1.1.1. Contact details: This may include name, address, email address and telephone number. This information will be collected by us when you create an account on our Website, purchase products from our Website or book an appointment through our Website. We may also collect your email address if you log in through your Facebook account, but we won’t receive any other data from Facebook. We use this information so that we can communicate with you in relation to the products you have purchased, the appointments you have booked and then your relationship with Dermoi! going forward. Where you have opted-in we will also use your contact details to send you marketing material. Certain contact details are also shared with therapists providing treatments to you. This allows the Dermoi! approved therapists to identify you and the location of your chosen address in relation to such treatments.
1.1.2. Treatment profile: When you register with Dermoi! and/or book an appointment for a treatment we will collect your date of birth to allow us to confirm that you are over the age of 18. We will also collect your gender as some of the therapists using the Dermoi! Platform can only treat clients of a specific gender and we need to make sure that we match you with the appropriate therapist.
1.1.3. Purchase history: We will keep a record of the products you have purchased from our Website and a record of the appointments you have booked through our Website. This will include a record of any purchases, returns, payments, refunds and details of any referral codes or discount codes used. For the avoidance of doubt, we need this for our accounting and record keeping purposes, however we do not store credit card details nor do we share financial details with any third parties. We will also use this information to optimise our treatment menu from time to time based on the popularity of treatments and to understand the frequency of use of discount and referral codes and to optimise future use of such codes.
1.1.4. Reviews and feedback: You will be invited to submit a review of the therapists who provide treatments and products you have purchased through the Website. We will use this information to improve the Dermoi! Platform.
1.1.5. Correspondence: We will keep records of any correspondence between you and us. This might include emails you send us or phone calls you make to us. It will also include any messages you send to us through functionality on our Website (where available). We will use this as part of our record of our relationship with you and may refer back to queries you had about products or treatments to help us improve the Dermoi! Platform.
1.1.6. Session data: This includes your device’s unique identifier details, device operating system, time zone setting and time/date of access requests, the amount of data transmitted and the requesting provider. We may also capture other information about use of our Website such as pages viewed and traffic patterns. The purpose of collecting session data is to administer, maintain and improve our Website.
1.1.7. Marketing data: We may ask you to participate in marketing or promotional initiatives, for example by contributing to blog posts or being interviewed by members of the media. This is to promote and advertise Dermoi! and will only be done with your consent.
1.2.1. Skin conditions: We will ask you to share information on any skin conditions or health related concerns which you have which might be impacted by the treatments that therapists deliver. This is to ensure that there are no contra-indications or other conditions which might be adversely impacted by the treatments. Following the treatment, therapists will write notes on the treatment and any skin responses or other pertinent information that would benefit your future treatments.
2.1. We may need to share your personal data with selected third parties in the following limited circumstances:
2.1.1. Therapists: Certain information that you enter when booking a treatment (including your contact details and information relevant to any skin conditions), as well as information gathered during the treatment and the therapists’ notes referred to in clause 1.2.1, will be viewable and accessible by therapists who have been scheduled to deliver a treatment to you, for a period of time commencing at the point of your booking and ending at the time your treatment ends. This sharing of information is necessary for the completion of booking appointments and the carrying out of treatments.
2.1.2. Third party service providers: This may include providers of certain systems and services that we use to build, host, administer and maintain our Website, third party logistics providers who deliver products to you which you have purchased through the Website, those who assist us in providing the Dermoi! platform and services to clients (including but not limited to back office service providers, our hosting providers and the third party who hosts and/or runs our ecommerce site), external legal, accounting, financial or other professional service providers, or who provide payment services (including but not limited to our banks and direct debit service providers). This will also include email services in order to manage the dissemination of information to therapists and to communicate with you.
2.1.3. To comply with legal or regulatory requests: If we are under a duty to disclose or share your personal data in order to comply with any legal or regulatory obligation, we may share your personal data with a regulator or law enforcement agency.
2.1.4. Prospective buyers or sellers: In the event that Dermoi! buys or sells any business or assets, we may disclose your personal data to the prospective buyer or seller of such business or assets. So far as possible we will share anonymised data with the other parties before the transaction completes. If Dermoi! (or substantially all of its assets) is acquired by a third party, your personal data held by Dermoi!, or within such assets, may be transferred to such third party.
3.1. We will not transfer your personal data outside of the UK, except to selected third parties that we have instructed to help us provide services to you, for example if we utilise cloud-based platforms to store data, which may involve use of geographically distributed data centres.
3.2. Where such transfers are to a country outside the European Union, we rely on one of the European Commission’s adequacy decisions (for example, relying on a Privacy Shield certification where the transfer contains a US entity) or we will use reasonable efforts to put in place appropriate safeguards to cover transfers of your personal data including, for example, signing standard contractual clauses/data protection clauses adopted by the European Commission.
3.3. If there are any other circumstances (for example where we are not processing your personal data in relation to the Dermoi! platform) which would require us to transfer your personal data outside of the UK, we will seek your consent to transfer your personal data outside of the UK. In the event of such a transfer, where applicable, we will put appropriate safeguards in place to cover transfers of your personal data including, for example, signing standard contractual clauses/data protection clauses adopted by the European Commission, or where applicable, relying on a Privacy Shield certification where the transfer involves a US entity.
4.1. We take appropriate measures to ensure that your personal data is kept secure. We will store your personal data for as long as is necessary to fulfil the purpose we collected it for, including for the purposes of satisfying any legal, regulatory, financial and good-practice requirements.
4.2. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. Details of retention periods for different aspects of your personal data are available in our retention policy which you can request from us by contacting firstname.lastname@example.org.
4.3. In some circumstances you can ask us to delete your data: see Accessing Your Personal Data and Your Rights below for further information.
4.4. In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.
5.2. We use the following cookies:
5.2.1. Strictly necessary cookies. These are cookies that are required for the operation of our Website. They include, for example, cookies that enable you to log into secure areas of our Website, use a shopping cart or make use of e-billing services.
5.2.2. Analytical cookies. These allow us to recognise and count the number of visitors and to see how visitors move around the Website when they are using it. This helps us to improve the way our Website works, for example by ensuring that users are finding what they are looking for easily.
5.3. You can block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our Website.
We have put in place safeguards to prevent your personal data from being lost, used or accessed in an unauthorised way. We limit access to your personal data to those employees, agents or contractors who have a business need to access it.
7.1. As a result of us collecting and processing your personal data, you have the following legal rights:
7.1.1. to access personal data held about you;
7.1.2. to request us to make any changes to your personal data if it is inaccurate or incomplete;
7.1.3. to request your personal data is erased where we do not have a compelling reason to continue to process such data in certain circumstances;
7.1.4. to receive your personal data provided to us as a data controller in a structured, commonly used and machine-readable format where our processing of the data is carried out by automated means and is based on: (i) your consent; (ii) our necessity for performance of a contract to which you are a party; or (iii) steps taken at your request prior to entering into a contract with us;
7.1.5. to object to, or restrict, our processing of your personal data in certain circumstances;
7.1.6. if we use your personal data for direct marketing, to ask us to stop and we will comply with your request;
7.1.7. if we use your personal data on the basis of having a legitimate interest, to object to our use of it for those purposes, giving an explanation of your particular situation, and we will consider your objection;
7.1.8. to object to, and not be subject to a decision which is based solely on, automated processing (including profiling), which produces legal effects or could significantly affect you; and
7.1.9. to lodge a complaint with a data protection supervisory body, which at present is the Information Commissioner’s Office.
7.2. To exercise any of your rights set out above please contact us at email@example.com.
7.3. We try to respond to all legitimate requests within one month. Occasionally it may take us longer where your request is particularly complex; in such cases, we will keep you updated on timescales. Such requests will be responded to free of charge, but a small administration fee may apply where requests are excessive.
If you have any questions about this privacy notice, please contact firstname.lastname@example.org.