# Skinform – Privacy Policy (UK GDPR + DPA 2018)

> **Summary (not a substitute for the full policy):** We collect limited personal data to operate a professional, subscription-based knowledge platform. We use it to create and manage accounts, process payments, provide support, improve the Service, and (with consent) send marketing. We don’t sell personal data. You have rights over your data. This policy explains what we collect, why, for how long, who we share it with, and your choices.

—

## 1) Who we are (Data Controller)

**Skinform** (“Skinform”, “we”, “us”, “our”) is the **data controller** for personal data described in this policy.

* **Legal entity:** \[Insert legal entity name]

* **Registered address:** \[Insert full address]

* **Company number:** \[Insert] (if applicable)

* **VAT number:** \[Insert] (if applicable)

* **ICO Registration:** \[Insert]

* **Contact (privacy):** \[[privacy@skinform.example](mailto:privacy@skinform.example)]

If any of the above changes, we will update this policy.

## 2) Scope

This policy applies when you visit **skinform.\[tld]**, create an account, use our platform, contact us, or receive our communications. It does **not** cover websites, services, or tools we link to that we do not control.

## 3) Children & special category data

* The Service is for **adults (18+)**. We do not knowingly collect data from children.

* We do **not** intend to process **special category data** (e.g., health data about your clients). Please **do not upload** patient information or special category data to the Service. If you believe you have provided such data in error, contact us to request deletion.

## 4) How we collect data

We collect data in the following ways:

* **Directly from you**: when you register, subscribe, manage your profile, contact support, or opt into marketing.

* **Automatically**: via cookies and similar technologies (see **Cookies** below) when you use the website.

* **From third parties**: payment processors (payment status, last 4 digits, expiry, billing address), authentication providers (if SSO is offered), and analytics/advertising partners where you consent.

## 5) What data we collect

### a) Account & profile

* Name, email address, password (hashed), organisation/role, seat assignments, plan details.

* Optional: display name, profile photo, country/timezone.

### b) Billing & subscriptions

* Transaction IDs, plan, price, currency, VAT status, billing address, last 4 digits of card and expiry (stored by our payment processor), payment status, invoices/receipts.

### c) Usage & device

* Log data (IP address, device/browser type, operating system), timestamps, pages viewed, features used, referral/UTM, error/diagnostic logs.

* Approximate location derived from IP for fraud prevention/locale.

### d) Support & communications

* Messages you send us (email, chat), form submissions, feedback, survey responses, and preferences (e.g., marketing opt‑in/opt‑out).

### e) Content you upload or generate

* Notes, saved results, internal library items, or other content you choose to store on the Service (avoid any client‑identifiable data).

## 6) Why we use your data (purposes & lawful bases)

We process personal data only where we have a lawful basis under the **UK GDPR**. Below are our main purposes and bases:

| Purpose                               | Examples                                                                                     | Lawful basis                                                                                                  |

| ————————————- | ——————————————————————————————– | ————————————————————————————————————- |

| **Account creation & administration** | Registering users, managing seats/permissions, authentication, emails about account/security | **Contract** (Art. 6(1)(b))                                                                                   |

| **Providing the Service**             | Delivering features, saved results, libraries, downloads, API access                         | **Contract**                                                                                                  |

| **Payments & billing**                | Processing subscriptions, VAT, invoices, fraud prevention                                    | **Contract**; **Legal obligation** (tax)                                                                      |

| **Customer support**                  | Responding to queries, troubleshooting, incident response                                    | **Legitimate interests** (to operate our Service) or **Contract**                                             |

| **Service improvement & analytics**   | Aggregate usage stats, error logs, A/B testing                                               | **Legitimate interests** (to improve and secure the Service) – balanced against your rights                   |

| **Security & abuse prevention**       | Detecting scraping, suspicious logins, rate‑limiting                                         | **Legitimate interests** (to protect the Service and users)                                                   |

| **Marketing communications**          | Newsletters, product updates, offers                                                         | **Consent** (opt‑in) or **Legitimate interests** for existing customers (soft opt‑in under PECR) with opt‑out |

| **Compliance & enforcement**          | Enforcing ToS, handling legal requests                                                       | **Legal obligation**; **Legitimate interests**                                                                |

You can withdraw consent at any time (see **Your rights**). Where we rely on legitimate interests, we assess and balance potential impact and your reasonable expectations.

## 7) Cookies & similar technologies

We use essential cookies to run the site and (with your consent) analytics/functional/advertising cookies. For details on each cookie, retention periods, and how to manage your preferences, see our **Cookie Policy** and the **Consent Manager** presented on first visit and available in the site footer.

## 8) How long we keep data (retention)

We keep data only for as long as needed for the purposes listed above:

* **Account data:** for the life of your account, then deleted or anonymised within **12 months** of closure (backups may take up to 30 days to cycle).

* **Billing/financial records:** at least **6 years** to comply with tax law.

* **Support tickets & emails:** typically **24 months** after resolution.

* **Marketing preferences:** until you opt out; suppression list retained to honour opt‑out.

* **Security logs:** typically **12 months** unless needed to investigate incidents.

  We may keep data longer where required by law or to establish, exercise, or defend legal claims.

## 9) Who we share data with (processors & recipients)

We **do not sell** personal data. We may share limited data with:

### a) Processors (service providers acting on our instructions)

* **Payment processing:** *e.g., Stripe Payments Europe, Ltd.* (cards, payment status, invoices).

* **Hosting & infrastructure:** *e.g., cloud hosting/CDN provider*.

* **Email delivery & CRM:** *e.g., transactional email provider; marketing email platform*.

* **Analytics & performance:** *e.g., analytics platform with IP anonymisation where configured*.

* **Support tools:** *e.g., helpdesk or chat provider*.

> We maintain contracts (Data Processing Agreements) with processors to ensure appropriate security and confidentiality. A current list of key processors is available here: **\[link to live vendor list]** and may change over time.

### b) Other recipients

* **Professional advisors** (legal, accounting) under confidentiality.

* **Authorities or courts** when required by law.

* **Business transferees** in connection with a merger, acquisition, or sale of assets (we will notify you where required).

## 10) International data transfers

Some processors may be located outside the UK/EEA. Where we transfer personal data internationally, we use appropriate safeguards, such as:

* **UK Addendum / International Data Transfer Agreement (IDTA)** or **EU Standard Contractual Clauses (SCCs)**; and

* Additional technical/organisational measures (encryption, access controls).

  Where applicable, we may rely on the **UK–US Data Bridge** for certified US recipients. You can request details of applicable safeguards.

## 11) Security

We use appropriate **technical and organisational measures** to protect personal data, including encryption in transit, access controls, least‑privilege principles, regular patching, backups, and staff training. No system is 100% secure; please protect your credentials and tell us immediately if you suspect unauthorised access.

## 12) Your rights

Under the UK GDPR, you have the right to:

* **Access** your personal data and receive a copy;

* **Rectify** inaccurate or incomplete data;

* **Erase** your data (where applicable);

* **Restrict** processing (temporarily limit use of your data);

* **Object** to processing based on legitimate interests or to direct marketing;

* **Data portability** (receive your data in a structured, commonly used format, where processing is by consent or contract and automated);

* **Withdraw consent** at any time (where processing is based on consent);

* **Lodge a complaint** with the UK Information Commissioner’s Office (ICO).

We respond to rights requests within **one month** (extendable by two months for complex requests). To exercise your rights, contact us at **\[[privacy@skinform.example](mailto:privacy@skinform.example)]**. We may need to verify your identity.

**ICO contact:**

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

ico.org.uk | Telephone: 0303 123 1113.

## 13) Marketing communications

You can manage your preferences via links in our emails or in your account settings. If you opt out of marketing, we may still send **service** and **transactional** emails (e.g., receipts, security alerts, policy updates).

## 14) Automated decision‑making

We do **not** perform automated decision‑making that produces legal or similarly significant effects. Some processors may use automated fraud checks; these should not have significant effects on you. Contact us if you have questions.

## 15) Do‑Not‑Track and signals

Our site does not respond to “Do Not Track” signals. You can manage cookies via the Consent Manager and your browser settings.

## 16) Changes to this policy

We may update this policy from time to time. Material changes will be notified in‑product or by email. Please review this page for the latest version.

## 17) Contact us

Questions or requests about this policy or your data:

**Email:** \[[privacy@skinform.example](mailto:privacy@skinform.example)]

**Post:** \[Insert postal address]

—

**Effective date:** \[Insert date]

—

### Appendix: Data map & retention (optional, internal summary)

> This appendix is a helpful internal summary and may be published for transparency.

| Category  | Examples                              | Source            | Typical retention                    |

| ——— | ————————————- | —————– | ———————————— |

| Account   | Name, email, password (hashed), seats | User              | Account life + 12 months             |

| Billing   | Invoices, payment status, VAT         | Payment processor | 6+ years                             |

| Usage     | Logs, IP, device, events              | Automatic         | 12 months                            |

| Support   | Emails, attachments                   | User              | 24 months                            |

| Marketing | Email preferences, events             | User/analytics    | Until opt‑out (suppression retained) |