PRIVACY POLICY 

Pharma-e Limited (trading as Clever Beauty) 
www.cleverbeauty.com
Last reviewed: June 2026 

Contents 

  1. About Us and This Policy
  2. The Legal Framework
  3. What Information Do We Collect?
  4. Cookies and Tracking Technologies
  5. How Do We Use Your Information?
  6. Lawful Basis for Processing
  7. How Do We Handle Your Information?
  8. International Data Transfers
  9. Data Retention
  10. To Whom May We Disclose Your Information?
  11. Your Rights
  12. Changes to This Policy
  13. Your Right to Complain

1. About Us and This Policy 

Pharma-e Limited, trading as ‘Clever Beauty’ (‘We’, ‘Us’, ‘Our’), is committed to protecting your personal data. This Privacy Policy explains how We collect, use, store and share your personal data when you use Our website at www.cleverbeauty.com (the ‘Website’). 

Please read this Policy carefully. By using Our Website, you acknowledge that you have read and understood how We process your personal data as described here. If you do not agree, please do not use Our Website. 

1.1  Who We Are 

Pharma-e Limited is a company registered in Guernsey (company number 36207) with its registered office at Albert House, South Esplanade, St Peter Port, Guernsey, GY1 1AJ. 

We are registered as a data controller with the Office of the Data Protection Commissioner (ODPA) in Guernsey. Our ODPA registration number is 10629. 

1.2  Contact and DPO 

Any questions, comments or requests regarding this Privacy Policy should be addressed to Our Data Protection Officer: 

Data Protection Officer 

Pharma-e Limited, Albert House, South Esplanade, Guernsey, GY1 1AJ 
Email: dpo@healthxchange.com 
Telephone: 0808 189 0795 

2. The Legal Framework 

We process your personal data in accordance with: 

  • The Data Protection (Bailiwick of Guernsey) Law 2017 (‘the Guernsey Law’), as the primary framework applicable to Our Guernsey-registered operations; 
  • The EU General Data Protection Regulation 2016/679 (‘EU GDPR’), as applicable to Our processing of personal data of individuals in EU member states; and 
  • The UK General Data Protection Regulation (‘UK GDPR’) and the UK Data Protection Act 2018, as applicable to Our processing of data concerning UK residents (including as updated by the Data (Use and Access) Act 2025).  

This Policy sets out: the categories of personal data We collect; the purposes for which We process it; the lawful basis on which We rely; how long We retain it; and your rights in relation to your personal data. 

3. What Information Do We Collect? 

3.1  Information You Provide to Us 

We may collect and process the following data that you give us when you create an account, nominate a prescriber, place an order, or correspond with us by phone, email or otherwise: 

  • name, date of birth and job title; 
  • contact information including address, email address and phone number; 
  • information necessary for submitting a prescriber application — including medical registration numbers, PIN numbers, professional details, and an image of your passport or driving licence; 
  • patient names and address; prescriber name; and medication prescribed with directions for use; 
  • payment card information; and 
  • recordings of phone calls to Our offices or Customer Service Centre and other communications such as email and electronic messaging, which may be used for staff training and audit purposes. Our recording equipment is muted while bank or payment card details are being discussed. 

3.2  Sensitive Personal Data 

We understand that the data collected at 3.1(c) and 3.1(d) above constitutes Special Category Data (also referred to as Sensitive Personal Data) under data protection law, and it is subject to additional protections as set out in Section 6.4 below. 

3.3  Information Collected Automatically 

We will collect and process the following data automatically from your visit to Our Website: 

  • technical information, including the internet protocol (IP) address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform; and 
  • information about your visit, including the full URL, clickstream to, through and from Our Website (including date and time), products you viewed or searched for, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks and mouse-overs), methods used to browse away from the page, and any phone number used to call Our customer service number. 

4. Cookies and Tracking Technologies 

4.1  Cookie Consent via Cookiebot 

Our Website uses Cookiebot, a cookie consent management tool, to obtain and record your consent before setting any non-essential cookies. When you first visit Our Website, a consent banner will be displayed. You may accept all cookies, decline non-essential cookies, or customise your preferences by category. 

You can change or withdraw your consent at any time by clicking the ‘Cookie Settings’ link in the footer of Our Website, which will reopen the Cookiebot preference centre. 

4.2  Categories of Cookie We Use 

Category 

Purpose 

Consent Required? 

Strictly Necessary 

Essential for the website to function — e.g. session management, security, checkout. Cannot be disabled. 

No – set automatically 

Preferences / Functional 

Remember your settings and preferences (e.g. language, region). 

Yes 

Statistics / Analytics 

Collect anonymous data on how visitors use the site (e.g. Google Analytics). Used to improve performance. 

Yes 

Marketing 

Track browsing activity to deliver relevant advertising and measure campaign performance. 

Yes 

 

4.3  Google Analytics 

Our site uses Google Analytics to analyse usage. Collection of this data is used to report and analyse Website performance. Google is responsible for securely storing this information; further details are available at https://policies.google.com/privacy. 

Google Analytics cookies will only be set after you have given your consent via the Cookiebot banner. 

4.4  Full Cookie Declaration 

A detailed, auto-updated list of every cookie in use on this Website – including its name, provider, purpose and expiry – is maintained by Cookiebot and is embedded on Our Cookie Policy page. This declaration is updated automatically each time Cookiebot scans the Website. 

4.5  Disabling Cookies via Your Browser 

You may also manage cookies through your browser settings. Most browsers allow you to refuse or delete cookies. However, disabling certain cookies may affect the functionality of Our Website. For guidance, visit www.allaboutcookies.org. 

5. How Do We Use Your Information? 

We shall use the data and information you give to Us: 

  • to allow you to create an account and nominate prescribers on the Website; 
  • to process and fulfil your orders, including dispensing and dispatching products and processing your payments; 
  • to keep and maintain Our internal business records; 
  • for Our internal training purposes; 
  • to provide you with Our own tailored marketing information that We think may suit your interests and needs, where you have given your consent; 
  • to provide you with marketing and promotional information from carefully selected third-party pharmaceutical manufacturers and medical software providers, where you have given your consent; 
  • to carry out automated analytics and CRM communications (e.g. via Google Analytics and Klaviyo), where applicable on the basis described in Section 6; and 
  • to comply with Our legal and regulatory obligations. 

 

We reserve the right to add to the list of uses above. We shall not use pre-collected data for any new purposes without consulting you and obtaining your express consent if required under the applicable Regulations. 

We reserve the right to anonymise your data for analytical purposes while retaining your privacy. Once anonymised, data is no longer personal data and may be retained indefinitely. 

6. Lawful Basis for Processing 

6.1  General 

We will only use your Personal Data when the law allows us to do so. Most commonly We will use your Personal Data where: 

  • you have consented before the processing; 
  • We need to perform a contract We are about to enter or have entered into with you; 
  • it is necessary for Our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests; or 
  • We need to comply with a legal or regulatory obligation. 

6.2  Processing Activity Table 

Processing Activity 

Lawful Basis (Art. 6) 

Notes 

Account creation and management 

Contract — Art. 6(1)(b) 

Necessary to perform Our contract with you 

Processing and fulfilling orders 

Contract — Art. 6(1)(b) 

Necessary to perform Our contract with you 

Dispensing prescription products 

Contract — Art. 6(1)(b) + Art. 9(2)(h) for health data 

Special Category Data — see Section 6.4 

Maintaining internal business records 

Legitimate interests — Art. 6(1)(f) 

LIA held on file with the DPO 

Customer service and enquiry handling 

Contract — Art. 6(1)(b) / Legitimate interests — Art. 6(1)(f) 

Depends on whether query relates to an existing order 

Direct marketing communications 

Consent — Art. 6(1)(a) 

You may withdraw consent at any time 

Website analytics (Google Analytics) 

Consent — Art. 6(1)(a) 

Obtained via Cookiebot prior to any analytics cookies being set 

CRM service messages (e.g. Klaviyo) 

Legitimate interests — Art. 6(1)(f) 

Service-related messages about your order or account. LIA held on file 

CRM marketing messages (e.g. Klaviyo) 

Consent — Art. 6(1)(a) 

Only where you have given express consent to marketing 

Prescriber registration and verification 

Legitimate interests — Art. 6(1)(f) + Art. 9(2)(h) 

Necessary to verify professional credentials 

Fraud prevention and site security 

Legitimate interests — Art. 6(1)(f) 

LIA held on file with the DPO 

Compliance with legal obligations 

Legal obligation — Art. 6(1)(c) 

e.g. tax, pharmacy, and regulatory requirements 

Business sale or transfer 

Legitimate interests — Art. 6(1)(f) 

Disclosure to prospective buyers as part of due diligence 

 

6.3  Legitimate Interests 

Where We rely on legitimate interests as Our lawful basis, We have carried out a Legitimate Interests Assessment (LIA) to confirm that Our interests do not override your rights and interests. A copy of any relevant LIA is available on request from the DPO at dpo@healthxchange.com. 

6.4  Special Category Data — Prescription Products 

Where you order prescription products from Us, We collect and process data about your prescribed medication and directions for use, as well as your prescriber’s information. This constitutes Special Category Data under data protection law and is subject to additional protections. 

We process this data under Article 9(2)(h) of the applicable Regulation (medical diagnosis, provision of health care or treatment, or management of health care systems and services). Your Sensitive Personal Data will be stored securely and will not be passed on to third parties except as necessary for dispensing and fulfilling your prescription. 

7. How Do We Handle Your Information? 

7.1  Security Measures 

We are committed to ensuring that your data and information is secure. We have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information We collect, including: 

  • all data and information you provide to Us is stored on secure servers; 
  • any payment transactions will be encrypted using SSL technology; 
  • where We have given you (or where you have chosen) a password to access certain parts of Our Website, you are responsible for keeping this password confidential; 
  • regular review and updating of Our security procedures; and 
  • secure erasure and destruction of data when it is no longer needed. 

7.2  Data Storage 

The data and information We collect from you will be transferred to and securely stored by Our hosting third party: Alternative Solutions Limited, PO Box 176, Cirrus House, Garenne Park, Rue de la Gache, St Sampson, Guernsey GY1 3LQ. 

8. International Data Transfers 

Some of Our data processors are based outside the United Kingdom, Guernsey, or the European Economic Area. Where We transfer personal data internationally, We ensure appropriate safeguards are in place: 

  • Where the recipient country benefits from an adequacy decision by the relevant regulator (ODPA, ICO or European Commission), We may transfer data on that basis. 
  • Where We use service providers in non-adequate countries, We use standard contractual clauses or other appropriate transfer mechanisms to protect the data. 

Further information about specific international transfers is available from the DPO on request. 

9. Data Retention 

We will only retain your Personal Data for as long as necessary to fulfil the purposes for which it was collected. The table below sets out Our standard retention periods for different categories of data. Where a legal obligation requires a longer period, We will retain data for that period instead. 

Data Category 

Retention Period 

Reason 

Customer account information 

Duration of account + 6 years from closure 

Contract limitation period 

Order records (non-prescription) 

6 years from date of order 

Contract limitation period (Guernsey) 

Prescription and medication records 

8 years from date of dispensing 

GPhC guidance / pharmacy regulatory requirements 

Payment and financial records 

7 years from transaction date 

Tax and VAT obligations 

Marketing consent records 

Until consent withdrawn + 1 year 

To demonstrate consent was validly obtained 

Analytics data (Google Analytics) 

26 months 

Google Analytics default retention setting 

Customer service correspondence 

3 years from resolution 

Limitation period for complaints 

Prescriber registration data 

Duration of relationship + 6 years 

Contract / regulatory obligation 

Fraud prevention records 

6 years 

Limitation period / regulatory requirement 

 

In some circumstances you can ask us to delete your data: see Section 11 (Your Rights) below for further information. 

In some circumstances We will anonymise your Personal Data (so that it can no longer be associated with you) for analytical purposes, in which case We may use this information indefinitely without further notice to you. 

10. To Whom May We Disclose Your Information? 

In providing us with data and information, you agree that We may disclose such information, where necessary for the purposes and uses listed in Section 5, to: 

  • Our employees, agents, representatives and any Data Processors officially contracted to process the data on Our behalf; 
  • selected third parties including: 
  • business partners, suppliers and sub-contractors for the performance of any contract We enter into with you; 
  • analytic and search engine providers that assist us in the improvement and optimisation of Our Website; 
  • payment card merchants who comply with PCI/DSS requirements; and 
  • any other third parties We are legally obliged to disclose your information to. 

 

We will only disclose your Personal Data to parties who bear sufficient legal responsibility for its protection and who have sufficient privacy and security measures in place to reasonably ensure that it will be protected and handled appropriately. 

We may disclose your Personal Data to third parties in the event that We sell or buy any business or assets; if Our assets are acquired by a third party; or if We are under a duty to disclose or share your personal data in order to comply with any legal obligation or to protect Our rights, property or safety or those of Our customers or others. 

Subject to your express consent, We may also disclose your data and information to carefully restricted third-party pharmaceutical manufacturers and medical software providers for their marketing and promotional purposes. 

11. Your Rights 

11.1  Data Subject Rights 

You have the following rights in relation to your Personal Data: 

  • Right of access — to request a copy of the personal data We hold about you. 
  • Right to rectification — to ask Us to correct inaccurate or incomplete data. 
  • Right to erasure — to ask Us to delete your personal data in certain circumstances. 
  • Right to restriction of processing — to ask Us to restrict the processing of your data. 
  • Right to data portability — to receive your data in a structured, machine-readable format. 
  • Right to object — to object to processing based on legitimate interests (see Section 11.2 below). 
  • Rights related to automated decision-making — not to be subject to solely automated decision-making that produces legal or significant effects, unless you have consented or it is necessary for a contract. 

11.2  Right to Object 

Where We process your Personal Data on the basis of Our legitimate interests under Article 6(1)(f), you have the right to object to that processing at any time. If you object, We will cease processing your data unless We can demonstrate compelling legitimate grounds that override your interests, rights and freedoms, or where processing is necessary for legal claims. 

Processing activities We currently carry out on the basis of legitimate interests include: maintaining internal business records, certain customer service activities, fraud prevention, service-related CRM communications, and business sale or transfer. 

To exercise your right to object, please contact the Data Protection Officer at dpo@healthxchange.com, setting out the specific processing activity you object to and the grounds for your objection. We will respond within one calendar month. 

11.3  Exercising Your Rights 

To exercise any of the rights listed above, please write to or email: 

Data Protection Officer, Pharma-e Limited, Albert House, South Esplanade, Guernsey, GY1 1AJ 

Email: dpo@healthxchange.com 

Any access request will be free of charge. We will respond within one calendar month. We may decline a request, or charge a reasonable fee, where a request is vexatious or excessive. 

If you have previously agreed to Us using your Personal Data for direct marketing purposes, you may change your mind at any time by contacting the DPO at the address above. 

12. Changes to This Policy 

We reserve the right to make changes to this policy without notice from time to time by updating this page. Every time you wish to use Our Website, please check the statement to ensure you understand the terms that apply at that time. 

The current statement was made effective as of June 2026. 

13. Your Right to Complain 

If you believe that your information held by Us is not being handled properly, you have the right to complain to the competent data protection authority: 

  • Guernsey (ODPA): https://www.odpa.gg/contact 
  • UK (Information Commission): https://ico.org.uk 
    • EU (relevant national supervisory authority in your country of residence) 
0
    Basket
    Your basket is empty