Privacy Policy

References to the United Kingdom General Data Protection Regulation (UK GDPR) in the jurisdiction of the European Union (EU) and European Economic Area (EEA) are instead references to the EU General Data Protection Regulation (EU GDPR). The UK GDPR and the EU GDPR contain the same rules but apply to the UK and the EU respectively.

The controller within the meaning of data protection laws, in particular the UK GDPR, is:
 
Thornton and Ross Limited

Manchester Road

Huddersfield
HD7 5QH

E-Mail: thorntonross@medinformation.co.uk

Phone: +44 (0)1484 842217

1. Your data subject rights

You can exercise the following rights at any time using the contact details provided for our Data Protection Officer:

  • Right to access (Art. 15 UK GDPR),
  • Right to rectification (Art. 16 UK GDPR),
  • Right to erasure (Art. 17 UK GDPR),
  • Right to restriction of processing (Art. 18 UK GDPR),
  • Right to object (Art. 21 UK GDPR) and
  • Right to data portability (Art. 20 UK GDPR).

The restrictions and exemptions pursuant to Schedules 2 to 4 of the Data Protection Act 2018 (DPA 2018) apply, as well as any further exemptions or restrictions provided for by relevant data protection laws. If you have given us your consent, you can revoke it at any time with effect for the future.

In addition, you have the right to lodge a complaint with the Information Commissioner (Art. 77 UK GDPR).
For the EU: https://edpb.europa.eu/about-edpb/about-edpb/members_en
For the UK: https://ico.org.uk/make-a-complaint/

Information Commissioner’s Office
Wycliffe House
Water Lane, Wilmslow
Cheshire, SK9 5AF

2. Collection of general information when visiting our website

(1) Nature and purpose of processing: When you access our website, i.e. even if you do not register or otherwise submit information, information of a general nature is automatically collected. This information (server log files) includes, for example, the type of web browser, the operating system used, the domain name of your Internet service provider, your IP address, referrer URL, date, and time of access and the like.
They are processed for the following purposes in particular:

  • Ensuring a smooth connection to the website,
  • Ensuring the smooth use of our website,
  • Ensuring and evaluating system security and stability,
  • for other administrative purposes.

We do not use your data to draw conclusions about you personally. However, we reserve the right to check the server log files retrospectively if there are concrete indications of unlawful use.

(2) Legal basis and legitimate interest: The processing is carried out in accordance with Art. 6 (1) (f) UK GDPR on the basis of our legitimate interest in improving the stability and functionality of our website and ensuring system security and abuse detection.

(3) Recipients: We use service providers for the operation and maintenance of our website, who act as our data processors.
All service providers are contractually obligated to treat your data confidentially.

(4) Storage duration: Data is stored in server log files in a form that allows identification of the data subjects for a maximum period of 30 days, unless a security-related event occurs (e.g. a DDoS attack).

If such an event occurs, server log files are stored until the security-related event has been eliminated and completely clarified.

(5) Third Country Transfer: There is no third country transfer.

(6) Providing prescribed or required: The provision of the aforementioned personal data is neither legally nor contractually required. However, without the IP address and the cookie identifier, the service and functionality of our website is not guaranteed. In addition, individual services may not be available or may be limited.

(7) Right to object: Please read the information about your right to object according to Art. 21 UK GDPR below.

3. Contacting us

(1) Nature and purpose of processing: On our website there is a contact form which can be used for electronic contact. If a user takes advantage of this option, the data entered in the input mask will be transmitted to us and stored.

At the time the message is sent, the following data is also stored:

  • Date and time of the message
  • URL from which the message was sent
  • IP address from which the message was sent
  • Web browser and operating system used

Alternatively, it is possible to contact us via the E-Mail addresses provided. In this case, the user’s personal data transmitted with the E-Mail will be stored. This includes the date and time the E-Mail was sent, E-Mail address, IP addresses and information about the servers involved in the E-Mail communication.

In addition, you can contact us via the telephone number provided. In this case, we collect log data that includes your telephone number and the duration of the call. As a matter of principle, we do not record conversations.

Regardless of the type of communication you choose, we collect the content of your inquiry. Your data is stored for the purpose of individual communication with you.

(2) Legal Basis: The processing of the data entered in the contact form is based on a legitimate interest (Art. 6 (1) (f) UK GDPR).
Our legitimate interest in processing your data is the facilitation of uncomplicated contact with us.
If you contact us to request a quote, the data entered in the contact form is processed to carry out pre-contractual measures (Art. 6 (1) (b) UK GDPR).

(3) Recipients: Our website is maintained by service providers who act as our data processors.

If you send us an inquiry regarding an offer, service providers used by us may receive data for these purposes if they need the data to fulfill their respective service (e.g. IT services).

All service providers are contractually obligated to treat your data confidentially.

(4) Storage duration: Data will be deleted no later than 6 months after processing the request. If a contractual relationship is established, we are subject to the statutory retention periods and delete your data after six to ten years.

(5) Providing prescribed or required: The provision of your personal data is voluntary. However, we can only process your request if you provide us with the required data and the reason for the request.

(6) Right to object: Please read the information on your right to object under Art. 21 UK GDPR below.

4. E-Mail Marketing

(1) Nature and purpose of processing: Your data will only be used to send you the Marketing-E-Mails you have subscribed to and, if you have additionally consented to it, to evaluate how you interact with the newsletter and, if applicable, the contents linked therein. Your name is given in order to be able to address you personally in the Marketing-E-Mails and, if applicable, to identify you if you wish to exercise your rights as a data subject.

(2) Legal Basis: The legal basis for this processing activity is in each case your consent, Art. 6 (1) (a) UK GDPR.

(3) Recipients: We use service providers who act as our data processors for the dispatch and any evaluations that may take place.

All service providers are contractually obligated to treat your data confidentially.

(4) Storage duration: Data will only be processed in this context as long as the corresponding consent is available.

(5) Providing prescribed or required: The provision of your personal data is voluntary, based solely on your consent. There will be no disadvantages for you. Without valid consent, we unfortunately cannot send you our Marketing-E-Mails.

(6) Withdrawal of consent: You can withdraw your consent to the storage of your personal data and its use for the marketing mailing by us at any time. There is a corresponding link in each Marketing-E-Mail. In addition, the withdrawal can be made via the other contact options provided on the website.

(7) Profiling: Provided that you have given us your consent, we evaluate your interaction with the Marketing-E-Mails sent and evaluate the subsequent visits to our website in order to further improve the Marketing-E-Mails and the website and to optimize it according to the actual interests of the visitors.

5. Skintelligence Education

(1) Nature and purpose of processing: We process your personal data to register you for our education platform and grant you access to our library of CPD-accredited Skintelligence Academy interactive learning modules. The following data are being processed:

  • First and Last name
  • NHS E-Mail
  • NHS Work Address
  • Role/Job Title
  • Hospital/Practice Details

They are processed to help verify that you are a healthcare professional and to improve your customer experience with us.

(2) Legal Basis: The legal basis for processing your data is your consent (Art. 6(1)(a) UK GDPR). By registering for the platform, you consent to us using your data for this purpose.

(7) Recipients: Our website is maintained by service providers who act as our data processors.

All service providers are contractually obligated to treat your data confidentially.

(3) Storage duration: Data will only be processed in this context as long as the corresponding consent is available, and your account is active. If the verification is not successful or no contact is made, the data will be deleted after 2 years.

You can deactivate your account at any time, and upon deactivation, we will anonymize your data within a reasonable timeframe unless we are required by law to retain it for a longer period.

(4) Providing prescribed or required: The provision of your personal data is voluntary. However, we can only give you access to the library of learning if you provide us with the required data and the reason for the request.

(5) Withdrawal of consent: You can withdraw your consent to the storage of your personal data and its use for the Skintelligence Education platform. The withdrawal can be made via the contact options provided on the website.

6. Materials Download

(1) Nature and purpose of processing: We process your personal data to register you and grant you access to our HCP materials. The following data are being processed:

  • First and Last name
  • NHS E-Mail
  • NHS Work Address
  • Role/Job Title
  • Hospital/Practice Details

They are processed to help verify that you are a healthcare professional and to improve your customer experience with us.

(2) Legal Basis: The legal basis for processing your data is your consent (Art. 6(1)(a) UK GDPR). By registering for the platform, you consent to us using your data for this purpose.

(8) Recipients: Our website is maintained by service providers who act as our data processors. All service providers are contractually obligated to treat your data confidentially.

(3) Storage duration: Data will only be processed in this context as long as the corresponding consent is available, and your account is active. If the verification is not successful or no contact is made, the data will be deleted after 2 years.

You can deactivate your account at any time, and upon deactivation, we will anonymize your data within a reasonable timeframe unless we are required by law to retain it for a longer period.

(4) Providing prescribed or required: The provision of your personal data is voluntary. However, we can only give you access to the HCP materials if you provide us with the required data and the reason for the request.

(5) Withdrawal of consent: You can withdraw your consent to the storage of your personal data and its use. The withdrawal can be made via the contact options provided on the website.

7. Patient Evaluation Products

(1) Nature and purpose of processing: We process your personal data to provide you with a placebo demonstration device. The following data are being processed:

  • First and Last name
  • NHS E-Mail
  • (NHS Phone number)
  • NHS Work Address
  • Role/Job Title
  • Hospital/Practice Details
  • (Professional registration number)

They are processed to help verify that you are a healthcare professional and to improve your customer experience with us.

(2) Legal Basis: The legal basis for processing your data is your consent (Art. 6(1)(a) UK GDPR). By registering for the platform, you consent to us using your data for this purpose.

(9) Recipients: Our website is maintained by service providers who act as our data processors.

All service providers are contractually obligated to treat your data confidentially.

(3) Storage duration: Data will only be processed in this context as long as the corresponding consent is available, and your account is active. If the verification is not successful or no contact is made, the data will be deleted after 2 years.

You can deactivate your account at any time, and upon deactivation, we will anonymize your data within a reasonable timeframe unless we are required by law to retain it for a longer period.

(4) Providing prescribed or required: The provision of your personal data is voluntary. However, we can only give you access to the library of learning if you provide us with the required data and the reason for the request.

(5) Withdrawal of consent: You can withdraw your consent to the storage of your personal data and its use. The withdrawal can be made via the contact options provided on the website.

8. Plausible

(1) Nature and Purpose of the Processing: We use the open-source program Plausible to count website visits, downloads, etc. For this purpose, Plausible collects the following information, among others: date and time of your visit, title and URL of the pages visited, incoming links, the country you are in and the user agent of your browser software. Plausible does not use or store “cookies” on your terminal device. All personal data (e.g., your IP address) is stored completely anonymously in the form of a so-called hash. A hash is a one-way transformation of data that is not reversible, i.e., it cannot be “decrypted”. In this way, we can analyse your visit without storing personal data in a form that would be readable for us, Plausible or third parties.

(2) Legal Basis: The processing is carried out in accordance with Art. 6 (1) (f) UK GDPR on the basis of our legitimate interest in improving our website. At no time does the data we collect allow us to draw conclusions about an identifiable person.

(3) Recipient: Data is transferred to the provider Plausible. For more information on data processing at Plausible, please visit: https://plausible.io/privacy and https://plausible.io/data-policy. Recipients of the data may be technical service providers who act as data processors for the operation and maintenance of our website.
All service providers are contractually obligated to treat your data confidentially.

(4) Storage duration: Data is stored only in anonymized form.

(5) Third Country Transfer: Processing only takes place inside the EU.

(6) Provision Prescribed or Required: The provision of the aforementioned personal data is neither legally nor contractually required.

(7) Right to object: Please read the information about your right to object according to Art. 21 UK GDPR below.

9. Cookies

A cookie is a small data set that is created when a website is visited and is temporarily stored on the website user’s system. If the server of this website is called up again by the user of the website, the browser of the user of the website sends the previously received cookie back to the server. The server can evaluate the information obtained through this procedure. Cookies can, in particular, make it easier to navigate a website.

Detailed information on the subject of cookies, and which cookies are used on this website (after consent), can be found in our Cookie Consent Tool, which you can access at any time by clicking on the icon at the bottom left of your web browser.

You can reject any cookie category, except for the technically necessary cookies. To do this, click on the icon at the bottom left of your web browser and change the desired settings in the cookie consent banner that opens.

You can also delete individual cookies or the entire cookie inventory via your browser settings. In addition, you will receive information and instructions on how to delete these cookies or block their storage in advance. Depending on the provider of your browser, you can find the necessary information under the following links:

Additionally, you can prevent loading of so-called scripts by default. NoScript allows JavaScript, Java and other plugins to run only on trusted domains of your choice. For information and instructions on how to edit this feature, contact your browser vendor (e.g. for Mozilla Firefox: https://addons.mozilla.org/en-GB/firefox/addon/noscript/).

9.1. Use of technically necessary cookies

(1) Nature and purpose of processing: We use cookies to make our website more user-friendly. Some elements of our website require that the calling browser can be identified even after a page change.

The following data is stored and transmitted in the cookies:

  • Your status as a healthcare professional is stored (hcpCookie)

Technically necessary cookies help to make a website usable by enabling basic functions such as page navigation and access to secure areas of the website. Some functions of our website cannot be offered without the use of cookies. For these, it is necessary that the browser is recognized even after a page change.

(2) Legal Basis: The processing is carried out in accordance with Art. 6 (1) (f) UK GDPR on the basis of our legitimate interest in a user-friendly design of our website and in the documentation of consent.

(3) Recipients: We use technical service providers for the operation and maintenance of our website, who act as our data processors.

All service providers are contractually obligated to treat your data confidentially.

(4) Storage duration: The cookie will be stored for up to 12 hours.

(5) Providing prescribed or required: The provision of the aforementioned personal data is neither legally nor contractually required. However, without this data, the service and functionality of our website cannot be guaranteed. In addition, individual services may not be available or may be limited.

(6) Right to object: Please read the information on your right to object under Art. 21 UK GDPR below.

9.2. Use of technically unnecessary cookies

Our website does not use technically unnecessary cookies.

10. Information about your right to object in accordance with Art. 21 UK GDPR

Right to object on a case-by-case basis

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Art. 6(1)(f) UK GDPR (data processing on the basis of a balance of interests); this also applies to profiling based on this provision within the meaning of Art. 4 No. 4 UK GDPR.
If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate interests for the processing that override your interests, rights and freedoms, or the processing serves the assertion, exercise or defense of legal claims.

Recipient of an objection

The objection can be made informally with the subject “Objection”, stating your name, address or other identifying information to:

Thornton and Ross Limited
Manchester Road
Huddersfield
HD7 5QH
Email: dataprotection@thorntonross.com
Website: www.thorntonross.com

11. Questions to the data protection officer

If you have any questions about data protection, please send us an e-mail or contact the person responsible for data protection in our organisation directly:
Data Protection Officer of Thornton & Ross Ltd
c/o activeMind.legal UK Ltd.
No 1 Royal Exchange
London, EC3V 3DG
Registered #11814518
Phone: +44 20 89383608
E-Mail: dataprotection@thorntonross.com

12. TLS Encryption

To protect the security of your data during transmission, we use state-of-the-art encryption methods (e.g., TLS) via HTTPS.

13. Changes to our privacy policy

We reserve the right to amend this privacy policy so that it always complies with current legal requirements or to implement changes to our services in the privacy policy, e.g. when introducing new services. The new privacy policy will then apply to your next visit.

UK-CETRRX-115 | Date of Preparation January 2025
