PRIVACY POLICY

A LEGAL DISCLAIMER

Haus of Ästhetik Ltd is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, store, and protect personal data when you interact with our website, services, and Subject Access Request (SAR) processes.


This policy is written in accordance with:

  • UK General Data Protection Regulation (UK GDPR)

  • Data Protection Act 2018

  • CQC Regulation 17 (Good Governance)

  • Save Face Code of Practice


This Privacy Policy should be read alongside our Website Terms and Conditions, Refunds & Returns Policy, and Cookie Policy.

POLICY - STATEMENT

2. Who We Are

Haus of Ästhetik Ltd operates as a private aesthetics and skincare clinic providing elective, non-surgical cosmetic and wellbeing treatments.


For the purposes of the UK General Data Protection Regulation, Haus of Ästhetik Ltd is the data controller in respect of personal data processed through this website, our clinical systems, and associated communication channels.


3. Scope of This Policy

This Privacy Policy applies to the processing of personal data relating to:

  • Visitors to our website

  • Individuals making enquiries or bookings

  • Patients and service users

  • Individuals submitting a Subject Access Request

  • Individuals communicating with us via online forms, email, telephone, or website chat


This policy does not apply to third-party websites or systems that may be linked to from our site, which operate under their own privacy policies.


4. Personal Data We Collect

We collect and process only personal data that is necessary, relevant, and proportionate to the purposes for which it is required.


4.1 Identity and Contact Data

  • Full name

  • Date of birth

  • Postal address

  • Email address

  • Telephone number

  • Photographic identification where required for verification or safeguarding purposes


4.2 Health and Special Category Data

  • Medical history and consultation information

  • Treatment records and clinical notes

  • Consent forms, outcome documentation, and incident records

Special category data is processed subject to enhanced safeguards and strict access controls.


4.3 Technical and Usage Data

  • IP address (anonymised where technically feasible)

  • Device type, operating system, and browser information

  • Pages visited, referral sources, and interaction patterns


4.4 Communications Data

  • Enquiries submitted via website forms

  • Website chat interactions

  • Email, telephone, or written correspondence


5. Lawful Bases for Processing

We process personal data under the following lawful bases:

  • Article 6(1)(a) Consent

  • Article 6(1)(b) Contractual necessity

  • Article 6(1)(c) Legal obligation

  • Article 6(1)(f) Legitimate interests

  • Article 9(2)(h) Provision of health or social care


Where consent is relied upon, it may be withdrawn at any time.


6. How We Use Your Data

We use personal data only where there is a clear and lawful purpose to do so. 


This includes:

  • Responding to enquiries, consultations, and booking requests

  • Assessing suitability for treatments and delivering clinical care

  • Maintaining accurate, contemporaneous clinical and administrative records

  • Fulfilling contractual and payment obligations

  • Meeting legal, regulatory, and professional requirements

  • Managing complaints, incidents, and safeguarding concerns

  • Improving website functionality, accessibility, and user experience

  • Responding to Subject Access Requests and other data rights requests


7. Subject Access Requests (SARs)

You have the right to request access to personal data we hold about you under Article 15 of the UK General Data Protection Regulation and the Data Protection Act 2018.


Subject Access Requests must be submitted using our dedicated SAR form, which is linked from our website.


All Subject Access Requests are managed in accordance with a specific Subject Access Request Legal Disclaimer, which applies solely to the SAR process and must be accepted at the point of submission.


In summary:

  • Identity and, where relevant, legal authority must be verified before a request is processed.

  • A request is only treated as valid once verification requirements have been met.

  • Statutory response timeframes begin only when a request is deemed valid.

  • Disclosure is limited to personal data held and controlled by Haus of Ästhetik Ltd at the time of processing.

  • Information may be lawfully withheld or redacted to protect third-party rights, confidentiality, safeguarding interests, legal privilege, or to prevent serious harm.


The full legal terms governing Subject Access Requests are contained within the SAR form and form part of the submission agreement.


8. Data Retention

Personal data is retained only for as long as is necessary to fulfil its purpose and to comply with legal, regulatory, professional, and indemnity requirements.


Retention periods include:

  • Clinical records: retained in line with professional standards, indemnity guidance, and limitation periods

  • Financial and transactional records: retained in accordance with statutory requirements

  • Website analytics data: anonymised and retained in accordance with provider default settings

  • SAR records and correspondence: retained for audit, accountability, and regulatory assurance purposes


Data that is no longer required is securely deleted or anonymised.


9. Third‑Party Processors, AI Tools, and Analytics

We use trusted third‑party systems to support our operations, website functionality, clinical documentation, communications, analytics, and payment processing.


These include, but are not limited to:

  • Website hosting, forms, booking infrastructure, and payment processing provided by Wix

  • Website analytics and visitor insight tools, including Twipla (Visitor Analytics)

  • AI‑assisted chat or automated response tools used to support website enquiries and user navigation

  • Clinical documentation, consent, and record‑keeping systems used to maintain consultation notes, treatment records, consent forms, and clinical photographs

  • Medical suppliers, pharmacies, laboratories, and distributors involved in the prescribing, dispensing, supply, or safety monitoring of products and treatments


These third parties may process personal data where necessary to deliver services. This may include identity details, contact information, treatment‑related information, prescription details, batch or product traceability data, and transaction records. Data shared is limited to what is necessary for the specific purpose.


Analytics and technical data may be anonymised or aggregated and is not used for profiling or automated clinical or commercial decision‑making.


Some third parties, such as pharmacies or laboratories, act as independent data controllers for their own records. Personal data held by such organisations is subject to their own privacy policies and must be requested directly from them where applicable.


All third‑party processors operate under contractual safeguards requiring appropriate technical and organisational measures and compliance with UK GDPR. Data processed by these providers is subject to their own retention schedules and privacy frameworks, over which Haus of Ästhetik Ltd has limited control.

We do not sell, rent, or monetise personal data.


Website chat, AI tools, and third‑party systems are not continuously monitored and must not be used for urgent, clinical, or emergency matters.


10. Cookies and Analytics

We use essential and non‑essential cookies to support website functionality, security, and performance monitoring.


Analytics tools, including Twipla, are used to understand how visitors interact with our website. This may include information such as device type, general location, session duration, and navigation behaviour. Where possible, data is anonymised and used only for service improvement, accessibility, and performance optimisation.


Users may manage cookie preferences through browser settings or cookie banner controls.


11. Data Security

We implement robust technical and organisational measures to protect personal data against unauthorised access, loss, misuse, alteration, or disclosure.


Security measures include:

  • Encryption of data in transit and at rest using industry-standard encryption with 256-bit keys

  • Secure cloud-based storage environments with layered access controls

  • Role-based access restrictions to ensure staff can only access data necessary for their role

  • Strong authentication measures and session controls

  • Automatic security updates and patch management across all clinic-issued devices to maintain current protection against known vulnerabilities

  • Device-level security controls, including encryption, secure login credentials, and remote locking or wiping where appropriate

  • Regular review of access permissions and system security settings


Personal data is stored primarily within secure UK or EEA-based environments. Where data is transferred outside these regions, appropriate safeguards are applied in accordance with UK GDPR requirements.


Staff receive training on data protection, confidentiality, and information governance, and are required to comply with internal policies governing secure data handling.


12. Your Rights

Under UK GDPR, you have the right to:

  • Access your personal data

  • Rectify inaccurate data

  • Erase data where lawful

  • Restrict or object to processing

  • Data portability

  • Withdraw consent

  • Lodge a complaint with the Information Commissioner’s Office


We do not use personal data for automated decision‑making or profiling that produces legal or similarly significant effects under Article 22 UK GDPR.


Privacy‑related enquiries may be directed to the clinic using the contact details provided on our website.


13. Children’s Data

Our services are primarily intended for adults. Where limited services are lawfully provided to individuals under 18, we apply enhanced safeguards to protect children’s personal data. 


These safeguards include:

  • Age verification and assessment of capacity where relevant

  • Involvement of a parent or legal guardian where required

  • Obtaining valid parental or guardian consent before processing personal or health data

  • Limiting data collection to what is strictly necessary for the specific service provided

  • Applying heightened access controls and confidentiality measures


Children’s data is never used for marketing purposes and is not processed beyond what is required to deliver the permitted service safely and lawfully.


14. Changes to This Policy

We may update this Privacy Policy to reflect legal, regulatory, or operational changes. The current version will always be available on our website.


15. Review and Governance

This policy is reviewed annually by the Nominated Individual and Registered Manager as part of the clinic’s governance cycle. Version control and review outcomes are recorded internally.

For any privacy or data protection concerns, please contact:

Managing Director:


Haus of Ästhetik Ltd.

4, Portland Square, Water Street, Bakewell, Derbyshire, UK

Email: info@hausofasthetik.com

Telephone: 01629 385318


If you remain dissatisfied, you may lodge a complaint with the Information Commissioner’s Office (ICO) at www.ico.org.uk.