Privacy policy
Skinstation Limited (“We”, “Us”, “Our”) Privacy Statement.
This is Our Privacy Statement which details how We use your personal data (“Personal Data”) when you use our Website www.skinstation.co.uk. We take Our data protection responsibilities seriously.
1. Privacy Statement
1.1 This Website is owned by Skinstation Limited (“SSL”) a company registered in Guernsey at Albert House, South Esplanade, St. Peter Port, Guernsey GY1 1AJ with company number 70194. SSL’s registration reference with the Office of the Data Protection Authority (ODPA) in Guernsey is DPA7275.
1.2 The Data Protection (Bailiwick of Guernsey) Law 2017 and the European and UK General Data Protection Regulation (the “Regulations”) set out the responsibilities We have to protect your data.
1.3 This Privacy Statement sets out the way we will obtain and hold your Personal Data. This is known as “Processing”. When read together with Our Terms and Conditions of Use and Cookie Policy, this Privacy Statement covers our relationship with you in relation to this Website.
1.4 Any questions, comments and requests you may have regarding this Privacy Statement are welcomed and should be addressed to: Data Protection Officer, Skinstation Limited, Albert House, South Esplanade, Guernsey, GY1 1AJ or email DPO@skinstation.co.uk.
1.5 Skinstation Limited is established in Guernsey and is not established in the United Kingdom. As required by Article 27 of the UK GDPR, Skinstation has designated a UK representative who may be contacted by data subjects in the United Kingdom and by the Information Commissioner’s Office. Our UK Representative is Healthxchange Pharmacy UK Limited, 1st Floor Sackville House, 143–149 Fenchurch Street, London, EC3M 6BL. Data subjects located in the United Kingdom may contact the UK Representative in relation to Skinstation’s processing of their personal data, as may the Information Commissioner’s Office (ICO). The UK Representative acts in a representative capacity only; Skinstation remains solely responsible for its own compliance with the UK GDPR.
2. Data Protection Regulations
2.1 For the purposes of this Privacy Statement:
- We determine the purposes for which and the manner in which your Personal Data is, or is to be processed, and we are known as the data controller (“Data Controller”); and
- In submitting your data and information to us to collect, handle and process, you will be the individual who is the subject of the data (the “Data Subject”); and
- In processing your data and information, any other parties contracted by the Data Controller to process data will be known as data processors (“Data Processors”).
3. What information do We collect from you?
3.1 We may collect and process the following data and information that you give us if you fill in the Account Registration Form, place an order for Goods, or if you submit content on Our Website or otherwise by corresponding with us by phone, email or otherwise:
- Name and date of birth;
- Contact information including address, email address, phone number;
- Information necessary for the purposes of submitting an order for prescription products;
- Prescribed medication and directions for use.
3.2 We understand that the data collected at 3.1(c) and 3.1(d) is Sensitive Personal Data.
3.3 We will collect and process the following data automatically from your visit to Our Website:
- Technical information, including the internet protocol (IP) address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform;
- Information about your visit, including the full uniform resource locator (URL), clickstream to, through and from Our Website (including date and time), products you viewed or searched for, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), methods used to browse away from the page, and any phone number used to call Our customer service number and any other anonymised data or metrics that identify user behaviour and the habits of web visitors.
3.4 Some of the Personal Data we collect and process is necessary to enter into and perform Our contract with you or for us to meet our legal obligations.
4. Cookies
4.1 We use cookies on this Website to distinguish you from other users and to improve your experience. Non-essential cookies (including analytics and marketing cookies) will only be placed on your device after you have given your prior, informed consent using the Cookiebot consent tool (accessible via the privacy trigger icon in the bottom left-hand corner of the screen). Essential cookies, which are strictly necessary for the Website to function, do not require your consent. The use of cookies does not give Us access to your computer or any Personal Data beyond what you choose to share with Us.
4.2 You may choose to accept or decline cookies by using the Cookie Settings tool (accessible via the Cookiebot Privacy Trigger icon in the bottom left-hand corner of the screen) or modifying your own browser’s settings.
4.3 Further information on the cookies We use and how they work is available in Our Cookie Policy.
5. Third party links
5.1 The website may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. Please note that these websites and any services that may be accessible through them have their own privacy policies and that we do not accept any responsibility or liability for these policies or for any Personal Data that may be collected through these websites or services. Please check these policies before you submit any Personal Data to these websites or use these services.
6. How do We use the information?
6.1 We shall use the data and information you give to Us:
- To allow you to create an account;
- To process and analyse your order(s) including dispensing and dispatching the products;
- To keep and maintain Our internal business records;
- To manage customer service enquiries, for our internal training purposes, and for analysis and improvement of our website and business;
- If you give us express consent, to provide you with Our own tailored marketing information that We think may suit your interests and needs;
- To analyse how you use our website through third‑party analytics tools (such as Google Analytics) so that we can improve site performance, user experience, and our services;
- To manage and personalise our communications with you through customer relationship management (CRM) platforms (such as Klaviyo), including sending service‑related messages and—where you have given express consent—marketing communications tailored to your preferences.
6.2 We reserve the right to add to the list of uses in clause 6.1. We shall not use pre-collected data and information for any new uses of your data without consulting you and obtaining your express consent if we are required to do so under the Regulations.
6.3 Where you provide us with information for the purposes of account registration and orders described above, We may use that information to verify it and to process your application and order. We may also transfer the data to our Data Processors in order to fulfil or analyse your order.
6.4 We reserve the right to anonymise your data to obtain analysis while retaining your privacy.
7. Legal Basis for Processing
7.1 We will only use your Personal Data when the law allows us to do so. Most commonly we will use your Personal Data in one of the following circumstances:
- Where you have consented before the processing.
- Where we need to perform a contract we are about to enter or have entered with you.
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
- Where we need to comply with a legal or regulatory obligation.
7.2 The table below sets out the specific lawful basis We rely on for each processing activity:
| Processing Activity | Lawful Basis (Article 6) | Notes |
|---|---|---|
| Creating and managing your account | Contract — Art. 6(1)(b) | Necessary to perform our contract with you |
| Processing and fulfilling your order | Contract — Art. 6(1)(b) | Necessary to perform our contract with you |
| Dispensing prescription products | Contract — Art. 6(1)(b) + Art. 9(2)(h) for health data | See Section 7.4 below for special category data |
| Maintaining internal business records | Legitimate interests — Art. 6(1)(f) | LIA held on file with the DPO |
| Customer service and enquiry handling | Contract — Art. 6(1)(b) / Legitimate interests — Art. 6(1)(f) | Depends on whether query relates to an existing order |
| Direct marketing communications | Consent — Art. 6(1)(a) | You may withdraw consent at any time |
| Website analytics (Google Analytics) | Consent — Art. 6(1)(a) | Obtained via Cookiebot prior to any analytics cookies being set |
| CRM service messages (Klaviyo) | Legitimate interests — Art. 6(1)(f) | Service-related messages about your order or account. LIA held on file |
| CRM marketing messages (Klaviyo) | Consent — Art. 6(1)(a) | Only where you have given express consent to marketing |
| Fraud prevention and site security | Legitimate interests — Art. 6(1)(f) | LIA held on file with the DPO |
| Compliance with legal obligations | Legal obligation — Art. 6(1)(c) | e.g. tax, pharmacy, and regulatory requirements |
| Business sale or transfer | Legitimate interests — Art. 6(1)(f) | Disclosure to prospective buyers as part of due diligence |
7.3 Where We rely on legitimate interests as Our lawful basis, We have carried out a Legitimate Interests Assessment (LIA) to confirm that Our interests do not override your rights and interests. A copy of any relevant LIA is available on request from the DPO at DPO@skinstation.co.uk.
7.4 Special Category Data — Prescription Products
Where you order prescription products from Us, We collect and process data about your prescribed medication and directions for use. This constitutes Special Category Data (also referred to as Sensitive Personal Data) under data protection law and is subject to additional protections.
We process this data on the following Article 9 conditions:
- Article 9(2)(h) — processing necessary for the purposes of the provision of health care and treatment and the management of health-care systems and services, pursuant to a contract with a health professional; and
- Article 9(2)(a) — your explicit consent, obtained at the point of ordering.
This data is processed only to the extent necessary to dispense and fulfil your prescription order. It will not be used for any other purpose, including marketing, without your further explicit consent. Your prescription data will not be shared with third parties except where required to fulfil your order or where We are legally required to do so.
8. How do We handle your information?
8.1 The data and information We collect from you will be transferred to and securely stored by our hosting third party, Shopify UK.
8.2 We are committed to ensuring that your data and information is secure. In order to prevent unauthorised access or disclosure, We have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information We collect online, including:
- All data and information you provide to us is stored on secure servers;
- Any payment transactions will be encrypted using SSL technology;
- Where We have given you (or where you have chosen) a password which enables you to access certain parts of Our Website, you are responsible for keeping this password confidential. We ask you not to share a password with anyone;
- Erasing of information, and destruction of any copies kept;
- Regularly updating our review procedure.
8.3 Any Sensitive Personal Data that we collect as described at clause 3.1(c) and 3.1(d) shall be processed in accordance with the Regulations, and only to permit Us to process your request or enquiry. Your Sensitive Personal Data will be stored securely and will not be passed on to third parties.
9. Data retention
9.1 We will only retain your Personal Data for as long as necessary to fulfil the purposes for which it was collected. The table below sets out Our standard retention periods for different categories of data. Where a legal obligation requires a longer period, We will retain data for that period instead.
| Data Category | Retention Period | Reason |
|---|---|---|
| Customer account information | Duration of account + 6 years from closure | Contract limitation period |
| Order records (non-prescription) | 6 years from date of order | Contract limitation period (UK/Guernsey) |
| Prescription and medication records | 8 years from date of dispensing | GPhC guidance / pharmacy regulatory requirements |
| Payment and financial records | 7 years from transaction date | HMRC / tax and VAT obligations |
| Marketing consent records | Until consent withdrawn + 1 year | To demonstrate consent was validly obtained |
| Analytics data (Google Analytics) | 26 months | Google Analytics default retention setting |
| Customer service correspondence | 3 years from resolution | Limitation period for complaints |
| Fraud prevention records | 6 years | Limitation period / regulatory requirement |
9.2 In some circumstances you can ask us to delete your data: see Your legal rights below for further information.
9.3 In some circumstances we will anonymise your Personal Data (so that it can no longer be associated with you) for analytical purposes, in which case we may use this information indefinitely without further notice to you.
10. To whom may We disclose your information?
10.1 In providing us with data and information, you agree that We may disclose such information, where necessary for the purposes and uses listed in clause 6, to:
- Our employees, agents, representatives and any Data Processors officially contracted to process the data on Our behalf;
- Selected third parties including:
- Business partners, suppliers and sub-contractors for the performance of any contract We enter into with you;
- Analytic and search engine providers that assist us in the improvement and optimisation of Our Website;
- Payment card merchants who comply with PCI/DSS requirements;
- Any other third parties We are legally obliged to disclose your information to.
10.2 We will only disclose your Personal Data to parties who bear sufficient legal responsibility for its protection and who have sufficient privacy and security measures in place to reasonably ensure that it will be protected and handled appropriately.
10.3 We may disclose your Personal Data to third parties:
- In the event that We sell or buy any business or assets, in which case We will disclose your Personal Data to the prospective seller or buyer of such business or assets;
- If Our assets, or substantially all of Our assets are acquired by any third parties, in which case personal data held by it about Our customers will be one of the transferred assets;
- If We are under a duty to disclose or share your Personal Data in order to comply with any legal obligation, or in order to enforce or apply Our terms of use; or to protect Our rights, property or safety of Our customers or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
10.4 In order to offer you Klarna’s payment methods, we might in the checkout pass your personal data in the form of contact and order details to Klarna, in order for Klarna to assess whether you qualify for their payment methods and to tailor those payment methods for you. Your Personal Data transferred is processed in line with Klarna’s own privacy policy which can be accessed here.
10.5 To facilitate your participation in our loyalty scheme Personal Data in the form of contact and order details will be passed to Yotpo, in order for it to calculate your loyalty points. Your Personal Data transferred is processed in line with Yotpo’s own privacy policy which can be accessed here.
11. International Transfers
11.1 Whenever we transfer your Personal Data out of the UK/EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
- We transfer your Personal Data to countries that have been deemed to provide an adequate level of protection for Personal Data by the European Commission. For further details, see European Commission: Adequacy of the protection of Personal Data in non-EU countries.
- Where we use certain service providers, we may use specific contracts approved by the European Commission which give Personal Data the same protection it has in Europe. For further details, see European Commission: Model contracts for the transfer of Personal Data to third countries.
12. Your rights and how you can control use of your information
12.1 You have certain rights in relation to your Personal Data: to access your personal data, to erasure of your Personal Data, to restrict processing, to object to certain processing and to data portability.
12.2 You may choose to restrict the collection or use of your Personal Data in the following ways:
- (a) By leaving the “third party opt-in” box EMPTY on the Account Registration Form. If you do not consent we shall assume that you do not want the data and information to be used by us or by third parties for analytical, marketing and promotional purposes;
- (b) If you have previously agreed to us using your Personal Data for direct marketing purposes, you may change your mind at any time by writing to us at: Data Protection Officer, Skinstation Limited, Albert House, South Esplanade, St Peter Port, Guernsey GY1 1AW.
12.3 Your right of access can be exercised in accordance with the Regulations. Any access request will be free. If you would like a copy of the information held on you please write to us at Data Protection Officer, Skinstation Limited, Albert House, South Esplanade, St Peter Port, Guernsey GY1 1AW or email DPO@skinstation.co.uk.
12.4 If you believe that any information We are holding on you is incorrect or incomplete, please write to or email us as soon as possible, at the above address. We will promptly correct any information found to be incorrect.
12.5 Your Right to Object
Where We process your Personal Data on the basis of Our Legitimate Interests under Article 6(1)(f), you have the right to object to that processing at any time. If you object, We will cease processing your data unless We can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or where processing is necessary for the establishment, exercise, or defence of legal claims.
Processing activities We currently carry out on the basis of legitimate interests include: maintaining internal business records, certain customer service activities, fraud prevention, service-related CRM communications, and business sale or transfer (see Section 7.2).
To exercise your right to object, please contact the Data Protection Officer at DPO@skinstation.co.uk, setting out the specific processing activity you object to and the grounds for your objection. We will respond within one calendar month.
13. Changes to Privacy Statement
13.1 We reserve the right to make changes to this policy without notice from time to time by updating this page. Every time you wish to use Our Website, please check the statement to ensure you understand the terms that apply at that time.
13.2 The current statement was made effective as of June 2026.
14. Your right to complain
14.1 If you believe that your information held by us is not being handled properly, you have the right to complain to the competent data protection authority:
- Guernsey — https://www.odpa.gg/contact
- UK — https://ico.org.uk