1. Who we are

Nompharma Ltd (Company No. 11764276), trading as “Intaleaf”, is the data controller for the processing described in this notice.
Data protection contact: compliance@intaleaf.com
General enquiries: info@intaleaf.com
Sales/product enquiries: sales@intaleaf.com
Registered Office: Biocity Nottingham, Innovation Building, Pennyfoot Street, Nottingham, NG1 1GF.

2. What data we collect

• Business contact data: names, roles, emails, phones.
• Organisation data: incorporation details, VAT/tax IDs, Licences, registrations.
• Compliance data: AML/KYC (Director/UBO identity and ownership), sanctions/adverse-media results, insurance certificates, GMP/GACP, CoAs, SOP/QMS summaries.
• Transactional data: orders, deliveries, invoices, batch/traceability records.
• Website/IT: technical logs, cookies/analytics (see Cookies section if used).
• Sources: you; your organisation; public registers (e.g., Companies House, MHRA/Home Office), professional advisers; screening providers; logistics/labs.

3. Why we use your data (purposes)

Verify regulatory eligibility and onboard Buyers/Suppliers; run AML/KYC and sanctions screening.

Perform and manage contracts (orders, deliveries, payments) and maintain GDP records (including batch traceability, temperature logs, recalls/complaints).

Meet legal/regulatory obligations (MHRA, Home Office, HMRC, MLR 2017).

Communicate operational updates (licence expiry reminders, compliance requests).

Send B2B product/regulatory updates to corporate contacts (you can opt out anytime).

4. Lawful bases (UK GDPR)

• Contract (Art 6(1)(b)) – onboarding, orders, deliveries, payments.
• Legal obligation (Art 6(1)(c)) – MHRA/Home Office/HMRC, MLR 2017 record-keeping.
• Legitimate interests (Art 6(1)(f)) – operating a compliant wholesale business, preventing diversion, maintaining supply quality, and sending B2B updates to corporate subscribers in line with PECR (opt-out provided).

5. Sharing your data

We share data only as necessary with:

• Regulators: MHRA, Home Office, HMRC and other competent authorities.
• Service providers: secure CRM/hosting, e-signature, logistics/couriers, accredited labs, sanctions/AML screening, insurers, auditors, legal counsel.
• Affiliates: within our corporate group for compliance/operations.

We do not sell personal data.

6. International transfers

If we transfer data outside the UK (e.g., to non-UK suppliers or IT providers), we implement appropriate safeguards such as UK IDTA or UK Addendum to EU SCCs, or rely on adequacy regulations where available. Details are available on request.

7. Retention

We keep personal data no longer than necessary:

• AML/KYC & CDD: generally 5 years from the end of the relationship or the date of the last transaction, and not more than 10 years (Reg. 40 MLR 2017), after which CDD data is deleted unless another law permits/compels longer retention.
• Controlled-drug registers & requisitions (Schedule 2): 2 years from the last entry/date.
• Invoices/financial records: typically 6 years (VAT/finance).
• Contracts/claims files: up to 6 years (Limitation Act).
• Operational GDP records: retained as required to evidence GDP/recall compliance.

Specific periods may vary where a law or regulator requires longer.

8. Security

We use industry-standard measures: role-based access, MFA, encryption in transit/at rest, audit logging, supplier due diligence, and restricted access to compliance files. Incident response and business continuity procedures are in place.

9. Your rights

You may request access, rectification, erasure (where lawful), restriction, objection (including to B2B updates), and portability. To exercise these rights, contact compliance@intaleaf.com (please write “Data Rights Request” in the subject). You also have the right to complain to the ICO.

10. PECR & B2B electronic marketing

We may send operational/product updates to corporate subscribers (work emails at companies) without consent under PECR, relying on our legitimate interests. We will always provide an opt-out in each message.

11. Cookies

If cookies/analytics are used, we will provide a separate Cookies Notice and consent mechanism where required.

12. Updates

We may update this notice. The current version will be available at www.intaleaf.com and will state the effective date.