Privacy policy

1. Overview

Two Face Aesthetics Limited (“Two Face Aesthetics”, “we”, “us”, “our”) is committed to protecting and respecting your privacy. This Global Privacy Policy (“Policy”) explains, in detail, how we collect, use, disclose, retain, transfer and safeguard personal information and personal data (together, “Personal Information”) when you interact with our websites, ecommerce stores, customer service channels, pharmacy-related services, wholesale distribution services (including activities conducted under a Wholesale Distribution Authorisation), and our marketing and communications channels (including email, SMS/text messaging where implemented, and WhatsApp messaging where implemented).

This Policy is written to be clear, comprehensive and diligence-ready. It is designed to satisfy typical due-diligence requests from acquirers, auditors and regulators, and to provide meaningful transparency to individuals whose Personal Information we handle.

This Policy applies to Personal Information we collect from or about:
• Website visitors (including visitors who do not make a purchase);
• Ecommerce customers (business-to-business (“B2B”) and, where applicable, business-to-consumer (“B2C”));
• Pharmacy service users, including those completing clinical questionnaires or engaging with regulated supply pathways;
• Wholesale account holders and authorised purchasers;
• Marketing subscribers and individuals who opt in or are eligible for “soft opt-in” communications (where lawful);
• Individuals who contact us, including by telephone, email, web forms, chat, WhatsApp or SMS; and
• Representatives of suppliers, service providers and professional advisers.

This Policy does not apply to third-party websites, apps or services that may be linked from our sites. Those third parties have their own privacy policies and practices, and you should review them.

If you do not agree with this Policy, you should not use our websites or services. Where we rely on your consent (for example, for certain cookies or for marketing SMS), you may withdraw that consent at any time using the methods described in this Policy. Withdrawal of consent will not affect the lawfulness of processing carried out before the withdrawal.

2. Legal and Regulatory Framework

We operate primarily from the United Kingdom and, depending on your location and the nature of your interactions with us, our processing of Personal Information may be subject to multiple legal regimes. This Policy is intended to address and align with, at minimum, the following:
• UK General Data Protection Regulation (“UK GDPR”);
• Data Protection Act 2018;
• Privacy and Electronic Communications Regulations 2003 (“PECR”);
• EU General Data Protection Regulation (“EU GDPR”) where applicable (for example, where we target EU individuals or monitor behaviour within the EEA);
• California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”);
• Virginia Consumer Data Protection Act (“VCDPA”);
• Colorado Privacy Act (“CPA”);
• Connecticut Data Privacy Act (“CTDPA”);
• Utah Consumer Privacy Act (“UCPA”);
• Nevada Revised Statutes Chapter 603A (Nevada privacy law); and
• US Telephone Consumer Protection Act (“TCPA”), including rules and guidance relating to marketing text messages, automated telephone dialing systems, and consent requirements.

Nothing in this Policy is intended to reduce your rights under applicable law. Where a local law imposes additional requirements, we will comply with those requirements. Where there is a conflict, we will apply the standard that provides greater protection to individuals, unless we are legally required to do otherwise.

Important note on healthcare privacy laws:
We are a UK-regulated business and we are not a “Covered Entity” or “Business Associate” under the US Health Insurance Portability and Accountability Act (“HIPAA”) unless expressly agreed in a written contract for a specific service arrangement. However, we handle health-related information (where applicable) under strict confidentiality and security standards consistent with UK healthcare regulation and best practices, and in accordance with UK GDPR requirements for Special Category Data.

3. Who We Are and How to Contact Us

Data Controller:
Two Face Aesthetics Limited
Website: https://www.twofaceaesthetics.com
Email: admin@twofaceaesthetics.com

We operate as:
• an ecommerce retailer supplying aesthetic, skincare and medical products;
• a regulated pharmacy-related service pathway (where applicable), including collection of clinical information and facilitation of regulated supply; and
• a wholesale distributor operating under a Wholesale Distribution Authorisation (WDA), supplying eligible business customers.

If you have questions, requests or concerns about this Policy or our privacy practices, you can contact us at admin@twofaceaesthetics.com. We may ask for information to verify your identity before responding to certain requests (see Section 18).

4. Definitions

For clarity, this Policy uses certain defined terms:

“Personal Information” / “Personal Data” means information relating to an identified or identifiable individual. The terms are used interchangeably in this Policy to cover both UK/EU terminology (Personal Data) and US terminology (Personal Information).

“Special Category Data” (UK/EU) includes Personal Data revealing health information or other sensitive categories listed in UK GDPR Article 9.

“Sensitive Personal Information” (California) includes certain types of Personal Information listed in CPRA, such as health information, precise geolocation, and certain identifiers. Our processing may involve health-related information and other data that could be considered sensitive depending on context.

“Process” / “Processing” means any operation performed on Personal Information, including collecting, recording, storing, organising, using, disclosing, transferring, or deleting.

“Controller” means the entity that determines the purposes and means of processing (UK/EU concept). “Processor” means an entity that processes Personal Data on behalf of a Controller.

“Business”, “Service Provider”, “Contractor”, “Third Party” and “Sharing” have meanings as used in California privacy law (CCPA/CPRA). In particular, “Sharing” can include disclosure of Personal Information for cross-context behavioural advertising.

“Cross-context behavioural advertising” generally means targeting ads to you based on Personal Information obtained from your activity across businesses, distinct websites, applications or services.

“Global Privacy Control” or “GPC” refers to a browser/device signal that may communicate a user’s preference to opt out of certain data uses, such as sale/sharing under CPRA, where recognised.

“Soft opt-in” (UK/PECR concept) generally permits marketing to existing customers in limited circumstances where lawful conditions are met (for example, marketing similar products with a clear opt-out at the point of collection and in each message).

5. Categories of Personal Information We Collect

We collect Personal Information from several sources: directly from you; automatically when you use our websites; and from third parties where necessary to provide services, prevent fraud, or comply with law.

5.1 Information you provide directly
Depending on how you interact with us, you may provide:
A. Identifiers and contact information:
• Name
• Email address
• Telephone number
• Billing address
• Shipping/delivery address
• Account login credentials (where accounts are available)

B. Transaction and commercial information:
• Products purchased
• Order history
• Order notes and preferences
• Payment confirmations and limited payment metadata (note: we do not store full card numbers; payment processing is handled by payment providers)

C. Professional / business information (B2B / wholesale):
• Company name and role
• VAT number or business identifiers (where relevant)
• Wholesale account information and authorisations
• Professional registration details (where relevant to controlled supply pathways)

D. Pharmacy / clinical information (health-related):
• Clinical questionnaires and assessments
• Consultation responses and communications
• Suitability information and prescribing-related notes (where applicable)
• Regulated supply records and communications

E. Communications and support information:
• Emails, messages, call notes and correspondence with us
• Customer service history and dispute records
• Preferences for contact channels (email, phone, WhatsApp, SMS)

F. Marketing and consent information:
• Email marketing preferences
• SMS marketing consent status (where implemented)
• WhatsApp marketing consent status (where implemented)
• Consent timestamps, sources and preference logs

5.2 Information collected automatically (online identifiers and usage)
When you visit our websites, we may automatically collect:
• IP address
• Device type and identifiers
• Browser type and version
• Operating system
• Approximate location derived from IP (not precise geolocation)
• Website interaction data (pages viewed, time on page, clicks, scroll depth, cart events)
• Referring/exit pages and URLs
• Cookie identifiers and advertising identifiers (where applicable)
• Analytics and performance data

5.3 Information from third parties
We may receive Personal Information from third parties such as:
• Ecommerce platform providers (for example, Shopify)
• Payment processors (confirmation of payment status and fraud signals)
• Delivery and logistics partners (shipping updates, delivery confirmation, address validation)
• Advertising/analytics providers (for example, Google Ads/Analytics signals, subject to your cookie choices)
• Fraud prevention and security providers (risk indicators)
• Professional advisers (legal/accounting) where needed for compliance or disputes
• Regulators or law enforcement where legally required

5.4 Inferences
In some cases, we may derive inferences from other Personal Information (for example, likely product interests based on browsing behaviour). Where required by law, we will obtain appropriate consent and provide opt-out choices for targeted advertising/remarketing.

6. Special Category Data and Health-Related Information

If you access or attempt to access pharmacy-related services or regulated supply pathways, we may process health-related information. Under UK GDPR, health data is Special Category Data and is subject to enhanced protections.

6.1 Why we process health-related information
We process health-related information to:
• assess eligibility or suitability for regulated products or services;
• support safe supply and compliance with relevant medicines and pharmacy regulations;
• maintain required clinical and supply records;
• communicate with you about your clinical information or eligibility; and
• manage patient/customer safety, complaints and adverse event reporting where applicable.

6.2 Legal bases for health-related information (UK GDPR)
We process health-related information only where lawful and necessary. Typical legal bases include:
• Article 6(1)(b) UK GDPR (performance of a contract) — to provide requested services;
• Article 6(1)(c) UK GDPR (legal obligation) — compliance with pharmacy/medicines regulatory obligations;
• Article 6(1)(f) UK GDPR (legitimate interests) — for safety, fraud prevention, and service integrity (where appropriate);
and for Special Category Data:
• Article 9(2)(h) UK GDPR — processing for provision of health care or treatment and management of health systems/services;
• Article 9(2)(a) UK GDPR — explicit consent where required for certain processing activities.

6.3 Access controls and confidentiality
Health-related information is restricted to authorised personnel and, where relevant, qualified healthcare professionals or appropriately trained staff. We apply confidentiality obligations and secure handling requirements, and we limit access to a “need to know” basis.

6.4 Marketing restrictions for health-related information
We do not use health-related information for unrelated marketing. Where we communicate about regulated services, we do so in line with legal requirements, professional obligations, and your preferences/consents.

7. How We Use Personal Information

We use Personal Information for the following purposes:

7.1 Provide and deliver products and services
• Create and manage customer accounts (where available);
• Process orders, payments and refunds;
• Verify eligibility for wholesale access or regulated supply where required;
• Deliver products, manage shipping, and provide tracking updates;
• Provide customer support, handle queries and complaints;
• Communicate about orders, accounts, product availability and service notices.

7.2 Provide pharmacy-related services and meet regulatory obligations
• Collect and review clinical information;
• Make or support suitability assessments and regulated supply decisions (where applicable);
• Maintain required records and audit trails;
• Handle safety issues, adverse events and product recalls where necessary.

7.3 Operate, maintain and improve our websites and business
• Maintain IT systems, security and access controls;
• Diagnose technical issues and optimise performance;
• Conduct analytics to understand how users interact with our sites;
• Improve user experience and service quality;
• Maintain business records and reporting.

7.4 Fraud prevention and security
• Detect and prevent fraud, abuse and suspicious activity;
• Verify identity and payment authenticity;
• Protect the integrity of our websites and services;
• Enforce our terms and protect our legal rights.

7.5 Marketing and communications (subject to law and your choices)
• Send marketing emails where you have consented or where soft opt-in applies and you have not opted out;
• Where implemented, send marketing SMS/text messages only where required consents are obtained (see Section 11);
• Where implemented, send marketing WhatsApp messages only where required consents are obtained (see Section 12);
• Measure marketing effectiveness and improve campaigns;
• Manage suppression lists to ensure we respect opt-outs.

7.6 Legal and compliance
• Comply with legal obligations (tax, accounting, medicines regulation);
• Respond to lawful requests from authorities;
• Establish, exercise or defend legal claims;
• Conduct due diligence in corporate transactions (see Section 16).

8. UK/EU Lawful Bases for Processing

Where UK GDPR or EU GDPR applies, we only process Personal Data when we have a lawful basis.

8.1 Contract (Article 6(1)(b))
We process data as necessary to perform a contract with you or to take steps at your request prior to entering a contract, including:
• processing orders and payments;
• delivering goods;
• providing customer support;
• providing regulated supply pathways where requested.

8.2 Legal obligation (Article 6(1)(c))
We process data as necessary to comply with legal obligations, including:
• record-keeping requirements;
• compliance with medicines and pharmacy regulations;
• tax, accounting and audit requirements;
• responding to lawful requests by regulators or authorities.

8.3 Legitimate interests (Article 6(1)(f))
We may process data where necessary for our legitimate interests, provided those interests are not overridden by your rights. Legitimate interests may include:
• preventing fraud and protecting customers and our business;
• securing and improving our platforms;
• understanding customer behaviour to improve services;
• maintaining operational records;
• ensuring responsible marketing to relevant audiences (where allowed).
Where we rely on legitimate interests, we carry out a balancing test and implement safeguards.

8.4 Consent (Article 6(1)(a))
We rely on consent where required, for example:
• non-essential cookies and similar technologies;
• certain categories of direct marketing, including SMS marketing under PECR;
• explicit consent for certain health-related processing where required.
You can withdraw consent at any time. Withdrawal does not affect processing already carried out.

8.5 Special Category Data (Article 9)
For health data, we rely on Article 9 conditions (such as 9(2)(h) and/or 9(2)(a)) as described in Section 6.

8.6 Right to object (marketing and legitimate interests)
Where we process data based on legitimate interests, you have the right to object. You also have an absolute right to object to direct marketing at any time.

9. Cookies, Similar Technologies, Analytics and Advertising

We use cookies and similar technologies (such as pixels, tags, local storage and SDKs) to operate our websites, improve performance, understand usage, and support advertising and measurement. The specific tools used may change over time as our systems evolve.

9.1 Categories of cookies/technologies
A. Strictly necessary cookies:
Required to operate our websites and provide core functionality such as security, authentication, checkout and cart features. These cookies are typically always on because the site cannot function properly without them.

B. Functional cookies:
Help remember preferences (such as region, language, and other settings).

C. Analytics/performance cookies:
Help us understand how users interact with the site (for example, which pages are visited, where errors occur, and how pages load). We use these insights to improve the site.

D. Advertising/marketing cookies:
May be used to measure ads, limit frequency, and, where enabled, support remarketing/retargeting (for example, via Google Ads) by associating browsing behaviour with advertising identifiers.

9.2 Consent and choices (UK/EU)
Where UK/EU cookie rules apply, we obtain consent for non-essential cookies. You can manage preferences using our cookie banner and/or cookie settings tool (where available). You may also adjust browser settings to block cookies, although doing so may affect site functionality.

9.3 Google Analytics and Google Ads
We may use Google Analytics (including GA4) to measure site performance and user engagement. We may use Google Ads for advertising and measurement, which can include conversion tracking and remarketing. Google may process certain data as a separate controller in accordance with its own privacy policies and terms. Where required, we will obtain your consent before enabling analytics/advertising cookies.

9.4 Remarketing/retargeting clarification
Retargeting is not limited to Meta. Google Ads supports remarketing by using cookies or identifiers to show ads to users who previously visited a site. If remarketing is enabled, we will provide appropriate notices and choices through cookie settings and opt-out mechanisms.

9.5 Do Not Track
Some browsers include “Do Not Track” signals. There is no consistent industry standard for responding to Do Not Track. Where required by law (for example, CPRA/GPC), we may respond to relevant signals as described in Section 21.

9.6 Mobile devices
If you use a mobile device, your device may support advertising identifiers. You may control certain ad tracking settings through your device’s privacy settings.

10. Marketing Communications

We may send marketing communications to individuals in accordance with applicable law and your preferences.

10.1 Email marketing (Mailchimp)
We use Mailchimp for email marketing. We send marketing emails only where we have a lawful basis:
• Consent: where you have opted in to receive marketing emails; and/or
• Soft opt-in (UK/PECR): where you purchased similar products from us, were given clear notice and an opportunity to opt out at the time your details were collected, and are offered an opt-out in every message.
Every marketing email includes an unsubscribe link. You may also contact us to opt out.

10.2 Marketing suppression lists
If you opt out of marketing, we may retain limited information (such as your email address) on a suppression list to ensure we respect your opt-out. This is necessary to comply with law and your preferences.

10.3 Transactional communications
Even if you opt out of marketing, we may still send non-marketing communications necessary to provide services, such as order confirmations, delivery updates, important safety notices, regulatory communications, or changes to our terms/policies.

10.4 Preferences management
You can manage preferences by using unsubscribe links, replying STOP to SMS (where implemented), adjusting WhatsApp preferences (where implemented), or contacting us at admin@twofaceaesthetics.com.

11. SMS/Text Messaging (UK + US Compliance)

We currently use email marketing via Mailchimp and may implement SMS/text messaging in the future. Because SMS/text messaging is regulated differently in the UK and the US, we apply a conservative, compliance-forward approach.

11.1 UK (PECR) requirements
In the UK, marketing SMS requires prior consent unless a limited form of soft opt-in applies. We will obtain explicit opt-in consent before sending marketing SMS unless soft opt-in conditions are clearly satisfied and documented. You will be told at the point of collection what you are signing up for, and you will be able to opt out at any time.

11.2 US (TCPA) requirements
For recipients in the United States, we will obtain “prior express written consent” (where required) before sending marketing text messages, especially where automated systems are used. Our consent language will be clear and will include:
• that you agree to receive recurring marketing texts;
• that consent is not a condition of purchase;
• message frequency disclosure (for example, “message frequency varies”);
• “message and data rates may apply” where appropriate;
• opt-out instructions (reply STOP);
• help instructions (reply HELP); and
• a link or reference to this Privacy Policy and any SMS Terms (if published separately).

11.3 Consent records and audit trails
We will maintain logs of SMS consent, including the date/time, method of consent, and the wording shown at the time of consent. We retain these logs to demonstrate compliance and to manage opt-outs.

11.4 Opt-out and revocation
You can opt out of marketing SMS at any time by replying STOP (or as otherwise instructed). You may also contact us. Opt-outs are processed as soon as reasonably practicable. We may send a final confirmation message acknowledging your opt-out.

11.5 Service/transactional texts
Where permitted by law, we may send non-marketing SMS messages relating to your orders, deliveries, or customer support. These messages are distinct from marketing and are sent to fulfil our services. Where law requires consent for certain types of messages, we will obtain it.

12. WhatsApp Messaging (Where Implemented)

We may offer WhatsApp as a customer service and/or marketing communication channel. If we do:
• We will use official business accounts and comply with WhatsApp’s platform terms;
• We will obtain any required consent for marketing messages;
• We will provide clear opt-out instructions; and
• We will respect your preferences and maintain records of opt-in/opt-out where applicable.

WhatsApp is a third-party platform. Messages sent via WhatsApp may be processed by WhatsApp/Meta according to their own privacy practices. We recommend you review WhatsApp’s privacy information. We will not ask you to share unnecessary sensitive information over WhatsApp and may redirect you to more appropriate channels for regulated or confidential matters.

13. Sharing and Disclosure of Personal Information

We may disclose Personal Information to third parties in limited circumstances, including to provide services, comply with law, protect rights, and operate our business. We do not sell Personal Information.

13.1 Categories of recipients
We may disclose Personal Information to:
A. Ecommerce and platform providers:
• Shopify and related ecommerce tools that host our storefront and order systems.

B. Payment processors:
• To process payments and manage fraud and chargebacks (note: payment processors may act as independent controllers for certain processing).

C. Delivery and logistics partners:
• To deliver your products and provide tracking updates.

D. IT and security providers:
• Hosting, security monitoring, backups, fraud prevention, and customer support tools.

E. Marketing and communications providers:
• Mailchimp for email marketing;
• SMS/WhatsApp providers (where implemented) for messaging and consent management.

F. Professional advisers:
• Legal, accounting, regulatory and insurance advisers.

G. Regulators and authorities:
• Where required by law, court order, or regulatory request.

13.2 Service provider/processor contracts
Where we share data with service providers that act as processors (UK/EU) or service providers/contractors (California), we require contracts that restrict use of Personal Information, impose confidentiality and security obligations, and require assistance with rights requests and security incidents, as appropriate.

13.3 Wholesale and regulated supply disclosures
Where necessary for regulated supply or wholesale compliance, we may disclose information to relevant partners or authorities in accordance with law and professional obligations. We limit such disclosures to what is necessary and lawful.

13.4 No sale of Personal Information
We do not sell Personal Information for money. Where advertising/measurement involves disclosure of identifiers, we structure arrangements to comply with applicable law and provide required opt-outs (see Sections 9 and 21).

14. International Data Transfers (UK/EEA to US and Other Locations)

Our primary operations are based in the UK. However, some of our service providers (including ecommerce and email service providers) may process data in the United States or other countries.

14.1 UK transfers
Where UK GDPR applies and we transfer Personal Data outside the UK, we use appropriate safeguards, which may include:
• UK International Data Transfer Agreement (IDTA) and/or UK Addendum to EU SCCs;
• Adequacy regulations where applicable; and
• Additional technical and organisational measures (for example, encryption, access controls, and data minimisation).

14.2 EEA transfers
Where EU GDPR applies, we rely on:
• EU Standard Contractual Clauses (SCCs);
• Adequacy decisions; and
• Supplementary measures where appropriate.

14.3 Transparency
You can contact us to request information about the safeguards we use for international transfers, where required by law and subject to confidentiality constraints.

15. Data Retention and Disposal

We retain Personal Information only as long as necessary for the purposes described in this Policy, unless a longer retention period is required or permitted by law.

15.1 Core retention principles
• We retain data for as long as needed to provide services and manage relationships;
• We retain required records to comply with pharmacy, medicines, tax and accounting obligations;
• We retain data needed to establish, exercise or defend legal claims; and
• We securely delete or anonymise data when no longer needed.

15.2 Typical retention periods (detailed)
A. Ecommerce and customer records:
We typically retain order, invoice and account records for up to 6 years to comply with tax and accounting obligations and to manage warranty/complaint periods.

B. Pharmacy and regulated supply records:
We typically retain regulated supply and pharmacy-related records for at least 10 years (and sometimes longer if required by regulation or professional guidance).

C. Marketing records:
We retain marketing preference and consent logs for up to 6 years from the last interaction to demonstrate compliance and manage suppression lists.

D. Customer support and dispute records:
We retain support tickets, dispute records and chargeback records for up to 6 years where needed for legal defence and fraud prevention.

E. Security and fraud logs:
We retain security logs and fraud prevention data for a period appropriate to detect patterns and defend claims, typically up to 6 years, subject to proportionality.

15.3 Deletion and anonymisation
Where feasible, we anonymise data rather than deleting it, so it can be used for analytics without identifying individuals. Where deletion is required, we delete securely and, where appropriate, instruct processors to delete as well.

16. Corporate Transactions and Due Diligence

If we are involved in a merger, acquisition, financing, reorganisation, sale of assets, or similar corporate transaction, we may disclose Personal Information to professional advisers and prospective counterparties as part of due diligence and transaction execution, subject to appropriate confidentiality protections. If the transaction completes, Personal Information may be transferred as part of the assets, and we will require the recipient to continue to protect Personal Information in a manner consistent with this Policy and applicable law. If the transaction does not complete, we will require information disclosed for due diligence to be returned or securely destroyed where appropriate.

17. Security Measures

We implement appropriate technical and organisational measures to protect Personal Information against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access.

Our security programme includes, where appropriate:
• Encryption in transit (for example, TLS/SSL);
• Access controls, including role-based access and least privilege;
• Multi-factor authentication where available;
• Secure hosting environments and patch management;
• Monitoring and logging for suspicious activity;
• Backups and disaster recovery measures;
• Staff training and confidentiality obligations;
• Vendor due diligence and contractual security requirements; and
• Incident response planning and breach logging.

No method of transmission or storage is completely secure. However, we take reasonable steps to protect Personal Information and continually improve our security controls.

18. Your Rights (UK/EU)

If UK GDPR or EU GDPR applies to you, you have rights that include:
• Right of access (to obtain a copy of your Personal Data);
• Right to rectification (to correct inaccurate or incomplete data);
• Right to erasure (in certain circumstances);
• Right to restrict processing (in certain circumstances);
• Right to data portability (in certain circumstances);
• Right to object to processing based on legitimate interests;
• Right to object to direct marketing (absolute right);
• Right to withdraw consent at any time where processing is based on consent.

To exercise these rights, contact us at admin@twofaceaesthetics.com. We may need to verify your identity. We will respond within the timeframes required by law (generally one month, subject to extensions where permitted).

19. US State Privacy Rights (California and Other States)

If you are a resident of certain US states, you may have additional rights under state privacy laws. These rights may vary by state and may depend on whether the business meets statutory thresholds. We provide the disclosures below to be transparent and future-ready; if a particular law does not apply to us at a given time, we will still strive to honour privacy choices consistent with this Policy.

19.1 California (CCPA/CPRA) rights
California residents may have the right to:
• Know what Personal Information we collect, use, disclose, and share, including the categories and specific pieces of Personal Information;
• Delete Personal Information, subject to exceptions;
• Correct inaccurate Personal Information;
• Opt out of the “sale” or “sharing” of Personal Information (as those terms are defined under CPRA);
• Limit the use and disclosure of Sensitive Personal Information (where applicable);
• Not be discriminated against for exercising these rights.

19.2 Virginia, Colorado, Connecticut and Utah rights
Residents of Virginia, Colorado, Connecticut and Utah may have rights to access, delete, correct and opt out of certain processing, including targeted advertising and certain data sharing. Virginia, Colorado and Connecticut also provide an appeals process if a request is denied.

19.3 Nevada
Nevada residents may have the right to opt out of the sale of certain covered information. We do not sell Personal Information.

19.4 How to submit US requests
You may submit a request by emailing admin@twofaceaesthetics.com with the subject line “US Privacy Request”. We may verify your identity, which may include confirming access to the email address used for your account or order, asking for order details, or other reasonable verification steps.

19.5 Authorised agents (California)
California residents may designate an authorised agent to make a request. We may require proof of authorisation and may also require the consumer to verify their identity directly.

19.6 Response timelines
We will respond within the timeframes required by applicable law. Where law requires, we may extend response periods and will notify you of extensions as appropriate.

19.7 Appeals (where required)
If your request is denied and you are entitled to appeal (for example, under Virginia, Colorado or Connecticut law), you may appeal by replying to our decision email and stating that you are requesting an appeal. We will review the appeal and respond as required by law.

20. California Notice at Collection and 12-Month Disclosure Summary

This section is intended to satisfy California “notice at collection” obligations by describing the categories of Personal Information we collect, the purposes for which we use it, and retention.

20.1 Categories collected (last 12 months)
We may have collected:
• Identifiers (name, email, phone, addresses, IP)
• Commercial information (purchase history)
• Internet/electronic network activity information (site interactions, cookies)
• Professional information (where relevant to wholesale)
• Sensitive Personal Information (health-related information where provided for pharmacy services)

20.2 Purposes of collection/use
We collect and use Personal Information for:
• Providing and delivering products/services;
• Processing transactions and customer support;
• Security and fraud prevention;
• Analytics and improving services;
• Marketing and advertising (subject to opt-outs and cookie choices);
• Legal compliance and business operations.

20.3 Retention
We retain Personal Information as described in Section 15. Where possible, we retain data only for as long as needed and then delete or anonymise it.

20.4 Categories disclosed
We may disclose the categories above to service providers and partners for the purposes described, including ecommerce platform providers, payment processors, delivery partners, IT/security providers, analytics/advertising partners (subject to cookie choices), and professional advisers.

20.5 Sale and sharing
We do not sell Personal Information for money. If our use of advertising partners constitutes “sharing” under CPRA for cross-context behavioural advertising, you may opt out through cookie settings and any available opt-out mechanisms, including GPC recognition where technically supported.

21. Do Not Sell or Share, Targeted Advertising, and Global Privacy Control

21.1 Do Not Sell or Share
We do not sell Personal Information. We aim to structure relationships with advertising and analytics providers to comply with applicable laws and contractual restrictions.

21.2 Opt-out of sharing/targeted advertising
Where required, you may opt out of “sharing” for cross-context behavioural advertising by:
• adjusting cookie preferences on our site (where available);
• using browser-based opt-out tools (where supported); and/or
• enabling Global Privacy Control (GPC) signals (see 21.3).

21.3 Global Privacy Control (GPC)
Where technically feasible and legally required, we will recognise GPC signals as a request to opt out of sale/sharing for the browser or device that sends the signal. Because GPC is a browser/device-level signal, it may not apply to offline processing or other contexts. We may require additional information to apply your preference more broadly.

21.4 Non-discrimination
We do not discriminate against individuals for exercising privacy rights. However, if you opt out of certain cookies or targeted advertising, some features or experiences may be different (for example, fewer personalised offers).

22. Sensitive Data / Special Category Handling

We treat health-related information as sensitive and apply enhanced protections. Where California’s “Sensitive Personal Information” concept applies, we limit use and disclosure of sensitive data to what is necessary for providing services, ensuring safety, compliance and security, and we do not use sensitive health information for unrelated marketing. Where an individual is entitled to request limitation of sensitive personal information, we will honour such requests to the extent required by law and consistent with our operational and regulatory obligations.

23. Children’s Privacy

Our services are intended for adults. We do not knowingly collect Personal Information from children under 13 and we do not market to children. If you believe a child has provided us with Personal Information, please contact us and we will take appropriate steps to delete the information unless we are required to retain it by law.

24. Third-Party Links and External Services

Our websites may include links to third-party websites or services. We are not responsible for the privacy practices of those third parties. If you choose to use third-party services, their privacy policies will apply to their processing of your information.

25. Changes to This Policy

We may update this Policy from time to time to reflect changes in law, technology, our services or our practices. We will post the updated Policy on our website and update the Effective Date. Where required by law, we will provide additional notice or obtain consent for material changes.

26. Contact Us

If you have questions or requests about privacy, contact:
Email: admin@twofaceaesthetics.com

If UK GDPR applies to you, you also have the right to lodge a complaint with the Information Commissioner’s Office (ICO): https://ico.org.uk.
If US state privacy law applies to you, you may also contact your state Attorney General where applicable.

27. Detailed Processing Activities and Legal Bases Matrix

The table below provides a detailed (but still readable) mapping of typical processing activities to purposes, categories, and legal bases. It is intended to be transparent and diligence-ready. If you require a formal Record of Processing Activities (ROPA) in Article 30 format, that is maintained internally and can be provided where appropriate under confidentiality.

27.1 Account creation and management
Purpose: Create and manage customer/wholesale accounts, authenticate users, maintain account settings and preferences.
Data: Identifiers, contact details, account credentials, professional information (where relevant).
Legal basis (UK/EU): Contract (Art 6(1)(b)); Legitimate interests (Art 6(1)(f)) for security and fraud prevention.
Recipients: Ecommerce platform (Shopify), IT/security providers.
Retention: For the life of the account plus up to 6 years for records/defence of claims.

27.2 Order processing and fulfilment
Purpose: Take orders, process payments, pack and ship products, provide customer updates.
Data: Identifiers, contact details, transaction data, delivery details.
Legal basis: Contract (Art 6(1)(b)); Legal obligation (Art 6(1)(c)) for tax/accounting; Legitimate interests for fraud prevention.
Recipients: Payment processors, delivery partners, ecommerce platform, customer support tools.
Retention: Typically up to 6 years (tax/accounting) plus longer if needed for disputes.

27.3 Wholesale onboarding and compliance (B2B)
Purpose: Verify eligibility, create wholesale accounts, manage authorisations and audit trails for wholesale distribution.
Data: Business identifiers, contact details, role/authority data, professional info (where relevant), transaction history.
Legal basis: Contract; Legal obligation (medicines/wholesale obligations where applicable); Legitimate interests (fraud prevention, business integrity).
Recipients: Internal compliance team, platform providers, professional advisers where necessary.
Retention: 6 years post-termination (or longer if required for regulatory reasons).

27.4 Pharmacy-related services and regulated supply pathways
Purpose: Assess suitability, support regulated supply decisions, maintain required clinical/supply records, manage safety and adverse events.
Data: Health data (Special Category), identifiers, contact details, communications, supply records.
Legal basis: Contract; Legal obligation; Special Category basis under Art 9(2)(h), and explicit consent where required.
Recipients: Authorised clinical personnel, regulated partners where applicable, regulators where required.
Retention: Minimum 10 years (or longer where required by regulation or professional guidance).

27.5 Customer service and communications
Purpose: Respond to enquiries, manage complaints, product queries, delivery issues, returns and refunds.
Data: Contact details, order history, communications content, dispute notes.
Legal basis: Contract; Legitimate interests; Legal obligation where complaints relate to regulatory matters.
Recipients: Customer support tools, professional advisers as necessary.
Retention: Up to 6 years (or longer if disputes continue).

27.6 Fraud detection and platform security
Purpose: Prevent unauthorised access, payment fraud, account takeover, abuse, and protect systems.
Data: Identifiers, technical data, risk indicators, device signals, log data.
Legal basis: Legitimate interests; Legal obligation (where security is required); Contract (where necessary to provide secure services).
Recipients: Security providers, payment processors, platform providers.
Retention: Proportionate period, typically up to 6 years for legal defence and pattern detection.

27.7 Website analytics and performance measurement
Purpose: Measure performance, improve UX, diagnose errors.
Data: Technical data, usage data, cookie identifiers (where enabled).
Legal basis: Consent for non-essential cookies (UK/EU); Legitimate interests where permitted without cookies; US state law opt-outs as applicable.
Recipients: Analytics providers (e.g., Google Analytics) and internal teams.
Retention: Typically 14–26 months for analytics event data (configuration dependent), plus aggregated/anonymised reporting.

27.8 Advertising, attribution and remarketing (Google Ads)
Purpose: Measure advertising performance, attribute conversions, and (if enabled) remarket to prior visitors.
Data: Cookie identifiers, advertising identifiers, event data, sometimes hashed identifiers for enhanced conversions (where enabled).
Legal basis: Consent for advertising cookies (UK/EU); opt-out rights (US); legitimate interests only where lawful.
Recipients: Advertising partners (e.g., Google), agencies (if used), internal marketing team.
Retention: Configuration dependent; advertising platforms may retain event data per their policies.

27.9 Marketing communications (Email via Mailchimp)
Purpose: Send promotions, product news, and relevant updates.
Data: Email address, name, marketing preferences, engagement data (opens/clicks), suppression list entries.
Legal basis: Consent or soft opt-in (UK/PECR); legitimate interests for suppression lists and compliance.
Recipients: Mailchimp, internal marketing team.
Retention: Until you unsubscribe/opt out, plus suppression list retention as needed to honour opt-outs.

27.10 SMS marketing (where implemented)
Purpose: Send promotional texts.
Data: Phone number, consent logs, message history.
Legal basis: Consent (UK/PECR); prior express written consent (US/TCPA) where required.
Recipients: SMS service provider(s), internal marketing/compliance team.
Retention: Consent logs typically up to 6 years; message logs proportionate and limited.

27.11 WhatsApp communications (where implemented)
Purpose: Customer support and/or marketing.
Data: Phone number, message content, consent/opt-out logs.
Legal basis: Contract for support; consent for marketing where required.
Recipients: WhatsApp platform; internal support team.
Retention: Proportionate; sensitive content should be minimised and redirected to secure channels where necessary.

27.12 Legal claims, compliance and auditing
Purpose: Establish, exercise or defend legal claims; comply with legal/regulatory obligations; conduct audits.
Data: Relevant categories depending on matter (order records, communications, logs).
Legal basis: Legal obligation; legitimate interests; establishment/defence of legal claims.
Recipients: Professional advisers, insurers, regulators, courts.
Retention: As required by law or for the duration of claims plus limitation periods.

28. Detailed Cookie and Advertising Disclosures

Because cookie and advertising ecosystems can create compliance risk, we provide expanded disclosures.

28.1 What “remarketing” means in practice
If remarketing is enabled, a cookie or identifier may record that a browser/device visited our site. Later, that browser/device may see ads on Google properties or partner sites. The ad is targeted to the browser/device, not necessarily to a named person. However, certain identifiers can still be treated as Personal Information.

28.2 Enhanced conversions and hashed identifiers
Some advertising configurations may use hashed contact information (such as an email address) to improve measurement. If we enable such features, we will do so only where lawful, with appropriate disclosures and choices, and we will apply minimisation (for example, hashing, limiting fields, and restricting access).

28.3 Consent and preference controls
UK/EU: Non-essential cookies (analytics and advertising) are enabled only after consent through our cookie banner, where required.
US: Where applicable, you can opt out of “sharing” for cross-context behavioural advertising via cookie settings and/or signals such as GPC. You can also use platform opt-outs (e.g., Google Ads settings) where available.

28.4 Browser/device controls
Most browsers allow you to delete or block cookies. If you block essential cookies, checkout and account functions may not work. If you block analytics/advertising cookies, you may receive less relevant advertising and some measurement may be limited.

28.5 Third-party platform processing
Google and other advertising/analytics providers may process certain information as controllers for their own purposes under their policies. We recommend reviewing their documentation and privacy notices for additional transparency.

29. Data Subject Request Handling and Verification

29.1 How to submit a request
You can submit privacy requests by emailing admin@twofaceaesthetics.com. Please include:
• Your full name;
• The email address and/or phone number you used with us;
• An order number (if available); and
• The type of request (access, deletion, correction, opt-out, etc.).

29.2 Identity verification
To protect individuals, we verify requests. Verification is risk-based:
• Low-risk requests (e.g., marketing opt-out): minimal verification.
• Access/deletion requests: we may verify via account login, email confirmation, and order validation.
• Requests involving health data or high-risk data: we may request additional verification and may provide data through secure channels.

29.3 Response timelines
UK/EU: generally within one month, extendable where lawful.
US: within the timeframes required by applicable state laws (often 45 days, with possible extensions).

29.4 Exceptions and limitations
We may deny or limit a request where permitted by law, for example:
• to comply with legal obligations (pharmacy record retention);
• to complete transactions or provide services;
• for security and fraud prevention;
• to protect the rights of others; or
• where requests are manifestly unfounded or excessive (UK/EU).

29.5 Appeals (US states where required)
Where an appeals process applies (e.g., Virginia/Colorado/Connecticut), you may appeal by replying to our response and stating you wish to appeal. We will review and respond as required. If we deny an appeal, we will provide information on how to contact the relevant authority where required.

29.6 Record-keeping
We keep records of requests and outcomes to demonstrate compliance and improve processes, retained proportionately and securely.

30. Additional California Disclosures

30.1 “Do Not Sell or Share My Personal Information”
If we are required to provide a specific opt-out link or mechanism under CPRA due to “sharing” for cross-context behavioural advertising, we will provide it through our cookie/settings tools and/or a dedicated mechanism. We also recognise GPC signals where technically feasible as described in Section 21.

30.2 Sensitive Personal Information limitation
If applicable, California residents may request limitation of certain uses of Sensitive Personal Information. We do not use health-related information for unrelated marketing, and we limit sensitive data use to what is necessary for services, safety, compliance and security.

30.3 Non-discrimination
We do not discriminate against individuals for exercising CPRA rights. We do not offer financial incentives for personal information at this time. If we ever do, we will provide a compliant notice of financial incentive.

30.4 Shine the Light (California Civil Code §1798.83)
California residents may request information about certain categories of personal information disclosed to third parties for their direct marketing purposes during the prior calendar year. We do not disclose personal information to third parties for their direct marketing purposes without consent. Requests can be sent to admin@twofaceaesthetics.com with “Shine the Light Request” in the subject line.

31. Accessibility and Communication

We aim to make privacy information accessible. If you need this Policy in an alternative format or require assistance making a privacy request, contact admin@twofaceaesthetics.com and we will work with you to provide reasonable support.

For security reasons, we may need to communicate certain information via secure channels (for example, where health-related information is involved).

32. Profiling, Personalisation, and Automated Processing

We may use Personal Information to personalise your experience and to improve our services. “Profiling” can include evaluating certain personal aspects to predict preferences or interests (for example, showing products that are more likely to be relevant).

32.1 What we do
• We may personalise on-site content such as recommended products based on browsing and purchase history.
• We may segment marketing audiences (for example, “customers who purchased X”) to send more relevant emails.
• We may use fraud and security scoring to reduce risk of unauthorised transactions or account takeover.
• We may use automated tools to assist in triage of customer support messages (for example, routing a message to the right team).

32.2 What we do not do
• We do not make decisions that produce legal or similarly significant effects solely by automated means without human involvement, especially in relation to regulated supply decisions or decisions that could materially impact an individual.
• Where automation is used as an input, a suitably authorised human reviews and confirms outcomes where appropriate.

32.3 Your choices
Where personalisation relies on cookies or similar technologies, you can control this through cookie choices. You can also object to direct marketing and, where applicable, object to processing based on legitimate interests.

33. Data Breach and Security Incident Handling

We maintain an incident response process intended to detect, respond to, and learn from security incidents.

33.1 What is a breach?
A “personal data breach” (UK/EU) generally means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.

33.2 How we respond
When we become aware of a suspected incident, we take steps to:
• contain and investigate;
• assess the type of data involved and potential risk to individuals;
• remediate vulnerabilities or restore system integrity;
• notify relevant partners/service providers where required;
• document the incident and our response; and
• implement improvements to reduce the likelihood of recurrence.

33.3 Regulatory notification (UK/EU)
Where UK/EU rules apply and a breach is likely to result in a risk to the rights and freedoms of individuals, we will notify the ICO (or relevant EU supervisory authority) without undue delay and, where required, within 72 hours of becoming aware. Where a breach is likely to result in a high risk to individuals, we will also notify affected individuals without undue delay, unless an exemption applies.

33.4 US state notification
US state breach notification laws vary. Where applicable, we will assess and comply with any notification obligations for affected US residents, including timing and content requirements, and we may notify state regulators or consumer reporting agencies where required.

33.5 Breach log
We maintain an internal log of security incidents and personal data breaches, including facts, effects, and remedial actions, as required under UK GDPR.

34. Subprocessors, Vendor Management, and Data Governance

We use third-party providers to run parts of our business. Strong vendor governance is essential to privacy compliance.

34.1 Due diligence and onboarding
We assess vendors for:
• security controls (technical and organisational);
• confidentiality commitments;
• compliance posture (including international transfer mechanisms where relevant);
• reliability and resilience; and
• ability to support rights requests and incident response.

34.2 Contractual controls
Where vendors act as processors/service providers, contracts typically address:
• processing instructions;
• confidentiality;
• security measures;
• subprocessing controls;
• assistance with rights requests;
• audit and inspection rights (risk-based);
• breach notification; and
• deletion/return of data at end of services.

34.3 Subprocessor transparency
Some core providers (such as ecommerce or email platforms) may use subprocessors. Where legally required, we rely on appropriate contractual mechanisms and provide transparency through provider documentation. If you require additional information about key subprocessors used for core services, you can contact us and we will provide what we reasonably can, subject to confidentiality and security considerations.

35. Jurisdiction-Specific Notes and UK Dispatch Model

We dispatch products from the United Kingdom. If you place an order for delivery outside the UK (including to the United States), your information will be processed for cross-border fulfilment, including customs/shipping documentation where applicable. This may involve international transfers as described in Section 14.

For B2B customers, certain information may relate to business roles. Even when information is business-related, it can still be Personal Information if it identifies an individual (for example, a named contact person). We therefore apply privacy protections to business contact information as described in this Policy.

If you are located outside the UK, your local laws may provide additional rights. We aim to provide privacy choices consistent with applicable requirements and the high standard reflected in this Policy.