Privacy policy.

Introduction

This Privacy Policy explains how Afope Atoyebi Co. (“we”, “us”, “our”) collects, uses, shares, and protects your personal information when you use our website, purchase products, or receive trichology, haircare, or consultation services from us. We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018. By using our services, you agree to the terms of this Privacy Policy.

Personal Data We Collect

We collect the following categories of personal data, depending on the services you use:

  • Basic Contact and Transaction Data: name, address, email, telephone, billing and payment information, purchase history.

  • Consultation and Service Data: images of your hair and scalp, hair samples, lifestyle and haircare history, details of your hair goals and concerns.

  • Special Category Health Data (Article 9 UK GDPR): hair and scalp condition, relevant medical history, allergies/sensitivities, diagnostic test results (blood, hair tissue mineral, gut health, genetic), lifestyle and nutrition information relevant to assessment.

  • Technical Data: IP address, browser type/version, device type, operating system, and usage data.

How We Collect Your Data

We collect personal data in the following ways:

  • When you book or purchase a service or product.

  • When you complete a consultation form or send required materials.

  • During consultations (virtual or in-person).

  • From diagnostic test providers you use via us.

  • Automatically through our website (cookies, analytics).
How We Use Your Data and Lawful Bases

    1. We only process your personal data where permitted by law. Our main lawful bases are: performance of a contract, consent, legitimate interests, and legal obligations. For special category health data, we rely on your explicit consent under Article 9(2)(a) UK GDPR.

    2. We process your data for the following purposes:

  • Providing consultations and services.

  • Arranging diagnostic testing.

  • Sharing results with relevant professionals.

  • Processing product purchases.

  • Sending marketing communications (with your consent).

  • Improving our website and services.

  • Complying with legal and regulatory obligations.

Special Category Data and Consent

We require your explicit consent to process health-related data. This consent is collected during the booking process when you click to accept our Client Services Agreement and this Privacy Policy. You may withdraw consent at any time (see section 11), although doing so may prevent us from delivering certain services.

Sharing Your Data

We share your data only when necessary, including with:

  • Diagnostic laboratories.

  • Nutritionists or medical practitioners for referrals.

  • Payment processors to complete transactions.

  • IT and website hosting providers.

  • Professional advisors (accountants, lawyers, insurers).

  • Regulatory authorities where required by law.

We ensure third parties only receive the minimum necessary data and, for health data, only information relevant to your hair/scalp diagnosis and treatment.

International Transfers

Some of our service providers may be located outside the UK. Where personal data is transferred internationally, we ensure that appropriate safeguards are in place, such as:

  • Adequacy regulations issued by the UK Government.

  • International Data Transfer Agreements (IDTAs).

  • Standard Contractual Clauses (SCCs).

Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected:

  • Diagnostic or treatment-related records: 5 years from your last consultation.

  • Non-diagnostic consultation records: 3 years from your last consultation.

  • Purchase and transaction records: 4 years for tax and accounting purposes.

  • Marketing contact details: until you withdraw consent.

After these periods, data will be securely deleted or anonymised. Anonymised data may be kept indefinitely for research, statistical, or service improvement purposes.

Security Measures

    1. We implement and maintain appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage. These measures are designed to provide a level of security appropriate to the risk, taking into account the nature of the personal data, the scope and purposes of processing, the costs of implementation, and the potential impact on individuals’ rights and freedoms.

    2. Our measures include, without limitation:

  1. Access Controls – Personal data is accessible only to authorised personnel who require it for the performance of their duties, and access rights are reviewed regularly.

  2. Encryption and Pseudonymisation – Sensitive and special category data, including health-related information, is encrypted in transit and at rest using industry-standard encryption protocols.

  3. Secure Storage – Electronic records are stored in secure, access-controlled systems; physical records are stored in locked facilities.

  4. Data Minimisation – We limit the collection, storage, and retention of personal data to what is necessary for the purposes identified in this Privacy Policy.

  5. System Security – We use firewalls, intrusion detection systems, antivirus software, and regular security patching to protect our IT systems from unauthorised access or malware.

  6. Staff Training and Confidentiality – All staff and contractors handling personal data receive regular data protection and information security training and are bound by confidentiality obligations.

  7. Secure Transmission – We use secure protocols for transmitting personal data over networks.

  8. Third-Party Due Diligence – We assess the security measures of all third-party processors and require them to maintain security standards no less protective than our own.

While we take all reasonable precautions to protect your personal data, no method of transmission or storage is completely secure, and we cannot guarantee absolute security. However, we follow industry standards and continually review and enhance our security measures to meet evolving threats and industry best practices.

Your Rights

Under UK GDPR, you have the following rights:

  • Access to your personal data.

  • Rectification of inaccurate data.

  • Erasure (‘right to be forgotten’).

  • Restriction of processing.

  • Data portability.

  • Objection to processing.

  • Withdrawal of consent at any time (for health data or marketing).

  • To lodge a complaint with the Information Commissioner’s Office (ICO) at www.ico.org.uk.

Withdrawing Consent

If you wish to withdraw your consent to the processing of your health data or for marketing purposes, you may do so at any time by emailing hello@afopeatoyebi.com. Withdrawal of consent for health data may mean we cannot continue to provide certain services.

Changes to this Privacy Policy

We may update this Privacy Policy from time to time. The latest version will always be available on our website, with the ‘Effective Date’ shown at the top. We will notify you of any material changes before they take effect.

Contact Us

If you have any questions about this Privacy Policy or wish to exercise your rights, please contact us at hello@afopeatoyebi.com.