Haus Of Ästhetik
Haus Of Asthetik Ltd.
PRIVACY POLICY
A LEGAL DISCLAIMER
The information contained within this Privacy Policy is provided for general transparency and regulatory compliance purposes. It does not constitute legal advice. While Haus of Ästhetik Ltd. endeavours to meet all applicable requirements under the UK GDPR and the Data Protection Act 2018, users should not rely solely on this document for legal interpretation. We recommend consulting a qualified solicitor or data protection professional for guidance specific to your own circumstances.
POLICY - STATEMENT
2 Our Commitment to Privacy
Haus of Ästhetik Ltd. is committed to protecting the privacy, confidentiality, and security of all personal data processed through our clinic, website, and associated systems. This includes clients, patients, staff, suppliers, and visitors. All data is handled in accordance with the UK General Data Protection Regulation (GDPR), the Data Protection Act 2018, CQC Regulation 17 (Good Governance), and Save Face data management standards.
2.1 What Information We Collect
We may collect, store, and process the following categories of information:
Personal Identification Data: name, address, date of birth, contact details.
Health and Medical Data: medical history, allergies, consultation notes, photographs, and treatment outcomes.
Financial Data: payment information, invoices, and receipts (processed securely through approved payment platforms).
Digital Data: IP addresses, cookies, browsing activity, and device identifiers for website optimisation.
Employment or Training Data: for staff and professional associates where applicable.
All medical records and images are held securely in encrypted systems in line with NHS Digital and UK GDPR standards for medical data retention.
2.2 How We Collect Information
Information may be collected directly through:
Consultation and registration forms (online or in-clinic).
Appointment bookings, payments, and consent forms.
Website forms, cookies, and communication platforms (email, chat, or social media).
Third-party referrals or prescribers (Acre Pharmacy, Roseway Pharmacy, Church Pharmacy, etc.) where required for prescription purposes.
2.3 Why We Collect Information
Your data is collected for the following lawful purposes:
To deliver safe, effective, and tailored clinical treatments.
To meet legal, professional, and insurance requirements.
To maintain accurate clinical and financial records.
To process payments and issue receipts.
To communicate treatment information, aftercare, or appointment reminders.
To improve service quality and ensure patient safety.
All processing is based on one or more lawful bases under Article 6 and Article 9 of the UK GDPR, including consent, legitimate interest, and compliance with legal obligations.
2.4 Data Sharing and Disclosure
Your data may be shared only where necessary with:
Registered prescribers, pharmacists, or laboratories involved in your treatment.
Regulatory bodies such as the CQC, Save Face, NMC, or insurers when required by law.
IT service providers or data processors who maintain our secure systems under strict confidentiality agreements.
Emergency services where disclosure is essential for safeguarding or health protection.
We never sell, rent, or trade your data to third parties for marketing purposes.
2.5 Data Retention and Storage
Medical and treatment records are retained for 10 years from the date of last treatment (as per NHS record-keeping standards).
Financial records are held for 7 years in compliance with HMRC requirements.
All data is stored securely within the UK or EEA using encrypted servers, with restricted staff access and multi-factor authentication.
2.6 Your Rights
Under the UK GDPR, you have the right to:
Access a copy of your personal data.
Request correction of inaccurate information.
Request deletion (where legally permissible).
Withdraw consent for marketing communications.
Restrict or object to processing.
Request data portability to another provider.
Requests should be made in writing to the Data Protection Officer via the contact details below. We will respond within 30 days.
2.7 Children and Vulnerable Persons
We do not provide aesthetic injectables or body treatments to individuals under 18. Limited treatments (such as acne management) are provided to those aged 13+ with parental consent and safeguarding oversight, in line with CQC and Save Face standards.
2.8 Website and Cookies
Our website may use cookies to improve functionality and user experience. By using the website, you consent to the use of cookies unless you disable them in your browser. No personally identifiable information is stored without consent.
2.9 Security Measures
We implement multiple layers of data protection including:
Encryption and secure cloud storage.
Password-protected devices with role-based access.
Regular audits and staff GDPR training.
Incident reporting and breach management protocols.
In the event of a data breach, affected individuals and the ICO will be notified within the legally required timeframe.
2.10 Twipla Analytics and Wix AI Chat
Our website uses Twipla (formerly Visitor Analytics) and the Wix AI Chat application to improve website performance, user experience, and service efficiency. These tools collect limited digital information to help us understand how visitors use our site and to support automated customer interactions.
Twipla Analytics
We use Twipla, a GDPR-compliant website analytics platform, to track anonymised usage patterns such as page visits, device types, and general browsing behaviour. Twipla does not identify individual users unless they voluntarily provide identifiable information through a form or interaction on the site.
Twipla processes data under strict privacy and security standards. Full terms can be found here: https://www.twipla.com/en/support/legal-data-privacy-certificates/standard-integration/terms-of-use
Information collected via Twipla may include:
• Device and browser type
• General geographic region
• Pages visited and time spent on site
• Navigation paths
• Cookie-based interaction data
Twipla anonymises IP addresses by default and does not track users across unrelated websites.
Wix AI Chat
Our site also uses Wix AI Chat to assist visitors with enquiries, provide automated guidance, and improve service responses.
The AI chat system may collect:
• Text entered by users into the chat
• Basic usage information (timestamps, interaction logs)
• Contact details only if voluntarily provided (for example, booking requests or call-back messages)
Wix processes this information under their GDPR-compliant infrastructure. You can learn more about Wix data handling here: https://www.wix.com/about/privacy
Wix AI Chat does not access confidential clinical records, staff data, or restricted areas of our digital systems. Any information submitted via chat is handled securely, used only for service delivery, and never shared with third parties for marketing.
Legal Basis for Processing
Both Twipla and Wix AI Chat operate under Legitimate Interest (Article 6(1)(f) UK GDPR) for website performance, service optimisation, and user support.
Where optional cookies or identifiable information are involved, consent (Article 6(1)(a)) is used.
Twipla and Wix do not use collected data to profile, sell, or commercially monetise users.
For any privacy or data protection concerns, please contact:
Managing Director:
Haus of Ästhetik Ltd.
Bakewell, Derbyshire, UK
Email: info@hausofasthetik.com
Telephone: 01629 888 765
If you remain dissatisfied, you may lodge a complaint with the Information Commissioner’s Office (ICO) at www.ico.org.uk.
