Privacy Policy
Last updated: [December 2025]
Chameleon Scrubs (“we”, “us”, “our”) is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal data when you visit our website, place an order, or contact us.
This policy is provided in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Who We Are
Chameleon Scrubs is the data controller responsible for your personal data.
If you have any questions about this Privacy Policy or how we handle your data, you can contact us using the details provided on our website.
2. What Personal Data We Collect
We may collect and process the following personal data:
Information you provide to us
Name
Billing and delivery address
Email address
Telephone number
Order details and purchase history
Account registration details (if applicable)
Communications you send to us (emails, enquiries, support requests)
Information collected automatically
IP address
Browser type and version
Device information
Pages visited and interaction with the website
Cookies and similar technologies (see Cookie section below)
Business-to-Business Data
For NHS, hospitals, universities, and organisations, we may also process:
Job title
Organisation name
Purchase order references
Delivery contact details
This data relates to professional roles and not private individuals acting in a personal capacity.
3. How We Use Your Data
We use your personal data to:
Process and fulfil orders
Manage payments, delivery, and returns
Communicate with you about your order
Respond to enquiries or customer service requests
Comply with legal and regulatory obligations
Improve our website, products, and services
Prevent fraud and protect our business
We do not use your data for automated decision-making or profiling.
4. Legal Bases for Processing
We process personal data under the following lawful bases:
Contractual necessity – to fulfil orders and deliver goods
Legal obligation – for accounting, tax, and regulatory compliance
Legitimate interests – to operate and improve our business, prevent fraud, and communicate with customers
Consent – where you have explicitly opted in (e.g. marketing communications)
You may withdraw consent at any time.
5. Marketing Communications
We will only send marketing communications if:
You have opted in, or
There is a lawful legitimate interest under applicable regulations
You can opt out of marketing communications at any time by using the unsubscribe link or contacting us directly.
6. Sharing Your Data
We may share your personal data with trusted third parties only where necessary, including:
Payment service providers
Courier and delivery companies
IT and website service providers
Professional advisers (accountants, legal advisers)
All third parties are required to handle your data securely and in accordance with data protection law.
We do not sell your personal data.
7. International Data Transfers
Where data is transferred outside the UK, we ensure appropriate safeguards are in place, such as:
Adequacy regulations
Standard contractual clauses
Secure data handling agreements
8. Data Retention
We retain personal data only for as long as necessary for:
Order fulfilment
Legal and accounting obligations
Resolving disputes
Retention periods vary depending on the nature of the data and legal requirements.
9. Your Data Protection Rights
Under data protection law, you have the right to:
Access your personal data
Request correction of inaccurate data
Request deletion of your data (where applicable)
Restrict processing
Object to processing
Data portability
Withdraw consent at any time
To exercise any of these rights, please contact us using the details on our website.
10. Cookies
Our website uses cookies to improve functionality and user experience.
You can control or disable cookies through your browser settings. For more information, please see our Cookie Policy (if applicable).
11. Data Security
We take appropriate technical and organisational measures to protect personal data against:
Unauthorised access
Loss
Misuse
Alteration
However, no online system can be guaranteed to be completely secure.
12. Third-Party Links
Our website may contain links to third-party websites. We are not responsible for the privacy practices or content of those sites.
13. Complaints
If you have concerns about how we handle your personal data, please contact us first so we can address the issue.
You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO):
Website: https://www.ico.org.uk
14. Changes to This Policy
Data Protection – NHS & Public Sector Contracts Status of the Parties
For the purposes of UK data protection law, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018:
Chameleon Scrubs acts as a Data Controller in respect of personal data processed for order fulfilment, account management, invoicing, delivery, and customer communications.
Where Chameleon Scrubs processes personal data strictly on the documented instructions of an NHS Trust or public sector body, we will act as a Data Processor for those limited purposes only.
Compliance with Data Protection Law
Chameleon Scrubs shall:
Process personal data lawfully, fairly, and transparently
Ensure personal data is collected for specified, explicit, and legitimate purposes
Limit processing to what is necessary for contract performance
Take appropriate technical and organisational measures to protect personal data
Ensure staff handling personal data are subject to appropriate confidentiality obligations
Categories of Personal Data
Personal data processed under NHS or public sector contracts may include:
Names and professional contact details of staff
Job titles and department information
Delivery addresses and site contact details
Purchase order references and contract identifiers
Chameleon Scrubs does not process special category data (including health data) on behalf of NHS bodies.
Data Sharing & Sub-Processors
Chameleon Scrubs may engage third-party service providers (including couriers, IT providers, and payment processors) to process personal data where necessary for contract performance.
All sub-processors are:
Contractually bound to process data securely
Restricted to using data solely for the purposes instructed
A list of sub-processors can be made available upon reasonable request.
International Transfers
Where personal data is transferred outside the UK, appropriate safeguards are implemented in accordance with UK GDPR, including adequacy regulations or standard contractual clauses.
Data Retention
Personal data processed under NHS or public sector contracts will be retained only for as long as necessary to:
Fulfil contractual obligations
Meet legal, accounting, and audit requirements
Data will be securely deleted or anonymised when no longer required.
Data Subject Rights
Chameleon Scrubs shall provide reasonable assistance to NHS bodies in responding to data subject rights requests where applicable and within the scope of our processing role.
Data Breach Management
Chameleon Scrubs maintains procedures to identify, report, and manage personal data breaches.
In the event of a personal data breach affecting data processed on behalf of an NHS or public sector body, we shall notify the relevant organisation without undue delay and provide reasonable cooperation to support any required notifications.
Audits & Assurance
Upon reasonable written notice, Chameleon Scrubs shall provide information necessary to demonstrate compliance with data protection obligations, subject to confidentiality, security, and proportionality considerations.
Liability
Nothing in this clause shall:
Require Chameleon Scrubs to accept unlimited liability
Extend liability beyond that permitted under applicable law
Override any agreed contractual limitations of liability
Governing Law
This Data Protection clause shall be governed by and construed in accordance with the laws of England and Wales.
We may update this Privacy Policy from time to time. Any changes will be posted on this page and will take effect immediately upon publication.
