Privacy policy

Many thanks for visiting our website. Compliance with statutory data protection provisions is particularly important to us. The aim of this data protection policy is to inform you as the user of the website of the nature, scope and purpose of personal data processing and your existing rights, providing you are deemed a data subject as defined by Article 4 section 1 of the General Data Protection Regulation. The following data protection policy has already taken into account new developments in line with the General Data Protection Regulation (GDPR), which applies from 25.5.2018.

This website and the services offered are operated by:

Oraphim Ltd

Oraphim Studios

Grange Lane



Tel: 007762703578

We have developed the website in such a way as to ensure we collect as little data from you as possible. It is possible in principle to visit our website without entering any personal data. The processing of personal data is only necessary if you decide to use certain services (e.g. using the contact form). In doing so, we make sure at all times that we only process your personal data in accordance with a legal basis or consent given by you. We adhere to the provisions of the General Data Protection Regulation (GDPR), applicable from 25.5.2018, and the relevant applicable national regulations and other special legislation on data protection.

In accordance with GDPR, the terms used in this data protection policy are defined as follows:
‘personal data’ any information relating to an identified or identifiable natural person (hereinafter referred to as ‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

‘processing’ any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

‘restriction of processing’ the marking of stored personal data with the aim of limiting their processing in the future;

‘pseudonymisation’ the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;

‘controller’ the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

‘processor’ a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

‘recipient’ a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;

‘third party’ a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;

‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

When you visit our website, we will sometimes collect certain personal data concerning you. We require your consent to do this. This takes place in the first instance in our dialogue and service area, specifically when contact is made via a contact form or newsletter subscription, when booking queries are made, or when our services are used (e.g. pregnancy calendar or subscription service).

Declaration of consent

By using the forms we provide, you hereby consent to us collecting the personal data you provide and processing it as indicated in this data protection policy. You may withdraw this consent at any time with effect for the future by providing us with a relevant statement. However, please note that it is no longer possible to use our service without your consent. To withdraw, please use the above methods of contact (in that instance, please state your name, email and postal address).

Purpose and legal basis of personal data processing
We process personal data required to legitimise, perform or process our service offering using Article 6, section 1b GDPR as our legal basis. If we use external service providers as part of commissioned data processing, the legal basis for the processing shall be Article 28 GDPR.
We collect, process and use the personal data exclusively for the following purposes:

| Purpose of data processing | Legal basis for data processing (‘why is data processing required’) |
| --- | --- |
| when contact is made and for related correspondence | based on your consent |
| dealing with your request and to provide you with any additional advice you require | based on your consent |
| sending our newsletter, the subscription service | based on your consent |
| to ensure that our website is presented to you in the most effective and interesting way (e.g. through anonymised evaluation) | based on legitimate interests |
| for technical implementation of our services | based on legitimate interests |
| registration as a Weleda user; taking part in product reviews | based on your consent |
| participation in competitions | based on your consent |


Personal data collected and processed

We only collect and process your personal data when it is freely provided by you with your knowledge e.g. by completing forms or sending emails.
This initially concerns the following data in the forms provided:
General contact information:

  • First Name
  • Surname
  • Telephone number
  • Email address
  • Street
  • House number
  • Postcode
  • Town/city
  • Message

Oraphim newsletter:

  • Email address

Oraphim order:

  • First name
  • Surname
  • Telephone number
  • Email address
  • Street
  • House number
  • Postcode
  • Town/city

Oraphim user account:

  • First name
  • Surname
  • Email address
  • Password

The personal data you provide and the content thereof shall remain exclusively with us. We shall only store and process your data for the purposes stated in clause 5. Any use beyond the indicated purpose requires your express consent. The same also applies to the transfer and transmission of your data to third parties.

General log files

The connection data for the querying computer (IP address), which of our pages you visit, the date and duration of your visit, the identification data of the browser and operating system type used, the website you are visiting us from and successful access are temporarily recorded by the web server in protocol files (log files). Technical administration of websites and anonymous collection of statistics allows evaluation of access to the Weleda service and evaluation aimed at improving data protection and data security within our company, in order to ultimately ensure an optimum level of protection for the personal data we process.
The server log file data is stored separately from all the personal data you enter for a period of 12 months for analytical purposes, before being erased.


On our website, information is collected and stored using what are known as browser cookies.


What are cookies?

Cookies are small text files which are stored on your data carrier and store certain settings and data for interacting with our system via your browser. A cookie usually contains the name of the domain that the cookie data was sent from, information on the age of the cookie and an alphanumeric identification code.


Why do we use cookies?

Cookies allow our systems to recognise the user’s device and make any predefined settings available immediately. Once a user accesses the platform, a cookie is transmitted to said user’s computer hard disk. Cookies help us to improve our website and provide you with a better service more tailored to you. They allow us to recognise your computer and/or (mobile) end device if you return to our website, thus enabling us to:

  • Store information on your preferred activities on the website and thus align our website to your individual interests.
  • Speed up processing of your queries.

We work together with third-party services that help us make the online service and website more appealing to you. Accordingly, when you visit the website, cookies from these partner companies (third-party providers) are also stored on your hard disk. These cookies are automatically erased after a fixed period.


Can I decide whether cookies are used?

If you do not wish browser cookies to be used, you can adjust the settings for the cookies used on this end device as you wish at any time, by clicking on the cookie settings. Alternatively, you can adjust your browser’s settings to prevent it from accepting the storage of cookies. Please note that in that case, you may only be able to use our website to a limited extent, or not at all. If you only wish to accept our own cookies, not those of our service providers and partners, you can select the setting ‘block cookies from third-party providers’ in your browser. We accept no responsibility for the use of third-party cookies.


| Cookie Name | Description | Duration |
| --- | --- | --- |
| Session cookies | Session cookies are used by the server to store information about the user’s page activities. The anonymous identifier of the current session is encrypted in the session cookies, and they do not contain any personal information in unencrypted form. | The session cookie is stored in temporary memory and is removed when the user closes the web browser. |
| Authentication cookies | Authentication cookies contain the heavily encrypted identifier of the authenticated website visitor (shop account): ASPXAUTH_SS for non-secure (HTTP) pages and ASPXAUTH_SS_s for secure (HTTPS) pages. | The expiration date of the authentication cookie depends on whether the user selected the ‘Remember me’ option while logging in to the web store. If not selected, the authentication cookie is deleted when the web browser is closed. If ‘Remember me’ is selected, the expiration date of the authentication cookie is set to 30 days. |
| Anti-forgery cookies | Anti-forgery cookies are used to prevent CSRF attacks. They guarantee that the user is the one who initially requested the page form, and prevent anybody from forging a link and having it activated by an authenticated user. | Anti-forgery cookies are removed when the user closes the web browser. |
| Basket cookies | Basket cookies contain the encrypted anonymous identifier of the visitor’s basket and do not contain any personal information in unencrypted form. | The basket cookie is stored for 3 days. |
| Last viewed products cookies | This cookie is used to store information about the last viewed products that are shown at the bottom of the product and product list pages. | The last viewed products cookie is removed when the user closes the web browser. |


Integration of third-party content and services

Our website uses content and services from other providers. These include, for example, maps and videos provided by Google Maps and YouTube. The IP address must be transmitted in order to ensure that this data can be accessed and displayed in the user’s browser. The providers (hereinafter referred to as ‘third-party providers’) therefore use the user’s IP address.

Although we endeavour only to use third-party providers which only require the IP address to provide content, we have no influence on whether the IP address may be stored. This process may take place for statistical purposes, among others. If we become aware that the IP address is stored, we shall inform you.

Use of Google Analytics

This website uses Google Analytics, a web analytics service from Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (‘Google’).

Google Analytics also uses cookies, i.e. text files which are stored on your computer and enable analysis of your use of the website. The information extracted by the cookie regarding your use of this website is usually transferred to a Google server in the USA and stored there.

IP anonymisation is activated on our website, meaning that your IP address is shortened in advance by Google within the member states of the European Union or other contracting states of the Agreement on the European Economic Area. The full IP address is only transferred to a Google server in the USA and shortened there in exceptional cases. In these exceptional cases, in accordance with Article 6 section 1 GDPR, this processing is based on our legitimate interest in statistical analysis of user behaviour for optimisation and marketing purposes.

Google will use this information on our account to evaluate your use of the website, compile reports on website activities and provide additional services associated with website use and Internet use to us as the website operator. The IP address transmitted by your browser as part of Google Analytics is not combined with other data from Google.

You can prevent the storage of cookies using the relevant setting in your browser software; however, please note that in this case, you may not be able to use all functions of this website to their full extent.

You can also prevent the collection of the data extracted by the cookie concerning your use of the website (including your IP address) at Google and the processing of this data by Google by downloading and installing the browser plug-in available at the following link:

Google LLC, with its headquarters in the USA, is certified for the US-European ‘Privacy Shield’ data protection framework, which guarantees compliance with the level of data protection applicable in the EU.

For more information on how user data is used in Google Analytics, please see Google’s Privacy Policy:

You can find Google’s Privacy Policy at:

Use of Google Maps

On this website, we also use Google Maps (API), provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (‘Google’). Google Maps is a web service which displays interactive maps in order to display visual representations of geographical information. This service is used to show you our location and make it easier to get to us.

When you access the subpages featuring integrated Google Maps, information on your use of our website (such as your IP address) is sent to Google servers in the USA and stored there. This occurs irrespective of whether you are logged into a user account provided by Google or you do not have a user account. If you are logged into Google, your data is directly assigned to your account. If you do not wish it to be assigned to your Google profile, you must log out before activating the button.

Google stores your data (even for users who are not logged in) as usage profiles and evaluates these. Any such evaluation occurs, in accordance with Article 6 section 1f GDPR, based on Google’s legitimate interest in placing personalised advertising, market research and/or needs-based design of its website. You have the right to object to the creation of these usage profiles. To exercise this right, you must approach Google.

Google LLC, with its headquarters in the USA, is certified for the US-European ‘Privacy Shield’ data protection framework, which guarantees compliance with the level of data protection applicable in the EU.

If you do not agree to your data being transmitted to Google in future in conjunction with the use of Google Maps, you can also fully deactivate the Google Maps web service by turning off the JavaScript application in your browser. Google Maps and the map display on this website can then no longer be used.

You can view Google’s terms of use at Additional terms of use for Google Maps can be found at

Detailed information on data protection in conjunction with the use of Google Maps can be found on Google’s website (‘Google Privacy Policy’):

Use of retargeting tools

On our website, we use what is known as retargeting technology. We use retargeting to categorise website users into user groups. Depending on the user group, we then address website visitors on other websites or in apps with personalised advertising regarding our products and services.

To do so, we use the following products, which are supplied to us by service providers:
‘Facebook Custom Audience’/‘Facebook Pixel’/‘Google AdWords User Lists’/‘Google Dynamic Remarketing’

‘Facebook Custom Audience’/‘Facebook Pixel’

‘Facebook Custom Audience’ and ‘Facebook Pixel’ are products of Facebook Ireland Ltd., Hanover Reach, 5-7 Hanover Quay, Dublin 2, Ireland (‘Facebook’). Our website uses a ‘Facebook Pixel’ from Facebook which creates a direct connection to the Facebook servers. The fact that you have visited our website is therefore transmitted to the Facebook server. Facebook assigns this information to your personal Facebook user account, if you have such an account and are logged into it. If you visit other websites which use ‘Facebook Custom Audience’/‘Facebook Pixel’, this information is also linked to your user account. However, we cannot see which other websites you visit. If you are not a Facebook user or you are not logged in to Facebook when you visit our website, your visit to our website is not assigned to a Facebook user account.

For more information on the protection of your privacy at Facebook, please see Facebook’s privacy information at In particular, you can manage the content and information you have shared through your use of Facebook via the ‘Activity log’ tool.

Browser settings

Most internet browsers are automatically set up to accept cookies, but you can set your browser to refuse a cookie or ask your browser to show you where a cookie has been set up. Certain services are only activated by the presence of a cookie and, if you choose to refuse cookies, particular features of this site may not be available to you.

Find out how to disable/enable cookies by clicking on the “Manage Cookies” section of the Interactive Advertising Bureau UK Site on the following link


How secure are my personal and credit card details?

We know that security is one of the main concerns when buying on the internet. So when researching hosts for the Weleda site, ‘the best security available’ was top of the list of essentials. We are pleased to confirm that to our knowledge the security provided is the best available. The site is PCI DSS Compliant to Tier 1 – which ensures unbeatable security & protection of sensitive customer information including credit cards.

Why do I need to enter my email address?

We use your email address as a means of identification, as this is totally unique to you.

Why do I need a password?

When you create a password it allows you to access your account information. Your password is unique to your email address and ensures that your account details remain secure. You can access your account information at any time to edit any of your account details. Each time you return to this site, remember to sign in using your email and password.

Why do I need to log in again even though I have already?

If you have been through to Checkout and then gone back to shop, the website will ask you to log in again. This is to ensure security is maintained because credit card details are added at Checkout so that area needs to be kept safe. The site is PCI DSS Tier 1 compliant. The Payment Card Industry Data Security Standard (PCI DSS) is a security standard which at Tier 1 Certification and compliance ensures unbeatable security & protection of sensitive customer information including credit cards.

PCI Overview

The Payment Card Industry Data Security Standard (PCI DSS) is a security standard which at Tier 1 Certification and compliance ensures unbeatable security and protection of sensitive customer information including credit cards.

The requirements for Tier 1 Certification include:

  • Security management policies;
  • Security policies;
  • Security procedures;
  • Network architecture;
  • Software design;
  • Critical Protective Measures.

Websites go through a rigorous INDEPENDENT audit and significant investment to attain Tier 1 PCI DSS certification. The purpose is to ensure that their customers’ data is as safe as possible when they purchase products online.


Verified by Visa Overview

Verified by Visa, also known as 3-D Secure, is an extra level of security developed by Visa and MasterCard to improve the security of payments and transactions offered to customers over the Internet. When you initiate a transaction using one of these card issuers you will be redirected to the website of your card-issuing bank to authorise the transaction. You will have to enter your password, or create one if you don’t already have one, which will then redirect you back to our site to complete your order. If you are creating a password, you can then use this password on any other site that uses 3-D Secure technology. Please note: this password is separate from the one you use to log in to our site.