Privacy policy

This Privacy Policy is provided by A Nelson & Co Limited ("we", "us", “Nelsons”, or "our") on
behalf of the Nelsons corporate group, as further described below.

We want you to feel comfortable using our website and services.

Last modified: 13.10.2025

Nelsons is deeply committed to protecting your privacy, which is why we have set out this Privacy Policy describing the information we collect and what may happen to that information.

This Privacy Policy describes the types of personal data we may collect from you or that you may provide when you visit www.nelsons.com (our “Website”), purchase our products, receive services from Nelsons Pharmacy (our “Pharmacy”) or interact with us in any other way. It also explains how we collect, use, store, protect and disclose that information. Please see the section titled ‘Useful words and phrases’ at the end of this Privacy Policy for explanations of the defined terms used in this Privacy Policy.

If you have any queries about your personal data, please contact us by email at dataprotectionofficer@nelsons.com.

Please be aware that if you share personal information with us via social media channels (such as X, Facebook or Instagram), we cannot guarantee they will keep your personal data as secure as we do. Instead, we recommend that you contact us directly using the emails provided throughout this Privacy Policy.

Key Summary:

This Privacy Notice applies to website users, customers, Nelsons Pharmacy patients, suppliers, participants who enter into competitions or respond to surveys, journalists and social influencers.

We use cookies to collect statistical data which helps us to understand clients' needs and provide a better service. Please see our Cookies Policy in the Website footer for more information.

We process your personal information to:

  • present our Website and its contents to you;
  • provide you with information, products or services that you request from us;
  • enable our Pharmacy and/or our authorised third party logistics partner, CPG Logistics, to fulfil your order using the personal information you provide, including your name, address, telephone number and email address;.
  • to notify you of deliveries for your orders;
  • carry out our obligations under any contract entered into between you and us (for example: where you make a purchase from our site, our Terms of Supply);
  • send you information about our products or services we believe will be of interest to you, if you consent to us doing so;
  • to invite you to leave a product or service review after a purchase on our website;
  • allow you to participate in the interactive features of our service and website, when you choose to do so;
  • manage any competition or prize draw you have entered into;
  • to use agency fraud detection to screen credit card details prior to accepting payments for goods
  • carry out research if you have responded to one of our surveys
  • ensure that content from our site is presented in the most effective manner for you and your device
  • manage public relations, if you are a journalist or social media influencer
  • notify you about changes to our service; and
  • comply with a legal or regulatory obligation.

Scope of this Privacy Policy:

This Privacy Policy applies to information we collect:

  • On this Website or directly from you offline as described in the Key Summary and throughout this Privacy Policy.
  • In email, text and other electronic messages between you and us.
  • Through mobile and desktop applications you use or download from this Website, which provide dedicated non-browser-based interaction between you and this Website.
  • This Privacy Policy does not apply to information collected by:
  • Any other website
  • Any third party, including through any application or content (including advertising) that may link to or be accessible from or through the Website.

About Us:

A Nelson & Co Limited is a company registered in England & Wales under number 249879, with its registered office at Nelsons House, 83 Parkside, Wimbledon, London, SW19 5LP. Nelsons acts as a controller under the European and UK General Data Protection Regulation (GDPR) and is registered with the ICO under registration number Z8497184.

We are responsible for looking after the personal data you give to us and take your privacy very seriously. We ask that you read this Privacy Policy carefully as it contains important information about our processing and your rights.

If you need to contact us about this Privacy Policy, please use the details below:

  • Address: Nelsons House, 83 Parkside, Wimbledon, London, SW19 5LP
  • Telephone number: +44(0)20 8780 4200
  • Email: dataprotectionofficer@nelsons.com 

If you would like this Privacy Policy in another format (for example: audio, large print, braille), please contact us.

What Personal Data Do We Process?

We collect several types of information from and about our customers, users of our Website and other individuals we interact with, as outlined below.

We will collect this information:

  • Directly from you when you provide it to us;
  • Automatically as you navigate through the site.
  • From third parties who provide it on your behalf; and

Information you provide to us:

We will process the information you provide to us when you:

  • use our website,
  • create an account on our Website,
  • purchase a product, book a consultation or complete an order in our Pharmacy or on our website,
  • subscribe to any of our services,
  • post material on social media,
  • request further services,
  • enter a competition or promotion run by us,
  • participate in the interactive features of our service and website, including responding to surveys, quizzes and forms;
  • report a problem with our site;
  • sign up to receive marketing communications from us.

We will also process the information you provide when you contact us for any reason, including:

  • any information you share via email or phone and any opinions or personal data you put in emails;
  • through consultations and our other services listed on the ‘Speak to an expert’ page; and
  • Records and copies of your correspondence (including email addresses).

The personal data that you provide to us might consist of:

  • the country you are based in,
  • your account credentials,
  • your first and last name,
  • your address,
  • cart contents,
  • the products you order,
  • credit card details,
  • payment and purchase history,
  • delivery/pick choices made for orders,
  • e-mail address,
  • telephone number,
  • your occupation,
  • competitions / prize draws, and other promotional activities you take part in,
  • opinions and any other information you share with us or others share with us about you.

You also may provide information to be published or displayed (hereinafter, "posted") on public areas of the Website and our other platforms (including social media); you may also transmit your information to other users of the Website or third parties (collectively, "User Contributions"). Your User Contributions are posted on and transmitted to others at your own risk. Please be aware that no security measures are perfect or impenetrable. Additionally, we cannot guarantee the security of third party platforms or control the actions of other users with whom you may choose to share your User Contributions. Therefore, it is best to minimise the personal information you include in such posts.

If you are a journalist/social media influencer in addition to the above, we also collect the following information: your place of work, interests, online presence and content displayed across your social media channels.

If you are a supplier or a business partner or work for one of our suppliers or business partners, we will process business contact details about you such as your name, position, email and phone number and any other personal data about you provided via email or phone by you or the organization you work for.

Information collected through automatic data collection technologies:

We may use automatic data collection technologies to collect certain information about your equipment, browsing actions, and patterns when you use our site including:

  • Details of your visits to our Website, including traffic data, location data, weblogs, and other communication data and the resources that you access and use on the Website.
  • Information about your computer and internet connection, including your IP address, operating system, and browser type.

The technologies we use for this automatic data collection may include Cookies (or browser cookies). We use cookies to collect statistical data, for example IP addresses of those who visit our Website. Please see our Cookies Policy in the footer for more information.

Personal information provided by third parties:

We might receive personal data about you from you, or when others provide this data to us. We might also receive personal data about you when you or others make such information publicly available.

We may also process personal data we receive or collect from other organisations, including those listed in the section titled “Who will have access to your personal data?” below.

We may also collect your personal data through Instagram and LinkedIn when you use tools to tag us and mention us in your posts and comments through your accounts on these platforms, and when you provide us with your personal data on our accounts on these platforms, e.g. when you comment on one of our posts on Instagram.

If you are a supplier or a business partner or work for one of our suppliers or business partners, we will process personal data about you which you provide to us or that the organization you work for provides to us or that any other third party provides to us.  

If you are a journalist, or a social influencer, we do collect data from third parties such as Sprout Social who will provide us publicly available information about you.

What Special Categories of Data Do We Process?

We might process such data about you including data related to your health conditions, medical records and prescriptions. We will also process any special categories of data you provide to us or another person provides to us about you.

If information about you has been provided to us by another person, we will generally process your personal data on the basis of our legitimate interests in running our business, including the commercial benefits in providing our services and products. If the information provided to us by another person includes health data, Nelsons Pharmacy will process that health data for health care purposes under the health and social care purposes lawful basis and conditions, as a registered pharmacist (GPhC registration number: 1106255).

Personal information about other individuals:

If you provide us with information about other individuals (e.g. a member of your family), please make sure you have informed them and they are comfortable with you sharing the relevant information about them with us.

Why We Process Your Personal Data & Legal Bases:

Please see below for the purposes for which we use your personal data and the lawful bases we rely on.    

Purpose/Activity

 Lawful basis for processing

To allow you to use and interact with our website

Our legitimate interests in making our website available to the public, including the promotional benefits for our business

To process and deliver your order including to manage payments, fees and charges

In order to take steps prior to entering into a contract with you and/or for the performance of a contract with you

To manage our relationship with you which will include notifying you about changes to our service, terms or privacy notice

(a) Performance of a contract with you

(b) When we are legally required to notify you of a change, we will notify you because it is necessary for us to comply with the relevant legal obligation

To run our everyday operations, for example, enable communications between members of our team and different suppliers in connection with the provision of our products and sharing data with service suppliers that aid the operation of our business

Our legitimate interests in running our business, including our commercial and financial benefits

To aggregate information about you so that the aggregated information can be shared with members of our group, associated companies and marketing partners

The legitimate interests of the data recipients including the facilitation of their business development efforts

To comply with our legal obligations, for example, in connection with requirements relating to invoicing, tax and financial accounts

To comply with a legal obligation we are subject to

To respond to communications, including customer support queries from individual customers

Our legitimate interests in creating and maintaining our customer relationships, including our commercial interests in these relationships

To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)

Our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganization or group restructuring exercise)

To investigate and report on potential personal data breaches or fraudulent use of our systems or services (including product delivery and return services)

To comply with our legal obligations

To deliver marketing communications to you

Your consent

To manage a competition or prize draw you have entered into

Your consent

To use data analytics to improve our website, services, customer relationships and experiences

(a)  Your consent, when the processing relates to the use of cookies and similar technologies

(b) Our legitimate interests in improving our website and services, when the processing relates to other activities involving analytics

To establish, exercise or defend legal claims or to otherwise interact with courts and other authorities

 a) Compliance with a legal obligation we are subject to

b) Our legitimate interests in establishing, exercising or defending legal claims or in otherwise interacting with courts and other authorities, including following their instructions

To administer an investment in, sale or possible investment in or sale of the whole of or part of our business or the restructuring of our business

Our legitimate interests in facilitating any such possible or actual transaction or restructuring, including our commercial interests

To facilitate our relationship with you as a supplier, business partner, journalist or influencer or if you work for a corporate supplier or business partner including an advertising partner, to facilitate our relationship with that organisation

Our legitimate interests in facilitating our relationship with you or the organisation you work for


We will also provide members of our group and any associated companies and marketing partners with aggregate information about our users (for example, we might inform them that 500 men aged under 30 clicked on a particular link on any given day). We will also use such aggregate information to help members of our group, associated companies and marketing partners reach the kind of audience they want to target (for example, women in SW1).

We may also process your personal data for additional purposes if such purposes are compatible with those listed above and if we believe that the same lawful basis applies.

In certain circumstances, you may be obliged to provide us with your personal data under a statutory or contractual requirement. This might include, but is not limited to, personal data we require to enter into an agreement with you or the organisation you work for; for tax and accounting purposes; and to enable us to fulfil our compliance and other obligations under relevant legislation or regulation. Failure to provide us with personal data required under a statutory or contractual requirement may prevent us from entering into or performing our obligations under a contract with you or your business.

Legal bases for Special Categories of Data:

We are allowed to process your special categories of personal data for the following legal bases:

Health care services:

Nelsons Pharmacy is a registered pharmacist (GPhC registration number: 1106255) under the Pharmacy Order 2010 (S.I. 2010/231) and may process special categories of personal data for the provision of health care under the health or social care basis, and under the health or social care purposes condition of the Data Protection Act 2018. 

In limited circumstances, if we need to process your data to provide you with health care services, pursuant to a contract with one of our practitioners, who, according to law, is subject to a duty of secrecy or is a registered health professional.

Consent:

You have given your explicit consent.

Legal claims:

We need to process your personal data if we are required to process your personal data to defend or establish a legal claim or within the scope of the courts acting in their judicial capacity.

Vital interests:

When the processing is necessary to protect your vital interests or those of another person, when you or another person are incapable of giving consent.

Scientific, statistical or historical research purposes:

When the processing is necessary for archiving purpose in the public interest, for scientific purposes or statistical purposes based in an act of law.

Change of Purpose:

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.

If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

Who Will Have Access to Your Personal Data?

We may share your personal data with third parties.

The section below lists some of our key service providers that act as our processors who, if necessary, will have access to your personal data (including special categories of data). If you would like to know the names of our other service providers (e.g. IT service providers), please contact us using the details provided in the ‘About Us’ section of this Privacy Notice.

Processors:

  • Shoppay provides secure payments for online purchases.
  • Shopify hosts our Website
  • Appointly is a Shopify app that enables the book a consultation feature.
  • Mailchimp and Klaviyo as data processors for the Nelsons' Pharmacy newsletter.
  • Trustpilot provides independent product and service reviews.
  • EposNow provides till system services.
  • Retail Merchant Service provide Payment System and Payment Clearance services.
  • Sprout Social as a provider of software for social media management, social advocacy, social analytics, and social listening.
  • CPG as the third party warehouse are provided with your name, delivery address and telephone number to enable order fulfilment.

Controllers:

We share your personal data internally within the Nelsons corporate group, this being our ultimate holding company and its subsidiaries who act as separate controllers of your personal data as follows:

  • Nelson & Russell Holdings Limited;
  • A Nelson & Co Limited;
  • Spatone Limited;
  • Bach Flower Remedies Limited;
  • Nelson Pharmacies Limited (Nelsons Pharmacy);
  • Nelsons GmbH;
  • Laboratoire Famadem;
  • Nelson Bach (USA) Limited;
  • Nelson Bach Australia Pty Ltd.

Other disclosures of your information:

We may also need to disclose your personal information to third parties:

  • In the event that we sell or buy any business or assets, in which case we would disclose your personal data to the prospective seller or buyer of such business or assets.
  • If we or substantially all of our assets are acquired by a third party, in which case personal data held by us about our customers will be one of the transferred assets.
  • If we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply our terms of use or terms and conditions of supply and other agreements; or to protect the rights, property, or safety of Nelsons, its customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
  • to comply with any court order, law, or legal process, including to respond to any government or regulatory request.
  • Freelancers operating our social media accounts.
  • Analytics tools and agencies like Swanky agency, Dashworx agency, Polar Analytics, Google analytics (GA4), Meta (including Meta Pixel, Business Suite, Events Manager and Ads Manager), TikTok (including TikTok Business Suite and Ads), Funnel and Elevar.
  • Independent practitioners offer a range of therapies at Nelsons Pharmacy and are responsible for the processing of a patient / customer’s personal data from the moment the patient / customer has been in contract with the independent practitioner.

Third Party Marketing:

We will get your express consent before we share your personal data with any third party for their own direct marketing purposes. 

Aggregated, non identifying data:

We may disclose aggregate information about our users, and information that does not contain any personal data, without restriction.

Transfers of your personal data outside the UK and EEA:

The data that we collect from you might be transferred, and stored outside the European Economic Area ("EEA") and/or the UK, for example,:

  • when it is necessary to be processed by staff operating outside the UK and/or EEA who work for us
  • because we have suppliers who are multinational companies, or are located out of the UK and/or EEA, or have staff working from different locations.

This is mainly because they are engaged in the fulfilment of your order, the processing of your payment details and the provision of support services. 

We are under an obligation to ensure that your personal data is only shared as permitted under European and UK Data Protection Laws. In most of the cases we have agreements in place which are approved by the UK government (for example, the international transfer addendum) and/or European Commission (the standard contractual clauses). If you want to know more about how data is transferred, please contact us using the details in the section above.

How We Keep Your Personal Data Secure:

We implement appropriate technical and organisational measures in order to protect your personal data against accidental or unlawful destruction, accidental loss or alteration, unauthorised disclosure or access and any other unlawful forms of processing. We aim to ensure that the level of security and the measures adopted to protect your personal data are appropriate for the risks presented by the nature and use of your personal data. We follow recognised industry practices for protecting our IT environment and physical facilities. 

Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our Website; any transmission is at your own risk. 

Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.

When Will We Delete Your Data?

Our main rule is not to keep your data for longer than we need to in order to meet all the purposes we included in the section "Why do we process your personal data?”.

For example, if you buy our products online, we will keep your data for the time we need it to place the order and deliver them; then, we will keep that data if we need it to comply with a legal obligation, or for research or statistics purposes, but if we do not need all the data you provided then, we will delete the remaining data. For most purposes and legal obligations, we have a retention period of 7 years.

In general, we have set out that the following categories of personal data and special categories of data will be kept for the following periods.

Personal data/special categories of data:

  • Contact details of users -  we will automatically remove your personal data from our systems if you have not purchased from us in the prior two years.
  • Medical records and contact details of Pharmacy customers/patients - we will retain your personal data for as long as it is required by law.

Your Rights:

As a data subject, you have the following rights under the Data Protection Laws:

  • the right to object to processing of your personal data;
  • the right of access to personal data relating to you (known as data subject access request);
  • the right to correct any mistakes in your information;
  • the right to ask us to stop contacting you with direct marketing and object at any time to the processing of your personal data for that purpose. We include an ‘unsubscribe’ option in all our marketing communications which you can use if you would like to stop receiving marketing emails from us;
  • the right to prevent your personal data being processed;
  • the right to have your personal data ported to another controller;
  • the right to withdraw your consent;
  • the right to erasure;
  • rights in relation to automated decision making.

These rights are explained in more detail below. If you want to exercise any of your rights, please contact us using the details provided in the ‘About Us’ section.

We will respond to any rights that you exercise within a month of receiving your request, unless the request is particularly complex or you have made a number of requests, in which case we will respond within three months.

Please be aware that there are exceptions and exemptions that apply to some of the rights which we will apply in accordance with the Data Protection Laws.

Right to object to processing of your personal data:

You may object to us processing your personal data where we rely on a legitimate interest as our legal grounds for processing.

If you object to us processing your personal data we must demonstrate compelling grounds for continuing to do so. We believe we have demonstrated compelling grounds in the section headed "How is processing your personal data lawful".

Right to access personal data relating to you:

You may ask to see what personal data we hold about you and be provided with:

  • a copy of the personal data; 
  • details of the purpose for which the personal data is being or is to be processed; 
  • details of the recipients or classes of recipients to whom the personal data is or may be disclosed, including if they are overseas and what protections are used for those overseastransfers; 
  • the period for which personal data is held (or the criteria we use to determine how long it is held); 
  • any information available about the source of that data; and 
  • whether we carry out an automated decision-making, or profiling, and where we do information about the logic involved and the envisaged outcome or consequences of that decision or profiling. 
  • confirmation that we process your personal data and a copy of such personal data. We may also refer you to this Privacy Notice for supplementary information.

To help us find the information easily, please provide us as much information as possible about the type of information you would like to see.

Right to correct any mistakes in your information:

You can require us to correct any mistakes in your information which we hold. If you would like to do this, please let us know what information is incorrect and what it should be replaced with.

Right to restrict processing of personal data:

You may have the right to request that we stop processing your personal data temporarily if:

  • you do not think that your data is accurate and we are verifying the accuracy of the data. We might start processing again once we have checked whether or not it is accurate;
  • the processing is unlawful and you do not want us to erase your data;
  • we no longer need the personal data for our processing, but you need the data to establish, exercise or defend legal claims; or
  • you have objected to processing because you believe that your interests should override our legitimate interests.

Right to data portability:

You may have the right to ask for an electronic copy of your personal data which we hold electronically and which we process for purposes of a contract with you or on the basis of your consent. You can also ask us to provide this data directly to another party.

Right to withdraw consent:

If the lawful basis we rely on for processing your data is consent, you may withdraw your consent  at any time. This means that we will not be able to carry out any processing which requires use of that personal data. Please email us at dataprotectionofficer@nelsons.com to withdraw consent for the processing of your personal data.

Right to erasure:

You can ask us to erase your personal data where:

  • you do not believe that we need your data in order to process it for the purposes for which it was originally collected or processed;
  • you had given us consent to process your data, you withdraw that consent and we cannot otherwise legally process your data;
  • you object to our processing and there is no overriding legitimate interest for us to continue to process your data;
  • we have to erase your personal data to comply with a legal obligation; or
  • your data has been processed unlawfully or has not been erased when it should have been.

Rights in relation to automated decision making:

You have the right to have any decision that has been made by automated means and which has a significant effect on you reviewed by a member of staff and we will consider any objections you have to the decision that was reached.

What will happen if your rights are breached?

You may be entitled to compensation for damage caused by contravention of the Data Protection Laws.

Complaints to the regulator:

It is important that you ensure you have read this Privacy Policy. If you do not think that we have processed your data in accordance with this Privacy Policy, you should let us know as soon as possible. You have a right to complain to your supervisory authority. In the UK this is the ICO. Information about how to do this is available on the ICO website at ico.org.uk

Your Acceptance and Changes to this Privacy Policy:

The latest version of this privacy notice can always be found in the footer of our Website.

We may update this Privacy Policy from time to time. If we make material changes that affect how we process your personal data, we will take reasonable steps to notify you, for example by posting a notice on our website when changes are made or sending you an email where appropriate.

If you do not agree with our policies and practices, your choice is not to use our Website. By accessing or using our Website, including after being notified of any material changes, you are deemed to have accepted this Privacy Policy and any subsequent updates. Please check this Privacy Policy periodically to stay informed of any changes.

Useful Words and Phrases:

Please familiarise yourself with the following words and phrases (used in bold) as they have particular meanings in the Data Protection Laws and are used throughout this Privacy Notice:

  • Controller:
    This means any person who determines the purposes for which, and the manner in which, any personal data is processed.
  • Data Protection Laws:
    This means the laws that govern the handling of personal data. This includes the UK General Data Protection Regulation, General Data Protection Regulation (EU) 2016/679 and any other national laws implementing that Regulation or related to data protection.
  • Data subject:
    The person to whom the personal data relates.
  • ICO:
    This means the UK Information Commissioner's Office, which is responsible for implementing, overseeing and enforcing Data Protection Laws.
  • Personal data:
    This means any information from which a living individual can be identified. This includes information such as telephone numbers, names, addresses, e-mail addresses, photographs and voice recordings. It also includes expressions of opinion and indications of intentions about data subjects (and their own expressions of opinion/intentions).It also covers information which on its own does not identify someone but would if put together with other information which we have or are likely to have in the future.
  • Processing:
    This covers virtually anything anyone can do with personal data, including: obtaining, recording, retrieving, consulting or holding it; organising, adapting or altering it; disclosing, disseminating or otherwise making it available; and aligning, blocking, erasing or destroying it.
  • Processor:
    This means any person who processes personal data on behalf of the controller.
  • Special categories of data:
    This means any information relating to: racial or ethnic political opinions; religious beliefs or beliefs of a similar nature; trade union membership; past, current or future physical or mental health status or condition sexual life; genetic data or biometric data for the purpose of uniquely identifying you.
  • You:
    A living individual including users and people (and any other relevant person to whom this privacy policy applies) about whom the personal data is processed.