Privacy policy

Last updated: 12 June 2026

This Privacy Policy explains how Aethr Skin ("AETHR", "we", "us", "our") collects, uses, shares and protects your personal information when you visit our website, create an account, make a purchase, use our skincare personalisation tools, or otherwise interact with our services.

AETHR operates this store and website, including all related information, content, features, tools, products and services (the "Services"). Our store is powered by Shopify, and our email marketing is provided by Klaviyo. Where these providers process your personal information on our behalf, they do so under written data processing agreements.

Aethr Skin is a cosmetics and technology company based in the United Kingdom. We are committed to handling your personal data fairly, lawfully and transparently in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Please read this Privacy Policy carefully. By using the Services, you acknowledge that you have read this Privacy Policy and understand the collection, use and disclosure of your information as described below. If there is a conflict between our Terms of Service and this Privacy Policy, this Privacy Policy controls with respect to personal information.

Contents

  1. Who we are
  2. What personal data we collect
  3. How and why we use your personal data
  4. Special category data
  5. Automated decision-making
  6. Cookies and similar technologies
  7. Who we share your data with
  8. Our relationship with Shopify
  9. International transfers
  10. How long we keep your data
  11. Your rights
  12. Marketing
  13. Children
  14. Security
  15. Third-party links
  16. Complaints
  17. Changes to this policy
  18. Contact

1. Who We Are

Aethr Skin is the "data controller" responsible for your personal data. This means we decide how and why your personal data is processed.

Our contact details for data protection matters are:

Company: Aethr Skin

Address: 22 West Common, ENG, SL9 7QS, GB

Email: hello@aethr.skin

Data Protection Officer: dpo@aethr.skin

2. What Personal Data We Collect

Depending on how you interact with us, we may collect the following categories of personal data:

2.1 Information you give us

  • Contact details: your name, email address, postal/delivery address, billing address and phone number.
  • Account information: username, password and account preferences.
  • Order and transaction data: products purchased, items viewed, added to cart or wishlist, order history, returns, exchanges, and payment confirmation details. We do not store your full payment card numbers — card payments are processed securely by our payment provider (Shopify Payments).
  • Skin profile and preferences: if you choose to complete our skin questionnaire, information you provide about your skin type, concerns, goals, conditions, allergies and product preferences. See section 4 for important information about how we treat this data.
  • Communications: the content of messages, reviews, survey responses and customer service correspondence.

2.2 Information we collect automatically

  • Device information: IP address, device and browser type, operating system, and unique identifiers.
  • Usage and browsing data: how you navigate and use our website, pages viewed, products viewed, items added to basket, and interaction with emails.
  • Cookie and similar technology data: see section 6 and our separate Cookie Policy.

2.3 Information from other sources

We may receive personal information from our service providers (such as Shopify and Klaviyo) when they collect or process your information on our behalf, and from partners or third parties where you have authorised them to share your information with us.

3. How and Why We Use Your Personal Data

Under UK data protection law, we must have a lawful basis for each way we use your personal data. The table below sets out our processing purposes and the legal basis we rely on for each.

Purpose | Lawful Basis
Creating and managing your account | Performance of a contract — processing is necessary to set up and maintain the account you requested.
Processing and fulfilling your orders | Performance of a contract — processing is necessary to fulfil your purchase, including payment, delivery, returns and refunds.
Personalised skincare recommendations, formulations and content | Consent (and explicit consent where special category health data is involved) — you actively choose to provide your skin data. See sections 4 and 5.
Collecting your name and email via our mailing list sign-up | Consent — you opt in by submitting the sign-up form.
Sending marketing emails where you have opted in | Consent — you gave specific opt-in consent when signing up.
Sending marketing emails about similar products (existing customers) | Legitimate interests — marketing our own similar products under the PECR soft opt-in. You can opt out at any time.
Essential website analytics and performance monitoring | Legitimate interests — understanding site performance and fixing errors is necessary for reliable service.
Non-essential cookies (analytics, marketing, personalisation) | Consent — obtained via our cookie consent banner.
Custom audience advertising (uploading hashed customer data to Meta and Google for retargeting and lookalike audiences) | Consent — collected separately at the point of data capture (e.g. mailing list sign-up). You can withdraw at any time.
Fraud prevention and detection | Legitimate interests — protecting the business and customers from fraudulent transactions. Fraud screening is performed by our payment provider.
Customer service and enquiry handling | Performance of a contract (existing customers) / Legitimate interests (prospective customers).
Legal, tax and accounting compliance | Legal obligation — required by HMRC, the Companies Act and other applicable law.
Responding to data subject rights requests | Legal obligation — required by UK GDPR.
Account security and authentication | Legitimate interests — protecting your account and our services from unauthorised access.

Where we rely on legitimate interests, we have carried out a balancing assessment (Legitimate Interests Assessment) to ensure your rights and freedoms are not overridden. You can ask us for a copy of these assessments by contacting our DPO.

4. Special Category Data (Health-Related Skin Information)

Some of the skin information you may provide — for example skin conditions linked to health, or allergies — amounts to "special category data" under Article 9 UK GDPR. This type of data receives additional legal protection.

We only process this data with your explicit consent. Specifically:

  • You actively choose to provide your skin data by completing our skin questionnaire — it is not required to browse the website or make a standard purchase.
  • Before you begin, we ask for your explicit consent with a clear explanation of what data we collect, how we use it, and your right to withdraw.
  • Your consent is granular — it is separate from any general terms of service or marketing consent.
  • You can withdraw your consent at any time through your account settings or by contacting our DPO. On withdrawal, we stop processing your skin data for personalisation and delete or anonymise your skin profile. You can still browse and purchase from our standard product range.

5. Automated Decision-Making and Profiling

If you complete our skin questionnaire, we use your skin profile data to:

  • Recommend products suited to your skin;
  • Create personalised product formulations tailored to your profile;
  • Show you content and products relevant to your skin type and concerns.

These personalisation decisions are made automatically (by our system, not a person). Because they are based on health-related data and affect the products available to you, we provide the following safeguards under Article 22 UK GDPR:

  • You can request that a person reviews any automated formulation or product access decision;
  • You can express your point of view and provide additional information;
  • You can contest a decision if you believe it is incorrect or unfair;
  • You can withdraw your consent at any time, in which case automated personalisation will stop.

To exercise any of these rights, contact our DPO at dpo@aethr.skin.

6. Cookies and Similar Technologies

Cookies are small text files placed on your device when you visit a website. Similar technologies include pixels, tags, local storage and software development kits (SDKs), which we refer to collectively as "cookies" in this section.

We only set non-essential cookies with your consent, which you give through our cookie consent banner. You can change your cookie preferences at any time.

6.1 Types of cookies

  • Required (essential): These cookies are necessary for the site to function — logging in, adding items to the cart, completing a purchase securely. They cannot be switched off and do not require consent under PECR Regulation 6.
  • Personalisation (functional): These cookies remember your choices (such as country, currency or preferences) to provide a more personalised experience. Set only with your consent.
  • Analytics: These cookies help us understand how visitors use our website so we can measure and improve performance. We use Google Analytics 4. Set only with your consent.
  • Marketing: These cookies are used to deliver relevant advertising and measure campaign effectiveness. They are set by Meta (Facebook/Instagram) and Google Ads through their respective tracking pixels and tags. Set only with your consent.

Marketing cookies enable us to show you relevant advertisements on other platforms based on your visit to our website (retargeting), and to measure whether those advertisements led to a purchase or other action (conversion tracking).

6.2 Cookies we use

Cookie | Category | Purpose | Duration
_shopify_essential | Required | Core store functionality: session management, cart, checkout security | Session
cart | Required | Stores your cart token to preserve basket contents | 2 weeks
cart_sig / cart_ts | Required | Cart signature and timestamp for checkout validation | 2 weeks
checkout_token | Required | Temporary token during checkout process | Session
secure_customer_sig | Required | Authenticates your customer account login | 20 years
storefront_digest | Required | Verifies access to password-protected store | Indefinite
localization | Required | Remembers your country and currency selection | 1 year
_shopify_country | Personalisation | Remembers your selected country for localised content | Session
_shopify_m | Personalisation | Manages multi-currency display preferences | 1 year
_ga | Analytics | Google Analytics 4: distinguishes unique visitors | 2 years*
_ga_[container] | Analytics | Google Analytics 4: persists session state | 2 years*
_gid | Analytics | Google Analytics 4: distinguishes users (short-term) | 24 hours
_fbp | Marketing | Meta Pixel: identifies your browser for ad delivery and measurement | 90 days
_fbc | Marketing | Meta Pixel: stores the Facebook click identifier when you arrive via a Facebook ad | 90 days
_gcl_au | Marketing | Google Ads: links your visit to ad click data for conversion measurement | 90 days
_gcl_aw | Marketing | Google Ads: stores click information for conversion tracking | 90 days

* Browser policies (e.g. Safari ITP) may cap first-party cookie lifetimes at approximately 7–400 days. The durations shown are the values we configure; actual expiry may be shorter.

6.3 Third-party cookies

Some cookies are set by third parties that provide services on our website. These third parties may process your data in accordance with their own privacy policies. We only allow these cookies to be set after you have given consent.

Provider | Cookies | Purpose | Privacy Policy
Google Analytics | _ga, _ga_[id], _gid | Website analytics and performance measurement | Google Privacy Policy
Meta (Facebook / Instagram) | _fbp, _fbc | Ad delivery, retargeting and conversion measurement | Meta Privacy Policy
Google Ads | _gcl_au, _gcl_aw | Conversion tracking and remarketing | Google Privacy Policy

6.4 Custom audiences and retargeting

In addition to cookie-based retargeting, we may use "custom audience" and "lookalike audience" features provided by Meta and Google. This involves uploading hashed (pseudonymised) customer data — such as email addresses — to the advertising platform so that:

  • Custom audiences: we can show targeted advertisements to people who have already interacted with us (for example, signed up to our mailing list).
  • Lookalike audiences: the platform identifies other users with similar characteristics to our existing audience, allowing us to reach potential new customers.

We only upload customer data for custom or lookalike audiences where you have given us consent. This consent is separate from cookie consent and is collected at the point where you provide your details (for example, via our mailing list sign-up form). The advertising platforms receive hashed data only and delete the uploaded data after matching. You can opt out at any time by unsubscribing from our mailing list, adjusting your ad preferences on Meta or Google, or contacting us at dpo@aethr.skin.

6.5 How we obtain cookie consent

When you first visit our website, Shopify's cookie consent banner allows you to accept all cookies, decline all non-essential cookies, or set your preferences by category (required, personalisation, analytics, marketing). Non-essential cookies are not set until you give consent. We record your choices and re-seek consent when our cookie use changes.

6.6 How to manage or disable cookies

You can change your cookie preferences at any time via the cookie settings on our website. You can also control cookies through your browser settings. Please note that disabling essential cookies may stop parts of the website from working. You can opt out of specific third-party cookies using:

7. Who We Share Your Data With

We share personal data only where necessary, with:

  • Shopify — our e-commerce platform provider, which hosts our store, processes orders and provides related infrastructure. Shopify acts as a processor on our behalf and, for certain enhanced features, as an independent controller (see section 8).
  • Shopify Payments — our payment provider, which processes your payment card details securely. We do not store your full card numbers.
  • Klaviyo — our email marketing platform, which stores your name and email address when you sign up to our mailing list, and sends marketing emails on our behalf.
  • Meta and Google Ads — where you have given consent, we may upload hashed (pseudonymised) customer data (such as email addresses) to these platforms to create custom audiences for targeted advertising and to build lookalike audiences to reach new potential customers. See section 12 for details.
  • Fulfilment and delivery partners — to deliver your orders.
  • Manufacturing partners — where you have consented to a personalised formulation, limited skin profile data may be shared with our formulation partner under a data processing agreement.
  • Professional advisers (lawyers, accountants, auditors) — where necessary.
  • Regulators, law enforcement or other authorities — where required by law.

All processors acting on our behalf are bound by written Data Processing Agreements that require them to keep your data secure and process it only on our instructions.

We do not sell your personal data. Where we share hashed customer data with advertising platforms for custom audiences, this is done only with your consent and the platforms are contractually prohibited from using the data for any other purpose.

8. Our Relationship with Shopify

Our Services are hosted by Shopify, which collects and processes personal information about your access to and use of the Services in order to provide and improve them. Information you submit through the Services will be transmitted to and shared with Shopify, as well as third parties that may be located in countries other than where you reside.

In addition, to help protect, grow and improve our business, we may use certain Shopify enhanced features that incorporate data from your interactions with our store, along with other merchants and Shopify. For these enhanced features, Shopify is responsible for the processing of your personal information, including for responding to your requests to exercise your rights.

To learn more about how Shopify uses your personal information, visit the Shopify Consumer Privacy Policy. You may also exercise your rights with respect to data processed by Shopify at https://privacy.shopify.com/en.

9. International Transfers

Some of our service providers process personal data outside the United Kingdom. Where personal data is transferred outside the UK, we ensure an appropriate safeguard is in place, such as:

  • A UK adequacy decision ("adequacy regulations") for the destination country; or
  • The UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, supported by a transfer risk assessment.

The following international transfers currently apply:

Service Provider | Country | Safeguard
Shopify | Canada / United States | UK adequacy decision (Canada) / UK IDTA (US)
Shopify Payments / Stripe | United States | UK IDTA / Standard Contractual Clauses
Klaviyo | United States | UK IDTA / Standard Contractual Clauses

You can contact us for more information about the safeguards in place for any specific transfer.

10. How Long We Keep Your Data

We keep your personal data only for as long as necessary for the purposes for which it was collected, including to satisfy legal, accounting or reporting requirements.

Data Category | Retention Period
Mailing list (name and email) | Until you unsubscribe, or 24 months of inactivity
Account data | Duration of account + 24 months of inactivity
Order and transaction records | 6 years (UK tax and accounting requirements)
Payment records | Confirmation only (no full card data) — 6 years
Skin profile and preferences | Duration of account, or until consent is withdrawn
Marketing consents | Until withdrawn; suppression record retained to honour your opt-out
Customer service correspondence | 24 months
Website analytics / cookies | Up to 14 months (or as set out in our Cookie Policy)

11. Your Rights

Under UK data protection law you have the following rights, which you can exercise free of charge in most cases:

  • The right to be informed about how we use your data (this policy).
  • The right of access to a copy of your personal data (a "subject access request").
  • The right to rectification of inaccurate or incomplete data.
  • The right to erasure ("the right to be forgotten") in certain circumstances.
  • The right to restrict processing in certain circumstances.
  • The right to data portability — to receive a copy of data you provided to us in a structured, commonly used format.
  • The right to object to processing based on legitimate interests. You have an absolute right to object to direct marketing at any time.
  • The right to withdraw consent at any time, where we rely on consent as the lawful basis. Withdrawal does not affect the lawfulness of processing before withdrawal.
  • Rights related to automated decision-making and profiling — see section 5 above.

To exercise any of these rights, contact us at hello@aethr.skin or our DPO at dpo@aethr.skin. We will respond within one month. We may need to verify your identity before acting on your request. You may also designate an authorised agent to make requests on your behalf.

You may also exercise certain rights with respect to data processed by Shopify at https://privacy.shopify.com/en.

We will not discriminate against you for exercising any of these rights.

12. Marketing

We will only send you marketing communications where:

  • You have given us specific consent (for example, by signing up on our splash page or ticking a consent box); or
  • You are an existing customer and the PECR "soft opt-in" applies — meaning we are marketing our own similar products, and you were given a clear opportunity to opt out when we first collected your details and in every message since.

Every marketing email includes a clear, free, one-click unsubscribe option. If you opt out, we will stop sending you marketing emails promptly. We may still send you non-promotional messages, such as those about your account or orders.

We do not share your personal data with third parties for their own independent marketing purposes.

We may also use your data for retargeting and custom audience advertising on platforms such as Meta and Google. Full details, including how to opt out, are set out in section 6.4 above.

13. Children

The Services are not intended to be used by children, and we do not knowingly collect personal information from anyone under the age of 18. If you are the parent or guardian of a child who has provided us with their personal information, please contact us and we will delete it.

14. Security

We take appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction or alteration. These include encryption in transit (TLS), access controls, and secure hosting via Shopify.

No security measures are perfect or impenetrable. We recommend that you do not use insecure channels to communicate sensitive information to us, and that you keep your account credentials safe and do not share them with anyone.

15. Third-Party Links

The Services may provide links to websites or platforms operated by third parties. We are not responsible for the privacy or security practices of those sites. We recommend you review their privacy policies before providing your personal information.

16. Complaints

If you are unhappy with how we have handled your personal data, please contact us first so we can try to resolve the matter.

You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):

Information Commissioner's Office

Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Helpline: 0303 123 1113

Website: ico.org.uk

17. Changes to This Policy

We may update this Privacy Policy from time to time, including to reflect changes to our practices or for other operational, legal or regulatory reasons. We will post the revised policy on this website and update the "Last updated" date above.

18. Contact

If you have any questions about this Privacy Policy or wish to exercise your rights, please contact us:

Email: hello@aethr.skin

Address: 22 West Common, ENG, SL9 7QS, GB

Data Protection Officer: dpo@aethr.skin

For the purpose of UK data protection law, we are the data controller of your personal information.