Privacy Policy
1. Controller
1.1. Oversight
Leo Hair Limited (“Leo Hair”) is the data controller responsible for personal information collected via this website. Leo Hair is registered with the Information Commissioner’s Office (ICO) where required and complies with all applicable data protection laws. For all privacy-related enquiries, including Data Subject Access Requests (DSAR), please contact us directly via email, WhatsApp or by post at our registered address.
1.2. Our commitment
Leo Hair is committed to protecting personal information in accordance with the UK General Data Protection Regulation (GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR). This Privacy Policy explains what personal information is collected, how it is used, the lawful basis for processing, how it is protected, and your rights. This Privacy Policy complements the Terms and Conditions and does not override them.
2. Categories
2.1. Types of personal information
Personal information, also known as personal data, means any information that identifies or can identify an individual.
We may collect and process the following types of personal information:

Identity: First name, last name, date of birth, gender

Contact: Billing address, shipping address, email address, phone number

Financial: Transaction details

Technical: IP address, operating system, browser, device

Usage: Consultations, subscription, orders, feedback, complaints

Communication: Marketing preferences, correspondence history
This information is collected and used only to provide and improve our products and services.
2.2. Health and special category information
Health information is collected only where necessary to provide consultations and related services. It is processed in accordance with UK GDPR requirements for special category data and is not used for marketing purposes. Provision of health information is necessary to assess suitability for treatment. Failure to provide required information may prevent us from providing services.
2.3. Sensitive information and children
We do not collect information relating to sexual orientation, religious beliefs, political opinions, trade union membership, or criminal convictions. This website is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that such data has been collected, it will be deleted promptly.
2.4. Aggregated and anonymised information
We may use aggregated or anonymised data for analytics, research, service improvement, and reporting. This data does not identify individuals. Where anonymised data is combined with personal information in a way that could identify an individual, it will be treated as personal information and protected accordingly.
3. Collection
3.1. Information you provide directly
Personal information may be collected through direct interactions with Leo Hair, including via website forms, email, telephone, social media, or post. This personal information is collected solely for the purposes of providing our services, responding to inquiries, and managing your account or subscription. All personal information is handled in accordance with applicable data protection laws and our Privacy Policy.
3.2. Cookies and automated technologies
Leo Hair uses cookies, server logs, and other automated technologies to collect technical information about your browsing activities and devices. Cookies are small data files stored on your browser or device to improve your browsing experience. You may disable cookies by adjusting your browser settings; however, some features of the website may not function correctly if cookies are disabled.
The following outlines the types of cookies used and their purpose:

Essential: Enables core website functions, including checkout and account

Performance: Tracks usage to improve functionality

Functional: Recognises returning customers and remembers preferences

Targeting: Tailors content and promotions
The following third-party platforms may place cookies or process information on our behalf:

Shopify: Manages personal information

Chargebee: Supports billing and subscription management

Jelly: Handles consultations and prescribing

Meta: Personalises advertising

Google: Personalises advertising, analyses website and performance
These providers act under contractual obligations and process personal information only in accordance with applicable law.
4. Use
4.1. Lawful bases for processing
Personal information is processed in accordance with applicable law, for purposes including the performance of contractual obligations, protection of legitimate interests, and compliance with legal obligations, as outlined below:
4.2. Change of purpose
Personal information is only used for its intended purpose unless a compatible purpose arises. If use is required for an unrelated purpose, notice and explanation will be provided unless otherwise permitted by law.
4.3. Information sharing and disclosure
Information may be shared with employees, contractors, service providers, and legal and regulatory authorities, and during business restructuring. All third parties are contractually required to respect the security of personal information and process it only according to documented instructions.
4.4. International information transfers
Where personal information is transferred outside the UK, appropriate safeguards are implemented. These may include transfers to countries recognised as providing adequate protection or the use of approved International Data Transfer Agreements (IDTAs) or Standard Contractual Clauses (SCCs).
4.5. Marketing communications
Direct communications are only sent with your consent, except where allowed under PECR soft opt-in rules. You may withdraw consent at any time, and your marketing preferences will always be respected. Personal information will not be shared with third parties for marketing without opt-in consent. You can opt out of marketing communications at any time via the unsubscribe link in emails or by contacting Leo Hair directly. Opting out does not affect service-related messages.
5. Security
5.1. Account responsibilities
Users are responsible for maintaining account security by using trusted devices, up-to-date security software, secure passwords, and two-factor authentication where available. Guidance is available via the National Cyber Security Centre (NCSC).
5.2. Compliance measures
Appropriate technical and organisational measures are implemented to prevent unauthorised access, loss, misuse, alteration, or disclosure of personal information. Access is restricted to individuals with a legitimate business need and who are subject to confidentiality obligations. Procedures are in place to respond to suspected data breaches and to notify regulators and individuals where legally required.
5.3. Information retention
Identity, contact, and usage information is retained only for as long as necessary to fulfil its intended purpose and comply with legal obligations. Financial records are typically retained for six years for tax and accounting purposes. Technical and communications information is retained until consent is withdrawn. Anonymised data may be used for research or statistical purposes indefinitely.
6. Rights
6.1. Exercising your rights
Customers have the legal right to access, correct, erase, restrict, or object to the processing of their personal information. They can also request data portability and withdraw consent. Further information about these rights can be found on the ICO website. DSARs can be made by contacting Leo Hair.
6.2. Response verification and timelines
We do not charge a fee for exercising your rights unless a request is manifestly unfounded or excessive. Identity verification may be required before fulfilling requests. We aim to respond within one month, although complex requests may require additional time.
6.3. Disputes
If you have concerns about how we handle personal information, please contact us in the first instance. If the matter remains unresolved, you have the right to file a complaint with the ICO.