Privacy Policy

Pharma-e Limited (trading as Clever Beauty)
www.cleverbeauty.com
Last reviewed: June 2026

1. About Us and This Policy

Pharma-e Limited, trading as “Clever Beauty” (“We”, “Us”, “Our”), is committed to protecting your personal data. This Privacy Policy explains how We collect, use, store and share your personal data when you use Our website at www.cleverbeauty.com (the “Website”).

Please read this Policy carefully. By using Our Website, you acknowledge that you have read and understood how We process your personal data as described here. If you do not agree, please do not use Our Website.

1.1 Who We Are

Pharma-e Limited is a company registered in Guernsey (company number 36207) with its registered office at Albert House, South Esplanade, St Peter Port, Guernsey, GY1 1AJ.

We are registered as a data controller with the Office of the Data Protection Authority (ODPA) in Guernsey. Our ODPA registration number is DPA3739.

1.2 Contact and DPO

Any questions, comments or requests regarding this Privacy Policy should be addressed to Our Data Protection Officer:

Data Protection Officer
Pharma-e Limited
Albert House, South Esplanade
St Peter Port
Guernsey
GY1 1AJ
Email: dpo@healthxchange.com
Telephone: 0808 189 0795

1.3 UK and EU Representatives

Pharma-e Limited is established in Guernsey and is not established in the United Kingdom or the European Union. As required by Article 27 of the UK GDPR and Article 27 of the EU GDPR, Pharma-e has designated representatives in the UK and the EU who may be contacted by data subjects, and by the relevant supervisory authorities, in respect of Our processing of personal data.

UK Representative (Article 27 UK GDPR): Healthxchange Pharmacy UK Limited, 1st Floor Sackville House, 143–149 Fenchurch Street, London, EC3M 6BL.

Data subjects located in the United Kingdom may contact the UK Representative in relation to Pharma-e’s processing of their personal data, as may the Information Commissioner’s Office (ICO). The UK Representative acts in a representative capacity only; Pharma-e remains solely responsible for its own compliance with the UK GDPR.

EU Representative (Article 27 EU GDPR): Healthxchange Ireland Limited, Unit 16 The Exchange, Calmount Business Park, Ballymount, Dublin, D12 RF43, Ireland.

Data subjects located in the European Union may contact the EU Representative in relation to Pharma-e’s processing of their personal data, as may EU supervisory authorities. The EU Representative acts in a representative capacity only; Pharma-e remains solely responsible for its own compliance with the EU GDPR.

3. What Information Do We Collect?

3.1 Information You Provide to Us

We may collect and process the following data that you give us when you create an account, place an order, or correspond with us by phone, email or otherwise:

  • Name, date of birth and job title;
  • Contact information including address, email address and phone number;
  • Payment card information; and
  • Recordings of phone calls to Our offices or Customer Service Centre and other communications such as email and electronic messaging, which may be used for staff training and audit purposes. Our recording equipment is muted while bank or payment card details are being discussed.

3.2 Information Collected Automatically

We will collect and process the following data automatically from your visit to Our Website:

  • Technical information, including the internet protocol (IP) address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform; and
  • Information about your visit, including the full URL, clickstream to, through and from Our Website, products you viewed or searched for, page response times, download errors, length of visits to certain pages, page interaction information, methods used to browse away from the page, and any phone number used to call Our customer service number.

4. Cookies and Tracking Technologies

4.1 Cookie Consent via Cookiebot

Our Website uses Cookiebot, a cookie consent management tool, to obtain and record your consent before setting any non-essential cookies. When you first visit Our Website, a consent banner will be displayed. You may accept all cookies, decline non-essential cookies, or customise your preferences by category.

You can change or withdraw your consent at any time by clicking the “Cookie Settings” link in the footer of Our Website, which will reopen the Cookiebot preference centre.

4.2 Categories of Cookie We Use

Category Purpose Consent Required?
Strictly Necessary Essential for the website to function, including session management, security and checkout. These cannot be disabled. No — set automatically
Preferences / Functional Remember your settings and preferences, such as language or region. Yes
Statistics / Analytics Collect anonymous data on how visitors use the site, including Google Analytics, to help improve performance. Yes
Marketing Track browsing activity to deliver relevant advertising and measure campaign performance. Yes

4.3 Google Analytics

Our site uses Google Analytics to analyse usage. Collection of this data is used to report and analyse Website performance. Google is responsible for securely storing this information. Further details are available at Google’s Privacy Policy.

Google Analytics cookies will only be set after you have given your consent via the Cookiebot banner.

4.4 Full Cookie Declaration

A detailed, auto-updated list of every cookie in use on this Website, including its name, provider, purpose and expiry, is maintained by Cookiebot and is embedded on Our Cookie Policy page. This declaration is updated automatically each time Cookiebot scans the Website.

4.5 Disabling Cookies via Your Browser

You may also manage cookies through your browser settings. Most browsers allow you to refuse or delete cookies. However, disabling certain cookies may affect the functionality of Our Website. For guidance, visit www.allaboutcookies.org.

5. How Do We Use Your Information?

We shall use the data and information you give to Us:

  • To allow you to create an account on the Website;
  • To process and fulfil your orders, including dispatching products and processing your payments;
  • To keep and maintain Our internal business records;
  • For Our internal training purposes;
  • To provide you with Our own tailored marketing information that We think may suit your interests and needs, where you have given your consent;
  • To provide you with marketing and promotional information from carefully selected third-party pharmaceutical manufacturers and medical software providers, where you have given your consent;
  • To carry out automated analytics and CRM communications, such as via Google Analytics and Klaviyo, where applicable on the basis described in Section 6; and
  • To comply with Our legal and regulatory obligations.

We reserve the right to add to the list of uses above. We shall not use pre-collected data for any new purposes without consulting you and obtaining your express consent if required under the applicable Regulations.

We reserve the right to anonymise your data for analytical purposes while retaining your privacy. Once anonymised, data is no longer personal data and may be retained indefinitely.

6. Lawful Basis for Processing

6.1 General

We will only use your Personal Data when the law allows us to do so. Most commonly We will use your Personal Data where:

  • You have consented before the processing;
  • We need to perform a contract We are about to enter or have entered into with you;
  • It is necessary for Our legitimate interests, or those of a third party, and your interests and fundamental rights do not override those interests; or
  • We need to comply with a legal or regulatory obligation.

6.2 Processing Activity Table

Processing Activity Lawful Basis Notes
Account creation and management Contract — Art. 6(1)(b) Necessary to perform Our contract with you.
Processing and fulfilling orders Contract — Art. 6(1)(b) Necessary to perform Our contract with you.
Maintaining internal business records Legitimate interests — Art. 6(1)(f) LIA held on file with the DPO.
Customer service and enquiry handling Contract — Art. 6(1)(b) / Legitimate interests — Art. 6(1)(f) Depends on whether query relates to an existing order.
Direct marketing communications Consent — Art. 6(1)(a) You may withdraw consent at any time.
Website analytics Consent — Art. 6(1)(a) Obtained via Cookiebot before analytics cookies are set.
CRM service messages, such as Klaviyo Legitimate interests — Art. 6(1)(f) Service-related messages about your order or account. LIA held on file.
CRM marketing messages, such as Klaviyo Consent — Art. 6(1)(a) Only where you have given express consent to marketing.
Fraud prevention and site security Legitimate interests — Art. 6(1)(f) LIA held on file with the DPO.
Compliance with legal obligations Legal obligation — Art. 6(1)(c) For example, tax, pharmacy and regulatory requirements.
Business sale or transfer Legitimate interests — Art. 6(1)(f) Disclosure to prospective buyers as part of due diligence.

6.3 Legitimate Interests

Where We rely on legitimate interests as Our lawful basis, We have carried out a Legitimate Interests Assessment (LIA) to confirm that Our interests do not override your rights and interests. A copy of any relevant LIA is available on request from the DPO at dpo@healthxchange.com.

7. How Do We Handle Your Information?

7.1 Security Measures

We are committed to ensuring that your data and information is secure. We have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information We collect, including:

  • All data and information you provide to Us is stored on secure servers;
  • Any payment transactions will be encrypted using SSL technology;
  • Where We have given you, or where you have chosen, a password to access certain parts of Our Website, you are responsible for keeping this password confidential;
  • Regular review and updating of Our security procedures; and
  • Secure erasure and destruction of data when it is no longer needed.

7.2 Data Storage

The data and information We collect from you will be transferred to and securely stored by Our hosting third party: Alternative Solutions Limited, PO Box 176, Cirrus House, Garenne Park, Rue de la Gache, St Sampson, Guernsey GY1 3LQ.

8. International Data Transfers

Some of Our data processors are based outside the United Kingdom, Guernsey, or the European Economic Area. Where We transfer personal data internationally, We ensure appropriate safeguards are in place:

  • Where the recipient country benefits from an adequacy decision by the relevant regulator, including the ODPA, ICO or European Commission, We may transfer data on that basis.
  • Where We use service providers in non-adequate countries, We use standard contractual clauses or other appropriate transfer mechanisms to protect the data.

Further information about specific international transfers is available from the DPO on request.

9. Data Retention

We will only retain your Personal Data for as long as necessary to fulfil the purposes for which it was collected. The table below sets out Our standard retention periods for different categories of data. Where a legal obligation requires a longer period, We will retain data for that period instead.

Data Category Retention Period Reason
Customer account information Duration of account + 6 years from closure Contract limitation period.
Order records 6 years from date of order Contract limitation period, Guernsey.
Payment and financial records 7 years from transaction date Tax and VAT obligations.
Marketing consent records Until consent withdrawn + 1 year To demonstrate consent was validly obtained.
Analytics data, such as Google Analytics 26 months Google Analytics default retention setting.
Customer service correspondence 3 years from resolution Limitation period for complaints.
Fraud prevention records 6 years Limitation period / regulatory requirement.

In some circumstances you can ask us to delete your data. See Section 11, “Your Rights”, for further information.

In some circumstances We will anonymise your Personal Data so that it can no longer be associated with you for analytical purposes, in which case We may use this information indefinitely without further notice to you.

10. To Whom May We Disclose Your Information?

In providing us with data and information, you agree that We may disclose such information, where necessary for the purposes and uses listed in Section 5, to:

  • Our employees, agents, representatives and any Data Processors officially contracted to process the data on Our behalf;
  • Business partners, suppliers and sub-contractors for the performance of any contract We enter into with you;
  • Analytic and search engine providers that assist us in the improvement and optimisation of Our Website;
  • Payment card merchants who comply with PCI/DSS requirements; and
  • Any other third parties We are legally obliged to disclose your information to.

We will only disclose your Personal Data to parties who bear sufficient legal responsibility for its protection and who have sufficient privacy and security measures in place to reasonably ensure that it will be protected and handled appropriately.

We may disclose your Personal Data to third parties in the event that We sell or buy any business or assets; if Our assets are acquired by a third party; or if We are under a duty to disclose or share your personal data in order to comply with any legal obligation or to protect Our rights, property or safety or those of Our customers or others.

Subject to your express consent, We may also disclose your data and information to carefully restricted third-party pharmaceutical manufacturers and medical software providers for their marketing and promotional purposes.

11. Your Rights

11.1 Data Subject Rights

You have the following rights in relation to your Personal Data:

  • Right of access — to request a copy of the personal data We hold about you.
  • Right to rectification — to ask Us to correct inaccurate or incomplete data.
  • Right to erasure — to ask Us to delete your personal data in certain circumstances.
  • Right to restriction of processing — to ask Us to restrict the processing of your data.
  • Right to data portability — to receive your data in a structured, machine-readable format.
  • Right to object — to object to processing based on legitimate interests.
  • Rights related to automated decision-making — not to be subject to solely automated decision-making that produces legal or significant effects, unless you have consented or it is necessary for a contract.

11.2 Right to Object

Where We process your Personal Data on the basis of Our legitimate interests under Article 6(1)(f), you have the right to object to that processing at any time. If you object, We will cease processing your data unless We can demonstrate compelling legitimate grounds that override your interests, rights and freedoms, or where processing is necessary for legal claims.

Processing activities We currently carry out on the basis of legitimate interests include maintaining internal business records, certain customer service activities, fraud prevention, service-related CRM communications, and business sale or transfer.

To exercise your right to object, please contact the Data Protection Officer at dpo@healthxchange.com, setting out the specific processing activity you object to and the grounds for your objection. We will respond within one calendar month.

11.3 Exercising Your Rights

To exercise any of the rights listed above, please write to or email:

Data Protection Officer
Pharma-e Limited
Albert House, South Esplanade
St Peter Port
Guernsey
GY1 1AJ
Email: dpo@healthxchange.com

Any access request will be free of charge. We will respond within one calendar month. We may decline a request, or charge a reasonable fee, where a request is vexatious or excessive.

If you have previously agreed to Us using your Personal Data for direct marketing purposes, you may change your mind at any time by contacting the DPO at the address above.

12. Changes to This Policy

We reserve the right to make changes to this policy without notice from time to time by updating this page. Every time you wish to use Our Website, please check the statement to ensure you understand the terms that apply at that time.

The current statement was made effective as of June 2026.

13. Your Right to Complain

If you believe that your information held by Us is not being handled properly, you have the right to complain to the competent data protection authority:

  • Guernsey ODPA: www.odpa.gg/contact
  • UK Information Commissioner’s Office: ico.org.uk
  • EU: the relevant national supervisory authority in your country of residence.
0
    Basket
    Your basket is empty