Privacy Policy
Last updated: 10 September 2025
This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use the My Cosmetic Pharma website (“Website”) and our services. We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Who we are (Data Controller)
The Website is owned and operated by COSMETICS SURGERY LIMITED (trading as My Cosmetic Pharma), Company No. 12404564, registered address: 158-160 Kenton Rd, Harrow, HA3 8AZ, United Kingdom (“we”, “us”, “our”). We are the data controller for the personal information processed via the Website and in connection with our services.
Contact: info@mycosmeticcentre.co.uk | Tel: +44 (0)20 3621 2370
ICO (Information Commissioner’s Office) registration: [insert ICO registration number].
2. Personal data we collect
- Identity & contact data: name, email, phone, address, date of birth (where needed for healthcare services or verification).
- Health & medical information (special category data): information you provide in consultation forms, health questionnaires, prescription requests, or during clinical care.
- Order & service data: services requested, appointments, communications, purchase history.
- Technical data: IP address, device identifiers, browser type/version, pages viewed, time zone, and similar information (via cookies/analytics).
- Marketing preferences: your choices for receiving updates, promotions, and reminders.
- Payment data: last 4 digits/transaction references from payment processors (we do not store full card details on our servers).
We collect data directly from you (forms, phone, email), automatically via cookies, and from partners such as laboratories, prescribers, and regulated healthcare providers where required to deliver care and with a lawful basis.
3. How we use your data & lawful bases
- Provide clinical/pharmacy services (consultations, prescription processing, dispensing, aftercare). Lawful basis: performance of a contract; and for special category health data: healthcare purposes by a health professional or under their responsibility (Art. 9(2)(h) UK GDPR).
- Manage your account and bookings and communicate about your care. Lawful basis: contract; legitimate interests.
- Regulatory, safety & audit (GPhC standards, pharmacovigilance, incident reporting). Lawful basis: legal obligation; public interest in public health; substantial public interest.
- Payments & invoicing. Lawful basis: contract; legal obligation (tax/records).
- Improve our Website & services (analytics, troubleshooting, security). Lawful basis: legitimate interests.
- Marketing (optional). Lawful basis: your consent (you can withdraw at any time). You may opt out of marketing emails by clicking “unsubscribe” or contacting us directly.
Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal.
4. Special category (health) data
Health information is processed only when necessary to provide healthcare or pharmacy services, under the responsibility of a health professional or another person owing a duty of confidentiality. We apply enhanced safeguards and access controls to protect this data.
5. Cookies & analytics
We use cookies and similar technologies to operate the Website, remember preferences, and measure performance. Where required, we obtain your consent via a banner. You can manage preferences at any time.
For details, please see our Cookie Policy.
6. Disclosures & recipients
We may share data with:
- Prescribers, laboratories, and regulated healthcare professionals involved in your care.
- Payment processors, IT/cloud providers, communications and identity verification tools.
- Regulators and authorities (e.g., GPhC, MHRA, ICO) where legally required.
- Professional advisers (legal, compliance, auditors) under confidentiality obligations.
We do not sell your personal data. Third parties are bound by data protection obligations and process data only on our documented instructions where applicable (as processors).
7. International transfers
If we transfer data outside the UK, we will ensure appropriate safeguards (e.g., UK IDTA/Addendum, adequacy regulations, or equivalent) and conduct transfer risk assessments where required. You can contact us for details of current safeguards.
8. Data retention
We keep personal data only as long as necessary for the purposes collected and to meet legal, regulatory, and clinical record-keeping obligations. For example:
- Pharmacy/clinical records: typically retained for at least 10 years in line with professional guidance.
- General enquiry or marketing data: retained for up to 2 years unless you opt out sooner.
9. Security
We implement technical and organisational measures to protect your data, including encryption in transit, role-based access, staff training, and policies. While no system is completely secure, we work to prevent unauthorised access, alteration, disclosure, or loss.
10. Your rights
Under UK data protection law, you may have the right to:
- Access your personal data and receive a copy.
- Rectify inaccurate or incomplete data.
- Erase data in certain circumstances.
- Restrict or object to processing, including for direct marketing.
- Request data portability (where applicable).
- Withdraw consent where processing is based on consent.
To exercise these rights, contact us at info@mycosmeticcentre.co.uk. We may need to verify your identity before responding.
You also have the right to lodge a complaint with the ICO: ico.org.uk.
11. Children
Our services are intended for individuals aged 18 and over. We do not knowingly collect or process data of children under 18.
12. Changes to this Policy
We may update this Policy from time to time. The latest version will always be available on this page with the “Last updated” date shown above.
13. Contact us
If you have questions about this Policy or how we handle your data, please contact our privacy team at info@mycosmeticcentre.co.uk.