Privacy Policy
MedSkin Studios Clinic is committed to protecting the privacy and security of your personal and sensitive health information.
Information We Collect
We collect various types of personal data, including Special Categories of Personal Data (health data) necessary to provide you with safe and effective aesthetic and medical services.
A. Personal Data
We collect basic contact, identity, and transactional information, such as your name, address, phone number, email address, date of birth, billing details, and your transaction history. When you use our website, we also collect website and technical data (like your IP address and pages visited) through cookies and analytics tools.
B. Special Categories of Personal Data (Health Data)
Since we are a health service provider, we collect sensitive information, including your medical history, allergies, medications, treatment notes, consent forms, and before-and-after photographs. This information is vital for medical diagnosis, treatment planning, and ensuring your safety.
The Legal Basis for Processing Your Data
Under UK GDPR, we must have a lawful reason to use your data.
- Contractual Obligation: We process data to fulfill our contract with you, which includes booking and managing appointments and processing payments for your services.
- Legal Obligation: We process data when necessary to comply with a legal requirement, such as maintaining accurate financial records, complying with mandatory health and safety laws, or responding to lawful requests from regulators (e.g., the CQC).
- Provision of Health or Social Care: For your sensitive medical records (Special Categories of Personal Data), our legal basis is that the processing is necessary for medical diagnosis, the provision of health or social care or treatment, and the management of those systems (Article 9(2)(h)).
- Legitimate Interest: We process data for our justifiable business interests, such as ensuring the security of our IT systems and internal administration, provided your rights are not overridden.
- Consent: We will ask for your explicit consent for specific activities, primarily for: 1) sending marketing/promotional communications and 2) using identifiable visual records (e.g., before/after photos) for promotional purposes. You are free to withdraw this consent at any time.
How We Use and Share Your Information
We use your information to provide treatment, assess your suitability, create safe treatment plans, and ensure continuity of care. We also use it for internal operations like clinical audits, managing our services, and staff training.
Your information is treated as highly confidential, and we will never sell your data. We only share it in limited, necessary circumstances:
- For Direct Care: We may share the necessary information with other healthcare professionals (like your GP or a specialist) where it is required for your continued care.
- To Our Service Providers: We use third-party processors (such as EMR providers, payment systems, and IT support) who are essential for clinic operations. These partners are bound by strict data processing agreements to protect your data.
- As Required By Law: We will disclose information when legally compelled, such as in response to a court order or to regulatory bodies (like the ICO or CQC).
- International Transfer: If we need to transfer your data outside the UK or EEA, we will ensure it is protected by appropriate safeguards (such as ICO-approved standard contractual clauses).
Security and Retention
We use robust technical and organizational security measures (including encryption, password protection, and staff training) to protect your data from unauthorized access or loss. We keep your records only for as long as necessary. Due to medical-legal requirements, health records are typically retained for [Insert your clinic’s specific retention period, e.g., 8-10 years] after your final visit.
Your Rights (UK GDPR)
You have the following rights regarding the personal information we hold about you. You can exercise any of these rights by contacting our Data Protection Contact in writing.
- Right to Access: You have the right to request a copy of the personal information and health records we hold about you.
- Right to Rectification: You can request that we correct any inaccurate or incomplete personal information.
- Right to Erasure (Right to be Forgotten): You may request the deletion of your personal data where there is no legal reason for us to keep it. Please note this right is limited for medical records due to our legal retention obligations.
- Right to Restrict Processing: You can request the temporary suspension of processing in specific circumstances.
- Right to Data Portability: You have the right to receive your data in a structured, electronic format to transmit to another healthcare provider.
- Right to Object: You can object to our processing of your personal data for direct marketing purposes.
- Right to Withdraw Consent: Where we rely on your consent, you have the right to withdraw it at any time.
If you have any questions or concerns about how we handle your personal data, please contact us at Clinic@Medskinstudio.com
This Privacy Policy was last updated on: 12th November 2025