
GDPR Statement

Our full data protection & privacy notice — how Aesthetic 26 Wholesale Ltd collects, uses, stores and shares your personal data in compliance with the General Data Protection Regulation (EU 2016/679) and the Irish Data Protection Act 2018.

Last updated 01 June 2026

This notice tells you what personal data we collect, why we collect it, how we use it, who we share it with, how we store it, how long we keep it, and what rights you have over it. If anything is unclear, contact us at info@aesthetic26.ie.

1. Introduction

Aesthetic 26 Wholesale Ltd (“we”, “us”, “our”) is committed to protecting your personal data and to handling it lawfully, transparently and securely in accordance with EU Regulation 2016/679 (the “General Data Protection Regulation” or “GDPR”), the Irish Data Protection Act 2018, the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (the “ePrivacy Regulations”) and other applicable data protection law.

This is our primary data protection notice. A shorter summary appears in our Terms & Conditions and inside your account at Privacy & GDPR (where you can also submit a data deletion request).

2. Who we are — the Data Controller

For the purposes of GDPR, the “data controller” (the entity that decides why and how your data is processed) is:

  • Aesthetic 26 Wholesale Ltd
  • Registered office: Ireland
  • VAT number: IE0000000A
  • Email: info@aesthetic26.ie
  • Phone: available on request via email

We are not currently required to appoint a statutory Data Protection Officer under Article 37 GDPR, but you may direct any data protection enquiry to the email address above and it will be answered by the person responsible for data protection in our business.

3. Scope of this notice

This notice applies to all personal data we process about:

  • Visitors to aesthetic26.ie;
  • Customers (registered trade account holders);
  • Prospective customers and marketing subscribers;
  • People who contact us by email, phone, social media or other channels;
  • Suppliers, partners and academies we work with — to the extent they are natural persons.

This notice does not cover separate websites or services run by third parties even if we link to them. Read the third party’s own privacy notice before submitting personal data to them.

4. Personal data we collect

We collect and process the following categories of personal data:

  • Identity data: first name, last name, date you became a customer;
  • Business data: business name, trading name, business address, VAT number, CRO number, professional registration numbers;
  • Contact data: billing address, delivery address, collection address, phone number, email address;
  • Account data: account number (ACC-XXXXXX), encrypted password, trade verification status (pending / approved / rejected), role (customer / admin), is-active flag;
  • Professional verification documents: insurance certificates, training certificates, aesthetics certificates, medical registration proofs, screenshots, expiry dates and any notes you provide on upload;
  • Order data: products purchased (name, SKU), quantities, batch numbers, lot numbers, expiry dates, prices, discount codes applied, delivery / collection method, invoice number, order status history, tracking number, courier;
  • Communications data: emails to and from us, messages sent through your account, recall acknowledgements, support tickets, GDPR data requests;
  • Marketing data: consent state (opted in / out), consent timestamp, source of consent (e.g. pop-up, footer, account settings), email open and click data on marketing campaigns (Resend);
  • Technical data: IP address, browser type, operating system, device type, pages visited, referring URL, session identifiers, cookie identifiers;
  • Payment metadata: Stripe checkout session identifier, payment intent identifier, payment status, currency, amount paid. We do not see, receive or store full card numbers, CVC codes, expiry dates or any card data.

5. How we collect personal data

  • Directly from you when you register an account, place an order, upload documents, contact us, sign up for marketing or fill in any other form;
  • Automatically through technical means (cookies, server logs) when you visit the website;
  • From our processors — for example, Stripe tells us whether a payment succeeded; Resend tells us whether an email was delivered;
  • From regulators or third parties in the rare event of a recall or legal request where you are identified as an affected party.

6. Why we process your data (lawful bases)

Under GDPR, we must have a lawful basis for every processing activity. Our bases are:

  • Performance of a contract (Art. 6(1)(b) GDPR) — to fulfil your order, manage your account, verify your trade status, communicate with you about deliveries, collection and order issues, and to act on returns or refunds.
  • Compliance with a legal obligation (Art. 6(1)(c) GDPR) — to issue and retain VAT invoices (Irish Revenue requires 6 years), maintain medical-device batch / lot traceability records, respond to law enforcement or regulatory requests, and meet our other statutory obligations.
  • Legitimate interests (Art. 6(1)(f) GDPR) — to verify professional qualifications, prevent fraud, manage product recalls and safety notices, improve the website, secure our systems, and operate our business efficiently. We have conducted a legitimate interests balancing test for each of these purposes and concluded that the processing is proportionate and does not override your rights.
  • Consent (Art. 6(1)(a) GDPR) — for non-essential marketing communications, the entry-pop-up signup discount, and for any non-essential cookies. You can withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

7. How we use your data — purposes

We use your personal data for the following purposes:

  • Creating and verifying your trade account, including reviewing the documents you upload;
  • Processing, dispatching and delivering your orders;
  • Issuing invoices and maintaining tax records as required by Irish Revenue;
  • Managing returns, refunds, cancellations and recall communications;
  • Maintaining batch / lot traceability for medical-device safety;
  • Sending operational communications (order confirmations, dispatch alerts, ready-for-collection notices, recall and safety notices, account changes, invoice receipts, GDPR responses);
  • Sending marketing communications (new product launches, sales, training opportunities) only where you have opted in;
  • Operating in-account messaging and the notification bell for important updates;
  • Detecting, preventing and investigating fraud and abuse;
  • Operating, securing and improving the website and our administrative systems;
  • Generating internal alerts to our staff (new orders, document uploads, GDPR requests, low stock, recall follow-up);
  • Maintaining a tamper-evident audit log of administrative actions for security and regulatory accountability;
  • Answering your queries, complaints and exercising your data rights;
  • Co-operating with regulators (HPRA, Data Protection Commission, Revenue) where required.

8. Special category data

We do not actively seek to collect special category data (Art. 9 GDPR) such as data concerning health, racial / ethnic origin, religious beliefs or trade union membership. However, some professional registration or insurance documents you upload may incidentally reveal health-related professional information about you. Where this occurs, we rely on Article 9(2)(b) (employment / social security / social protection law) or Article 9(2)(f) (establishment, exercise or defence of legal claims) as a condition for processing, alongside our contract / legitimate interest basis under Article 6.

We do not process patient data. You are responsible for the protection of any patient personal data you handle in connection with the products supplied by us — you are the data controller in respect of your own patients.

9. Cookies and similar technologies

Our website uses cookies and similar technologies. Our cookies fall into three categories:

  • Strictly necessary cookies — required to operate the website. These include authentication and session cookies, cart contents, security tokens, the dismiss-cookie for the welcome pop-up, and CSRF tokens. These are set without your consent under Regulation 5(5) of the ePrivacy Regulations as they are essential for the service you have requested.
  • Functional cookies — remember your preferences (e.g. delivery method, VAT number, dismissed banners). Set with consent or based on legitimate interest where non-intrusive.
  • Analytics cookies — if and when we deploy analytics, used only with your consent and processed in aggregated, anonymised form.

You can manage or delete cookies through your browser settings. Note that disabling strictly necessary cookies will prevent the website from functioning (cart, login and checkout will not work).

10. Marketing and electronic communications

We will only send you marketing emails or other electronic marketing communications where you have given prior, freely given, specific, informed and unambiguous consent — for example, by ticking the marketing opt-in box on our signup pop-up or in your account settings.

You can withdraw consent at any time.

We record every consent change with a timestamp and source so we can demonstrate compliance under the GDPR’s accountability principle.

Service / transactional / safety communications — order confirmations, dispatch and collection notifications, invoice receipts, account verification messages, recall and safety notices, GDPR request responses, regulatory notices — are not marketing. They form part of the service or are required by law and will be sent regardless of your marketing preference. Recall and safety communications are specifically carved out under our legal obligation basis.

11. Who we share data with (recipients)

We share your personal data only with parties who need it to provide a service you have asked for, or where we are legally required, or with your consent. All processors are engaged under written contracts that include the safeguards required by Article 28 GDPR.

Our data processors

  • Supabase Inc. — database hosting, authentication and file storage for customer documents and certificates. We host on Supabase’s EU region (Frankfurt). All databases enforce row-level security; admin operations are restricted by role and audit-logged.
  • Stripe Payments Europe Ltd. — processes card payments. Stripe is an independent data controller for payment data; they receive your name, billing address, email and amount. We never see or store full card details, CVC codes or expiry dates. Stripe’s privacy notice: stripe.com/ie/privacy.
  • Resend, Inc. — delivers transactional and (where you have opted in) marketing emails on our behalf. Processes the recipient email address, message content and basic engagement metrics.
  • Vercel Inc. — hosts the website and content delivery network. Sees IP address and HTTP request metadata as a normal part of serving the site.
  • DPD Parcels Ireland Ltd. — receives delivery name, address, phone number and order reference to deliver your order. DPD is an independent data controller for delivery operations.
  • Domain & DNS providers — GoDaddy (DNS).

Other recipients

  • Regulators and competent authorities — including the Health Products Regulatory Authority (HPRA), the European Medicines Agency (EMA), the Data Protection Commission (DPC), the Office of the Revenue Commissioners, An Garda Síochána, and any other competent authority — only where we are legally required to disclose information by law, court order, regulatory request, criminal investigation, or in connection with a product recall or safety investigation. See Section 15 below for detail.
  • Our professional advisers — accountants, auditors, legal advisors — under contracts of confidentiality, only where necessary for them to advise us.
  • Successor entities — in the event of merger, acquisition, sale or restructuring of our business, your personal data may be transferred to the acquiring entity. We would notify you of any such transfer with reasonable advance notice and the receiving entity would be bound by the same protections under GDPR.

Who we do not share with

We do not sell your personal data. We do not share your personal data with third parties for their own marketing purposes. We do not engage in data brokering of any kind.

12. International data transfers

Some of our processors are based outside the European Economic Area (EEA), including in the United States. Where personal data is transferred outside the EEA, we rely on one or more of the following safeguards approved by the European Commission:

  • EU Commission adequacy decisions — including, where applicable, the EU–US Data Privacy Framework (Stripe, Resend, Vercel, Supabase to the extent they participate);
  • Standard Contractual Clauses approved by the European Commission (Decision 2021/914);
  • Supplementary technical and organisational measures — including encryption in transit and at rest, role-based access controls, and contractual restrictions on sub-processors.

You can request a copy of the relevant transfer safeguard for any of our processors by emailing info@aesthetic26.ie.

13. How long we keep your data (retention)

We only retain personal data for as long as is necessary for the purpose for which it was collected, taking into account our legal obligations. Specific retention periods:

Data category and retention period:

  • Account profile data: while active, plus 12 months after last activity
  • Order & invoice records (Revenue): 6 years from the end of the relevant financial year
  • Batch / lot / expiry traceability: up to 10 years (medical device traceability)
  • Professional verification documents: while account active, plus 12 months; longer if subject to inspection
  • Marketing consent records: 6 years from consent withdrawal
  • General email correspondence: 24 months from last exchange
  • Stripe payment metadata: per Stripe’s policy, plus 6 years for our accounting
  • Audit log of admin actions: 6 years minimum (regulatory accountability)
  • Server / access logs: 90 days typically (security)
  • GDPR request records: 6 years from completion (accountability)

At the end of the retention period, data is either deleted, anonymised, or — where required for accounting / regulatory archive — retained in a restricted-access archive.

14. How we store and secure your data

We apply technical and organisational measures appropriate to the sensitivity of the data and the risks of processing. These include:

  • Encryption in transit — all traffic to and from aesthetic26.ie is encrypted with TLS 1.2 or higher;
  • Encryption at rest — Supabase and Stripe encrypt data at rest on our behalf;
  • Row-level security (RLS) at database level — customers can only see their own rows; admin reads are scoped and audit-logged;
  • Role-based admin permissions — Owner / Manager / Staff tiers, each with explicit permissions for what they can view, change or export;
  • Audit log — every administrative action (status changes, document approvals, refunds, role changes, recall sends) is logged with admin email, timestamp and before/after value;
  • Signed URLs with short expiry — file downloads (invoices, certificates, customer documents) generate single-use signed URLs that expire in 60 seconds;
  • Strong authentication — accounts use email + password with Supabase Auth; we never store plaintext passwords;
  • No card data on our servers — payments are tokenised through Stripe;
  • Processor due diligence — every processor is engaged under a written data processing agreement that includes Article 28 GDPR safeguards;
  • Regular review — we review processor agreements and security posture periodically.
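Two of the measures listed above, row-level security and an audit log of administrative changes, can be expressed directly in the database. The following is an added illustration written for this page, not Aesthetic 26’s own schema: it assumes a Supabase-hosted Postgres database with hypothetical tables named profiles, orders and audit_log, a customer_id column on orders, and a role column on profiles. The pattern is what a reviewer would look for when checking the claims in this section: RLS enabled so access is denied by default, a customer policy keyed on auth.uid(), an admin policy keyed on a role check, and a trigger that records before/after values on every admin update.

```sql
-- Added example (not Aesthetic 26's own schema). Table and column names
-- (profiles, orders, audit_log, customer_id, role) are assumptions.

create table if not exists profiles (
  id   uuid primary key references auth.users (id),
  role text not null default 'customer'
       check (role in ('customer', 'staff', 'manager', 'owner'))
);

create table if not exists orders (
  id          bigserial primary key,
  customer_id uuid not null references auth.users (id),
  status      text not null default 'pending',
  total_cents integer not null
);

create table if not exists audit_log (
  id         bigserial primary key,
  at         timestamptz not null default now(),
  actor      uuid,               -- auth.uid() of the admin who made the change
  table_name text not null,
  row_id     text not null,
  old_row    jsonb,              -- value before the change
  new_row    jsonb               -- value after the change
);

-- Deny by default: with RLS enabled and no matching policy, the API sees no rows.
alter table profiles  enable row level security;
alter table orders    enable row level security;
alter table audit_log enable row level security;

-- Role check for admin tiers. security definer lets it read profiles without
-- recursing into profiles' own RLS policies.
create or replace function is_admin() returns boolean
language sql stable security definer set search_path = public as $$
  select exists (
    select 1 from profiles
    where id = auth.uid() and role in ('staff', 'manager', 'owner')
  );
$$;

-- Customers: read only their own orders; no insert/update/delete policy exists,
-- so those operations are refused for customers.
create policy "customer reads own orders" on orders
  for select to authenticated
  using (customer_id = auth.uid());

-- Admins: read and update any order; the role is re-checked on every request.
create policy "admin reads all orders" on orders
  for select to authenticated
  using (is_admin());

create policy "admin updates orders" on orders
  for update to authenticated
  using (is_admin()) with check (is_admin());

-- Audit trigger: every update to orders records who changed what, with the
-- old and new row. audit_log has RLS enabled and no policies, so it cannot be
-- read or edited through the API; only this definer function writes to it.
create or replace function log_order_change() returns trigger
language plpgsql security definer as $$
begin
  insert into audit_log (actor, table_name, row_id, old_row, new_row)
  values (auth.uid(), 'orders', old.id::text, to_jsonb(old), to_jsonb(new));
  return new;
end;
$$;

create trigger orders_audit
  after update on orders
  for each row execute function log_order_change();
```

The point of enabling RLS on audit_log without adding any policy is that the log is append-only from the application’s point of view: ordinary sessions cannot read, alter or delete entries, which is what makes the log tamper-evident in the sense Section 7 uses the term.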

No system can guarantee 100% security. Where you have a password, choose a strong unique one and do not share it.

15. Disclosures required by law or regulator

We will disclose personal data to public authorities or other third parties only where we are legally required to do so. Examples of situations in which we may be required to disclose data include:

  • Health Products Regulatory Authority (HPRA) — in connection with a medical device recall, post-market surveillance request, vigilance report or inspection of our records;
  • European Medicines Agency (EMA) — for products falling within EU-wide medical device or medicinal product regulatory oversight, in the rare circumstances where we are required to provide records;
  • Office of the Revenue Commissioners — VAT inspection, audit, or corporation tax investigation;
  • An Garda Síochána — pursuant to a lawful request or court order in connection with a criminal investigation or proceedings;
  • The Courts — in compliance with a court order, judgment or formal legal process;
  • The Data Protection Commission (DPC) — where the DPC requires information in the course of an inquiry into a complaint or own-motion investigation, or as part of mandatory breach notification under Articles 33–34 GDPR;
  • Other competent authorities — including consumer protection bodies, competition authorities or any other regulator within their jurisdiction over our business, where required by valid legal instrument.

Where we are required to make a disclosure, we will release only the minimum data necessary to satisfy the requirement and, where legally permitted, we will notify you in advance. We will not voluntarily disclose your personal data to any third party outside the recipients listed in Section 11 unless required to do so by law.

We maintain a record of every disclosure made under this Section, including the requesting authority, the legal basis cited, the data released, the date, and the approving administrator — retained as part of our audit log for 6 years.

16. Your rights as a data subject

Under GDPR you have the following rights, exercised free of charge unless your request is manifestly unfounded or excessive:

  • Right of access (Art. 15 GDPR) — to obtain confirmation that we process personal data about you, and a copy of that data;
  • Right to rectification (Art. 16) — to have inaccurate or incomplete data corrected without undue delay;
  • Right to erasure / “right to be forgotten” (Art. 17) — to have personal data deleted, where the data is no longer necessary, where you withdraw consent, where you object to processing under legitimate interests, where data has been unlawfully processed, or where erasure is required to comply with a legal obligation. Erasure may be partially limited where we are required to retain records (e.g. VAT, traceability) by law;
  • Right to restriction (Art. 18) — to restrict processing while a dispute is being investigated;
  • Right to data portability (Art. 20) — where processing is based on consent or contract and is carried out by automated means, to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller;
  • Right to object (Art. 21) — to processing based on legitimate interests or public interest, including profiling. You have an absolute right to object to direct marketing — we will stop processing for that purpose immediately;
  • Right not to be subject to automated decision-making (Art. 22) — to not be subject to a decision based solely on automated processing that produces legal effects on you or significantly affects you. We do not currently engage in such processing;
  • Right to withdraw consent — where processing is based on consent, to withdraw consent at any time;
  • Right to lodge a complaint — with the Data Protection Commission (see Section 21).

17. How to exercise your rights

To exercise any of your rights, contact us in one of the following ways:

  • Email info@aesthetic26.ie with the subject line “GDPR request” and a short description of the right you wish to exercise;
  • Submit a data deletion request from your account privacy page;
  • Post a written request to Aesthetic 26 Wholesale Ltd, Ireland.

We will acknowledge receipt promptly and respond fully within one (1) month of receiving a valid request. Where a request is complex or where we receive a high volume of requests, we may extend the response window by a further two (2) months and inform you of the extension within the original one-month period.

We may need to verify your identity (for example, by asking you to confirm your account details) before fulfilling a request — this is a security measure to ensure data is not disclosed to the wrong person.

18. Automated decision-making and profiling

We do not currently engage in automated decision-making with legal or similarly significant effect on you. The website does use some automated processing for routine operations (e.g. an order is automatically declined if Stripe declines payment), but these decisions are operationally necessary and not legally significant.

We do not engage in marketing-style profiling of customers and do not build behavioural advertising audiences.

19. Children and minors

Our website and services are intended for trade customers aged 18 and over. We do not knowingly collect personal data from anyone under 18. If we become aware that we have inadvertently collected personal data from a person under 18, we will delete it without undue delay.

20. Data breach response

We have technical, organisational and procedural measures in place to identify, contain and investigate personal data breaches. In the event of a personal data breach:

  • Where the breach is likely to result in a risk to the rights and freedoms of natural persons, we will notify the Data Protection Commission within 72 hours of becoming aware of it, in accordance with Article 33 GDPR;
  • Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, we will also notify the affected individuals directly without undue delay, in accordance with Article 34 GDPR, using the contact details on file;
  • We will document every breach (factual circumstances, effects, remedial action) in our internal breach register, retained for 6 years, whether or not it crossed the notification threshold.

21. Complaints to the Data Protection Commission

You have the right to lodge a complaint with the Irish supervisory authority — the Data Protection Commission (DPC):

  • Postal: Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland
  • Phone: +353 (0)761 104 800
  • Web: www.dataprotection.ie

We’d appreciate the chance to address your concerns directly before you take this step — write to info@aesthetic26.ie and we will respond within one month.

22. Changes to this notice

We will update this notice from time to time to reflect changes in how we process personal data, changes in the law, or operational changes. The “last updated” date at the top of the page indicates when the notice was last changed. Material changes will be communicated to active account holders by email or in-account notification.

Continued use of your account after a notified change constitutes acceptance of the updated notice. If you do not agree with a change, you may close your account and request deletion of your data subject to our legal retention obligations.

23. Contact

For any data protection question, email info@aesthetic26.ie.

This notice was last updated on 01 June 2026. Aesthetic 26 Wholesale Ltd. All rights reserved.