process certain information where necessary for our legitimate interests provided those interests are not overridden by your rights and freedoms.
Examples include:
- improving Website functionality;
- fraud prevention;
- cyber security;
- analysing Website performance;
- customer service improvements;
- complaint handling;
- maintaining business records;
- preventing misuse of our Website.
Before relying on legitimate interests, we consider the impact on your privacy and implement appropriate safeguards.
Legal Obligation
Certain information must be processed to comply with legal obligations, including obligations relating to:
- taxation;
- accounting;
- consumer protection;
- product safety;
- fraud prevention;
- regulatory investigations;
- law enforcement requests.
Consent
In some circumstances we rely upon your consent.
Examples include:
- receiving email marketing communications;
- use of non-essential cookies;
- publication of testimonials;
- publication of before-and-after photographs;
- certain optional consultation services.
Where processing relies upon consent, you may withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.
38. Additional Conditions under Article 9 UK GDPR
Where health information is processed, we rely upon one or more of the following conditions under Article 9 UK GDPR.
Healthcare Purposes
Health information may be processed where necessary for the provision of healthcare, clinical assessment or treatment recommendations carried out by appropriately qualified clinicians.
This includes:
- virtual consultations;
- skincare assessments;
- treatment recommendations;
- prescription assessments;
- clinical follow-up.
Explicit Consent
Where required by law, we will obtain your explicit consent before processing certain health information.
For example:
- uploading consultation photographs;
- participating in optional clinical programmes;
- publication of identifiable clinical case studies;
- publication of before-and-after images.
Consent may be withdrawn at any time.
Withdrawal does not affect processing already undertaken lawfully.
Establishment or Defence of Legal Claims
Health information may be processed where necessary for:
- responding to complaints;
- defending legal proceedings;
- professional indemnity matters;
- insurance claims;
- dispute resolution.
39. Information Provided by You
Most health information processed by Derma Exchange Ltd is provided directly by you.
Examples include:
- consultation questionnaires;
- uploaded photographs;
- consultation discussions;
- follow-up communications;
- product feedback;
- allergy disclosures.
You are responsible for ensuring that information provided is accurate and complete.
Failure to provide accurate information may affect clinical recommendations and product suitability.
40. Information Received from Clinicians
Where appropriate, Derma Exchange Ltd may receive limited clinical information from clinicians operating under the Health Exchange UK governance framework.
This information may include:
- consultation outcomes;
- product recommendations;
- prescription status;
- follow-up requirements;
- administrative information necessary to fulfil product orders or provide customer support.
We do not request access to more clinical information than is reasonably necessary for our role as the operator of the Website, booking platform and retail services.
41. Clinical Decision-Making
Clinical decisions are made independently by the consulting clinician.
Derma Exchange Ltd does not:
- diagnose medical conditions;
- prescribe medicines;
- overrule clinical decisions;
- require clinicians to recommend products;
- influence prescribing decisions for commercial purposes.
The processing of health information is limited to supporting the safe delivery of consultation services and associated retail fulfilment where appropriate.
42. Data Minimisation
We apply the principle of data minimisation by collecting only information that is:
- relevant;
- adequate;
- proportionate;
- necessary for the purpose for which it is processed.
We do not request excessive medical information where it is not relevant to the services provided.
43. Accuracy of Clinical Information
Accurate health information is essential for safe consultation outcomes.
Customers should notify us or the consulting clinician promptly if there are changes to:
- medications;
- allergies;
- pregnancy status;
- medical history relevant to skin health;
- skin condition;
- previous adverse reactions.
Failure to keep information up to date may affect the appropriateness of treatment recommendations.
44. Confidentiality
Health information is treated as confidential.
Access is restricted to authorised personnel who require access to perform their professional duties.
This may include:
- consulting clinicians;
- authorised administrative staff;
- customer support staff (where necessary);
- IT providers acting under contractual confidentiality obligations;
- legal or regulatory authorities where disclosure is required by law.
All personnel handling health information are subject to confidentiality obligations.
45. Automated Decision-Making
Derma Exchange Ltd does not make solely automated decisions that produce legal or similarly significant effects in relation to:
- clinical suitability;
- prescription decisions;
- treatment recommendations.
Where automated tools, questionnaires or artificial intelligence technologies are used to assist with information gathering or administrative processes, they are used only to support—not replace—the independent professional judgement of appropriately trained, verified and certified clinicians.
No customer will be refused treatment or prescribed medication solely on the basis of automated processing.
46. Protection of Health Information
Health information is protected through a combination of technical and organisational measures, including:
- encryption of data in transit using secure TLS protocols;
- encryption of sensitive data at rest where appropriate;
- role-based access controls;
- multi-factor authentication for authorised users where implemented;
- secure hosting environments;
- audit logging and monitoring;
- regular security updates and vulnerability management;
- staff training on confidentiality and data protection;
- contractual confidentiality obligations with relevant service providers.
We regularly review our security measures to ensure they remain appropriate to the nature and sensitivity of the information we process.
47. Our Commitment
We recognise that health information is among the most sensitive categories of personal information.
Accordingly, Derma Exchange Ltd is committed to:
- processing health information only where necessary;
- maintaining appropriate confidentiality;
- respecting your privacy and dignity;
- supporting independent clinical decision-making;
- complying with UK GDPR and applicable data protection legislation;
- maintaining transparent information governance practices.
We will never knowingly sell your health information or permit its use for unrelated commercial advertising purposes.
DERMA EXCHANGE LTD
PRIVACY POLICY
PART 4 – HOW WE USE YOUR PERSONAL INFORMATION
48. Introduction
Derma Exchange Ltd uses personal information only where there is a legitimate business, legal or clinical reason to do so.
We process your information for clearly defined purposes connected with:
- operating our Website;
- supplying skincare products;
- facilitating virtual consultations;
- providing customer support;
- maintaining security;
- complying with legal obligations; and
- improving our services.
We do not process personal information for purposes that are incompatible with those described in this Privacy Policy.
49. Operating Our Website
We use personal information to ensure the Website functions correctly and securely.
This includes:
- displaying website content;
- remembering your preferences;
- maintaining customer sessions;
- enabling secure login;
- preventing unauthorised access;
- improving website performance;
- identifying technical faults;
- maintaining cybersecurity.
Lawful Basis
- Legitimate Interests
- Performance of a Contract (where applicable)
50. Creating and Managing Customer Accounts
Where you register an account, we use your information to:
- create your customer profile;
- authenticate your identity;
- maintain your login credentials;
- store your preferences;
- provide access to previous orders;
- enable faster checkout;
- manage account security.
Lawful Basis
- Performance of a Contract
51. Processing Product Orders
Your information is used to:
- process purchases;
- confirm orders;
- dispatch products;
- generate invoices;
- arrange delivery;
- process refunds;
- manage returns;
- provide order updates.
Without this information we would be unable to fulfil your order.
Lawful Basis
- Performance of a Contract
52. Facilitating Virtual Consultations
Where you book a consultation we use your information to:
- schedule appointments;
- send appointment reminders;
- provide consultation access links;
- manage consultation administration;
- communicate with clinicians;
- arrange follow-up appointments where appropriate.
Clinical information collected during consultations is processed separately in accordance with the Health Exchange UK governance framework.
Lawful Basis
- Performance of a Contract
- Healthcare Purposes (where health information is involved)
53. Supporting Independent Clinical Assessment
Where you choose to undergo a virtual consultation, relevant information may be made available to the consulting clinician to enable them to:
- assess your skincare concerns;
- review consultation photographs;
- determine product suitability;
- identify contraindications;
- recommend treatment where appropriate;
- decide whether prescription-only skincare is clinically appropriate.
Clinical decisions are made independently by the clinician.
Derma Exchange Ltd does not influence clinical recommendations for commercial purposes.
Lawful Basis
- Healthcare Purposes
- Performance of a Contract
54. Supplying Prescription Products
Where prescription-only skincare products are approved by an authorised independent prescriber, we may process relevant administrative information to:
- verify prescription approval;
- fulfil authorised orders;
- arrange lawful supply;
- manage repeat prescription requests where applicable;
- provide customer support relating to prescription fulfilment.
Clinical decisions remain the responsibility of the independent clinician.
Lawful Basis
- Performance of a Contract
- Legal Obligation
- Healthcare Purposes
55. Providing Customer Support
We use personal information to:
- respond to enquiries;
- investigate complaints;
- provide technical assistance;
- resolve delivery issues;
- assist with returns;
- verify customer identity where necessary;
- improve customer satisfaction.
Communications may be recorded or retained for quality assurance and training purposes.
Lawful Basis
- Performance of a Contract
- Legitimate Interests
56. Fraud Prevention and Security
Protecting our customers and business from fraud is a legitimate priority.
We may process personal information to:
- verify customer identity;
- detect fraudulent transactions;
- prevent payment fraud;
- identify suspicious behaviour;
- investigate cyber security incidents;
- prevent misuse of consultation services;
- protect customer accounts.
Where appropriate we may use third-party fraud prevention services.
Lawful Basis
- Legitimate Interests
- Legal Obligation
57. Payment Processing
Payment information is processed to:
- authorise transactions;
- prevent fraudulent payments;
- process refunds;
- reconcile accounts;
- maintain financial records.
Payment processing is carried out through secure third-party payment providers.
Derma Exchange Ltd does not store complete payment card details.
Lawful Basis
- Performance of a Contract
- Legal Obligation
58. Delivery and Logistics
We use your personal information to:
- prepare orders for dispatch;
- generate shipping labels;
- arrange courier collections;
- provide parcel tracking;
- communicate delivery updates;
- investigate delivery issues.
Your delivery information is shared only with delivery partners involved in fulfilling your order.
Lawful Basis
- Performance of a Contract
59. Marketing Communications
Where you have consented, we may use your personal information to send:
- newsletters;
- skincare advice;
- promotional offers;
- product launches;
- educational content;
- seasonal campaigns;
- loyalty programme updates.
Marketing communications may be delivered by:
- email;
- SMS (where consent has been given);
- post;
- other electronic communications permitted by law.
You may unsubscribe at any time by:
- clicking the unsubscribe link;
- updating your account preferences;
- contacting us directly.
Withdrawing consent does not affect service-related communications such as order confirmations or appointment reminders.
Lawful Basis
- Consent
- Soft Opt-In (where permitted under PECR)
60. Website Analytics and Performance
We analyse how visitors use our Website in order to:
- improve navigation;
- optimise page performance;
- understand customer journeys;
- improve product presentation;
- identify technical issues;
- improve accessibility.
Analytics information is normally aggregated and does not identify individual users unless you have consented to cookies that enable such processing.
Lawful Basis
- Consent (where required)
- Legitimate Interests (for strictly necessary analytics where applicable)
61. Google Merchant Center and Google Ads
To advertise eligible cosmetic products through Google services, Derma Exchange Ltd may use limited information to:
- display product listings;
- measure advertising performance;
- identify product demand;
- improve product feed quality;
- monitor conversion rates;
- optimise marketing campaigns.
We do not share consultation notes, prescription information or health data with Google Merchant Center or Google Ads for advertising purposes.
Where Google Analytics or advertising cookies are used, these will be subject to your cookie preferences and applicable consent requirements.
Lawful Basis
- Consent (where required)
- Legitimate Interests (for non-identifiable business analytics)
62. Product Improvement and Business Development
We may analyse customer feedback and purchasing trends to:
- improve product selection;
- identify popular brands;
- enhance consultation services;
- improve customer experience;
- develop new services;
- monitor business performance.
Where possible, information is anonymised or aggregated before analysis.
Lawful Basis
- Legitimate Interests
63. Legal and Regulatory Compliance
We may process personal information where necessary to:
- comply with legal obligations;
- respond to lawful requests from regulators;
- maintain accounting records;
- comply with tax legislation;
- investigate complaints;
- protect our legal rights;
- defend legal claims.
Lawful Basis
- Legal Obligation
- Legitimate Interests
64. Product Safety and Adverse Event Reporting
Where we become aware of a suspected adverse reaction or product safety concern, we may use relevant information to:
- investigate the issue;
- contact affected customers where appropriate;
- notify manufacturers or suppliers;
- comply with cosmetic product safety obligations;
- report serious undesirable effects to the relevant competent authorities where required by law.
Only the minimum necessary information will be disclosed.
Lawful Basis
- Legal Obligation
- Public Interest in Public Health (where applicable)
65. Customer Surveys and Service Improvements
From time to time, we may invite customers to participate in surveys or provide feedback about our products and services.
Participation is voluntary.
Survey responses help us:
- improve customer experience;
- enhance consultation services;
- identify areas for improvement;
- measure customer satisfaction.
Where survey results are published, they will normally be anonymised unless you have expressly agreed otherwise.
Lawful Basis
- Legitimate Interests
- Consent (where appropriate)
66. Corporate Transactions
If Derma Exchange Ltd undergoes a business reorganisation, merger, acquisition, investment, or sale of assets, personal information may be transferred to the relevant successor organisation, provided appropriate safeguards are in place and your rights under applicable data protection laws are protected.
We will notify customers where required by law.
Lawful Basis
- Legitimate Interests
- Legal Obligation (where applicable)
67. Commitment to Purpose Limitation
Derma Exchange Ltd will only use your personal information for the purposes described in this Privacy Policy or for other compatible purposes permitted by law.
If we intend to process your personal information for a materially different purpose, we will update this Privacy Policy and, where required, notify you or seek your consent before doing so.
DERMA EXCHANGE LTD
PRIVACY POLICY
PART 5 – SHARING YOUR PERSONAL INFORMATION
68. Introduction
Derma Exchange Ltd respects the confidentiality of your personal information.
We do not sell your personal information to third parties.
We only share personal information where:
- it is necessary to provide our products or services;
- you have instructed us to do so;
- you have given your consent;
- we are legally required to do so;
- it is necessary to protect your vital interests or those of another person;
- it is necessary for the establishment, exercise or defence of legal claims.
Whenever personal information is shared, we seek to ensure that appropriate contractual, technical and organisational safeguards are in place.
69. Sharing Information with Health Exchange UK
Where you book a virtual consultation through our Website, certain information may be shared with Health Exchange UK for the purposes of clinical governance and administration.
This may include:
- your name;
- date of birth;
- contact details;
- consultation booking details;
- completed consultation questionnaires;
- clinical photographs;
- consultation outcomes;
- follow-up requirements.
Health Exchange UK processes information in accordance with applicable data protection legislation and its own information governance procedures.
Only the minimum information reasonably necessary will be shared.
70. Sharing Information with Independent Clinicians
Virtual consultations are undertaken by appropriately trained, verified and certified clinicians operating under the governance framework of Health Exchange UK.
Relevant personal information may be shared with the consulting clinician to enable them to:
- conduct your consultation;
- assess your skin concerns;
- review uploaded photographs;
- determine treatment suitability;
- recommend skincare products;
- prescribe prescription-only products where clinically appropriate;
- maintain appropriate clinical records.
Clinical recommendations are made independently by the clinician.
Derma Exchange Ltd does not influence clinical decisions for commercial purposes.
71. Sharing Information with Independent Prescribers
Where prescription-only skincare products are being considered, relevant information may be shared with an authorised independent prescriber.
Information shared may include:
- consultation information;
- medical history relevant to prescribing;
- allergies;
- current medication;
- consultation photographs;
- previous treatment history;
- prescription requests.
Only information necessary to support safe prescribing will be disclosed.
72. Payment Service Providers
Payments made through our Website are processed securely by authorised third-party payment providers.
Depending upon your chosen payment method, limited personal information may be shared including:
- your name;
- billing address;
- payment amount;
- transaction reference;
- payment verification information.
Payment providers process this information under their own privacy policies and in accordance with applicable payment security standards.
Derma Exchange Ltd does not store complete payment card details.
73. Delivery and Courier Partners
To deliver your order we may share information with courier and logistics providers.
This may include:
- your name;
- delivery address;
- telephone number (where required);
- email address (where required for tracking);
- parcel reference;
- delivery instructions.
Courier companies are required to process your information only for delivery purposes.
74. Shopify
Derma Exchange Ltd uses Shopify as its e-commerce platform.
Shopify processes personal information necessary to:
- host the Website;
- process customer orders;
- manage customer accounts;
- process payments (where Shopify Payments is used);
- support customer communications;
- maintain Website security.
Shopify processes personal information in accordance with its own privacy documentation and applicable data protection legislation.
Where Shopify processes personal information on our behalf, appropriate contractual safeguards are in place.
75. Booking and Consultation Platforms
Where consultation booking software or secure video consultation platforms are used, relevant information may be shared with those providers.
Information may include:
- your name;
- appointment date;
- email address;
- consultation reference;
- video consultation access details.
We seek to ensure that providers are contractually required to maintain appropriate confidentiality and security.
76. Cloud Hosting and IT Providers
Derma Exchange Ltd uses reputable technology providers to support the secure operation of its business.
These providers may process personal information for purposes including:
- cloud hosting;
- secure storage;
- email services;
- cybersecurity monitoring;
- backup services;
- technical support;
- disaster recovery.
Such providers act only in accordance with our documented instructions and are subject to contractual confidentiality obligations.
77. Customer Service Providers
Where customer service software is used, authorised service providers may process information necessary to:
- respond to enquiries;
- manage support tickets;
- investigate complaints;
- monitor customer satisfaction;
- provide technical assistance.
Access is restricted to authorised personnel with a legitimate business need.
78. Marketing Service Providers
Where you have consented to receive marketing communications, we may use specialist marketing providers to assist with:
- email newsletters;
- SMS communications (where applicable);
- customer segmentation;
- campaign management;
- marketing analytics.
These providers may process:
- your name;
- email address;
- communication preferences;
- engagement statistics.
They may not use your personal information for their own independent marketing purposes.
79. Website Analytics Providers
Where permitted by your cookie preferences, we may use analytics providers including Google Analytics or equivalent services to understand how visitors use our Website.
Information processed may include:
- browser information;
- device information;
- IP address (subject to applicable controls);
- pages viewed;
- session duration;
- navigation behaviour.
Where possible, information is aggregated or pseudonymised.
Health information collected during consultations is never shared with analytics providers for advertising purposes.
80. Professional Advisers
Where necessary, personal information may be shared with our professional advisers including:
- solicitors;
- accountants;
- auditors;
- insurers;
- regulatory consultants;
- data protection advisers.
Information is shared only where reasonably necessary for professional advice or compliance.
Professional advisers are subject to confidentiality obligations.
81. Regulators and Government Authorities
We may disclose personal information where required or permitted by law to:
- courts;
- law enforcement agencies;
- HM Revenue & Customs;
- the Information Commissioner's Office (ICO);
- Trading Standards;
- other competent regulatory authorities.
We will only disclose information that is legally required or reasonably necessary.
82. Product Manufacturers
Where a product safety issue or adverse reaction is reported, limited information may be shared with manufacturers or authorised distributors for the purposes of:
- investigating product quality concerns;
- product recalls;
- adverse event reporting;
- regulatory compliance.
Where possible, information will be anonymised or pseudonymised before sharing.
83. Business Transfers
If Derma Exchange Ltd undergoes:
- merger;
- acquisition;
- restructuring;
- refinancing;
- sale of assets;
- business transfer,
personal information may be transferred to the new owner or successor organisation.
Any successor organisation will be required to respect this Privacy Policy and applicable data protection legislation.
Customers will be notified where required by law.
84. International Transfers
Some of our service providers may process personal information outside the United Kingdom.
Where personal information is transferred internationally, Derma Exchange Ltd will ensure that appropriate safeguards are in place, such as:
- an adequacy decision recognised by the UK Government;
- the UK International Data Transfer Agreement (IDTA);
- the UK Addendum to the EU Standard Contractual Clauses (SCCs);
- other lawful transfer mechanisms recognised under UK GDPR.
We take reasonable steps to ensure that your personal information continues to receive an equivalent level of protection.
85. Data Processing Agreements
Where third-party organisations process personal information on behalf of Derma Exchange Ltd, we require them to enter into written Data Processing Agreements (DPAs) where required by law.
These agreements require processors to:
- act only on our documented instructions;
- implement appropriate security measures;
- maintain confidentiality;
- assist us in complying with data protection legislation;
- delete or return personal information when instructed.
86. Confidentiality Obligations
Everyone who processes personal information on behalf of Derma Exchange Ltd is expected to maintain strict confidentiality.
This includes:
- employees;
- consultants;
- contractors;
- clinicians;
- customer service representatives;
- IT providers;
- professional advisers.
Access to personal information is restricted to those with a legitimate need to know.
87. Information We Never Sell
Derma Exchange Ltd does not sell personal information to:
- advertisers;
- data brokers;
- marketing companies;
- social media platforms;
- unrelated third parties.
We do not permit your health information to be used for behavioural advertising or profiling unrelated to the services we provide.
88. Our Commitment to Responsible Sharing
Whenever personal information is shared, Derma Exchange Ltd is committed to ensuring that:
- only the minimum necessary information is disclosed;
- recipients have an appropriate lawful basis for processing;
- appropriate security measures are maintained;
- confidentiality is protected;
- sharing is consistent with this Privacy Policy and applicable law.
We regularly review our relationships with third-party providers to ensure they continue to meet our standards for privacy, security and legal compliance.
DERMA EXCHANGE LTD
PRIVACY POLICY
PART 6 – INTERNATIONAL DATA TRANSFERS, DATA SECURITY AND CYBERSECURITY
89. Our Commitment to Information Security
Derma Exchange Ltd recognises that protecting personal information is fundamental to maintaining the trust of our customers.
We implement appropriate technical, organisational and physical security measures designed to protect personal information against:
- accidental loss;
- unauthorised access;
- unauthorised disclosure;
- misuse;
- alteration;
- corruption;
- destruction.
Our security programme is regularly reviewed to ensure it remains appropriate to the nature, volume and sensitivity of the personal information we process.
90. Security by Design and by Default
Privacy and security are considered during the design, development and operation of our Website, systems and services.
Where reasonably practicable, we implement the principles of Privacy by Design and Privacy by Default, ensuring that:
- only information necessary for each purpose is collected;
- access to personal information is restricted;
- security controls are built into our systems from the outset;
- privacy risks are assessed before introducing new technologies or services.
Where required, we undertake Data Protection Impact Assessments (DPIAs) before implementing processing activities likely to present a high risk to individuals.
91. Technical Security Measures
To protect your personal information, Derma Exchange Ltd may implement measures including:
- Secure Sockets Layer (SSL) / Transport Layer Security (TLS) encryption for all website traffic;
- encryption of sensitive personal information where appropriate;
- encrypted database connections;
- secure hosting environments;
- firewall protection;
- intrusion detection and prevention systems;
- malware detection;
- vulnerability scanning;
- regular software updates and security patching;
- secure coding practices;
- penetration testing where appropriate.
These measures are reviewed periodically and updated in line with evolving cyber security risks.
92. Organisational Security Measures
We implement organisational safeguards including:
- confidentiality agreements for employees and contractors;
- role-based access controls;
- staff training on data protection and cyber security;
- information governance policies;
- secure disposal procedures;
- documented incident response procedures;
- supplier due diligence;
- regular policy reviews.
Only authorised personnel whose duties require access to personal information are permitted to access it.
93. Access Controls
Access to personal information is granted on a least privilege basis.
Access permissions are allocated according to job responsibilities.
Where appropriate, access controls include:
- unique user accounts;
- password policies;
- role-based permissions;
- account monitoring;
- automatic session timeouts;
- audit logging.
Access rights are reviewed periodically and removed promptly when no longer required.
94. Multi-Factor Authentication
Where supported by our systems, administrative access to customer information is protected through Multi-Factor Authentication (MFA).
We encourage customers to enable MFA on their accounts where this functionality is available.
95. Password Security
Customer passwords are protected using industry-recognised hashing and encryption techniques.
Derma Exchange Ltd does not have access to customers' plain-text passwords.
Customers are responsible for:
- maintaining the confidentiality of their passwords;
- choosing strong passwords;
- avoiding password reuse across multiple websites;
- notifying us immediately if they suspect unauthorised access.
96. Payment Security
Payments made through our Website are processed by secure third-party payment providers.
Derma Exchange Ltd does not store:
- complete payment card numbers;
- CVV numbers;
- card PINs;
- payment authentication credentials.
Payment providers are expected to comply with the Payment Card Industry Data Security Standard (PCI DSS) or equivalent industry standards.
97. Monitoring and Cyber Security
To protect our Website and customers, we monitor systems for:
- unauthorised access;
- suspicious login activity;
- attempted fraud;
- malware;
- denial-of-service attacks;
- abnormal system behaviour;
- other cyber security threats.
Security monitoring is undertaken solely for the purpose of protecting our systems, customers and business.
98. Audit Logging
Certain activities within our systems may be recorded for security and compliance purposes.
Audit logs may include:
- user authentication events;
- account changes;
- administrative actions;
- access to sensitive information;
- system events.
Audit logs are retained only for as long as reasonably necessary to support security, compliance and investigation of incidents.
99. Data Backups
To reduce the risk of accidental data loss, we maintain secure backup procedures.
Backups may include:
- customer account information;
- order records;
- consultation administration records;
- business records.
Backups are protected using appropriate security measures and retained only for as long as necessary in accordance with our Data Retention Policy.
100. Business Continuity and Disaster Recovery
Derma Exchange Ltd maintains business continuity arrangements designed to minimise disruption in the event of:
- hardware failure;
- cyber incidents;
- power outages;
- system failures;
- natural disasters;
- other significant operational events.
These arrangements are reviewed periodically to ensure their effectiveness.
101. Personal Data Breaches
A personal data breach may include:
- unauthorised disclosure of personal information;
- accidental deletion;
- loss of data;
- unauthorised access;
- cyber attacks;
- ransomware incidents.
Where we become aware of a personal data breach, we will:
- investigate promptly;
- assess the risks;
- take appropriate remedial action;
- notify affected individuals where required by law;
- notify the Information Commissioner's Office (ICO) where required under UK GDPR.
We maintain documented procedures for identifying, reporting and managing personal data breaches.
102. Reporting Security Concerns
If you believe your personal information has been compromised or identify a security vulnerability affecting our Website, please notify us immediately:
Email: privacy@dermaexchange.com
or
We investigate all reported security issues promptly and confidentially.
103. International Data Transfers
Some of our trusted service providers may process personal information outside the United Kingdom.
Where this occurs, Derma Exchange Ltd will ensure that an appropriate legal transfer mechanism is in place before any personal information is transferred.
Such mechanisms may include:
- a UK adequacy regulation;
- the UK International Data Transfer Agreement (IDTA);
- the UK Addendum to the EU Standard Contractual Clauses (SCCs);
- another transfer mechanism recognised under UK GDPR.
We will take reasonable steps to ensure that transferred personal information receives a level of protection substantially equivalent to that provided within the United Kingdom.
104. Cloud Computing Services
Where cloud-based systems are used, we seek to ensure that providers:
- maintain recognised security certifications where appropriate (such as ISO/IEC 27001 or equivalent);
- implement appropriate encryption and access controls;
- process personal information only in accordance with our instructions;
- provide appropriate contractual safeguards.
Cloud providers are subject to contractual obligations relating to confidentiality, security and data protection.
105. Security of Clinical Information
Clinical information receives enhanced protection because of its sensitive nature.
Access to consultation records, clinical photographs and prescription-related information is restricted to authorised individuals who require access for legitimate clinical, administrative or legal purposes.
Clinical information is not used for advertising or unrelated commercial profiling.
106. Customer Responsibilities
Customers also play an important role in protecting personal information.
We recommend that customers:
- use strong and unique passwords;
- keep passwords confidential;
- log out after using shared devices;
- install security updates on their devices;
- avoid using unsecured public Wi-Fi when accessing their account;
- verify emails before providing personal information;
- contact us if they suspect unauthorised access.
Derma Exchange Ltd cannot be responsible for losses resulting from a customer's failure to take reasonable precautions to protect their own account credentials.
107. Security Reviews
We regularly review our:
- information security policies;
- cyber security controls;
- supplier security;
- access permissions;
- incident response procedures;
- technical safeguards.
Where improvements are identified, we will implement reasonable measures to strengthen our security arrangements.
108. Our Security Commitment
Whilst no internet-based service can guarantee absolute security, Derma Exchange Ltd is committed to maintaining security measures that are appropriate to the nature and sensitivity of the personal information we process.
We continuously review emerging cyber security threats, technological developments and regulatory guidance to help ensure that your personal information remains protected throughout its lifecycle.
DERMA EXCHANGE LTD
PRIVACY POLICY
PART 7 – YOUR RIGHTS UNDER UK GDPR
109. Your Data Protection Rights
Derma Exchange Ltd is committed to respecting and facilitating your rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
These rights help you understand how your personal information is used and allow you to exercise control over that information where applicable.
The exercise of these rights is subject to certain legal conditions and exceptions.
110. Right to Be Informed
You have the right to receive clear, transparent and easily understandable information about:
- who we are;
- why we collect your personal information;
- what personal information we collect;
- how we use it;
- who we share it with;
- how long we retain it;
- your legal rights;
- how to contact us regarding privacy matters.
This Privacy Policy has been prepared to help fulfil that obligation.
111. Right of Access
You have the right to request confirmation of whether Derma Exchange Ltd processes your personal information.
Where we do, you may request a copy of that information together with supplementary information including:
- the categories of personal information held;
- the purposes for which it is processed;
- recipients or categories of recipients;
- retention periods;
- your rights under UK GDPR;
- information about automated decision-making (where applicable);
- the source of the information where it was not obtained directly from you.
Requests are commonly referred to as Subject Access Requests (SARs).
112. How to Make a Subject Access Request
Requests should be submitted to:
Data Protection Officer / Privacy Team
Derma Exchange Ltd
37 Falshaw Way
Manchester
M18 7TG
United Kingdom
Email:
We may ask you to provide information necessary to verify your identity before releasing personal information.
This protects your privacy and helps prevent unauthorised disclosure.
113. Response Time
Subject Access Requests will normally be answered within one calendar month of:
- receiving the request; and
- verifying your identity.
Where requests are particularly complex or numerous, we may extend this period by up to two additional months where permitted by law.
If an extension is required, we will inform you and explain the reasons.
114. Fees
Access requests are generally provided free of charge.
However, we reserve the right to charge a reasonable administrative fee or refuse a request where it is:
- manifestly unfounded;
- excessive;
- repetitive.
Any fee will reflect the administrative costs of complying with the request.
115. Right to Rectification
You have the right to request correction of inaccurate personal information.
You also have the right to request completion of incomplete personal information.
We encourage customers to keep their information up to date, particularly where changes may affect:
- deliveries;
- consultation appointments;
- prescription safety;
- communication preferences.
Where appropriate, corrections will also be communicated to relevant third parties with whom the information has been shared.
116. Right to Erasure ("Right to be Forgotten")
In certain circumstances you may request that we erase your personal information.
This right applies only where one of the legal grounds under UK GDPR is satisfied.
Examples include where:
- the information is no longer necessary;
- consent has been withdrawn;
- processing is unlawful;
- successful objection has been made;
- the information must be erased to comply with a legal obligation.
This right is not absolute.
We may retain information where necessary to:
- comply with legal obligations;
- maintain accounting records;
- defend legal claims;
- comply with healthcare governance requirements;
- comply with product safety legislation;
- comply with tax legislation.
Where health records are subject to statutory or professional retention requirements, we may not be able to erase them immediately.
117. Right to Restrict Processing
You may request that we temporarily restrict the processing of your personal information where:
- you contest its accuracy;
- processing is unlawful but you oppose deletion;
- we no longer require the information but you require it for legal claims;
- you have objected to processing pending verification of our legitimate interests.
During any restriction period, your information will generally only be processed:
- with your consent;
- for legal claims;
- to protect another person's rights;
- for important public interest reasons.
118. Right to Data Portability
Where processing is based on:
- your consent; or
- a contract,
and carried out by automated means, you may request that your personal information be provided:
- in a structured;
- commonly used;
- machine-readable format.
Where technically feasible, you may also request that information be transmitted directly to another organisation.
This right does not generally apply to information processed solely under legal obligations or legitimate interests.
119. Right to Object
You have the right to object to certain types of processing.
This includes processing based upon:
- legitimate interests;
- direct marketing;
- profiling related to direct marketing.
If you object to direct marketing, we will stop using your personal information for that purpose as soon as reasonably practicable.
Where processing is based on legitimate interests, we will assess whether our interests override your rights and freedoms.
120. Rights Relating to Automated Decision-Making
You have the right not to be subject to decisions based solely on automated processing where those decisions produce legal or similarly significant effects.
Derma Exchange Ltd does not make clinical decisions solely through automated processing.
Clinical recommendations and prescription decisions are made by appropriately trained, verified and certified clinicians operating under the governance framework of Health Exchange UK.
Any automated tools used by Derma Exchange Ltd are intended to support administrative processes or assist clinicians and do not replace independent professional judgement.
121. Right to Withdraw Consent
Where we rely upon your consent to process personal information, you may withdraw that consent at any time.
Examples include:
- email marketing;
- SMS marketing;
- optional cookies;
- publication of testimonials;
- publication of before-and-after photographs.
Withdrawal of consent does not affect processing carried out before consent was withdrawn.
122. Exercising Your Rights
Requests relating to your personal information may be submitted by:
Email:
Telephone:
0330 043 1833
Or by post:
Derma Exchange Ltd
37 Falshaw Way
Manchester
M18 7TG
United Kingdom
We may request reasonable information to verify your identity before acting upon your request.
123. Verification of Identity
To protect your privacy, we may ask for additional information before responding to requests involving personal information.
Verification may include confirmation of:
- your identity;
- previous orders;
- account information;
- consultation reference;
- registered email address.
Where requests are submitted by an authorised representative, we may require written authority before disclosing information.
124. Requests Made on Behalf of Another Person
Where someone seeks to exercise rights on behalf of another individual, we may require evidence of:
- legal authority;
- written consent;
- power of attorney;
- parental responsibility (where applicable).
We reserve the right to refuse requests where sufficient authority has not been demonstrated.
125. Right to Complain
If you are dissatisfied with the way Derma Exchange Ltd processes your personal information, we encourage you to contact us first so that we can investigate and seek to resolve your concerns.
Privacy complaints should be directed to:
Privacy Team
Derma Exchange Ltd
37 Falshaw Way
Manchester
M18 7TG
United Kingdom
Email:
Telephone:
0330 043 1833
We aim to acknowledge privacy complaints promptly and respond within a reasonable timeframe.
126. Information Commissioner's Office (ICO)
If you remain dissatisfied after contacting us, or you believe we have processed your personal information unlawfully, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's independent authority responsible for data protection.
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Website:
Telephone:
0303 123 1113
Making a complaint to the ICO does not affect your right to pursue any other legal remedies available to you.
127. Our Commitment to Your Rights
Derma Exchange Ltd is committed to ensuring that individuals can exercise their rights under UK GDPR fairly, transparently and without unnecessary delay.
We regularly review our privacy procedures and staff training to ensure that requests are handled professionally and in accordance with applicable legislation.
Where we are unable to comply with a request, we will explain the reasons and inform you of any further rights available to you.
DERMA EXCHANGE LTD
PRIVACY POLICY
PART 8 – MARKETING COMMUNICATIONS, COOKIES, DATA RETENTION, CHILDREN'S PRIVACY AND FINAL PROVISIONS
128. Marketing Communications
Derma Exchange Ltd values your privacy and will only send marketing communications where permitted by applicable law.
Marketing communications may include:
- newsletters;
- skincare advice and educational content;
- new product launches;
- exclusive offers;
- promotional campaigns;
- consultation availability;
- seasonal skincare recommendations;
- loyalty programme updates;
- customer surveys;
- event invitations.
Marketing communications may be sent by:
- email;
- SMS (where applicable);
- post;
- telephone (where appropriate and lawful);
- other electronic communication methods permitted by law.
129. Lawful Basis for Marketing
We will only send electronic marketing communications where:
- you have given your consent;
- you have purchased products from us and we rely on the "soft opt-in" provisions under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR);
- another lawful basis under applicable legislation applies.
You may withdraw your marketing preferences at any time.
130. Opting Out of Marketing
You may stop receiving marketing communications by:
- clicking the "Unsubscribe" link contained within marketing emails;
- updating your customer account preferences;
- contacting Customer Services;
- emailing privacy@dermaexchange.com;
- emailing support@dermaexchange.com.
Opting out of marketing will not affect essential service communications, including:
- order confirmations;
- dispatch notifications;
- consultation reminders;
- payment confirmations;
- important product safety notices;
- legal notices.
131. Personalised Marketing
Where permitted by law and subject to your preferences, we may use information about your interactions with our Website to provide more relevant communications.
Examples include:
- skincare routines relevant to products you have purchased;
- replenishment reminders;
- product recommendations based on previous purchases;
- educational content relevant to your stated skin concerns.
We do not use sensitive health information from clinical consultations to create advertising profiles or for behavioural advertising.
Clinical consultation data is kept separate from our marketing activities except where necessary to fulfil your request or where you have expressly consented.
132. Cookies and Similar Technologies
Our Website uses cookies and similar technologies to improve your browsing experience and to support the secure operation of the Website.
Cookies may be used to:
- remember your preferences;
- maintain secure login sessions;
- keep products in your shopping basket;
- analyse Website usage;
- improve Website performance;
- detect fraud;
- support customer service;
- measure marketing effectiveness (where consent has been provided).
A detailed explanation of the cookies we use is provided in our separate Cookie Policy.
133. Cookie Consent
When you first visit our Website, you will be presented with a cookie preference banner.
Except for cookies that are strictly necessary for the operation of the Website, we will not place cookies on your device unless you have provided your consent.
You may:
- accept all cookies;
- reject non-essential cookies;
- customise your cookie preferences;
- change your preferences at any time through our Cookie Preference Centre.
Withdrawal of consent does not affect the lawfulness of processing carried out before consent was withdrawn.
134. Data Retention
Derma Exchange Ltd retains personal information only for as long as necessary to fulfil the purposes for which it was collected or to comply with legal, regulatory and contractual obligations.
Retention periods are determined by considering:
- legal requirements;
- contractual obligations;
- regulatory guidance;
- operational needs;
- limitation periods for legal claims;
- customer expectations.
Detailed retention periods are set out in our Data Retention Policy, which forms part of this Privacy Policy.
135. Secure Disposal of Information
When personal information is no longer required, Derma Exchange Ltd will ensure that it is securely deleted, anonymised or destroyed using appropriate methods.
These may include:
- secure electronic deletion;
- cryptographic erasure where appropriate;
- secure destruction of paper records;
- anonymisation of data used for statistical or analytical purposes.
Where information is retained in backups, it will remain subject to appropriate security controls until it is overwritten or securely destroyed in accordance with our retention procedures.
136. Children's Privacy
Our Website is intended for individuals aged 18 years and over.
We do not knowingly collect personal information directly from children under the age of 18 without the involvement of a parent or legal guardian where required.
If we become aware that personal information has been collected from a child unlawfully, we will take reasonable steps to delete that information promptly unless we are legally required to retain it.
Parents or guardians who believe that a child has provided personal information through our Website should contact us immediately.
137. Accessibility
Derma Exchange Ltd is committed to making information about privacy accessible and easy to understand.
If you require this Privacy Policy in an alternative format because of a disability or accessibility requirement, please contact us and we will make reasonable efforts to provide it in an appropriate format.
138. Changes to this Privacy Policy
We may amend this Privacy Policy from time to time to reflect:
- changes in legislation;
- regulatory guidance;
- technological developments;
- changes to our products or services;
- improvements to our privacy practices.
Where changes are material, we will provide appropriate notice by:
- publishing the updated Privacy Policy on our Website;
- displaying a notice on our Website; or
- contacting customers by email where appropriate.
The updated Privacy Policy will become effective from the date shown at the top of the document.
139. Contacting Us About Privacy
If you have any questions about this Privacy Policy or the way your personal information is handled, please contact:
Privacy Lead
Derma Exchange Ltd
Company Number: 17331624
Trading Address:
37 Falshaw Way
Manchester
M18 7TG
United Kingdom
Telephone: 0330 043 1833
Email: privacy@dermaexchange.com
General Customer Support:
Email: support@dermaexchange.com
Website:
140. Information Commissioner's Office (ICO)
If you believe that Derma Exchange Ltd has not handled your personal information appropriately, you have the right to lodge a complaint with the Information Commissioner's Office (ICO).
We encourage you to contact us first so that we have the opportunity to investigate and resolve your concerns.
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Website: https://ico.org.uk
Telephone: 0303 123 1113
141. Privacy Governance Statement
Derma Exchange Ltd is committed to maintaining the highest standards of privacy, confidentiality and information governance.
We regularly review:
- our privacy policies;
- information security controls;
- data protection procedures;
- supplier agreements;
- staff training;
- clinical governance arrangements;
- technology platforms.
Where improvements are identified, we will update our practices to ensure continued compliance with applicable legislation and recognised industry standards.
142. Google Merchant Center and Platform Compliance
Derma Exchange Ltd is committed to operating a transparent and trustworthy online retail platform.
Accordingly, we undertake to:
- provide clear and accurate information about our identity, products and services;
- maintain transparent pricing and delivery information;
- avoid misleading claims regarding products or clinical outcomes;
- protect customer privacy;
- operate secure payment systems;
- comply with applicable platform policies, including those of Google Merchant Center, Google Shopping, Shopify and other marketplaces on which our products may be listed.
Nothing in this Privacy Policy authorises the use of personal information in a manner inconsistent with applicable data protection legislation or platform requirements.
143. Version Control
Document Title: Privacy Policy
Document Owner: Privacy Lead – Derma Exchange Ltd
Version: 1.0
Effective Date: [Insert Date]
Review Date: 12 months from the Effective Date, or earlier if required due to changes in legislation, regulatory guidance or business operations.
ACKNOWLEDGEMENT
By using www.dermaexchange.com, creating an account, purchasing products or booking a consultation, you acknowledge that you have read and understood this Privacy Policy.
Where processing is based on your consent, you may withdraw that consent at any time in accordance with this Privacy Policy.
Nothing in this Privacy Policy limits or excludes your statutory rights under applicable data protection legislation.