GDPR

We always take great care with your personal data, and the UK GDPR only strengthens your rights and our obligations. We never sell your personal data. We only share it with trusted service providers where this is necessary to run our website, process your orders, and meet our legal obligations — and always under appropriate contracts.

What we collect

Depending on how you use our site, we may collect:

  • Contact & delivery details: name, email, billing/delivery address, phone (when provided).

  • Order details: items purchased, order numbers, totals, delivery status.

  • Professional-use confirmation (if applicable): a required tick-box confirming you are qualified to use professional-use products (we record a boolean confirmation, time, and IP as evidence).

  • Technical/usage data: IP address, device/browser info, pages viewed and interactions (used for security and site performance; analytics only with consent where required).

  • Communications: messages you send us (e.g., order queries, support).

We do not store full payment card details. Payments are processed securely by PayPal or Stripe.

How we use your data (lawful bases)

  • To process and deliver your orders (contract).

  • To keep our site secure, prevent fraud, and improve performance (legitimate interests).

  • To send service messages about your order (contract/legitimate interests).

  • To send marketing emails only if you’ve opted in or where permitted by soft opt-in (you can unsubscribe at any time) (consent/legitimate interests).

  • To comply with the law (legal obligation), e.g., tax/audit.

Who we share data with (no selling, ever)

We share only what’s necessary with:

  • Payment processors: PayPal and Stripe (payments/refunds, fraud checks).

  • Couriers/fulfilment: e.g., Royal Mail and Evri/MyHermes (delivery updates, address labels).

  • IT, hosting, security, and analytics providers (site hosting, email, performance/security, analytics where consented).

  • Professional advisers/insurers and public authorities when legally required.

All such partners are bound by contracts that protect your data.

Cookies

We use necessary cookies to run the site (basket, checkout, security). Analytics cookies (e.g., Google Analytics) run only with your consent where required. You can change your choices any time via “Cookie Settings”. See our full Cookie and Privacy policies for details.

Your choices & rights

  • Unsubscribe from marketing at any time using the link in our emails.

  • Access, rectify, erase, restrict, object, and port your data in line with the UK GDPR.

  • Withdraw consent at any time (where processing relies on consent).

To exercise your rights, email cs (at) edendermatology.co.uk. We may need to verify your identity and will respond within one month.

How long we keep your data

  • Orders, invoices & tax records: typically 6–7 years (legal requirement).

  • Accounts & support messages: for as long as needed to manage your account/support, then deleted per our retention schedule.

  • Marketing: until you unsubscribe (we keep minimal suppression data to honour your choice).

  • Professional-use confirmations: kept with order records (typically up to 7 years).

International transfers

Where we use suppliers outside the UK/EEA, we use approved safeguards (e.g., UK International Data Transfer Agreement, EU Standard Contractual Clauses with UK Addendum, and/or adequacy decisions such as the UK–US Data Bridge).

Security

We use appropriate technical and organisational measures (encryption in transit, access controls, least-privilege, patching). No system is perfect; please keep your account details secure.

Who we are (for GDPR queries)

  • Controller: Eden Dermatology

  • Registered office (legal seat): Äussere Weberstr. 57, 02763 Zittau, Germany

  • UK representative office (customer contact): 83 Ducie Street, Manchester, M1 3JQ, England, UK

  • Email: cs (at) edendermatology.co.uk

  • Regulatory representative: Goldschmidt Distribution, POBOX 8294 Belfast, BT1 1AA, Northern Ireland (regulatory matters only; not customer service/cancellations).

This GDPR Statement is a summary. For full details, please read our Privacy Policy.