Short Version
At Superdrug, we take privacy seriously.
The categories of personal data that we process depends on how you use our services. We use your personal data to provide our online services in alignment with your preferences, to process your requests, to contact you regarding products and services which may be of interest to you, to provide prize draws or competitions, or to carry out relevant administrative services. All personal data is processed in accordance with applicable data protection laws.
We only disclose your personal data to third parties that assist us with providing you with our services and, if you authorise us explicitly, to our affiliated companies for the purpose of customer relationship management, analytics and marketing.
With your consent we also use cookies for marketing, performance and statistical purposes.
As our valued customer, we also offer you various choices to control how your personal data is used. For example, if you would like to update your ‘cookie preferences’, click on the Cookie Consent Tool located at the bottom right of our website.
In addition, if you have an electronic account with us (on the website or mobile app), you can update your contact information and your Privacy Preferences under the ‘My Account’ section. Alternatively you can contact our Customer Team via our Contact Us hub, and they will be able to help you.
If you would like more information about the processing of your personal data by us and on the cookies that we use, see below the full version of our Privacy Policy.
Long Version
Our Privacy Principles
At Superdrug we have 5 Privacy Promises which explain how we use and look after your information. We will:
- ALWAYS use your personal data in line with data protection law.
- ALWAYS tell you what information we collect, what we do with it, who we share it with and who to contact if you have any concerns.
- ALWAYS provide options to say ‘STOP’ if you don’t want marketing communications.
- ALWAYS take steps to protect your information and make sure no unauthorised person accesses it.
- ALWAYS respond to questions about your personal data without delay.
Our Privacy Policy
Last Updated: July 2021
We are committed to safeguarding your privacy rights and ensuring that your personal data is protected.
This Privacy Policy explains the types of personal data we collect and how we process and protect that data in connection with the services we offer. This includes information collected offline in our stores or through our customer services, and online through our websites, applications (including mobile apps) and third party platforms (“Sites”).
This Privacy Policy also applies to our targeted content, including online offers and advertisements for products and services, which you may see on third party websites, platforms and applications (“Third Party Sites”) based on your online activity. These Third Party Sites may have their own privacy policies and terms and conditions. We encourage you to read them before using those Third Party Sites.
1
Who is responsible for what happens with your data?
Superdrug Stores plc (“Superdrug” or “we”) are responsible for processing your personal data on our Sites. Superdrug is a member of the A.S. Watson group of companies (“ASW Group”), which is part of the multinational conglomerate CK Hutchison Holdings Limited (“CK Hutchison”).
2
How do I contact the Data Protection Officer?
If you have a question in relation to how we process your personal data you can contact our Data Protection Officer via email dataprotectionofficer@superdrug.com
3
What is Personal Data?
Personal Data means information that can directly or indirectly identify you (“Personal Data“). This typically includes information such as your name, address, email address, and telephone number, but can also include other information such as IP address, shopping habits, information about your health and information about your lifestyle or preferences such as your hobbies and interests. Information about health are called “special categories of Personal Data” that require special protection because of their sensitivity.
4
What happens when you provide us with your Personal Data or when we otherwise receive your personal data?
We collect your Personal Data directly in a number of ways, for example when you provide us with your information to register as a customer for our Sites or as a Health & Beautycard member, subscribe to our newsletter, receive information or mailings, use our applications, buy a product or service from us, complete a survey, complete a beauty or health diagnostic test, make a comment or enquiry or contact our Customer Team.
When you provide us with your Personal Data, we will process it in accordance with this Privacy Policy. If you do not wish us to process your Personal Data in this way, please do not provide us with your personal information.
We may also receive your Personal Data from other sources, including information from commercially available sources, such as public databases and data aggregators, and information from third parties. If you do not want us to receive your Personal Data from other sources, please communicate your preferences directly with the relevant sources.
We process your Personal Data to provide you with our services as further explained below. In certain instances, we only process your Personal Data if you have given us permission to do so, for example in most cases where we process your Personal Data for marketing purposes, use cookies or location data or where we process your sensitive personal information. In other instances we may rely on other legal grounds for processing your personal data, such as performance of the contract with you or legitimate interests, like fraud prevention.
Where we process your Personal Data on the basis of your consent, we will ask for your consent explicitly and only for a particular purpose. We will also ask you to provide additional consent if we need to use your Personal Data for purposes not covered by this Privacy Policy.
Please refer to the table in Section 6.1 for details of the various types of Personal Data we may collect, the relevant purposes and the legal basis for such processing.
5
What happens if our customer is a child?
You must be at least 16 years of age to register an account and to place an order on the Site. We therefore will not use the Personal Data of any person under the age of 16 which is obtained via the Site for marketing purposes.
To provide parental consent to marketing, please ask your parent or guardian to contact our Customer Team via our Contact Us hub, and they will be able to help you
6
For which purposes do we process your Personal Data?
6.1 To see which categories of Personal Data we collect for which purposes, click on the headings below:
Browsing on our sites
What personal information may we collect?
Information about the type of browser you use when visiting our Sites, your IP and device address, hyperlinks that you have clicked, websites you visited before arriving at our Sites and information collected by cookies or similar tracking devices. Your user name, profile picture, gender, networks and any other information you choose to share when using Third Party Sites (such as when you use the “Like” functionality on Facebook).
What is the Purpose of the processing?
We (and third party service providers acting on our behalf) use cookies and similar technologies to process data about you when you visit our Sites. We would like to know whether you have visited us before and your preferences to provide you with a tailored experience of our Sites.
See Section 6.2. below for more information about cookies.
How long do we store your Personal Data?
Please check the Cookie Consent Tool to learn about the storage periods for each cookie.
What is our legal basis for the processing?
Your consent when you click “agree and proceed” in our Cookie Consent Tool in our Sites. In some cases, and always when permitted by law, we will infer from your actions that you agree to Cookies. Please note that we need to process certain basic surfing data in order to provide core Sites functionalities such as secure log-in or remember how far you are through an order.
You can always revisit your cookie preferences via our Cookie Consent Tool or by changing your browser settings.
Purchase/ Agreeing to a Service
What Personal Data may we collect?
Name, title, postal address, email address, home telephone, mobile number, billing address, passwords, order history, payment history, payment method , order history/ wishlist, age/date of birth, gender, information on the handling of your request (including information relating to prescription or pharmacy medicines and other medicine or beauty products that you order), and other Personal Data you voluntarily provide to us.
What is the Purpose of the processing?
We process Personal Data to provide you with our products or services that you request from us, including sending you products you have purchased.
How long do we store your Personal Data?
As long as you keep shopping with us. If after three years, you have no transactions, we delete or anonymise your Personal Data, unless we are required by as a healthcare provider to retain certain electronic patient records. These patient records will include some Personal Data and your prescription / treatment history. We are required to retain these records for a minimum of 10 years after your death.
What is our legal basis for the processing?
We need this information to process your order or any other service you request from us (performance of a contract). For processing of information about health (your consent).
Customer Service
What Personal Data may we collect?
Name, title, postal address, email address, home telephone, mobile number, billing address, passwords, order history, payment history, payment method , order history/ wishlist, age/date of birth, gender, information on the handling of your query, posts and other content you submit to our Sites, and further information submitted by you in relation to a purchase or service request or other query (including sensitive personal information).
What is the Purpose of the processing?
We process your Personal Data whenever you contact us and when we respond to your enquiries and comments.
How long do we store your Personal Data?
General enquiries and comments relating to service issues etc. three years from last communication with you. Communications relating to personal injuries, accidents and other health and safety issues may need to be kept for a longer period in case of legal claims or settlements.
What is our legal basis for the processing?
To process your enquiries, comments or complaints at your request (performance of a contract or quasi-contract).
Suggesting products & services which may interest you
What Personal Data may we collect?
Name, title, postal address, email address, mobile number, order history, payment history, age, date of birth, gender, actions you take on our website or when viewing our emails, answers you provide in surveys, your shopping habits and preferences.
What is the Purpose of the processing?
To suggest tailored products or services (including those of relevant third parties) that we think may be of interest to you based on your shopping history and behaviour, your preferences, and our market segmentation strategies. We may do this by sending you – via post, email, newsletter, SMS, push notifications or phone – details of products, services, special offers, promotions and other information. We may also contact you to offer the opportunity to take part in customer research surveys, promotions, prize draws or competitions.
How long do we store your Personal Data?
As long as you keep shopping with us. If after three years, you have no transactions, we delete or anonymise your Personal Data, unless we are required by the law to store it for a longer period.
What is our legal basis for the processing?
You may authorise us to do so if you become a Health & Beautycard member by accepting our Terms & Conditions (performance of a contract).
If you are not a Health & Beautycard member, you will authorise us by signing up to our newsletters or creating an online account.
You can always opt-out of our marketing via your “Privacy Preferences” in your profile (if you have one), by contacting our Customer Team or via the unsubscribe button in any our marketing communications.
Online Shopping
What Personal Data may we collect?
Name, title, postal address, email address, billing address, home telephone or mobile number, information about products you order, (including health products or medicines if you order from our online pharmacy), order history, details about your purchase, payment information, payment history, age.
What is the Purpose of the processing?
How long do we store your Personal Data?
As long as you keep shopping with us. If after three years, you have no transactions, we delete or anonymise your Personal Data, except where we are required by law as a healthcare provider to retain certain electronic patient records. These patient records will include some Personal Data and your prescription / treatment history. We are required to retain these records for a minimum of 10 years after your death.
What is our legal basis for the processing?
We need this information to provide you with your online order (performance of a contract). For processing of information about health and beauty or diagnostic data (your consent).
Fraud prevention and other administrative services, such as registration
What Personal Data may we collect?
Name, title, postal address, email address, home telephone or mobile number, information about health or diagnostic data, NHS number (UK only), payment information (i.e. bank details), payment history, age.
What is the Purpose of the processing?
To carry out administrative services, including processing any application you submit to us for providing the services, preventing or detecting fraud or other crimes, verifying your identity and credit/payment status, or processing payment instructions. Your payment related Personal Data may be transferred to payment providers to process your payments or the police for fraud prevention purposes.
How long do we store your Personal Data?
As long as you keep shopping with us. If after three years, you have no transactions, we delete or anonymise your Personal Data, unless we are required by law as a healthcare provider to retain certain electronic patient records. These patient records will include some Personal Data and your prescription / treatment history. We are required to retain these records for a minimum of 10 years after your death.
What is our legal basis for the processing?
For the prevention and detection of fraud to ensure that your identity and transactions are secured (balancing of interest with our interest being to prevent fraud and protect our customers).
We perform other administrative services to provide you with the respective underlying services (performance of a contract).
When you visit our Sites you may access services which are provided on third party websites (for example, the Superdrug Online Doctor and Superdrug Online Opticians). In this instance these third parties will be responsible for your Personal Data and will act as Data Controller in respect of your Personal Data.
6.2 Cookies and Similar Technologies
We use cookies and similar technologies (“Cookies”) to improve our products and your experience on our Sites by collecting information on how you use our Sites. Some of the Cookies we use are required to enable core site functionality, for example to provide secure log-in or to remember how far you are through an order, but we also use Cookies that allow us to analyse site usage (so we can measure and improve performance), and advertisement Cookies which are used by advertising companies to serve ads that are relevant to your interests.
We may also tailor our Sites and our products to your interests and needs, by collecting information about your device and linking this to your Personal Data so as to ensure that our Sites present the best web experience for you.
Where we use Google Analytics, we have set up the service to anonymize your IP address as soon as data is received by the Analytics Collection Network https://support.google.com/analytics/answer/2763052?hl=en , before any storage or processing takes place. To opt out of being tracked by Google Analytics across all websites please visit http://tools.google.com/dlpage/gaoptout.
You can view more information on the Cookies we use and adjust your preferences via the Cookie Consent Tool on our Sites. Please note, however, that without cookies you may not be able to use all of the features of our Sites or online services.
6.3 Your Personal Data and Superdrug App
Our app does not collect or store pictures taken with your phone.
We will ask for your separate permissions for our app to open your camera. If you change your mind, you will be able to revoke them any time by changing the settings on your device. Please note that rejecting or switching off these permissions will limit the features you can use in our app.
We use face recognition technology already included in your phone (such as TrueDepth API) to create augmented reality effects within the App. We do not share information with third parties, do not store or process in any other way the data which we access and use via this technology.
7
Who do we share your Personal Data with?
7.1 Our Service Providers
You understand that in order to provide our services to you we may need to share your Personal Data (including special category Personal Data relating to your health) with your doctor and non-medical staff working at or with us as well as with pharmacies (including but not limited to pharmacies operated by us) or hospitals working with us to deliver medical services to you.
We share your Personal Data with the following data processors (i.e. service providers that help us to perform the above tasks):
- relevant companies of the ASW Group and subsidiaries of CK Hutchison for the purposes of Customer Relationship Management and analytics, in particular with A.S. Watson (Health & Beauty UK) Limited.
- relevant companies of the ASW Group and trusted third parties which directly support our promotional activities, Sites administration and the Health & Beautycard programme, in particular A.S. Watson (Health & Beauty Continental Europe) B.V. for IT management (hosting, maintenance and test).
- trusted third parties to help us process and analyse your Personal Data for us, to support us when suggesting products & services which may interest you in line with Section 6.1 above.
- if you order a product or service from us, trusted third parties to allow payment and delivery of the products and services you have ordered. Unless you provided consent, any such trusted third parties are not authorised by us to use your Personal Data in any other way and will be required by us to implement adequate technical and organisational measures to protect your Personal Data.
7.2 Other Recipients
We share your Personal Data with the following third parties that process your Personal Data for their own purposes (i.e. these third parties are no processors; they rather use your Personal Data because they have their own interest or because you had consented):
- interested third parties (that are not relevant companies of the ASW Group and subsidiaries of CK Hutchison) that will send you marketing, but only if you consented to receive such communications from them.
- law enforcement or other agencies if we are required to do so by law, or by a warrant, subpoena or court order to disclose your Personal Data.
Please note that we never share your Personal Data with social media platforms. When we engage in audience building or customer matching activities with social media platforms like Facebook or Google, your Personal Data is always anonymised before the transfer. If there are any changes in the future and we have to share your Personal Data with a social media platform, we will ask for your consent.
7.3 Sharing your Site Usage Information
With your consent, we will share Site usage information with trusted third parties (e.g. advertisers, advertising agencies, advertising networks, data exchanges, etc.) in order to offer you tailored content which may be of interest to you based on your prior activity on our Site. These trusted third parties may set and access their own Cookies, web beacons and similar tracking technologies on your device in order to help us deliver customised content and advertising to you when you visit our relevant Sites. Please see Section 6.2 for more information about Cookies and how to opt out.
You can also visit the website www.youronlinechoices.com to choose which companies can deliver customised advertisements.
Please note that even if you opt out, you may still receive advertisements from us that are not customised based on your Site usage information.
8
To which countries do we transfer your Personal Data?
Many of our trusted third parties and ASW Group companies and CK Hutchison companies are based in countries that provide an adequate level of data protection, such as the UK and the European Economic Area.
We also transfer your data to Ukraine (where our web development team sits), USA and India (where some of our suppliers have back office services), and Canada (where some of our suppliers that provide us with data analytics and personalisation services are located).
When we need to transfer your Personal Data to a trusted third party or ASW Group or CK Hutchison company based in a country where data protection laws are considered not to offer the same level of protection, we ensure adequate data protection safeguards by relying on other legitimate means, such as the Privacy Shield certification and/or Standard Contractual Clauses.
More details on the transfer mechanism can be obtained from our Data Protection Officer (see contact details in Section 2).
9
How long do we process your Personal Data?
We will store your Personal Data only until the aforementioned purposes for which we have collected or received your Personal Data are fulfilled and once our statutory obligations to preserve records have expired as further described in Section 6.1.
10
What are your rights?
If certain requirements are fulfilled, you have the right to:
- Obtain from us confirmation as to whether or not we process Personal Data from you and, where that is the case, access to your Personal Data;
- Rectification of inaccurate Personal Data;
- Erasure of Personal Data;
- Objection to the processing of Personal Data;
- Restriction of processing of Personal Data; and
- Portability of Personal Data – receive the Personal Data you have provided to us in a structured, commonly used and machine-readable form and transmit it to another data controller.
You can learn more about these rights here: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/. To exercise your rights, please contact the Data Protection Officer (see Section 2 for contact details) or get in touch with our Customer Team on the details set out below.
Note that you do not need to contact our Data Protection Officer to exercise your rights to stop receiving marketing communications from us. You can opt out of receiving such communications by going to the Privacy Preferences section of your ‘My Account’ if you have an account with us, directly from the communications we send you or by contacting our Customer Team via our Contact Us hub.
11
Can you withdraw your consent to the processing of personal data?
Where your consent is the legal basis for the processing of your Personal Data, you can withdraw your consent for:
- Marketing communications: by logging into your account under Privacy Preferences or using the unsubscribe link in any of our marketing communications.
- Use of Cookies: via our Cookie Consent Tool at the bottom of our Sites.
- Other purposes: by sending us an email to dataprotectionofficer@superdrug.com or by contacting our Customer Team as detailed in Section 10.
Please note that withdrawing your consent will not affect the lawfulness of the processing before the withdrawal.
12
Can you complain with the data protection authorities?
If you think that the processing of Personal Data by us violates data protection laws, you can lodge a complaint with the Information Commissioner in the UK (www.ico.org.uk).
13
How do we protect your Personal Data?
We maintain appropriate technical and organisational measures to protect the Personal Data you provide to us against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to your Personal Data.
14
Can we change our Privacy Policy?
We may change this Privacy Policy from time to time by posting the updated version of the Privacy Policy here. We encourage you to visit this area frequently to stay informed.