Personal Data Policy
This Personal Data Protection and Privacy Policy (“Policy”) sets out the procedures and principles regarding personal data collected, processed and stored through the website www.drmomhand.com (“Site”) operated by Dr. MomHand Organic Cosmetics (“Company”, “Data Controller”), registered in the United Kingdom.
This Policy has been prepared in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations (PECR) to ensure compliance with global standards and UK law.
By using our website, making purchases, or creating an account, you declare that you have read and understood this Policy and agree to the processing of your personal data within the legal terms set forth herein.
ARTICLE 1 – DATA CONTROLLER INFORMATION
Data Controller: Dr. MomHand Organic Cosmetics
Address: 71-75 Shelton Street, Covent Garden, London, United Kingdom
Telephone: +44 7848 99 6901
Email: uk@drmomhand.com
You can submit all your questions, requests, and applications regarding your personal data to the Data Controller using the contact information above.
ARTICLE 2 – DEFINITIONS
| Term | Definition |
| --- | --- |
| Personal Data | Any information relating to an identified or identifiable natural person. |
| Special Category Personal Data | Sensitive data in special categories such as race, ethnicity, health, biometric or genetic data. |
| Data Controller | The natural or legal person who determines the purposes and means of processing personal data. |
| Data Processing | Any operation involving the collection, recording, storage, modification, transfer, or deletion of personal data. |
| Data Subject / Relevant Person | The natural person whose personal data is processed (User/Customer). |
| Explicit Consent | Informed and freely given consent regarding a specific matter. |
ARTICLE 3 – PERSONAL DATA COLLECTED
Our company adheres to the highest data minimization principles and collects only the following personal data that is necessary:
| Category | Data Collected | Explanation |
| --- | --- | --- |
| 3.1 Identity Information | Name, surname, date of birth | For age verification and campaigns |
| 3.2 Contact Information | Email, phone number, delivery/billing address | For orders and inquiries |
| 3.3 Financial Information | Billing information and transaction amounts | For accounting and legal obligations |
| 3.4 Transaction Information | Order history, purchased products, return records | For order management |
| 3.5 Digital Footprint Information | IP address, browser, operating system, visit durations | For site analysis and security |
| 3.6 Communication Records | Customer service correspondence and support requests | For service quality |
IMPORTANT: Your credit card information is absolutely not stored by our company; it is only processed in real-time by payment infrastructure providers that comply with international security standards (PCI-DSS).
ARTICLE 4 – PURPOSES AND LEGAL BASIS FOR PROCESSING PERSONAL DATA
Your personal data is processed under the UK GDPR only on the following legal grounds:
| Legal Basis | Purpose of Processing |
| --- | --- |
| Performance of the Contract | Order taking, product delivery, return/exchange processes, and membership account creation. |
| Legal Obligations | Invoicing, HMRC accounting statements, and compliance with consumer rights legislation. |
| Legitimate Interest | Customer service support, site usage analytics, fraud prevention, and cybersecurity. |
| Explicit Consent | Electronic communication and direct marketing (e-newsletters, special discount and campaign notifications). |
ARTICLE 5 – PRINCIPLES OF PERSONAL DATA PROCESSING
Our company processes your data in accordance with the following fundamental principles:
Compliance with the law, fairness, and transparency,
Being accurate and, where necessary, kept up to date,
Gathering for specific, clear and legitimate purposes,
Being relevant, limited and proportionate to the purposes for which they are processed,
Retention for the period stipulated in the relevant legislation or for the period necessary for the purpose for which they were processed.
ARTICLE 6 – TRANSFER OF PERSONAL DATA AND THIRD PARTIES
6.1 Domestic (United Kingdom) Transfer
Your data may be shared with shipping/logistics companies for the delivery of your orders, with secure payment providers for payment processing, and with UK authorities (HMRC etc.) as required by law.
6.2 International Transfer
Because our company operates globally, data transfer can be carried out via cloud infrastructure, email marketing services, or international shipping companies. For data transfers outside the European Economic Area (EEA), transfers are made to countries with an Adequacy Decision under the UK GDPR or to institutions providing binding legal safeguards such as the International Data Transfer Agreement (UK IDTA/SCC).
Your data will under no circumstances be shared with third parties who sell data.
ARTICLE 7 – SECURITY OF PERSONAL DATA
Technical Measures
SSL/TLS end-to-end encryption, firewalls, database encryption, regular security scans, and authorization mechanisms are implemented.
Administrative Measures
Data protection training for employees, Data Processing Agreements (DPA), third-party audits, and strict privacy policies are implemented.
Data Breach Notification
In the event of a potential data breach, the situation will be reported to the UK Information Commissioner's Office (ICO) and, where there is a risk, to the directly affected data subjects within 72 hours at the latest, in accordance with Article 33 of the UK GDPR.
ARTICLE 8 – DATA RETENTION PERIODS
Your data will be stored for the following periods in accordance with our legal obligations:
| Data Category | Retention Period | Basis |
| --- | --- | --- |
| Invoice, Financial and Accounting Records | 6 years from the end of the fiscal year | HMRC laws |
| Contract and Order Records | 6 years from the date of the transaction | Consumer laws / Legal disputes |
| Marketing Data | Until you cancel the subscription | Withdrawal of explicit consent |
Data whose retention period has expired is securely deleted or irreversibly anonymized in accordance with the Company's periodic data destruction policy.
ARTICLE 9 – COOKIE POLICY
Our website uses cookies under the UK Privacy and Electronic Communications Regulations (PECR) to provide you with a better user experience.
| Cookie Type | Purpose | Duration | Consent Status |
| --- | --- | --- | --- |
| Mandatory Cookies | Necessary for the site's basic functions. | Session duration | Mandatory (no consent required) |
| Analytical Cookies | Site performance and usage analysis | Up to 2 years | Explicit consent is required. |
| Marketing Cookies | Personalized content and advertising | Up to 1 year | Explicit consent is required. |
You can change your cookie preferences at any time through our website's cookie management panel.
ARTICLE 10 – RIGHTS OF THE DATA SUBJECT (UK GDPR)
Under UK law, you have the following rights:
| Right | Explanation |
| --- | --- |
| Right of Information and Access | To find out whether your data is being processed and to request a copy. |
| Right to Rectification | Requesting correction of incomplete or inaccurate data. |
| Right to Erasure (Right to be Forgotten) | Requesting the deletion of your data that is not subject to legal retention requirements. |
| Right to Restriction of Processing | Restricting the use of your data. |
| Right to Data Portability | Requesting transfer to another institution in a machine-readable format. |
| Right to Object | Objection to processing activities based on legitimate interest. |
| Withdrawal of Consent | You can revoke your consent to receive marketing emails at any time. |
ARTICLE 11 – EXERCISE OF RIGHTS AND APPLICATION
To exercise your rights, you can apply by email to uk@drmomhand.com. Your applications will be processed free of charge within a maximum of 1 (one) month in accordance with UK GDPR.
If you are not satisfied with the processing of your data, you have the right to complain to the Information Commissioner's Office (ICO), the UK Data Protection Authority (www.ico.org.uk).
ARTICLE 12 – PRIVACY OF CHILDREN
Our website and products are not directly aimed at children. Our company does not knowingly collect personal data from individuals under the age of 13. If we become aware that personal data of a child under this age has been provided to us, that data will be immediately deleted from our systems.
ARTICLE 13 – POLICY CHANGES
Our company reserves the right to update this Policy in accordance with changes in legal regulations or technological requirements. Important changes will be announced on the Site or notified to you via email. The currency of this document can be tracked by the “Last Updated” date in the header.