Privacy

1.1. Oversight

Monderma Limited (“Monderma”, “we”, “us”, or “our”) is the data controller responsible for the personal information collected through this website.

Monderma is registered with the Information Commissioner’s Office (ICO) under registration reference ZB570848.

For all privacy-related enquiries, please contact us by email, social media, or post.

1.2. Commitment

We are committed to protecting personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).

This Privacy Policy explains what personal data we collect, how it is used, the lawful bases for processing, how it is protected, and the rights available to individuals.

This Privacy Policy should be read together with our Terms and Conditions and Information Leaflet, and does not override or replace them.

2.1. Categories

Personal information, also known as personal data, refers to any information relating to an identified or identifiable individual.

We may collect and process the following types of personal information:

Type           Examples
Identity       First name, last name, date of birth, gender
Contact        Billing address, shipping address, email address, phone number
Financial      Transaction details
Technical      IP address, operating system, browser, device
Usage          Consultations, subscriptions, orders, feedback, complaints
Communication  Marketing preferences, correspondence history

This information is collected and used only where necessary to provide, operate, and improve our products and services.

2.2. Health

Health information is collected as special category personal data only where necessary to provide consultations and ongoing treatment, and is never used for marketing purposes.

Provision of health information is necessary to assess suitability for treatment. Failure to provide required information may prevent us from providing consultations or treatment services.

2.3. Sensitive

We do not intentionally collect special category data relating to sexual orientation, religious beliefs, political opinions, trade union membership, or criminal conviction data.

This website is not intended for individuals under the age of 16, and we do not knowingly collect personal data from children under the age of 16. If we become aware that such data has been collected, we will delete it promptly.

2.4. Aggregation

We may use aggregated or anonymised data for analytics, research, service improvement, and reporting. This data does not directly identify individuals.

Where anonymised data is combined with personal information in a manner that could identify an individual, it will be treated as personal data and protected accordingly.

3.1. Direct

Personal information may be collected through direct interactions with us, including via website forms, email, telephone, social media, or post.

This information is collected for the purposes of providing our services, responding to enquiries, processing consultations or orders, and managing your account or subscription.

3.2. Automated

We use cookies, server logs, and other automated technologies to collect technical information about your browsing activities and devices.

Cookies are small data files stored on your browser or device which help enable website functionality, improve performance, and support analytics and marketing activities.

You may disable cookies by adjusting your browser settings. However, certain features of the website may not function properly if cookies are disabled.

The following table outlines the types of cookies used and their purpose:

Type         Purpose
Essential    Enables core website functions, including checkout and account
Performance  Tracks usage to improve functionality
Functional   Recognises returning customers and remembers preferences
Targeting    Tailors content and promotions

The following third-party platforms may place cookies or process personal information on our behalf:

Name         Purpose
WordPress    Provides core website infrastructure and content management
WooCommerce  Manages subscriptions and orders
Pay360       Processes secure payments and financial transactions
LexisNexis   Verifies identity and performs fraud and compliance checks
Microsoft    Hosts cloud infrastructure and email services
Google       Analyses website usage and measures advertising performance
Meta         Personalises advertising and tracks campaign performance
Royal Mail   Delivers orders and provides shipment tracking services

These providers act as data processors under contractual obligations and process personal information only in accordance with our instructions and applicable data protection law.

4.1. Purpose

Personal information is processed only where a lawful basis applies, including the performance of a contract, legitimate interests, or compliance with legal obligations, as outlined below:

Type                        Purpose                   Basis
Identity, Contact           Account registration      Contract
Identity, Financial, Usage  Order fulfilment          Contract and explicit consent
Identity, Usage             Customer support          Contract
Technical                   Website security          Legitimate interest
Technical, Usage            Analytics                 Consent
Contact, Communication      Marketing communications  Consent

4.2. Changes

Personal information is used only for the purposes for which it was collected unless a compatible purpose is identified in accordance with applicable data protection law.

If personal information is required for an unrelated purpose, we will notify you and explain the legal basis for that processing, unless otherwise permitted by law.

4.3. Third parties

Personal information may be shared with our employees, contractors, service providers, professional advisers, and relevant legal or regulatory authorities, and in connection with corporate transactions such as business restructuring, mergers, or acquisitions.

All third parties are contractually required to respect the security of personal information and to process it only in accordance with our documented instructions and applicable data protection law.

4.4. Transfers

Where personal information is transferred outside the UK, appropriate safeguards are implemented.

These may include transfers to countries recognised as providing an adequate level of data protection or the use of approved International Data Transfer Agreements (IDTAs) or Standard Contractual Clauses (SCCs).

4.5. Marketing

Direct marketing communications are sent only with your consent, except where permitted under the Privacy and Electronic Communications Regulations (PECR) soft opt-in provisions.

You can opt out of marketing communications at any time using the unsubscribe link in emails or by contacting us directly. Opting out does not affect essential service-related communications.

5.1. Account

You are responsible for maintaining account security by using trusted devices, up-to-date security software, secure passwords, and two-factor authentication where available.

Further guidance on protecting personal information online is available from the National Cyber Security Centre (NCSC) website.

5.2. Compliance

We implement appropriate technical and organisational measures to prevent unauthorised access, loss, misuse, alteration, or disclosure of personal information.

Access to personal information is restricted to individuals with a legitimate business need and who are subject to confidentiality obligations.

Procedures are in place to detect, investigate, and respond to suspected data breaches, and to notify regulators and affected individuals where required by law.

5.3. Retention

Identity, contact, and usage information is retained only for as long as necessary to fulfil the purposes for which it was collected and to comply with legal obligations.

Financial records are typically retained for up to six years for tax and accounting purposes.

Technical and communications information is retained for as long as necessary to provide services or until consent is withdrawn, where processing is based on consent.

Anonymised data may be used for research or statistical purposes indefinitely.

6.1. Requests

You have the legal right to request access to, correction of, or deletion of your personal data. You may also request restriction of processing, object to processing, request data portability, or withdraw consent where processing is based on consent.

Data Subject Access Requests (DSARs) can be made by contacting us by email, social media, or post.

6.2. Response

We do not charge a fee for exercising your rights unless a request is manifestly unfounded or excessive.

We aim to respond to requests within one month, although complex requests may require additional time as permitted under applicable data protection law.

6.3. Disputes

If you have concerns about how we process your personal data, please contact us in the first instance so we can attempt to resolve the issue.

If the matter remains unresolved, you have the right to file a complaint with the Information Commissioner’s Office (ICO) on their website.