Who we are

GRÁ is a trading name of Ardcairn Ltd. Company registered in Scotland No. SC599934. Our website address is: https://graskincareuk.com.

What personal data we collect and why we collect it

This Privacy Policy describes how your personal information is collected, used, and shared when you visit or make a purchase from GRÁ (the “Site”). Orders are processed using our online shop software, Shopify, and shipped using our postage service, Royal Mail.

When you visit the Site, we automatically collect certain information about your device, including information about your web browser, IP address, time zone, and some of the cookies that are installed on your device. Additionally, as you browse the Site, we collect information about the individual web pages or products that you view, what websites or search terms referred you to the Site, and information about how you interact with the Site. We refer to this automatically-collected information as “Device Information”.

We collect Device Information using the following technologies:
– “Cookies” are data files that are placed on your device or computer and often include an anonymous unique identifier. For more information about cookies, and how to disable cookies, visit http://www.allaboutcookies.org.
– “Log files” track actions occurring on the Site, and collect data including your IP address, browser type, Internet service provider, referring/exit pages, and date/time stamps.
– “Web beacons”, “tags”, and “pixels” are electronic files used to record information about how you browse the Site.

Additionally, when you make a purchase or attempt to make a purchase through the Site, we collect certain information from you, including your name, billing address, shipping address, payment information (including credit card numbers), email address, and phone number. We refer to this information as “Order Information”.

When we talk about “Personal Information” in this Privacy Policy, we are talking both about Device Information and Order Information.

We use the Order Information that we collect generally to fulfill any orders placed through the Site (including processing your payment information, arranging for shipping, and providing you with invoices and/or order confirmations). Additionally, we use this Order Information to:
– Communicate with you;
– Screen our orders for potential risk or fraud; and
– When in line with the preferences you have shared with us, provide you with information or advertising relating to our products or services.

We use the Device Information that we collect to help us screen for potential risk and fraud (in particular, your IP address), and more generally to improve and optimize our Site (for example, by generating analytics about how our customers browse and interact with the Site, and to assess the success of our marketing and advertising campaigns).

We share your Personal Information with third parties to help us use your Personal Information, as described above. For example, we use Shopify to power our online store; you can read more about how Shopify uses your Personal Information here: https://www.shopify.com/legal/privacy. We use Royal Mail to fulfill our shipments; you can read more about how Royal Mail uses your Personal Information here: https://www.royalmail.com/privacy-notice/. We also use Google Analytics to help us understand how our customers use the Site; you can read more about how Google uses your Personal Information here: https://www.google.com/intl/en/policies/privacy/. You can also opt out of Google Analytics here: https://tools.google.com/dlpage/gaoptout.


Shopify is our payment provider and will use information you submit to process sales. Customers may also choose to use PayPal or Google Pay.

When interacting with our shop provided by Shopify, via any channel (e.g. Facebook, Instagram, this website or Shopify itself), you agree to Shopify:

Collecting, receiving, using and disclosing your information relating to the sale, including information they may gather via cookies. Shopify will use Cardholder Data in Shopify’s supply of services to GRÁ and Ardcairn Ltd and in doing so may transmit or process it outwith our or our customers’ jurisdiction.

Customers choosing to use PayPal or Google Pay should read those providers’ policies regarding use of Personal Information.

Finally, we may also share your Personal Information to comply with applicable laws and regulations, to respond to a subpoena, search warrant or other lawful request for information we receive, or to otherwise protect our rights.

As described above, we may use your Personal Information to provide you with targeted advertisements or marketing communications we believe may be of interest to you. For more information about how targeted advertising works, you can visit the Network Advertising Initiative’s (“NAI”) educational page at http://www.networkadvertising.org/understanding-online-advertising/how-does-it-work.

You can opt out of targeted advertising by using the links below:
– Facebook: https://www.facebook.com/settings/?tab=ads
– Google: https://www.google.com/settings/ads/anonymous
– Bing: https://advertise.bingads.microsoft.com/en-us/resources/policies/personalized-ads

Additionally, you can opt out of some of these services by visiting the Digital Advertising Alliance’s opt-out portal at: http://optout.aboutads.info/.

Please note that we do not alter our Site’s data collection and use practices when we see a Do Not Track signal from your browser.

If you are a UK or European resident, you have the right to access personal information we hold about you and to ask that your personal information be corrected, updated, or deleted. If you would like to exercise this right, please contact us through the contact information below.

Additionally, if you are a UK or European resident we note that we are processing your information in order to fulfill contracts we might have with you (for example if you make an order through the Site), or otherwise to pursue our legitimate business interests listed above. Additionally, please note that your information will be transferred outside of Europe, including to Canada and the United States.

When you place an order through the Site, we will maintain your Order Information for our records unless and until you ask us to delete this information.

We may update this privacy policy from time to time in order to reflect, for example, changes to our practices or for other operational, legal or regulatory reasons.

For more information about our privacy practices, if you have questions, or if you would like to make a complaint, please contact us using the form below and using the subject line: Privacy Compliance Officer.


If we enable comments on our site, then when visitors leave a comment we collect the data shown in the comments form, together with the visitor’s IP address and browser user agent string to help spam detection.

An anonymized string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. The Gravatar service privacy policy is available here: https://automattic.com/privacy/. After approval of your comment, your profile picture is visible to the public in the context of your comment.


If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.

Contact forms


If you leave a comment on our site you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.

If you have an account and you log in to this site, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.

When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.

If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.

Embedded content from other websites

Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.

These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website.


Who we share your data with

How long we retain your data

If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognize and approve any follow-up comments automatically instead of holding them in a moderation queue.

For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.

What rights you have over your data

If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.

Where we send your data

Visitor comments may be checked through an automated spam detection service.

GDPR statement of compliance

Introduction and overview

We have studied the Information Commissioner’s Office (ICO) guidelines concerning compliance with the new General Data Protection Regulation (GDPR) rules. This document explains how GRÁ, part of Ardcairn Ltd, complies, using the structure of the ICO booklet “Preparing for the General Data Protection Regulation – 12 Steps to Take Now”.


Ardcairn Ltd is aware that GDPR comes into effect on 25th May 2018. All Associates and staff of the company have read and adhere to our data protection privacy policies.

Data we hold

We hold the following data, which can be accessed by relevant members of Ardcairn Ltd:

  • Email addresses of people or organisations who have contacted us using our contact form, or emailed us and to whom we have replied.

Ardcairn Ltd has access to the following data:

  • Email addresses, names and self-identified descriptors (e.g. “CEO”) of people who have been the main contact within an organisation with which we have worked.

Ardcairn Ltd and McElhinney and Co (our accountants, based in the UK) have access to the following data:

  • Email addresses, postal addresses and bank details of organisations with which we have worked and for whom we have processed orders. These are recorded in Google Applications and our online bookkeeping software (all password protected).

We share your Personal Information with third parties to help us use your Personal Information, to provide our services to you. For example:

  • We use Shopify to power our online store; you can read more about how Shopify uses your Personal Information here: https://www.shopify.com/legal/privacy.
  • We use Royal Mail to fulfill our shipments — you can read more about how Royal Mail uses your Personal Information here: https://www.royalmail.com/privacy-notice/.
  • We also use Google Analytics to help us understand how our customers use the Site — you can read more about how Google uses your Personal Information here: https://www.google.com/intl/en/policies/privacy/. You can also opt-out of Google Analytics here: https://tools.google.com/dlpage/gaoptout.

Google Applications have Privacy Shield and/or other features to ensure we use them in ways compliant with the GDPR in general, and our privacy and data retention policies specifically.

Google Apps’ Privacy Shield Certification is here: https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI

Communicating private information

We have taken the following steps:

  1. Placed this document on our website with our privacy policy.
  2. Ensured we are up to date with latest policy amendments and procedures.

Individuals’ rights

Any individual or organisation may request to be informed on the data held by Ardcairn Ltd about them. We will update or delete this data subject to reasonable requests in order to comply with GDPR. Note that we have a legal requirement to retain some financial records for auditing purposes.

Subject access requests

We will respond to all requests for information within the one-month compliance period. Please note that, in order to action a request, the individual or organisation making it will be asked to prove their identity.

Lawful basis for processing data

  • When an individual or organisation contacts us via email, their email address is stored on our email servers. It will not be added to any database or spreadsheet unless a working contract between us has been agreed.
  • If an individual or organisation opts into one of our email lists they have done so in the knowledge that they will receive regular updates via email. They may unsubscribe at any time.
  • When people/organisations have entered into a working contract with us, their postal and email addresses are saved in Google apps, and our online bookkeeping software (password protected).
  • When people/organisations have completed a working contract for us, their postal and email addresses and bank details are saved in Google apps, and our online bookkeeping software.
  • Email addresses, postal addresses and bank details of organisations with which we have worked and for whom we have processed orders are recorded in Google Applications, our online bookkeeping software, Shopify and Royal Mail (all password protected) as relevant.

Any individual or organisation subscribed to our email lists can unsubscribe at any time by clicking the relevant link in one of our communications, or by contacting us via our website. These email addresses are retained as ‘unsubscribed users’ for a one-year period for auditing reasons.


Individuals and organisations who subscribe to our email lists are over the age of 13. If we find that there are subscribers under this age, we will remove them from the list, explaining why we are doing so.

Data breaches

We aim to prevent data breaches by using strong passwords with two-factor authentication where available. If any organisation we use as a data processor is compromised, we would follow its advice immediately and inform the data subjects.

Data Protection by Design and Data Protection Impact Assessments

We have familiarised ourselves with the ICO’s code of practice on Privacy Impact Assessments.

Data Protection Officers

We have appointed a Data Protection Officer (DPO) who can be contacted using the form below.

Our commitment to your privacy

We’re serious about protecting your personal data. This note explains:

  • How we obtained your personal data;
  • The personal data that we collect;
  • Your personal data rights;
  • Your right to object to our processing your personal data and withdrawing consent;
  • How and when we use that personal data;
  • Whether we share your personal data with anyone else;
  • For how long we will keep your personal data;
  • How you can access your personal data.

If you have any questions or queries about this notice, please use the form below and use the subject line: Privacy Compliance Officer.

How Ardcairn Ltd (“we”) use your information

Your privacy is important to us. We are committed to safeguarding the privacy of your information.

Why are we collecting your data?

When required we collect personal data to provide an appropriate level of service to you and to comply with the law regarding data sharing. In legal terms this is called ‘legitimate interests’. We collected your personal data when you corresponded with us during a sales process or signed up for one of our services. When it is required, we may also ask you for your consent to process your data.

The categories of information that we may collect and hold include:

  • Personal information (such as name, telephone number, address, email address, bank details)
  • Corporate information (such as company name, telephone number, address, email address, bank details)

How and when we use your personal data

We’re committed to using your personal data responsibly and lawfully. Here’s what we do with your personal data:

  • We will use it to ensure we deal with your enquiries quickly and efficiently.
  • We will use it to maintain ongoing communication with you, so as to sustain a good working relationship with you and your company.

Your personal data is stored on platforms protected by strong passwords, including Google Applications that have Privacy Shield and/or other features to ensure they are compliant with the GDPR in general, and our privacy and data retention policies specifically.

Google Apps’ Privacy Shield Certification is here: https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI

To help us to maintain the accuracy of the personal data that we hold please let us know if we hold out of date or inaccurate information about you.

Storing your data

We hold your data for varying lengths of time depending on the type of information in question but in doing so we always comply with Data Protection legislation.

Who do we share your information with?

We will not share your information with third parties without your consent unless the law requires us to do so, or as necessary for our own legitimate interests or those of other persons and organisations, e.g.:

  • For good governance, accounting and managing and auditing our business operations

Sharing your personal data

There are only a few occasions where we will share your personal data with a third party. They are:

  • Where we’re required to disclose it by law – to government bodies for example.
  • Where we need to do so in order to complete contractually agreed services using third-party tools (Shopify and Royal Mail, for example), or with our professional advisers (who are required to keep your data confidential).
  • Subcontractors and other persons who help us to provide our products and services.
  • Companies and other persons providing services to us.
  • To protect the security or integrity of our business operations.
  • Payment systems, where it is necessary to process transactions.

Requesting access to your personal data

Under Data Protection legislation, you have the right to request access to information about you that we hold. To make a request for your personal information contact our Data Protection Officer (DPO).

You also have the right to:

  • object to processing of personal data that is likely to cause, or is causing, damage or distress
  • prevent processing for the purpose of direct marketing
  • object to decisions being taken by automated means
  • in certain circumstances, have inaccurate personal data rectified, blocked, erased or destroyed; and
  • claim compensation for damages caused by a breach of the Data Protection regulations.

For further information on how your information is used, how we maintain the security of your information and your rights to access information we hold on you please get in touch with our Data Protection Officer using the contact details below.

If you have a concern about the way we are collecting or using your personal data, you should raise your concern with us in the first instance or directly with the Information Commissioner’s Office at https://ico.org.uk/concerns/.


To discuss anything in this privacy notice, please contact our Data Protection Officer using the form below.


“Data Protection Legislation” means the Data Protection Act 1998, the Privacy and Electronic Communications Regulations (EC Directive) Regulations 2003 (SI 2426/2003 as amended), and all applicable laws and regulations, including any replacement UK or EU data protection legislation relating to the Processing of Personal Data, including, where applicable, the guidance and codes of practice issued by the Information Commissioner’s Office.

The Data Protection Legislation (“the Legislation”) is concerned with the protection of human rights in relation to personal data. The aim of the Legislation is to ensure that personal data is used fairly and lawfully and that where necessary the privacy of individuals is respected. As part of regular business activities, Ardcairn Ltd will collect, store and process personal data about our members, clients and suppliers and other third parties and we recognise that the correct and lawful treatment of this data will maintain confidence in Ardcairn Ltd. This policy sets out the basis on which we will process any personal data we collect from data subjects, or that is provided to us by data subjects or other sources.

The Data Protection Officer (“DPO”) is responsible for ensuring compliance with the Legislation and with this policy.

Any questions about the operation of this policy or any concerns that the policy has not been followed should be referred in the first instance to the DPO.

What is personal data?

Personal data is defined as data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller.

Processing personal data

All personal data should be processed in accordance with the Legislation and this policy.

Processing includes obtaining, holding, maintaining, storing, erasing, blocking and destroying data.

Personal data is data relating to a living individual. It includes employee data. It will not include data relating to a company or organisation, although any data relating to individuals within companies or organisations may be covered. Personal data can be factual (for example a name, address or date of birth) or it can be an opinion about that person, their actions and behaviour.

Examples of personal data are employee details, including employment records, names and addresses and other information relating to individuals, including supplier details, any third-party data and any recorded information including any recorded telephone conversations, video calls, emails or CCTV images.

Staff who process data on behalf of Ardcairn Ltd should assume that whatever they do with personal data will be considered to constitute processing. Individuals should only process data:

  • If they have consent to do so; or
  • If it is necessary to fulfil a contractual obligation or as part of the employer/employee relationship (for example, processing the payroll).

If neither of these conditions is satisfied, individuals should contact the Data Protection Compliance Manager before processing personal data.

Compliance with the Legislation

Staff who process data on Ardcairn Ltd’s behalf have a responsibility for processing personal data in accordance with the Legislation. Anyone who has responsibility for processing personal data must ensure that they comply with the data protection principles in the Legislation. These state that personal data must:

  • be obtained and used fairly and lawfully
  • be obtained for specified lawful purposes and used only for those purposes
  • be adequate, relevant and not excessive for those purposes
  • be accurate and kept up to date
  • not be kept for any longer than required for those purposes
  • be used in a way which complies with the individual’s rights (this includes rights to prevent the use of personal data which will cause them damage or distress, to prevent use of personal data for direct marketing, and to have inaccurate information deleted or corrected)
  • be protected by appropriate technical or organisational measures against unauthorised access, processing or accidental loss or destruction
  • not be transferred outside the European Economic Area unless with the consent of the data subject or where the country is determined to have adequate systems in place to protect personal data.

Monitoring the use of personal data

Ardcairn Ltd is committed to ensuring that this data protection policy is put into practice and that appropriate working practices are being followed. To this end the following steps will be taken:

  • Staff who deal with personal data are expected to be aware of data protection issues and to work towards continuous improvement of the proper processing of personal data;
  • Staff who handle personal data on a regular basis or who process sensitive or other confidential personal data will be more closely monitored;
  • Staff must evaluate whether the personal data they hold is being processed in accordance with this policy. Particular regard should be had to ensure inaccurate, excessive or out of date data is disposed of in accordance with this policy;
  • An annual report on the level of compliance with or variance from good data protection practices will be produced. Data breaches will be recorded and investigated to see what improvements can be made to prevent recurrences.

Handling personal data and data security

We will take appropriate technical and organisational steps to guard against unauthorised or unlawful processing. Records will be stored on Google Apps and our online bookkeeping software. Access to these records will be restricted to account holders with passwords only. Paper-based records relating to members, clients or suppliers will be kept secure in a locked cabinet.

We will ensure that staff who handle personal data are adequately trained and monitored.

Security policies and procedures will be regularly monitored and reviewed to ensure data is being kept secure.

Where personal data needs to be deleted or destroyed, adequate measures will be taken to ensure data is properly and securely disposed of. This will include destruction of files and back up files and physical destruction of manual files. Particular care should be taken over the destruction of manual sensitive data (written records) including shredding or disposing via specialist contractors.

All data will be stored in a secure location and precautions will be taken to avoid data being accidentally disclosed. Any agent employed to process data on our behalf will be bound to comply with this data protection policy by a written contract. Personal data stored on a laptop should be password protected.

The rights of individuals

The Legislation gives individuals certain rights to know what data is held about them and what it is used for. In principle everyone has the right to see copies of all personal data held about them. There is also a right to have any inaccuracies in data corrected or erased. Data subjects also have the right to prevent the processing of their data for direct marketing purposes.

Any request for access to data under the Legislation should be made to the DPO in writing. In accordance with the Legislation we will ensure that written requests for access to personal data are complied with within 30 days of receipt of a valid request.

When a written data subject access request is received, the data subject will be given a description of a) the personal data, b) the purposes for which it is being processed, and c) the people and organisations to whom the data may be disclosed, and d) will be provided with a copy of the information in an intelligible form.

Sensitive data

No sensitive data will be requested, gathered or stored by GRÁ for Ardcairn Ltd.

Changes to this policy

We reserve the right to change this policy at any time. Where appropriate we will notify data subjects of those changes by mail or email.

Policy adopted on 22/5/18.

Contact us