1. GENERAL PROVISIONS
1.1. This privacy policy for the Online Store is for informational purposes only and does not impose obligations on users or customers of the Online Store. It primarily outlines the principles governing the processing of personal data by the Data Controller in the Online Store, including the legal bases, purposes, and retention periods of personal data processing, the rights of data subjects, and information regarding the use of cookies and analytical tools in the Online Store.
1.2. The Data Controller of personal data collected through the Online Store is ATOM HEALTHCARE LTD, a company registered in England and Wales (registered office and correspondence address: Royal Mail House, Terminus Terrace, Southampton, SO14 3FD); registered with Companies House under company number 13849176; VAT number: GB400333561; email address: info@otcdirect.plus; contact telephone number: +44 7507 132718. This entity is referred to as the “Data Controller” and also acts as the Service Provider of the Online Store and the Seller.
1.3. Personal data in the Online Store is processed by the Data Controller in accordance with applicable UK law, in particular the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. For further information on the UK GDPR, please refer to: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/.
1.4. Using the Online Store, including making purchases, is voluntary. Similarly, providing personal data by users or customers of the Online Store is voluntary, subject to two exceptions: (1) entering into contracts with the Data Controller – failure to provide personal data required for concluding and performing a Sales Contract or a contract for the provision of Electronic Services, as specified on the Online Store’s website, in its Terms and Conditions, and in this privacy policy, will result in the inability to enter into such a contract. Providing personal data in such cases is a contractual requirement, and if the data subject wishes to enter into a contract with the Data Controller, they must provide the required data. The scope of data required for concluding a contract is specified on the Online Store’s website and in its Terms and Conditions; (2) statutory obligations of the Data Controller – providing personal data is a legal requirement under applicable UK laws that impose obligations on the Data Controller to process personal data (e.g., for maintaining tax or accounting records), and failure to provide such data will prevent the Data Controller from fulfilling these obligations.
1.5. The Data Controller takes utmost care to protect the interests of data subjects whose personal data is processed, ensuring that the data is: (1) processed lawfully; (2) collected for specified, lawful purposes and not subjected to further processing incompatible with those purposes; (3) accurate and adequate for the purposes for which it is processed; (4) stored in a form that permits identification of data subjects for no longer than necessary to achieve the purpose of processing; and (5) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing, accidental loss, destruction, or damage, through appropriate technical or organisational measures.
1.6. Considering the nature, scope, context, and purposes of processing, as well as the risks to the rights and freedoms of individuals, the Data Controller implements appropriate technical and organisational measures to ensure compliance with the UK GDPR and to demonstrate such compliance. These measures are reviewed and updated as necessary. The Data Controller employs technical measures to prevent unauthorised access to or modification of personal data transmitted electronically.
1.7. Any words, expressions, or acronyms used in this privacy policy with initial capital letters (e.g., Seller, Online Store, Electronic Service) shall be interpreted in accordance with their definitions provided in the Terms and Conditions of the Online Store, available on the Online Store’s website.
2. LEGAL BASES FOR DATA PROCESSING
2.1. The Data Controller is entitled to process personal data where at least one of the following conditions is met: (1) the data subject’s consent has been obtained to the processing of their personal data for one or more specific purposes; (2) processing is necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject prior to entering into a contract; (3) processing is necessary for compliance with a legal obligation to which the Data Controller is subject; or (4) processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, particularly where the data subject is a child.
2.2. Processing of personal data by the Data Controller always requires at least one of the legal bases listed in section 2. Specific legal bases for processing personal data of users and customers of the Online Store are outlined in the next section of this privacy policy, in relation to the specific purpose of the data processing.
3. PURPOSE, LEGAL BASIS, AND RETENTION PERIOD OF DATA PROCESSING IN THE ONLINE STORE
3.1. The purpose, legal basis, retention period, and recipients of personal data processed by the Data Controller depend on the actions taken by the user or customer in the Online Store or on the Data Controller’s actions. For example, if a customer opts for in-person collection of a purchased product instead of courier delivery, their personal data will be processed to perform the Sales Contract but will not be shared with a courier service acting on behalf of the Data Controller.
3.2. The Data Controller may process personal data in the Online Store for the following purposes, on the legal bases, and for the retention periods specified in the table below:
Purpose of Data Processing | Legal Basis for Processing | Data Retention Period |
Performance of a Sales Contract or a contract for the provision of Electronic Services or taking steps at the request of the data subject prior to entering into such contracts | Article 6(1)(b) of the UK GDPR (performance of a contract) – processing is necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject prior to entering into a contract | Data is retained for the period necessary for the performance, termination, or other expiry of the Sales Contract or contract for the provision of Electronic Services, typically up to six years from the end of the contract to comply with the Limitation Act 1980 for potential claims. |
Direct marketing | Article 6(1)(f) of the UK GDPR (legitimate interests pursued by the Data Controller) – processing is necessary for the purposes of the legitimate interests of the Data Controller, which include promoting the interests and positive image of the Data Controller, its Online Store, and the sale of products | Data is retained for the duration of the legitimate interests pursued by the Data Controller, but no longer than six years from the last interaction with the data subject, as per the Limitation Act 1980 for claims related to business activities. The Data Controller may not process data for direct marketing purposes if the data subject has effectively objected to such processing. |
Marketing | Article 6(1)(a) of the UK GDPR (consent) – the data subject has given consent to the processing of their personal data for marketing purposes by the Data Controller | Data is retained until the data subject withdraws their consent to further processing for this purpose. |
Obtaining customer feedback on a concluded Sales Contract | Article 6(1)(a) of the UK GDPR (consent) – the data subject has given consent to the processing of their personal data for the purpose of providing feedback | Data is retained until the data subject withdraws their consent to further processing for this purpose. |
Maintaining accounting records | Article 6(1)(c) of the UK GDPR in conjunction with Section 221 of the Companies Act 2006 and HMRC requirements – processing is necessary for compliance with a legal obligation to which the Data Controller is subject | Data is retained for at least seven years from the end of the financial year to which the records relate, as required by HMRC for tax purposes. |
Establishing, pursuing, or defending claims that the Data Controller may raise or that may be raised against the Data Controller | Article 6(1)(f) of the UK GDPR (legitimate interests pursued by the Data Controller) – processing is necessary for the purposes of the legitimate interests of the Data Controller, which include establishing, pursuing, or defending claims | Data is retained for up to six years from the event giving rise to the potential claim, as per the Limitation Act 1980. |
Operating the Online Store’s website and ensuring its proper functionality | Article 6(1)(f) of the UK GDPR (legitimate interests pursued by the Data Controller) – processing is necessary for the purposes of the legitimate interests of the Data Controller, which include operating and maintaining the Online Store’s website | Data is retained for up to six years from the last interaction with the data subject, as per the Limitation Act 1980 for claims related to business activities. |
Conducting statistics and analysing traffic on the Online Store | Article 6(1)(f) of the UK GDPR (legitimate interests pursued by the Data Controller) – processing is necessary for the purposes of the legitimate interests of the Data Controller, which include conducting statistics and analysing traffic on the Online Store to improve its functionality and increase product sales | Data is retained for up to six years from the last interaction with the data subject, as per the Limitation Act 1980 for claims related to business activities. |
4. RECIPIENTS OF DATA IN THE ONLINE STORE
4.1. For the proper functioning of the Online Store, including the performance of Sales Contracts, the Data Controller may engage external entities (e.g., software providers, couriers, or payment processors). The Data Controller only uses the services of processors that provide sufficient guarantees of implementing appropriate technical and organisational measures to ensure compliance with the UK GDPR and protect the rights of data subjects.
4.2. Personal data may be transferred by the Data Controller to a third country, provided that the transfer complies with the UK GDPR, including the use of UK-approved standard contractual clauses where necessary. The Data Controller ensures that data subjects can obtain a copy of their data. Personal data is transferred only when necessary and to the extent required to achieve the specific purpose of processing outlined in this privacy policy.
4.3. The Data Controller does not transfer data to all recipients or categories of recipients listed in this privacy policy in every case – data is transferred only when necessary to achieve the specific purpose of processing and only to the extent required.
4.4. Personal data of users and customers of the Online Store may be transferred to the following recipients or categories of recipients:
4.4.1. Carriers / freight forwarders / courier brokers / entities managing warehouses or shipping processes – for customers who opt for postal or courier delivery, the Data Controller shares the customer’s personal data with the selected carrier, freight forwarder, or intermediary acting on behalf of the Data Controller, or with the entity managing the warehouse or shipping process, to the extent necessary to complete the delivery.
4.4.2. Entities processing electronic or card payments – for customers who use electronic or card payment methods, the Data Controller shares the customer’s personal data with the selected payment processor acting on behalf of the Data Controller to the extent necessary to process the payment.
4.4.3. Providers of survey systems for feedback – for customers who consent to providing feedback on a Sales Contract, the Data Controller shares the customer’s personal data with the selected provider of the survey system to the extent necessary to enable the customer to provide feedback.
4.4.4. Providers of technical, IT, and organisational solutions enabling the Data Controller to conduct business activities, including the Online Store and Electronic Services (e.g., providers of software for operating the Online Store, email and hosting providers, or software for business management and technical support) – the Data Controller shares the customer’s personal data with the selected provider acting on its behalf only when necessary and to the extent required to achieve the specific purpose of processing outlined in this privacy policy.
4.4.5. Providers of accounting, legal, and advisory services supporting the Data Controller (e.g., accounting firms, law firms, or debt collection agencies) – the Data Controller shares the customer’s personal data with the selected provider acting on its behalf only when necessary and to the extent required to achieve the specific purpose of processing outlined in this privacy policy.
4.4.6. Providers of social media plugins, scripts, and similar tools embedded on the Online Store’s website that enable the visitor’s browser to retrieve content from the providers of such plugins (e.g., login via social media credentials) and transfer personal data to these providers, including:
4.4.6.1. Meta Platforms Ireland Ltd. – The Data Controller uses social media plugins from Facebook on the Online Store’s website (e.g., Like button, Share button, or login via Facebook credentials) and collects and shares the personal data of users visiting the Online Store’s website with Meta Platforms Ireland Ltd. (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) in accordance with the privacy principles available here: https://www.facebook.com/privacy/policy/ (this data includes information about activities on the Online Store’s website, such as device information, visited pages, purchases, displayed ads, and how services are used, regardless of whether the user has a Facebook account or is logged in).
4.4.6.2. Google Ireland Ltd. – The Data Controller uses Google’s social media plugins on the Online Store’s website (e.g., login via Google credentials) and collects and shares the personal data of users visiting the Online Store’s website with Google Ireland Ltd. (Gordon House, Barrow Street, Dublin 4, Ireland) in accordance with the privacy principles available here: https://policies.google.com/privacy?hl=en-GB (this data includes information about activities on the Online Store’s website, such as device information, visited pages, purchases, displayed ads, and how services are used, regardless of whether the user has a Google account or is logged in).
5. PROFILING IN THE ONLINE STORE
5.1. The UK GDPR requires the Data Controller to inform data subjects about automated decision-making, including profiling, as referred to in Article 22 of the UK GDPR, and, at least in those cases, to provide meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject. With this in mind, the Data Controller provides information regarding possible profiling in this section.
5.2. The Data Controller may use profiling in the Online Store for direct marketing purposes, but decisions based on such profiling do not concern the conclusion or refusal of a Sales Contract or the ability to use Electronic Services in the Online Store. The effects of profiling may include, for example, offering a discount, sending a discount code, reminding about incomplete purchases, suggesting a product that matches the user’s interests or preferences, or offering better terms compared to the standard offer of the Online Store. Despite profiling, the data subject freely decides whether to use the discount or better terms and make a purchase in the Online Store.
5.3. Profiling in the Online Store involves the automatic analysis or prediction of a person’s behaviour on the Online Store’s website, such as adding a specific product to the cart, viewing a specific product page, or analysing the history of purchases made in the Online Store. Such profiling requires the Data Controller to have the data subject’s personal data to, for example, send a discount code.
5.4. The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.
6. RIGHTS OF DATA SUBJECTS
6.1. Right of access, rectification, restriction, erasure, or portability – The data subject has the right to request from the Data Controller access to their personal data, its rectification, restriction of processing, erasure (“right to be forgotten”), or portability. The conditions for exercising these rights are outlined in Articles 15–21 of the UK GDPR.
6.2. Right to withdraw consent at any time – Where personal data is processed based on consent (pursuant to Article 7 of the UK GDPR), the data subject has the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
6.3. Right to lodge a complaint with a supervisory authority – The data subject has the right to lodge a complaint with a supervisory authority in the manner and form specified in the UK GDPR and UK law, particularly the Data Protection Act 2018. The supervisory authority in the UK is the Information Commissioner’s Office (ICO). Further details are available at: https://ico.org.uk/make-a-complaint/.
6.4. Right to object – The data subject has the right to object at any time, on grounds relating to their particular situation, to the processing of their personal data based on Article 6(1)(e) (public interest or tasks) or (f) (legitimate interests) of the UK GDPR, including profiling based on those provisions. In such cases, the Data Controller may no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the data subject, or for the establishment, exercise, or defence of legal claims.
6.5. Right to object to direct marketing – Where personal data is processed for direct marketing purposes, the data subject has the right to object at any time to the processing of their personal data for such marketing, including profiling, to the extent that it is related to direct marketing.
6.6. To exercise the rights outlined in this section, the data subject may contact the Data Controller by sending a written message or email to the address provided at the beginning of this privacy policy or by using the contact form available on the Online Store’s website.
7. COOKIES IN THE ONLINE STORE AND ANALYTICS
7.1. Cookies are small text files sent by a server and stored on the device of a person visiting the Online Store’s website (e.g., on the hard drive of a computer, laptop, or smartphone’s memory card, depending on the device used). For detailed information about cookies and their history, please refer to: https://en.wikipedia.org/wiki/HTTP_cookie.
7.2. Cookies that may be sent by the Online Store’s website can be categorised as follows:
By provider: | By storage duration on the visitor’s device: | By purpose: |
7.3. The Data Controller may process data contained in cookies when visitors use the Online Store’s website for the following specific purposes:
Purposes of using cookies in the Data Controller’s Online Store
- Identifying logged-in users and showing that they are logged in (essential cookies)
- Remembering products added to the cart for placing an order (essential cookies)
- Storing data from completed order forms, surveys, or login details for the Online Store (essential and/or functional/preference cookies)
- Customising the Online Store’s website to the user’s preferences (e.g., colours, font size, layout) and optimising the use of the website (functional/preference cookies)
- Conducting anonymous statistics on how the Online Store’s website is used (analytical and performance cookies)
- Displaying and rendering ads, limiting the number of ad displays, ignoring ads the user does not wish to see, measuring ad effectiveness, and personalising ads by anonymously analysing the visitor’s behaviour (e.g., repeated visits to specific pages, keywords) to create a profile and deliver ads tailored to their predicted interests, including on other websites within the advertising networks of Google Ireland Ltd. and Meta Platforms Ireland Ltd. (marketing, advertising, and social media cookies)
7.4. You can check which cookies (including their duration and provider) are being sent by the Online Store’s website in the following ways in popular browsers:
- In Chrome: (1) Click the padlock icon in the address bar, (2) Go to the “Cookies” tab.
- In Firefox: (1) Click the shield icon in the address bar, (2) Go to the “Allowed” or “Blocked” tab, (3) Click “Cross-site tracking cookies,” “Social media trackers,” or “Content with trackers.”
- In Microsoft Edge: (1) Click the “Tools” menu, (2) Go to “Settings,” (3) Go to “Cookies and site permissions,” (4) Click “Manage and delete cookies and site data,” (5) Click “See all cookies and site data.”
- In Opera: (1) Click the padlock icon in the address bar, (2) Go to the “Cookies” tab.
- In Safari: (1) Click the “Preferences” menu, (2) Go to the “Privacy” tab, (3) Click “Manage Website Data.”
- Using external tools, such as: https://www.cookiemetrix.com/ or https://www.cookie-checker.com/
7.5. Most web browsers available on the market accept cookies by default. Users can define how cookies are used through their browser settings, such as partially restricting (e.g., temporarily) or completely disabling cookies. However, disabling cookies may affect some functionalities of the Online Store (e.g., it may prevent completing an order through the order form if products in the cart are not saved during the order process).
7.6. Browser settings regarding cookies are significant for consenting to the use of cookies by our Online Store – under UK law, such consent may also be expressed through browser settings. For detailed information on changing cookie settings and deleting cookies in popular web browsers, refer to the browser’s help section or the following pages:
In Chrome
In Firefox
In Internet Explorer
In Opera
In Safari
In Microsoft Edge
7.7. The Data Controller may use the following services in the Online Store:
7.7.1. Google Analytics and Universal Analytics, provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland).
7.7.1.1. Data collected is processed within these services to generate statistics for managing the Online Store and analysing website traffic. This data is aggregated. The Data Controller collects data such as the source and medium of website visitors, their behaviour on the Online Store’s website, information about devices and browsers used, IP address and domain, geographic and demographic data (age, gender), and interests.
7.7.1.2. Users can easily block the sharing of their activity on the Online Store’s website with Google Analytics, for example, by installing the browser add-on provided by Google Ireland Ltd., available here: https://tools.google.com/dlpage/gaoptout?hl=en-GB.
7.7.1.3. For full information on how Google Ireland Ltd. processes data of visitors to the Online Store (including data stored in cookies), refer to Google’s privacy policy: https://policies.google.com/technologies/partner-sites?hl=en-GB.
7.7.2. Meta Pixel, provided by Meta Platforms Ireland Limited (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland).
7.7.2.1. This service helps the Data Controller measure ad effectiveness, understand visitor actions on the Online Store, and display tailored ads to those visitors.
7.7.2.2. Users can manage Meta Pixel settings through their ad preferences on their Facebook account: https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen.
7.7.2.3. For full information on how Meta Platforms Ireland Limited processes data of visitors to the Online Store (including data stored in cookies), refer to Meta’s privacy policy: https://www.facebook.com/privacy/policy/.
7.7.3. Microsoft Clarity, provided by Microsoft Corporation (One Microsoft Way, Redmond, WA 98052-6399, USA).
7.7.3.1. This service helps the Data Controller understand visitor actions on the Online Store and optimise the purchasing process.
7.7.3.2. For detailed information about Microsoft Clarity, refer to: https://learn.microsoft.com/en-us/clarity/faq.
7.7.3.3. For full information on how Microsoft Corporation processes data of visitors to the Online Store (including data stored in cookies), refer to Microsoft’s privacy statement: https://privacy.microsoft.com/en-GB/privacystatement.
8. FINAL PROVISIONS
8.1. The Online Store may contain links to other websites. The Data Controller encourages users to review the privacy policies of those websites. This privacy policy applies solely to the Data Controller’s Online Store.