Privacy Policy

Berkshire Aesthetics is committed to protecting your privacy and handling your personal data responsibly. This Privacy Policy explains what information we collect, how we use it, how long we keep it, and your rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Data Controller

The data controller responsible for your personal data is:

Berkshire Aesthetics
Furze Platt Road
Maidenhead, Berkshire
SL6 6PR
Email: info@berkshireaesthetics.com
Phone: 01628 202028

Information We Collect

We collect and process the following categories of personal data:

  • Personal details — your name, date of birth, postal address, email address, and telephone number.
  • Medical history — relevant health conditions, medications, allergies, and any information necessary to assess your suitability for treatment.
  • Treatment records — consultation notes, consent forms, treatment plans, and clinical outcomes.
  • Photographs — before-and-after images taken for clinical assessment, treatment planning, and (with your explicit consent) for use on our website or marketing materials.
  • Payment details — information required to process payments for treatments and products, including card details processed securely through our payment provider.
  • Website usage data — information collected automatically when you visit our website, including your IP address, browser type, pages visited, and referring website. See the Cookies and Website Analytics section below for more detail.

Legal Basis for Processing

Under UK GDPR, we must have a lawful basis for processing your personal data. We rely on the following:

  • Consent — where you have given clear consent for us to process your personal data for a specific purpose, such as sending marketing communications or using your photographs.
  • Contract performance — processing that is necessary to fulfil our contractual obligations to you, including providing the treatments and services you have booked.
  • Legal obligation — processing that is necessary to comply with UK law, including maintaining medical records as required by healthcare regulations and responding to regulatory bodies.
  • Legitimate interests — processing that is necessary for our legitimate business interests, such as improving our services, ensuring patient safety, and protecting our clinic against legal claims, provided these interests do not override your fundamental rights and freedoms.

How We Use Your Information

We use your personal data for the following purposes:

  • Providing treatment — to assess your suitability, plan and deliver treatments, and manage your ongoing care.
  • Patient safety — to maintain accurate medical records, track treatment outcomes, and identify any adverse reactions or contraindications.
  • Communication — to contact you regarding appointments, aftercare instructions, treatment recommendations, and (where you have consented) marketing communications.
  • Legal compliance — to meet our obligations under healthcare regulations, data protection law, and other applicable legislation.
  • Service improvement — to analyse anonymised or aggregated data to improve our treatments, patient experience, and clinical outcomes.
  • Payment processing — to collect payments for treatments and products.

Medical Records and Data Retention

As a medical aesthetics clinic, we are required to retain your medical records for a minimum period to comply with UK healthcare guidelines and to protect both you and the clinic.

  • Medical records for adult patients are retained for a minimum of 10 years from the date of the last treatment, in line with UK guidelines for cosmetic procedures.
  • For patients treated as minors (under 18), records are retained until the patient reaches the age of 25, plus a further 8 years (i.e., until age 33).
  • Records may be retained for longer where there is an ongoing clinical or legal need.

All medical records are stored securely using encrypted digital systems with access restricted to authorised clinical staff. Paper records, where they exist, are stored in locked cabinets within our clinic premises.

Data Sharing

We do not sell, rent, or trade your personal data. We may share your information with the following parties where necessary:

  • Clinicians and healthcare professionals — members of our clinical team who are directly involved in your care.
  • Regulatory bodies — including the Care Quality Commission (CQC), General Medical Council (GMC), and other regulators where required by law or as part of inspections.
  • Payment processors — our payment provider (Stripe) processes your payment information securely. Stripe operates under its own privacy policy and is PCI DSS compliant.
  • IT and hosting providers — third-party service providers who host our systems and provide technical support, bound by strict data processing agreements.
  • Legal and professional advisers — where necessary to obtain legal advice or to establish, exercise, or defend legal claims.

Where we share data with third parties, we ensure appropriate safeguards are in place, including data processing agreements that comply with UK GDPR.

Cookies and Website Analytics

Our website uses cookies to help us understand how visitors use the site and to improve your browsing experience. Cookies are small text files stored on your device when you visit a website.

We use the following types of cookies:

  • Strictly necessary cookies — required for the website to function properly, such as session management. These cannot be disabled.
  • Analytics cookies — help us understand how visitors interact with our website by collecting anonymised usage data.
  • Functional cookies — remember your preferences, such as language or region settings, to provide a more personalised experience.

You can manage your cookie preferences through your browser settings. Most browsers allow you to block or delete cookies. Please note that disabling certain cookies may affect your experience of our website.

For full details on the cookies we use and how to manage them, please see our Cookie Policy.

Your Rights Under UK GDPR

Under the UK General Data Protection Regulation, you have the following rights in relation to your personal data:

  • Right of access — you can request a copy of the personal data we hold about you (known as a Subject Access Request).
  • Right to rectification — you can ask us to correct any inaccurate or incomplete personal data.
  • Right to erasure — you can request that we delete your personal data, subject to our legal obligations to retain certain records (such as medical records).
  • Right to restriction of processing — you can ask us to limit how we use your data in certain circumstances.
  • Right to data portability — you can request your personal data in a structured, commonly used, and machine-readable format.
  • Right to object — you can object to the processing of your data where we rely on legitimate interests as our legal basis.
  • Right to withdraw consent — where we process your data based on consent, you can withdraw that consent at any time. Withdrawing consent does not affect the lawfulness of any processing carried out before you withdrew it.

Please note that some of these rights are not absolute. For example, we cannot erase medical records where we have a legal obligation to retain them.

How to Exercise Your Rights

To exercise any of your data protection rights, or if you have any questions about how we handle your personal data, please contact us using the details given in the Data Controller section above.

We will respond to your request within one month. In complex cases, we may extend this by a further two months, but we will inform you if this is necessary.

Complaints

If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's independent body set up to uphold information rights:

We would appreciate the opportunity to address your concerns before you contact the ICO, so please reach out to us first.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or regulatory guidance. Any significant changes will be communicated via our website. We recommend reviewing this page periodically to stay informed about how we protect your data.

Last reviewed: February 2026