Privacy Policy
Last updated: 1 March 2026
1. Who We Are
ThermaFlex Health Ltd is the data controller responsible for your personal data.
- Company name: ThermaFlex Health Ltd
- Company number: 14829301
- VAT number: GB 412 893 720
- Registered address: Unit 7, Meridian Business Park, Leicester, LE19 1WZ
- Email: support@thermaflexreflief.fit
If you have any questions about this policy or how we handle your data, please contact us at the address above.
2. What Data We Collect
We collect and process the following categories of personal data:
2.1 Information You Provide to Us
- Identity data: first name, last name.
- Contact data: billing address, delivery address, email address, telephone number.
- Order data: products purchased, order history, transaction reference numbers.
- Communication data: messages sent to our customer support team.
2.2 Information Collected Automatically
- Technical data: IP address, browser type and version, time zone, operating system.
- Usage data: pages visited, time spent on pages, links clicked, referral sources.
- Cookie data: preferences and session identifiers. Please see our Cookie Policy for details.
2.3 Payment Data
We do not store your payment card details. All payment processing is handled securely by our third-party payment processors. Please see Section 6 for details of these providers.
3. Lawful Basis for Processing
We rely on the following lawful bases under UK GDPR to process your personal data:
| Purpose | Lawful Basis |
|---|---|
| Processing your order and delivering your product | Contract performance (Article 6(1)(b)) |
| Managing payments and preventing fraud | Contract performance and legitimate interests (Article 6(1)(b) and (f)) |
| Sending order confirmations and customer service communications | Contract performance (Article 6(1)(b)) |
| Complying with legal obligations (e.g. tax records) | Legal obligation (Article 6(1)(c)) |
| Sending marketing emails (where opted in) | Consent (Article 6(1)(a)) |
| Improving our website and services through analytics | Legitimate interests (Article 6(1)(f)) |
4. How We Use Your Data
We use your personal data for the following purposes:
- To process and fulfil your order, including arranging delivery.
- To send you order confirmations, shipping updates and receipts.
- To respond to your customer service enquiries.
- To process refunds and handle returns in accordance with our Returns Policy.
- To detect and prevent fraud or other unlawful activities.
- To comply with our legal and regulatory obligations.
- To improve our website, products and services using aggregated analytics data.
- To send you marketing communications where you have given your consent.
5. Cookies
We use cookies and similar tracking technologies on our website. For full details of the cookies we use, your choices and how to manage them, please read our Cookie Policy.
6. Third Parties We Share Your Data With
We share your personal data only where necessary and only with trusted third parties. We do not sell your personal data.
6.1 Payment Processors
- Stripe, Inc. processes credit and debit card payments on our behalf. Stripe acts as a data processor and is certified to PCI DSS standards. Privacy policy: stripe.com/gb/privacy.
- PayPal (Europe) S.à r.l. et Cie, S.C.A. processes PayPal payments. Privacy policy: paypal.com/uk/privacy.
6.2 Delivery and Logistics
We share your name and delivery address with our fulfilment and courier partners solely for the purpose of delivering your order.
6.3 Analytics Providers
We use Google Analytics to understand how visitors use our website. Google Analytics collects anonymised usage data. You can learn more at policies.google.com/privacy.
6.4 Email Service Providers
We use third-party email platforms to send transactional and marketing emails. These providers process your email address on our behalf under data processing agreements.
6.5 Legal Requirements
We may disclose your data to law enforcement agencies, courts or regulators where required to do so by law or to protect our legal rights.
7. International Data Transfers
Some of our third-party providers operate outside the United Kingdom. Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place, such as the UK International Data Transfer Agreement (IDTA) or equivalent standard contractual clauses, to protect your data to the same standard required within the UK.
8. Data Retention
We retain your personal data only for as long as necessary for the purposes set out in this policy. The retention periods we apply are as follows:
| Data Type | Retention Period |
|---|---|
| Order and transaction records | 7 years (for HMRC and legal compliance) |
| Customer account data | 3 years from last interaction |
| Customer support correspondence | 3 years from resolution |
| Marketing consent records | Until consent is withdrawn |
| Website analytics data | 26 months (Google Analytics default) |
9. Your Rights Under UK GDPR
Under UK data protection law, you have the following rights in relation to your personal data:
- Right of access: You have the right to request a copy of the personal data we hold about you (a Subject Access Request).
- Right to rectification: You have the right to request that we correct any inaccurate or incomplete personal data.
- Right to erasure: You have the right to request that we delete your personal data in certain circumstances (the "right to be forgotten").
- Right to restriction of processing: You have the right to request that we restrict how we process your data in certain circumstances.
- Right to data portability: You have the right to receive your personal data in a structured, commonly used and machine-readable format.
- Right to object: You have the right to object to our processing of your data where we rely on legitimate interests as the lawful basis.
- Right to withdraw consent: Where we process your data based on consent, you may withdraw that consent at any time without affecting the lawfulness of prior processing.
To exercise any of your rights, please contact us at support@thermaflexreflief.fit. We will respond to your request within one calendar month as required by UK GDPR.
10. Your Right to Complain
If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection matters.
- Website: ico.org.uk
- Telephone: 0303 123 1113
- Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
We would, however, appreciate the opportunity to address your concerns directly before you approach the ICO. Please contact us first at support@thermaflexreflief.fit.
11. Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure or destruction. These measures include SSL/TLS encryption for data transmitted via our website, access controls and secure data storage practices.
While we take all reasonable steps to protect your data, no method of transmission over the internet is completely secure. We cannot guarantee absolute security of data transmitted to or from our website.
12. Children's Privacy
Our products and website are not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will take steps to delete it promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make material changes, we will update the "Last updated" date at the top of this page. We encourage you to review this policy periodically.
14. Contact Us
If you have any questions, concerns or requests relating to this Privacy Policy or your personal data, please contact us:
- Email: support@thermaflexreflief.fit
- Post: ThermaFlex Health Ltd, Unit 7, Meridian Business Park, Leicester, LE19 1WZ