1. Who We Are
[Your Name], trading as [Business Name], is the data controller responsible for the personal data collected from clients. We are a beauty therapy business based in [Your Town], England.
If you have any questions about how we use your personal data, please contact us at: [Your Email Address].
We are not currently required to register with the Information Commissioner's Office (ICO) [or: Our ICO registration number is ZX……].
2. What Personal Data We Collect
We collect and process two categories of personal data:
Standard personal data:
- Name, date of birth, address, phone number, and email address
- Appointment history and treatment records
- Financial records (payments received, invoices issued)
- Communications between us (emails, messages)
Special Category Data (health information): The nature of beauty therapy means we also collect health and medical information, including skin conditions, allergies, medications, and other conditions relevant to safe treatment. Under UK GDPR, health information is classified as special category data and is subject to additional protections.
3. Legal Basis for Processing
| Data type |
Legal basis |
| Contact details, appointment records |
Contract performance — necessary to deliver the service you have booked (Article 6(1)(b) UK GDPR) |
| Financial records |
Legal obligation — HMRC requires us to retain financial records for 6 years (Article 6(1)(c) UK GDPR) |
| Health and medical information (special category) |
Explicit consent — your written consent on the Consultation & Consent Form (Article 9(2)(a) UK GDPR). You may withdraw this consent at any time (see Section 7). |
| Marketing communications (where applicable) |
Consent — only where you have separately opted in (Article 6(1)(a) UK GDPR) |
4. How We Use Your Data
We use your personal data only for the purposes set out below:
- To provide beauty therapy treatments safely and effectively
- To maintain accurate treatment records and monitor your treatment history
- To manage your appointments and communicate with you about bookings
- To issue invoices and process payments
- To comply with our legal and insurance obligations
- To send you appointment reminders and aftercare information (this is part of service delivery, not marketing)
- To send you marketing communications about our services, promotions, and offers — only where you have given explicit consent
5. Data Retention
How long we keep your records:
- Client consultation and treatment records: Retained for a minimum of 5 years from the date of your last appointment, in line with beauty industry best practice and professional insurance requirements.
- Financial records (invoices, payments): Retained for 6 years from the end of the relevant tax year, as required by HMRC.
- Marketing consent records: Retained for as long as you remain on our mailing list, plus 1 year after you unsubscribe (to demonstrate consent compliance).
After the relevant retention period, your data will be securely deleted or anonymised. Paper records will be shredded; digital records will be permanently deleted.
6. Right to Erasure — Important Caveat
Your right to erasure ("right to be forgotten") and our duty of care: You have the right under UK GDPR to request that we delete your personal data. However, we may not be able to fulfil an erasure request in full where we are required by law to retain records (e.g. financial records for HMRC), or where retaining your medical history is necessary to protect your health and safety in any future treatment. If we decline an erasure request in full or in part, we will explain our reasons in writing.
7. Your Rights
Under UK GDPR, you have the following rights regarding your personal data:
- Right of access: To request a copy of the personal data we hold about you (Subject Access Request)
- Right to rectification: To ask us to correct inaccurate data
- Right to erasure: To ask us to delete your data (subject to the caveat above)
- Right to restrict processing: To ask us to pause how we use your data while a dispute is resolved
- Right to data portability: To receive your data in a portable format
- Right to object: To object to our use of your data for direct marketing (we will always act on this promptly)
- Right to withdraw consent: You may withdraw your consent to us processing your health data at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal. Note that withdrawing health data consent may mean we are unable to continue treating you safely.
To exercise any of these rights, please contact us at [Your Email Address]. We will respond within one calendar month.
If you are unhappy with how we handle your request, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.
8. Who We Share Your Data With
We do not sell, rent, or share your personal data with any third parties for their own commercial purposes.
We may share your data only in the following limited circumstances:
- With our professional indemnity insurer, where you make or threaten a claim, to the extent necessary to defend or resolve that claim
- With HMRC or other regulatory authorities, where required by law
- With our booking or practice management software provider, acting as a data processor on our behalf under a data processing agreement (e.g. [Fresha / Timely / other platform name]) — solely to manage your appointments
9. Data Security
We take appropriate technical and organisational measures to keep your personal data secure, including: password-protected devices, secure cloud storage, and locked physical storage for paper records. We do not email unencrypted sensitive health information.
10. Changes to This Notice
We may update this Privacy Notice from time to time. The current version will always be made available on request. The date at the top of this notice indicates when it was last revised.