IMPORTANT INFORMATION
This policy (together with our Terms of Website Use and any other documents referred to within) sets out the basis on which any Personal Data we collect from you, or that you provide to us, will be processed by us. Please read the following carefully to understand our practices regarding your Personal Data. By visiting www.opatra.com (our site) you are accepting and consenting to the practices described in this policy.
For the purpose of the General Data Protection Regulations (GDPR), the data controller is Opatra Ltd, 447 High Road, London N12 0AF, United Kingdom. Opatra Ltd has appointed a Data Protection Officer (DPO) who can be contacted at firstname.lastname@example.org.
We know that you value your privacy and the security of personal information held about you. We are committed to handling your Personal Data and personal sensitive data in line with data protection law and principles, which means that your data will be:
Used lawfully, fairly and in a transparent way.
Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
Relevant to the purposes we have told you about and limited only to those purposes.
Accurate and kept up to date.
Kept only as long as necessary for the purposes we have told you about.
apply for or buy our products or services;
create an account on our website;
subscribe to our service or publications;
request marketing to be sent to you; or
give us some feedback.
register your product warranty.
Automated technologies or interactions: As you interact with our website, we may automatically collect data about your equipment, browsing actions and patterns. We collect this Personal Data by using cookies, and other similar technologies.
Third parties or publicly available sources: We may receive personal data about you from various third parties and public sources as set out below:
Technical data from analytics providers such as Google based outside the EU.
Contact and financial data from providers of technical, payment and delivery services such as our bank based inside the EU.
Contact data from publicly available sources such as Companies House based inside the EU.
Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with goods or services). In this case, we may have to cancel a product or service you have with us but we will notify you if this is the case at the time.
To see what personal data we collect, for what purpose, how we use it, retain it and secure it, please see the different categories below.
RETAIL CUSTOMERS AT OPATRA LTD
In order to provide the highest quality service, we may use our analyser to know your skin type. As part of providing a professional, safe and efficient service, there is certain information that we record. Such information may include:
basic details about you, such as name, address, date of birth, next of kin;
other details and notes about your skin type
Processing Information
We process your personal data, which includes:
We hold your Personal Data on a secure system.
Your Rights
You have the right to confidentiality under the General Data Protection Regulation and the common law duty of confidence. All of our staff contracts of employment contain a requirement to keep customers' information confidential. All staff must comply with the Code of Practice on Confidential Information. Our guiding principle is that we process your records in strict confidence. You have the right to ask for a copy of all records about you (generally in paper or electronic form).
Generally, there will be no charge for a printed copy of the information we hold about you. We are required to respond to your request within one month. You will need to give adequate information in order for office staff to identify you (for example, full name, address and date of birth). You will be required to provide ID, for example a passport, full driving licence or credit/debit card, before any information is released to you. If you think any information we hold on you is inaccurate or incorrect, please let us know. You may object to us holding your information. If you have any further queries about this policy, or wish to find out more about your rights, please contact the Data Protection Officer at email@example.com.
2. Retail orders placed in the office or over the telephone
What information is collected?
When you place an order for, or apply for a VAT refund for, products purchased, we may collect the following Personal Data from you: Name, title, postal address, email address, home telephone, mobile number, payment information (i.e. bank or credit card details), order history, age/date of birth, information on the handling of your request, and other Personal Data you voluntarily provide to us.
What is the purpose of the processing?
We process this Personal Data to provide you with our products or services and take payment for such products or services that you have requested from us.
Where and for how long is the data stored?
We store your Personal Data securely on site or securely archived off-site in the UK as long as we are required to keep the information by law, normally up to six years.
Who may the information be shared with?
We may share this information with our employees to provide a safe and secure service, as well as our merchant payment services provider, and delivery provider.
What is the legal basis for processing the Personal Data?
We need this information to process your order or any other service you request from us (performance of a contract). If we need information about you that is considered sensitive (e.g. information on your skin) we will inform you in a transparent manner about our legal obligations to process such personal data. Your data is not used for any further purpose including marketing.
WHOLESALE AND ACCOUNT CUSTOMERS
What information is collected?
When you apply for an Opatra Ltd account (on-line or off-line), we may collect the following Personal Data from you: name, title, professional registration number, postal address for deliveries, invoice address, email address, business telephone number, mobile number, prescriber name, prescriber title, prescriber professional registration number, bank reference, trade reference, signature, photographic identification, date of birth, gender.
When you use your account to place an order, we may collect the following further Personal Data from you: prescriptions for your patients (including their name, address, date of birth, skin information), payment information (i.e. bank, debit/credit card, cheque details), and a further delivery address. We may also collect further information in the event of a dispute, return, refund or complaint.
You must ensure that the information you provide is accurate and complete. Failure to provide accurate information may lead to your account being closed.
With regard to each of your visits to our site we may automatically collect the following information:
technical information, including the Internet protocol (IP) address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform;
information about your visit, including the full Uniform Resource Locators (URL) clickstream to, through and from our site (including date and time); products you viewed or searched for; page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page and any phone number used to call our customer service number.
What is the purpose of the processing?
We process this Personal Data to provide you with an account at Opatra Ltd, including an account identifier, so that you can place orders for our products. We process this further Personal Data to provide you with your orders, dispense medication for your patients, take payment for your orders, and deal with any queries or returns or complaints.
Where and for how long is the data stored?
On-line applications are kept on a secure European-based server and cloud. Off-line applications are kept securely on-site. After two years, off-line applications are moved to a secure archive off-site. Access to such information is limited to those members of staff that need to access them. All applications are kept as long as the account remains in use, and up to seven years after the last transaction. You are responsible for updating your key contact information on your account. Such updates may only be accepted in writing.
Orders sent through the Opatra Ltd Portal at opatra.com are kept encrypted on a secure EU-based server and cloud. Access to such orders/prescriptions is limited to those members of staff that need to access them.
Order and payment details, as well as complaints and credit notes are kept on our secure accounts EU-based server and cloud system for as long as is legally required, normally up to seven years as per HMRC guidelines. Debit or credit card details are not retained at any point, except for the merchant receipt.
If you opt in (on-line or off-line) to receive on-line marketing and offers we will add your name and email address to our marketing database, which maintains equivalency to EU data protection under the Shield certification. Please review their data policy here https://mailchimp.com/legal/terms/. You can change your marketing preferences at any time and will always be offered the opportunity to unsubscribe. We process your name and email address on this basis under your positive consent to do so.
Under EU direct marketing laws we may also send you on-line marketing if you have previously placed an order with us. You can change your marketing preferences at any time and will always be offered the opportunity to unsubscribe. We may from time to time send direct print marketing to you, under our legitimate interests. We will still contact you regarding your account or orders even if you have opted out of receiving marketing from us.
Who may the information be shared with?
We may share Personal Data that we receive from account holders, including information used to set up their account, with the following third parties:
Our group companies - We may share your personal information with any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006. Where our group members are not based in the EEA we will ensure that any transferred data is treated in a manner commensurate with EU data protection laws.
Our service providers - This includes external third-party service providers, such as accountants, auditors, experts, lawyers, credit reference agencies, and other outside professional advisors; IT systems, support and hosting service providers; printing, advertising, marketing and market research and analysis service providers; document and records management providers; technical engineers; data storage and cloud providers and similar third-party vendors and outsourced service providers that assist us in carrying out business activities. All our on-line service providers are based in the EU or have equivalency to EU data protection under the Shield certification. Our website has implemented Google Analytics Demographics and Interest Reporting. Any demographic reports produced using this data will be used to determine a better understanding of our website traffic. You can opt out of Google Analytics for Display Advertising and customize Google Display Network ads using the Ads Settings. In addition, you can use the Google Analytics Opt-Out Browser Add-on to disable tracking by Google Analytics. Please also see our Cookies policy for further information.
Government or other public authorities - Including, but not limited to, HMRC, law enforcement or other agencies to which we are required to disclose Personal Data by law, or by a warrant, subpoena or court order.
Professional regulators - This includes the MHRA, GPhC, Royal Pharmaceutical Society, GMC, GDC, and NMC, who ensure we maintain appropriate professional and service standards and that your declarations and ours are accurate for compliance and enforcement purposes.
Our Suppliers - Occasionally, we may share Personal Data limited to your account number and partial post code with our suppliers to fulfil our and your legitimate interests. We will always do this under contract and you may write to us to opt out.
Third parties - In the event that we sell or buy any business or assets, we may disclose your personal data to the prospective seller or buyer of such business or assets. If Opatra Ltd or substantially all of its assets are acquired by a third party, Personal Data held by it about its customers will be one of the transferred assets.
What is the legal basis for processing the Personal Data?
We may process your Personal Data on the following bases:
To carry out our obligations arising from any contracts entered into between you and us and to provide you with the information, products and services that you request from us;
Process prescriptions in the performance of a task in the public interest for the provision of skincare and treatment and to comply with our legal obligations. Office members are responsible for the confidentiality of your information;
Fulfil our legal and regulatory obligations such as preventing, investigating and detecting crime, fraud or anti-social behaviour and prosecuting offenders, including working with law enforcement agencies or the regulators.
Exercise tasks under our legitimate interests such as to:
enforce our terms and conditions, notably conditions of returns, refunds and payments;
handling customer contacts, queries and complaints or disputes;
to protect our operations or those of any of our group companies;
to protect our rights, privacy, safety of property, and that of our group companies, you or others;
to allow us to pursue available remedies or limit our damages;
ensure the security and integrity of our services and ensure our websites operate effectively;
to administer our website and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes.
to improve our website to ensure that content is presented in the most effective manner for you and for your computer;
where we extend credit to you for the products we may pass your Personal Data to credit reference agencies and they may keep a record of any search that they do. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
Your consent in relation to marketing; to deliver relevant on-line advertising to you; to make suggestions and recommendations to you and other users of our site about goods or services that may interest you or them.
TRAINING AND EVENT DAY
What information is collected?
When you book onto a training course or an Event day run or hosted by Opatra Ltd we may collect the following Personal Data from you:
Name, title, postal address, email address, home telephone, mobile number, payment information (i.e. bank or credit card details), order history, professional registration and qualification, training history, information on the handling of your request and any other Personal Data you voluntarily provide to us.
When you volunteer to be a model on a training course at our premises or off-site we may collect the following Personal Data from you:
Name, title, postal address, email address, home telephone, mobile number, treatment history, data, complaints, reactions, age / date of birth, information on the handling of your request and any other Personal Data you voluntarily provide to us.
What is the purpose of the processing?
We process this Personal Data to book you onto a course or event day, ensure that you have the necessary qualifications and experience to join the course, and take payment if required. Also, we keep a record of attendees and can issue a certificate for training on OPATRA products.
ACCESS TO INFORMATION
Under the General Data Protection Regulations you have the following rights:
Obtain from us confirmation as to whether or not we process Personal Data from you and, where that is the case, access to your Personal Data;
Rectification of inaccurate Personal Data;
Erasure of Personal Data;
Objection to the processing of Personal Data;
Restriction of processing of Personal Data; and
Portability of Personal Data – to receive the Personal Data you have provided to us in a structured, commonly used and machine-readable form and transmit it to another data controller.