Privacy Policy

Clever Aesthetic Tech Limited (trading as Pure Obagi)
www.pureobagi.com
Last reviewed: June 2026

Contents

  1. About Us and This Policy
  2. The Legal Framework
  3. What Information Do We Collect?
  4. Cookies and Tracking Technologies
  5. How Do We Use Your Information?
  6. Lawful Basis for Processing
  7. How Do We Handle Your Information?
  8. International Data Transfers
  9. Data Retention
  10. To Whom May We Disclose Your Information?
  11. Your Rights
  12. Changes to This Policy
  13. Your Right to Complain

1. About Us and This Policy

Clever Aesthetic Tech Limited, trading as “Pure Obagi” (“We”, “Us”, “Our”), is committed to protecting your personal data. This Privacy Policy explains how We collect, use, store and share your personal data when you use Our website at www.pureobagi.com (the “Website”).

Please read this Policy carefully. By using Our Website, you acknowledge that you have read and understood how We process your personal data as described here. If you do not agree, please do not use Our Website.

1.1 Who We Are

Pure Obagi is a brand of Clever Aesthetic Tech Limited, a company incorporated in Ireland (company number 676949), with its registered office at Unit 16 The Exchange, Calmount Business Park, Ballymount, Dublin, D12 RF43, Ireland.

We are registered with the Office of the Data Protection Authority (ODPA) in Guernsey under registration number DPA2706. As a controller established in Ireland, We are subject to the EU GDPR, and Our lead supervisory authority in the EU is the Irish Data Protection Commission (DPC).

1.2 UK Representative

Because We are established in Ireland (an EU Member State) and process personal data of individuals in the United Kingdom, We are required under Article 27 of the UK GDPR to designate a UK representative. Our designated UK representative is:

Healthxchange Pharmacy UK Limited
1st Floor Sackville House, 143–149 Fenchurch Street, London, EC3M 6BL
Email: dpo@healthxchange.com

UK data subjects may contact Our UK representative in respect of any matter relating to Our processing of their personal data.

1.3 Contact and DPO

Any questions, comments or requests regarding this Privacy Policy should be addressed to Our Data Protection Officer:

Data Protection Officer
Clever Aesthetic Tech Limited
Unit 16 The Exchange, Calmount Business Park, Ballymount, Dublin, D12 RF43
Email: dpo@healthxchange.com

2. The Legal Framework

We process your personal data in accordance with:

  • The EU General Data Protection Regulation 2016/679 (“GDPR”), as it applies to Our processing of data concerning EU residents;
  • The UK General Data Protection Regulation (“UK GDPR”) and the UK Data Protection Act 2018, as applicable to Our processing of data concerning UK residents; and
  • Any other applicable data protection laws.

This Policy sets out:

  • the categories of personal data We collect;
  • the purposes for which We process it;
  • the lawful basis on which We rely;
  • how long We retain it; and
  • your rights in relation to your personal data.

For the purposes of this Policy, We act as the Data Controller in respect of the personal data of Our customers and website users.

3. What Information Do We Collect?

3.1 Information You Give Us

If you register an account, place an order, or correspond with Us, We may collect:

  • Name and date of birth
  • Contact information: postal address, email address, telephone number
  • Order information: products ordered, delivery address, payment details
  • Any other information you voluntarily provide when contacting Us

3.2 Information We Collect Automatically

When you visit Our Website, We may automatically collect:

  • Technical data: IP address, browser type and version, operating system, device type, time zone setting, browser plug-in types and versions
  • Usage data: pages visited, clickstream data (URLs, time and date of visit), products viewed or searched, page response times, download errors, length of visits, page interaction data (scrolling, clicks, mouse-overs), and how you navigate away from the page
  • Marketing and analytics data: traffic source, referral data, session data

This data is collected via cookies and similar tracking technologies. Please see Section 4 for full details.

3.3 Information from Third Parties

We may receive information about you from third-party analytics and marketing platforms (such as Google Analytics, Meta/Facebook, Klaviyo and ActiveCampaign) where you have interacted with Our advertising or marketing content. This data is used only where you have given your consent via Our cookie consent tool.

4. Cookies and Tracking Technologies

4.1 How We Use Cookies

Our Website uses cookies and similar tracking technologies to distinguish you from other users, to remember your preferences, and to help Us improve the Website and deliver relevant advertising. Cookies are small text files placed on your device when you visit a website.

We use the following categories of cookies:

Category | Purpose | Examples
Strictly Necessary | Essential for the Website to function. Cannot be disabled. | Session cookies, language preference (WPML), security tokens
Analytics / Statistics | Help Us understand how visitors use the Website. Only set with your consent. | Google Analytics (ga), Sourcebuster (sbjs*)
Marketing / Targeting | Used to deliver relevant advertising and to track conversions. Only set with your consent. | Facebook Pixel (_fbp), Google Ads (_gcl_au), Klaviyo (__kla_id), ActiveCampaign (prism_*)
Unclassified | Cookies whose purpose We are still investigating. | data-timeout

4.2 Your Cookie Choices — Cookiebot

We use Cookiebot as Our Consent Management Platform (CMP). When you first visit Our Website, Cookiebot will present you with a banner that allows you to:

  • Accept all cookies
  • Reject all non-essential cookies
  • Manage your preferences by category (Analytics, Marketing, Unclassified)

No analytics or marketing cookies will be set until you have given your consent. Strictly necessary cookies may be set without consent as they are essential for the Website to operate.

You can change or withdraw your consent at any time by clicking the “Manage Cookies” link in the footer of every page on Our Website. Withdrawing consent will not affect the lawfulness of processing carried out before withdrawal.

4.3 Cookie Retention Periods

Full details of all cookies in use on Our Website, including their names, providers, purposes and retention periods, are set out in Our Cookie Policy, available at www.pureobagi.com/cookie-policy.

4.4 Google Consent Mode

We have implemented Google Consent Mode v2 via Google Tag Manager. This means that Google Analytics 4 and Google Ads will only operate in full data-collection mode where you have consented to analytics and/or marketing cookies respectively. Where consent is withheld, these tools operate in a cookieless, modelled mode that does not set cookies or transmit identifiable data.

5. How Do We Use Your Information?

We use the information We collect to:

  • Allow you to create and manage an account on Our Website
  • Process, fulfil and deliver your orders
  • Verify the information you have provided
  • Keep and maintain Our internal business records
  • Provide customer service and respond to your enquiries
  • Send you service-related communications about your order or account
  • Send you marketing communications, where you have given your consent or where We have a legitimate interest in doing so
  • Deliver targeted advertising and measure its effectiveness, where you have given your consent
  • Analyse website usage and improve the Website and Our services
  • Detect and prevent fraud and abuse
  • Comply with Our legal and regulatory obligations

We will not use your data for any new purpose that is incompatible with the purposes for which it was collected without first notifying you and, where required, obtaining your consent.

6. Lawful Basis for Processing

We only process your personal data where We have a lawful basis to do so under Article 6 of the GDPR/UK GDPR. The table below sets out the lawful basis We rely on for each processing activity.

Processing Activity | Lawful Basis (Art. 6) | Notes
Account creation and management | Contract — Art. 6(1)(b) | Necessary to perform Our contract with you
Processing and fulfilling orders | Contract — Art. 6(1)(b) | Necessary to perform Our contract with you
Customer service and enquiry handling | Contract — Art. 6(1)(b) / Legitimate interests — Art. 6(1)(f) | Depends on whether query relates to an existing order
Maintaining internal business records | Legitimate interests — Art. 6(1)(f) | LIA held on file with the DPO
Direct marketing communications | Consent — Art. 6(1)(a) | You may withdraw consent at any time
Website analytics (Google Analytics) | Consent — Art. 6(1)(a) | Obtained via Cookiebot before any analytics cookies are set
Targeted advertising (Facebook, Google Ads) | Consent — Art. 6(1)(a) | Obtained via Cookiebot before any marketing cookies are set
CRM service messages (Klaviyo) | Legitimate interests — Art. 6(1)(f) | Service messages about your order or account. LIA held on file
CRM marketing messages (Klaviyo) | Consent — Art. 6(1)(a) | Only where you have given express consent to marketing
Fraud prevention and site security | Legitimate interests — Art. 6(1)(f) | LIA held on file with the DPO
Compliance with legal obligations | Legal obligation — Art. 6(1)(c) | e.g. tax and regulatory requirements
Business sale or transfer | Legitimate interests — Art. 6(1)(f) | Disclosure to prospective buyers as part of due diligence

Where We rely on legitimate interests as Our lawful basis, We have carried out a Legitimate Interests Assessment (LIA) to confirm that Our interests do not override your rights and interests. A copy of any relevant LIA is available on request from the DPO at dpo@healthxchange.com.

7. How Do We Handle Your Information?

7.1 Security

The data and information We collect from you is transferred to and securely stored by Our hosting provider. We are committed to ensuring that your information is protected. In order to prevent unauthorised access or disclosure, We have put in place suitable physical, electronic and managerial procedures, including:

  • Storage of all data on secure servers
  • Encryption of payment transactions using SSL/TLS technology
  • Password protection of relevant areas of the Website (you are responsible for keeping your password confidential)
  • Secure erasure and destruction of data when no longer required
  • Regular review and updating of Our security procedures

7.2 Your Responsibilities

Where We have given you (or where you have chosen) a password that enables you to access certain parts of Our Website, you are responsible for keeping this password confidential. We ask you not to share your password with anyone.

8. International Data Transfers

Your personal data may be transferred to and processed by third-party service providers located outside the European Economic Area (EEA) or United Kingdom, including to the United States. The following third-party tools may involve international transfers of personal data:

Service | Provider | Location | Transfer Mechanism
Google Analytics / Ads | Google LLC | USA | Standard Contractual Clauses (SCCs)
Facebook/Meta Pixel | Meta Platforms Inc. | USA | Standard Contractual Clauses (SCCs)
Klaviyo | Klaviyo Inc. | USA | Standard Contractual Clauses (SCCs)
ActiveCampaign | ActiveCampaign LLC | USA | Standard Contractual Clauses (SCCs)
ContentSquare | Contentsquare SAS | France/USA | SCCs / EU adequacy decision
Hosting | Linode (Akamai) | Frankfurt, Germany | Within the EEA — no transfer

Where personal data is transferred outside the EEA or UK, We ensure that appropriate safeguards are in place, including the use of Standard Contractual Clauses (SCCs) approved by the European Commission, or that a UK adequacy decision applies. Further details are available on request from the DPO.

9. Data Retention

We will only retain your personal data for as long as necessary to fulfil the purposes for which it was collected. The table below sets out Our standard retention periods. Where a legal obligation requires a longer period, We will retain data for that period instead.

Data Category | Retention Period | Reason
Customer account information | Duration of account + 6 years | Limitation period for contractual claims
Order records | 6 years from date of order | Contract limitation period
Payment and financial records | 7 years from transaction date | Revenue / tax obligations
Marketing consent records | Until consent withdrawn + 1 year | To demonstrate consent was validly obtained
Analytics data (Google Analytics) | 26 months | Google Analytics default retention setting
Customer service correspondence | 3 years from resolution | Limitation period for complaints
Fraud prevention records | 6 years | Limitation period / regulatory requirement

In some circumstances We will anonymise your personal data so that it can no longer be associated with you, in which case We may use such anonymised data indefinitely without further notice.

10. To Whom May We Disclose Your Information?

10.1 General

We may share your personal data where necessary for the purposes described in Section 5 with:

  • Our employees, agents and Data Processors who are contractually required to process your data only on Our instructions and in accordance with applicable data protection law
  • Third-party service providers and sub-contractors engaged to perform services on Our behalf (including website hosting, payment processing, order fulfilment, email marketing and analytics)
  • Analytics and search engine providers that assist Us in improving and optimising Our Website
  • Payment card merchants who comply with PCI DSS requirements
  • Any other third parties to whom We are legally obliged to disclose your information

10.2 Third-Party Advertising and Analytics Platforms

Where you have given your consent via Cookiebot, your data may be shared with the following third-party platforms for advertising and analytics purposes: Google LLC (Google Analytics, Google Ads), Meta Platforms Inc. (Facebook Pixel), Klaviyo Inc., ActiveCampaign LLC, and Contentsquare SAS. Please refer to the respective privacy policies of these providers for further details of how they process your data.

10.3 Business Transfers

We may disclose or transfer your personal data to a third party in the event of a sale, merger, acquisition, or other corporate transaction involving Our business or assets. In such circumstances, We will take reasonable steps to ensure that any acquirer is subject to appropriate data protection obligations.

10.4 Legal Requirements

We may disclose your personal data where We are under a legal duty to do so, or where necessary to enforce Our terms of use, or to protect the rights, property or safety of Our customers or others. This includes exchanging information with other companies and organisations for the purposes of fraud prevention and credit risk reduction.

10.5 Standards of Care

We will only disclose your personal data to parties who provide sufficient guarantees regarding the protection and appropriate handling of personal data, and who have sufficient privacy and security measures in place.

11. Your Rights

11.1 Summary of Rights

Under the GDPR and UK GDPR, you have the following rights in relation to your personal data:

  • Right of access — you may request a copy of the personal data We hold about you
  • Right to rectification — you may ask Us to correct inaccurate or incomplete data
  • Right to erasure — you may ask Us to delete your personal data in certain circumstances
  • Right to restriction — you may ask Us to restrict processing of your data in certain circumstances
  • Right to data portability — you may request a copy of certain data in a structured, machine-readable format
  • Right to object — you may object to processing based on legitimate interests or direct marketing
  • Rights relating to automated decision-making — you have the right not to be subject to decisions made solely by automated means where those decisions have a significant effect on you
  • Right to withdraw consent — where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing

11.2 Right to Object

Where We process your personal data on the basis of Our legitimate interests (Article 6(1)(f)), you have the right to object at any time. If you object, We will cease processing unless We can demonstrate compelling legitimate grounds that override your interests, rights and freedoms, or where processing is necessary for legal claims. To exercise this right, please contact the DPO (see Section 1.3).

11.3 Marketing

You may opt out of receiving marketing communications from Us at any time by:

  • Clicking the “Unsubscribe” link in any marketing email We send
  • Contacting the DPO at dpo@healthxchange.com

Opting out of marketing will not affect service-related communications relating to your orders or account.

11.4 Cookie Consent

You can manage or withdraw your cookie consent at any time via the “Manage Cookies” link in the footer of Our Website. You may also control cookies by adjusting your browser settings, though this may affect the functionality of the Website.

11.5 How to Exercise Your Rights

To exercise any of the above rights, please contact Our DPO at dpo@healthxchange.com or write to the address in Section 1.3. There is normally no charge. We will respond within one calendar month. We may ask you to verify your identity before acting on your request.

12. Changes to This Policy

We reserve the right to update this Privacy Policy from time to time. When We make changes, We will update the “Last reviewed” date at the top of this page. We encourage you to review this Policy periodically to stay informed about how We are protecting your personal data.

Your continued use of Our Website following any changes constitutes your acknowledgement of the updated Policy.

13. Your Right to Complain

If you believe that We are not handling your personal data in accordance with applicable data protection law, you have the right to lodge a complaint with the relevant supervisory authority.

For EU residents: Irish Data Protection Commission (DPC), 6 Pembroke Row, Dublin 2, D02 X963, Ireland — www.dataprotection.ie

For UK residents: Information Commissioner’s Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom — www.ico.org.uk

We would appreciate the opportunity to address your concerns before you contact the supervisory authority, so please contact Our DPO in the first instance.

Clever Aesthetic Tech Limited (trading as Pure Obagi) | Unit 16 The Exchange, Calmount Business Park, Ballymount, Dublin, D12 RF43, Ireland | Company No. 676949 | dpo@healthxchange.com