GDPR Compliance

GDPR Compliance & Data Protection

Last updated: December 2025

At Skin Elixir, I take your privacy and data protection seriously. This page explains how I comply with the UK General Data Protection Regulation (UK GDPR) and your rights regarding your personal data.

My Commitment to Data Protection

I am committed to:

  • Protecting your personal data
  • Being transparent about how I collect and use your data
  • Giving you control over your data
  • Complying with UK GDPR and data protection laws
  • Keeping your data secure

What Personal Data I Collect

When you visit my Site or make a purchase, I may collect the following personal data:

Information You Provide:

  • Contact details: Name, email address, phone number, shipping address, billing address
  • Order information: Products purchased, order history, payment details (processed securely by Shopify Payments)
  • Account information: Username, password (stored only as a one-way hash, never in plain text), preferences
  • Communication: Messages you send me via email, contact forms, or social media

Information Collected Automatically:

  • Device information: IP address, browser type, device type, operating system
  • Usage data: Pages visited, time spent on Site, links clicked, referral source
  • Cookies: See my Cookie Policy for details

Why I Collect Your Data (Legal Basis)

I collect and use your personal data for the following purposes:

1. To Fulfill Your Orders (Contract Performance)

  • Process and deliver your orders
  • Send order confirmations and shipping updates
  • Handle returns, refunds, and customer service inquiries

Legal basis: Performance of a contract (to fulfill your order).

2. To Communicate With You (Legitimate Interest)

  • Respond to your questions and requests
  • Provide customer support
  • Send important updates about your order or account

Legal basis: Legitimate interest in providing good customer service.

3. To Send Marketing Communications (Consent)

  • Send you newsletters, product updates, and promotional offers (only if you've opted in)
  • Share new product launches and special offers

Legal basis: Your consent (you can unsubscribe at any time).

4. To Improve My Site and Services (Legitimate Interest)

  • Analyze how visitors use the Site
  • Improve Site performance and user experience
  • Develop new products and services

Legal basis: Legitimate interest in improving my business.

5. To Comply With Legal Obligations (Legal Requirement)

  • Comply with tax, accounting, and legal requirements
  • Prevent fraud and ensure Site security

Legal basis: Legal obligation.

Who I Share Your Data With

I do not sell your personal data to third parties. However, I may share your data with trusted service providers who help me run my business:

Service Providers:

  • Shopify – E-commerce platform (hosts my Site, processes payments, stores customer data)
  • Payment processors – Shopify Payments, PayPal (process payments securely)
  • Shipping carriers – Royal Mail, courier services (deliver your orders)
  • Email marketing – Klaviyo or Shopify Email (send newsletters and marketing emails, only if you've opted in)
  • Analytics – Google Analytics (analyze Site usage)
  • Advertising – Facebook/Meta, Google Ads (show relevant ads, only if you've consented to marketing cookies)

These service providers are contractually obligated to protect your data and use it only for the purposes I specify.

Legal Requirements:

I may disclose your data if required by law, court order, or government authority.

How I Protect Your Data

I take data security seriously and use appropriate technical and organizational measures to protect your personal data, including:

  • Secure hosting – The Site is hosted by Shopify and served over HTTPS (TLS), so data is encrypted in transit
  • Hashed passwords – Your account password is stored as a one-way hash, so it cannot be read back by me or by Shopify
  • Secure payment processing – Payment details are processed by Shopify Payments or PayPal; I never see or store your full card details
  • Access controls – Only I have access to the store's customer data; the service providers listed above receive only the data they need for their role
  • Regular backups – Data is backed up regularly

However, no method of transmission over the internet is 100% secure. While I strive to protect your data, I cannot guarantee absolute security.

How Long I Keep Your Data

I retain your personal data only for as long as necessary to fulfill the purposes outlined above:

  • Order data: 7 years (for tax and accounting purposes, as required by UK law)
  • Marketing data: Until you unsubscribe or request deletion
  • Account data: Until you request account deletion
  • Analytics data: Anonymized and retained for up to 26 months (Google Analytics default)

Your Data Protection Rights (UK GDPR)

Under UK GDPR, you have the following rights regarding your personal data:

1. Right to Access

You have the right to request a copy of the personal data I hold about you.

2. Right to Rectification

You have the right to request that I correct any inaccurate or incomplete data.

3. Right to Erasure ("Right to be Forgotten")

You have the right to request that I delete your personal data (subject to legal obligations, such as tax records).

4. Right to Restrict Processing

You have the right to request that I limit how I use your data.

5. Right to Data Portability

You have the right to request a copy of your data in a structured, machine-readable format.

6. Right to Object

You have the right to object to my processing of your data for marketing purposes or based on legitimate interests.

7. Right to Withdraw Consent

If I process your data based on your consent (e.g., marketing emails), you have the right to withdraw consent at any time.

How to Exercise Your Rights:

To exercise any of these rights, please contact me at:

Email: shona@skinelixir.co.uk

I will respond to your request within one month, as UK GDPR requires. For complex or multiple requests this period can be extended by up to two further months, in which case I will tell you why within the first month.

Marketing Communications

I will only send you marketing emails if you have opted in to receive them. You can unsubscribe at any time by:

  • Clicking the "Unsubscribe" link in any marketing email
  • Contacting me at shona@skinelixir.co.uk
  • Updating your preferences in your account settings

Children's Privacy

My Site is not intended for children under 16. I do not knowingly collect personal data from children. If you believe I have collected data from a child, please contact me immediately.

International Data Transfers

Your data is stored on Shopify's servers, which may be located outside the UK/EU. Shopify is certified under the EU-US Data Privacy Framework and relies on safeguards approved under UK GDPR for transfers of personal data out of the UK.

Changes to This Policy

I may update this GDPR Compliance page from time to time to reflect changes in legislation or my business practices. Any changes will be posted on this page with an updated "Last updated" date.

Contact Me

If you have any questions about GDPR compliance, data protection, or your rights, please contact me:

Email: shona@skinelixir.co.uk
Website: skinelixir.co.uk

Skin Elixir
Nottingham, UK

Supervisory Authority

If you believe I have not handled your data properly, you have the right to lodge a complaint with the UK's supervisory authority:

Information Commissioner's Office (ICO)
Website: ico.org.uk
Phone: 0303 123 1113

💚 Thank you for trusting Skin Elixir with your data.
