GDPR Privacy Notice for Clients

🔒 [Business Name] 👤 Data Controller: [Your Name] 📅 Last updated: [Date]

1. Who We Are

[Your Name], trading as [Business Name], is the data controller responsible for the personal data collected from clients. We are a beauty therapy business based in [Your Town], England.

If you have any questions about how we use your personal data, please contact us at: [Your Email Address].

We are not currently required to register with the Information Commissioner's Office (ICO) [or: Our ICO registration number is ZX……].

2. What Personal Data We Collect

We collect and process two categories of personal data:

Standard personal data:

Special Category Data (health information): The nature of beauty therapy means we also collect health and medical information, including skin conditions, allergies, medications, and other conditions relevant to safe treatment. Under UK GDPR, health information is classified as special category data and is subject to additional protections.

3. Legal Basis for Processing

Data type Legal basis
Contact details, appointment records Contract performance — necessary to deliver the service you have booked (Article 6(1)(b) UK GDPR)
Financial records Legal obligation — HMRC requires us to retain financial records for 6 years (Article 6(1)(c) UK GDPR)
Health and medical information (special category) Explicit consent — your written consent on the Consultation & Consent Form (Article 9(2)(a) UK GDPR). You may withdraw this consent at any time (see Section 7).
Marketing communications (where applicable) Consent — only where you have separately opted in (Article 6(1)(a) UK GDPR)

4. How We Use Your Data

We use your personal data only for the purposes set out below:

5. Data Retention

How long we keep your records:
  • Client consultation and treatment records: Retained for a minimum of 5 years from the date of your last appointment, in line with beauty industry best practice and professional insurance requirements.
  • Financial records (invoices, payments): Retained for 6 years from the end of the relevant tax year, as required by HMRC.
  • Marketing consent records: Retained for as long as you remain on our mailing list, plus 1 year after you unsubscribe (to demonstrate consent compliance).

After the relevant retention period, your data will be securely deleted or anonymised. Paper records will be shredded; digital records will be permanently deleted.

6. Right to Erasure — Important Caveat

Your right to erasure ("right to be forgotten") and our duty of care: You have the right under UK GDPR to request that we delete your personal data. However, we may not be able to fulfil an erasure request in full where we are required by law to retain records (e.g. financial records for HMRC), or where retaining your medical history is necessary to protect your health and safety in any future treatment. If we decline an erasure request in full or in part, we will explain our reasons in writing.

7. Your Rights

Under UK GDPR, you have the following rights regarding your personal data:

To exercise any of these rights, please contact us at [Your Email Address]. We will respond within one calendar month.

If you are unhappy with how we handle your request, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.

8. Who We Share Your Data With

We do not sell, rent, or share your personal data with any third parties for their own commercial purposes.

We may share your data only in the following limited circumstances:

9. Data Security

We take appropriate technical and organisational measures to keep your personal data secure, including: password-protected devices, secure cloud storage, and locked physical storage for paper records. We do not email unencrypted sensitive health information.

10. Changes to This Notice

We may update this Privacy Notice from time to time. The current version will always be made available on request. The date at the top of this notice indicates when it was last revised.

Client Acknowledgement

I confirm I have received and read this Privacy Notice

Date

Issued by

[Your Name][Business Name]

Date issued