Last updated: 22/04/2026

1. INTRODUCTION

The HeliosX group of companies is committed to protecting your privacy. This Privacy Policy describes our policies and procedures on the collection, use and disclosure of your information when you use our services. It also outlines your rights and choices with respect to your Personal Data, and how to contact us if you have any queries or concerns.
  
Across each of the services we provide, we are dedicated to maintaining the confidentiality and rights to privacy of all our patients, service users, and other individuals we engage with. 
  
We take our responsibilities in relation to data protection and information rights seriously and maintain robust processes for safeguarding the Personal Data we hold in order to carry out our services and provide easy access to the information rights of individuals. 

This website and our services are not intended for children and we do not knowingly collect data relating to children. Please do not access our services or provide data to use unless you are at least 18 years of age.

2. PURPOSE

This policy explains how we Process your Personal Data and the steps we take to protect it. This Privacy Policy explains how we handle information about you when you visit our websites, mobile apps, services and health services.  

3. SCOPE AND RESPONSIBILITIES

This Privacy Policy is published by HeliosX on behalf of itself and its subsidiaries (together “HeliosX”). The “controller” of your Personal Data for the purposes of the UK GDPR and the EU GDPR will depend on the HeliosX service you interact with as follows:

4. DEFINITIONS

Key terms used within this policy are defined in the glossary (Appendix 1)

5. PERSONAL DATA WE COLLECT

We collect and process Personal Data about you in the ways outlined below. Where applicable, we indicate whether and why you must provide us with your Personal Data, as well as the consequences of failing to do so. If you do not provide Personal Data when requested, you will not be able to use our services if that information is necessary to provide you with them or if we are legally required to collect it.

Information provided by you:

• Registration - When you register to use a service provided by HeliosX (e.g., when you create an account on a website, or contact us by other means), we will collect Personal Data to provide you with access to the services you require. The information we collect will include identity and contact data such as your name, address, email, date of birth and phone number.
• Requesting Healthcare Services - If you request healthcare services from us including prescription-only medication, we may ask you to “complete a consultation”, or to otherwise provide us with information about you. We will collect sensitive Personal Data (special category data) about you when you complete the  consultation form, including information about your body composition (potentially with pictures), medical conditions (including previous diagnoses you’ve received), ethnicity (if relevant to the prescription), current medications and allergies.
• Ordering Goods from Us - If you order goods or services from us, we will collect information we require to complete your purchase, including financial and billing data such as your payment details, address, email, ID (for verification), date of birth and other contact details.
• Contacting Us - If you contact us via social media, email, telephone or otherwise, we will collect any Personal Data you choose to disclose to us. We use this information to help us respond effectively to your comments, questions, or feedback.
• Marketing and Communications Data - We will collect your marketing and communication preferences.
• Responding to Surveys and Prize Draws - We will collect information about you if you respond to surveys on our site, or otherwise enter any competition, promotion or survey we run.

This information may be combined with other information you provide to us.

Information we receive from other sources

We also work closely with third parties (including, for example, business partners, service providers, advertising networks, analytics providers, and search information providers) and may receive information about you from them. If you choose to sign in using a third party (for example your Gmail account), we will also receive information from them.

This may be combined with other information you provide to us, as described above.

Information about other people

If you provide information to us about any person other than yourself, you confirm that you have permission to do so and that they have acknowledged this Privacy Policy.

Information collected via automated means

We use tools like cookies and similar technologies (collectively “cookies”), as well as server-side events, to ensure that our Services function properly and to improve our products and Services. Cookies are small pieces of information that are stored by your browser on your computer’s hard drive and record how you navigate this website on each visit.

This may include technical information about your computer or device, internet connection and browser, the country where your computer or device is located, your IP address, the pages viewed during your visit, the advertisements you clicked on, any search terms you may enter on our website or app, and other information about your visit and how you used our website or app, which may include health data. We use this information to provide you with the best possible web experience.

To find out how we use cookies on this site, see our Cookie Policy.

6.  HOW WE WILL USE YOUR PERSONAL DATA

Purposes for Processing your Personal Data

We will primarily use your Personal Data for the following purposes:

• To fulfill your purchase/order.
• To register your account and keep it secure.
• To verify your identity. This may include using a partner company to check your ID.
• To create and maintain your patient record once you have registered.
• To help us make decisions about your medical diagnosis, healthcare or treatment.
• To process and fulfil any orders that you place with us (through our website).
• To communicate with you and respond to any queries, requests or complaints you may have. This may happen through both human and AI agents.
• To contact you in the event that any services requested are unavailable or if there is a query or problem with your order.
• To notify you about any changes to our services and to send you service emails relating to said services, like payment confirmations, delivery updates, and similar.
• To send you promotional messages. We may contact you about relevant products and services including special offers, discounts, promotions, events, surveys, and competitions tailored to you up to two years after your last purchase. This may include promotions offered by other entities in the HeliosX group of companies. You can opt out of hearing from us about these at any time.
• To utilise third party suppliers/software for the dispensing of your prescribed medication.
• To carry out market research so that we can improve the services we offer. 
• To improve our products. For example, we may capture your product reviews when you buy goods and services from us by following up with an inquiry about your experience of the product to help us gauge customer satisfaction. We may also conduct customer surveys or otherwise conduct market research. You are not obligated to leave reviews or complete surveys.
• To train our Machine Learning (ML) or Artificial Intelligence (AI) models. We may use your Personal Data to train our ML/AI models, which we use to improve, promote and provide our services, as well as for analytics. For example, we use AI to spot bad quality verification pictures uploaded by our customers. We will anonymise data used for model training whenever possible.
• For clinical research. For example, we may use your Personal Data for the development of products used to diagnose and treat your symptoms or to study the effectiveness of our existing products and services. We will anonymise data used for medical research whenever possible.
• To allow you to participate in interactive features of our services when you choose to do so.
• To personalise customer experience and inform marketing strategies.
• To continuously improve our service to our customers by monitoring and recording telephone calls which we receive at our call centres for the purposes of staff training, quality control and service improvement. 
• To track and analyse activity on our website.
• As part of our efforts to keep our website safe and secure.
• To prevent fraud. Where relevant, we will compare customer uploaded images with each other to ensure they show to the same person. This may rely on facial recognition software making an assessment that is then manually reviewed.
• To comply with applicable law. For example, in response to a request from a court or regulatory body, where such request is made in accordance with law.
• To send you app notifications and reminders that you set up on your device.

Testimonials

If you provide us with a testimonial, which may include Personal Data such as your name or alias, location, age, treatment details, and photographs, we will retain this data for as long as necessary to fulfil the purposes for which it was collected. We will always process this data in accordance with our data retention policies, and you may be contacted after a certain period to ask if you wish to provide an updated testimonial.

The primary purpose of collecting and using testimonials (including related photographs, and data) is for marketing purposes. This may include displaying the materials on our website, social media platforms (including but not limited to Facebook, Instagram, and Reddit), and within marketing emails. Additional marketing channels may also be utilised as part of our broader marketing strategy and business needs.

Lawful grounds for Processing

To Process your Personal Data, we rely on one or more of the following legal grounds:

• Your consent to specific Processing activities. For example, where you have consented to us using your information for marketing purposes. You may withdraw your consent at any time by contacting us. If you opt out of receiving marketing communications, you will still receive service-related communications that are essential for administrative or customer service purposes.
• We will process your Personal Data where it is necessary to perform a contract with you and fulfil your request for content, products or services from HeliosX.
• Legitimate interests we or a third party pursue as a business, except any overridden by your interests and fundamental rights. We may rely on this legal ground to, for example, keep business records, assert our legal rights and obtain professional advice.
• Compliance with any legal obligation to which we are subject. For example, we may process your Personal Data to comply with tax and accounting obligations.

To Process your Special Category (health, ethnicity, biometric) Data, we rely on the following legal conditions:

• It is necessary in connection with your medical diagnosis or for the provision of your healthcare or treatment. We never hold more health data than we need for these purposes and we have assessed that processing this data is a reasonable and proportionate way of providing your healthcare. Without this information, we would not be able to diagnose you, nor prescribe or send you your medication.
• You give us explicit consent to do so. This may be where you agree to us sending you marketing information or where you choose to participate in some of our market research.
• There is a reason of substantial public interest, for example preventing or detecting fraud.
• We are conducting scientific research in the public interest. We ensure that this is done in a reasonable and proportionate way, with appropriate safeguards in place.

Disclosing your Personal Data

In order to provide our products and services, we may, occasionally, appoint other organisations to carry out some of the Processing activities on our behalf. We will not share your Personal Data with any organisation, other than those directly involved in delivering these services.

We may also share your personal data with:

• Our advertising partners, including providers of social media platforms, who enable us to deliver personalised ads to your devices or similar advertising.
• Our outsourced service providers or suppliers to facilitate the provision of our products and/or services to you.
• Third party providers of healthcare services (e.g., your GP) where necessary to provide a service to you (e.g., verifying medical details to provide an appropriate prescription), or to prevent fraud.
• Our marketing partners, who may contact you by post, email, telephone, SMS or by other means. If you do not wish to be contacted, you may unsubscribe by clicking “unsubscribe” in the message concerned.
• Analytics and search engine providers that assist us in the improvement and optimisation of our website.
• Our data centre provider for the safe keeping of your Personal Data and our web hosting provider through which your Personal Data may be collected and surfaced.
• Third party service providers and consultants in order to protect the security or integrity of our business, including our databases and systems and for business continuity reasons.
• Another legal entity, on a temporary or permanent basis, for the purposes of a joint venture, collaboration, financing, sale, merger, reorganisation, change of legal form, dissolution, or similar event. In the case of a merger or sale, your Personal Data will be permanently transferred to a successor company and the new owners may use your personal data in the same way as set out in this privacy policy.
• Public authorities and regulatory bodies where we are required by law to do so or to otherwise fulfil regulatory obligations.
• If required, in order to receive legal advice.
• Any other third party where you have provided your consent.

Security of Personal Data

HeliosX has appropriate technical and organisational measures in place to ensure the confidentiality, integrity and availability of all data we hold.

We limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

International Transfers of Personal Data

In the course of our operations, your personal data may be Processed within our group of companies located in the United Kingdom (UK).

Some of our partners to whom we may disclose Personal Data are located within the European Economic Area (EEA). For transfers within the EEA and UK, we rely on adequacy decisions made by the United Kingdom Government or the European Commission, confirming that the data protection standards in those countries are sufficient.

For transfers to third countries outside the UK and EEA and which are not covered by an adequacy decision, such as the United States, South Africa, and India, we ensure that appropriate safeguards are in place. These safeguards include using the UK’s International Data Transfer Agreement (IDTA) and Addendum,Standard Contractual Clauses (SCCs) approved by the UK Secretary of State or the European Commission, or other mechanisms permitted under Article 46 of the UK or EU GDPR (which now include self-certification to the EU-U.S. Data Privacy Framework or UK-US Data Bridge).

Retention of Personal Data

We keep personal data for as long as necessary to fulfil the purpose for which it was collected and in line with industry standards. When it is no longer necessary, we take measures to delete your personal data, or keep it in a form that does not permit identifying you.

We also store your personal data where we have a continued legitimate and lawful purpose to do so, as required by law. This includes, but is not limited to, complying with tax requirements, meeting regulatory requirements, resolving disputes, preventing fraud and abuse, and enforcing our terms and conditions.

When determining the specific retention period, we take into account various criteria, such as the type of service provided to you, the nature and length of our relationship with you, mandatory retention periods provided by law and the relevant statute of limitations.

Once the retention period expires, your data will be deleted or anonymised, as relevant.

Your Rights

If you wish to exercise any rights that you may have under the UK GDPR or the EU GDPR, you can do so by contacting us at help@dermatica.co.uk:  

Right to access (Subject Access Request).

You may request a copy of the Personal Data we hold about you. For example, this could include a copy of your medical record, a transcript of a phone call, and so on.

Right to rectification.

You may request that we rectify any inaccurate and/or complete any incomplete Personal Data.

Right to erasure. 

You may request that we erase your Personal Data and we will comply, unless there is a lawful reason for not doing so. For example, there may be an overriding legitimate ground for keeping your Personal Data, such as, a legal obligation that we have to comply with, or if retention is necessary for us to comply with our legal obligations.

Right to restrict and withdraw consent.

You may, as permitted by applicable law, withdraw your consent to the Processing of your Personal Data at any time. Such withdrawal will not affect the lawfulness of Processing based on your previous consent. Please note that if you withdraw your consent, you may not be able to benefit from certain service features for which the Processing of your Personal Data is essential.

Right to data portability. 

In certain circumstances, you may request that we provide your Personal Data to you in a structured, commonly used and machine readable format and have it transferred to another provider of the same or similar services. We will comply with such transfer where required by law as far as it is technically feasible. Please note that a transfer to another provider does not imply erasure of your Personal Data which may still be required for legitimate and lawful purposes.

Right to object to Processing. 

You have the option, as permitted by applicable law, to request that we stop Processing your Personal Data. In certain situations where our service may not be suitable for you, we use automated Processing and profiling to support our clinical team. Occasionally, this involves automated decision-making without direct input from a clinician. You have the right to object to this Processing and request that a clinician reviews the decision.

Your right to log a complaint.

We suggest that you contact us about any questions or if you have a complaint in relation to how we Process your Personal Data. However, you do have the right to contact the relevant supervisory authority directly. To contact the Information Commissioner’s Office (ICO), the supervisory authority in the United Kingdom, please visit the ICO website for instructions.

You will not have to pay a fee to access your data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

We try to respond to all legitimate requests within one month. Occasionally it could take up longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

7. MONITORING AND COMPLIANCE

We may amend this Privacy Policy at any time. Any changes we may make will be posted on this page, so please check back frequently. Your continued use of our website and our services after posting will constitute your acceptance of, and agreement to, any changes.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us, for example a new address or email address.

8. APPENDICES

Appendix One – Terms and Definitions