Privacy Policy
1) Who we are and scope
1.1 We are committed to safeguarding the privacy of our website visitors and service users.
1.2 This policy applies where we act as a data controller for personal data of our UK website visitors and customers; i.e., where we determine the purposes and means of processing.
1.3 We use cookies on our website. Where cookies are not strictly necessary for the provision of our site and services, we will ask for your consent via our cookie banner on first visit.
1.4 In this policy, “we”, “us” and “our” refer to Eden Dermatology.
Controller & contacts
Registered office (legal seat): Äussere Weberstr. 57, 02763 Zittau, Germany
UK representative office (customer contact): 83 Ducie Street, Manchester, M1 3JQ, England, UK
Customer email: cs (at) edendermatology.co.uk
Regulatory note: Goldschmidt Distribution, PO BOX 8294, Belfast, BT1 1AA, Northern Ireland acts as our regulatory representative only (not for cancellations, orders, or customer service).
2) How we use your personal data
Overview. We’ve set out: (a) the categories of personal data; (b) sources; (c) purposes; and (d) legal bases.
2.1 Usage data (analytics & security)
What: IP address, approximate location, device/browser, OS, referral source, pages viewed, session duration, navigation paths, errors.
Source: Your device; Google Analytics.
Purpose: Analyse and improve site performance and services; detect abuse/fraud.
Legal basis: Legitimate interests (monitoring/improving our website). Where required, analytics runs only with consent via the cookie banner.
2.2 Account / order data (“account data”)
What: Name, billing/delivery address, email, phone, order history.
Source: You (checkout, account, customer service).
Purpose: Operate the website, supply goods/services, communicate about orders, maintain backups, secure our services.
Legal basis: Contract (to supply goods) and legitimate interests (proper administration and security); legal obligation (tax/audit).
We do not rely on consent for core order processing.
2.3 Profile data (optional)
What: Saved addresses, preferences, wishlist.
Purpose: Enable and monitor account features; personalise experience.
Legal basis: Legitimate interests (better UX) or consent where required.
2.4 Service data
What: Data you provide in the course of using our services (e.g., support details).
Purpose: Operate the website, provide services, secure systems, backups, and communications.
Legal basis: Contract and legitimate interests (administration and security).
2.5 Publication data
What: Information you post for publication (e.g., reviews).
Purpose: Enable publication; administer our website/services.
Legal basis: Legitimate interests and/or contract; consent where applicable.
2.6 Enquiry data
What: Details in enquiries about our goods/services.
Purpose: Offer, market and sell relevant goods/services; respond to enquiries.
Legal basis: Legitimate interests (responding and pre-contract steps) or consent.
2.7 Customer relationship data
What: Contact details and communications between you and us.
Purpose: Manage relationships, communicate with customers, keep records, promote our products/services to existing customers where lawful.
Legal basis: Legitimate interests (proper management of our customer relationships and business).
2.8 Transaction data
What: Contact details, masked payment details/identifiers, transaction details.
Purpose: Supply goods/services; keep proper records; fraud prevention.
Legal basis: Contract; legitimate interests (administration/fraud prevention); legal obligation (accounting).
2.9 Notifications/marketing (“notification data”)
What: Email address, name, preferences, engagement data.
Purpose: Send newsletters/notifications you signed up for; similar-products emails to existing customers where permitted (“soft opt-in”).
Legal basis: Consent (opt-in), or legitimate interests/soft opt-in where permitted. You can unsubscribe at any time.
2.10 Correspondence data
What: Messages you send us and metadata generated by our forms.
Purpose: Communicate with you; record-keeping.
Legal basis: Legitimate interests (site/business administration and user communications); contract where relevant.
2.11 Professional-use confirmation (where applicable)
What: Your explicit tick-box confirmation that you are a qualified professional; we may log a boolean confirmation along with timestamp and IP.
Purpose: Safety/compliance evidence for professional-use products.
Legal basis: Legitimate interests (safety and dispute handling) and contract (pre-contractual checks).
2.12 Legal claims
Purpose: Establish, exercise or defend legal claims.
Legal basis: Legitimate interests (protecting our rights/your rights/others’ rights).
2.13 Insurance, risk and advice
Purpose: Obtain/maintain insurance, manage risks, get professional advice.
Legal basis: Legitimate interests (protecting our business).
2.14 Legal obligations & vital interests
We may process data to comply with the law or protect vital interests.
2.15 Third-party data
Please do not supply another person’s personal data unless we prompt you to do so or you have their permission.
3) Providing your personal data to others
3.1 Group companies. We may disclose personal data within our group where necessary for the purposes set out in this policy. (See: www.edendermatology.co.uk/group if applicable.)
3.2 Insurers & professional advisers. For insurance, risk management, legal and claims handling.
3.3 Delivery & logistics. We may disclose name, address, telephone and email to suppliers/sub-contractors necessary for fulfilling contracts, including Royal Mail (www.royalmail.co.uk) and Evri/MyHermes (www.myhermes.co.uk), or other couriers we use from time to time.
3.4 Payments. Financial transactions are handled by PayPal and Stripe. We share transaction data only as needed to process/refund payments and handle related complaints/queries. See:
3.5 Compliance/legal. We may disclose data where necessary to comply with legal obligations or to establish/exercise/defend legal claims.
We do not sell your personal data.
4) International transfers
4.1 We may transfer personal data outside the UK/EEA when using global service providers.
4.2 For such transfers we implement appropriate safeguards, including:
the UK International Data Transfer Agreement (IDTA);
the EU Standard Contractual Clauses with the UK Addendum; and/or
reliance on an adequacy decision (e.g., UK–US Data Bridge), where applicable.
4.3 Hosting/email/stack locations.
Hosting: [Insert your provider and primary region: e.g., “UK/EU data centres with [provider name].”]
Email service/helpdesk: [Insert your provider and region.]
We no longer reference the invalid EU–US Privacy Shield.
4.4 User-published data. Personal data submitted for publication (e.g., reviews) may be available worldwide; we cannot prevent third-party use/misuse.
5) Retaining and deleting personal data
5.1 We keep personal data only as long as necessary for the purposes described in this policy and to meet legal/accounting requirements.
5.2 Typical retention periods:
Orders, invoices & tax records: usually 6–7 years from the end of the financial year of your purchase.
Account data: retained while your account is active; inactive accounts are reviewed and deleted per our schedule.
Customer service correspondence: typically up to 3 years after resolution.
Marketing data: until you unsubscribe or object (we keep minimal suppression records to honour your choice).
Professional-use confirmations: retained with order/audit records (typically up to 7 years).
5.3 Where specific periods can’t be fixed in advance, we determine them based on business need, legal limitation periods and regulatory requirements.
5.4 We may retain data longer where necessary to comply with legal obligations or to establish/exercise/defend legal claims.
6) Changes to this policy
We may update this policy from time to time by publishing a new version on our website. Check this page occasionally. For material changes, we’ll notify you by email or a prominent website notice.
7) Your rights
You have the following rights under data protection law (subject to conditions/exemptions):
Access to your personal data;
Rectification of inaccurate/incomplete data;
Erasure in certain circumstances;
Restriction of processing in certain circumstances;
Object to processing based on legitimate interests, and to direct marketing at any time;
Data portability where processing is by automated means and based on consent or contract;
Withdraw consent at any time where we rely on consent (does not affect lawfulness before withdrawal);
Complain to a supervisory authority.
How to exercise your rights: email cs (at) edendermatology.co.uk. We may need to verify your identity. We aim to respond within one month.
Supervisory authorities:
UK ICO: https://ico.org.uk / 0303 123 1113
If you’re in the EEA, you may also complain to your local authority.
8) Cookies – about cookies
8.1 A cookie is a small text file stored by your browser.
8.2 Session cookies expire when you close your browser; persistent cookies remain until their set expiry or deletion.
8.3 Cookies typically don’t directly identify you, but may be linked to data we hold.
9) Cookies that we use
We use cookies for:
Authentication / status / functionality (e.g., to recognise you as you navigate and to power basket/checkout):
Examples (confirm with your platform): smSession, svSession, hs, XSRF-TOKEN, nlbi_{ID}, incap_ses_${Proxy-ID}_${Site-ID}, incap_visid_${Proxy-ID}_${Site-ID}.
Security (protect accounts and the site generally): same as above plus any CDN/security provider cookies.
Analytics (with consent where required): Google Analytics cookies such as _ga, _ga_*.
Your developer should confirm the exact cookies in use (names/durations) and keep this list current.
10) Cookies used by our service providers
10.1 Our providers may set cookies when you visit our site.
10.2 Google Analytics collects usage information to create reports about our website. Learn more at: https://www.google.com/policies/privacy/
We configure GA to respect applicable regional settings and rely on consent where required.
11) Managing cookies
11.1 You can manage cookies via your browser settings or our Cookie Settings link on-site.
11.2 Blocking non-essential cookies may affect site performance.
11.3 Blocking necessary cookies will prevent core features (like checkout) from working.
Browser help:
Firefox: https://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences
Opera: http://www.opera.com/help/tutorials/security/cookies/
Internet Explorer: https://support.microsoft.com/en-gb/help/17442/windows-internet-explorer-delete-manage-cookies
Edge: https://privacy.microsoft.com/en-us/windows-10-microsoft-edge-and-privacy
12) Our details
Website owner/operator: Eden Dermatology
Registered office: Äussere Weberstr. 57, 02763 Zittau, Germany
UK customer contact: Eden Dermatology, 83 Ducie Street, Manchester, M1 3JQ, England, UK
Email: cs (at) edendermatology.co.uk