
Refined Clinic Privacy Policy (UK Aesthetic Clinic GDPR Compliance)

Introduction

Refined Clinic (operating at www.refined-clinic.co.uk) is a UK-based aesthetic clinic committed to protecting your privacy and personal data. This aesthetic clinic privacy policy explains who we are, what information we collect, and how we use and safeguard your data in compliance with the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018.


We value transparency and client trust, so we handle all client data protection matters with care. We will never sell or rent your personal information to third parties, and we only process your data for legitimate purposes as outlined below. By using our services or website, you agree to the practices described in this policy.

Data Collected

Personal Information We Collect: When you interact with Refined Clinic – whether by booking an appointment, filling out a form, or during a consultation – we may collect the following types of personal data:

  • Identity Information: Your name, date of birth, and gender (to identify you and ensure treatments are appropriate).

  • Contact Information: Contact details such as postal address, email address, and phone number, so we can communicate with you regarding appointments or queries.

  • Health and Medical Information: Relevant health details, medical history, or treatment consent information you provide. This may include information about allergies, medications, or past procedures, collected to ensure we deliver safe skincare and aesthetic treatments tailored to you. (Health data is considered a special category of personal data, and we will only collect and use it with your explicit consent for the purposes described).

  • Appointment and Transaction Details: Records of appointments you book or attend, services or treatments you have received, and any purchase or payment details. This includes consultation notes and treatment history maintained for continuity of care and legal record-keeping.

  • Website Usage Data: When you visit our website, we may collect technical data about your device and browsing actions through cookies or analytics. This can include your IP address, browser type, device identifiers, pages viewed, and how you arrived at our site. This data helps us understand site usage and improve user experience, and it generally does not directly identify you.

We collect personal data directly from you (for example, when you fill in an online form or give information during a clinic visit) and through our online booking system (see “Data Sharing and Third Parties” below regarding Fresha). We ensure that we only collect information that is relevant and necessary for the purposes described in this policy, and all data is handled in accordance with applicable privacy laws.

How Data Is Used

We use your personal data for specific, lawful purposes in order to provide you with our services and operate our clinic efficiently. Our data use practices as a UK skincare clinic are designed to be transparent and lawful. The ways in which Refined Clinic uses your information include:

  • Providing Services and Treatments: We process your personal details and health information to plan and deliver the aesthetic treatments or skincare services you request. For example, we review your medical history to ensure treatments (like injectables, skin treatments) are safe and suitable for you.

  • Appointment Management: Your contact information is used to schedule and manage your bookings. We send you appointment confirmations, reminders, and any updates about your bookings. This includes communications to confirm appointments, notify you of changes, or follow up after your visit.

  • Client Communication and Support: We may use your phone number or email to communicate with you regarding your treatments, respond to inquiries, or provide customer support. This can include answering your questions, sending pre- or post-treatment advice, and notifying you about important policy or protocol changes (such as COVID-19 guidelines or clinic closures).

  • Health and Safety Compliance: If you provide health or medical information, we use it solely to ensure your safety during treatments. For instance, knowing your allergies or medical conditions allows us to avoid contraindicated products and to give appropriate aftercare advice. We may ask for this information through consent forms and will always explain why it’s needed.

  • Marketing and Promotions (With Consent): With your explicit consent, we may use your name and contact details to send you our clinic news, promotional offers, new treatment announcements, or skincare tips. Direct marketing communications will only be sent if you have opted in, and you can opt out at any time. We respect your choice – if you prefer not to receive marketing emails or texts, we will not send them. (Note: If you do opt-in, you have the right to withdraw consent later, and we include an “unsubscribe” option in every marketing message.)

  • Operational and Business Purposes: We may internally use aggregated or anonymised data to improve our services and business. For example, we might analyse booking trends to better schedule our staff or use feedback to enhance our treatment offerings. When we do so, individuals are not identifiable.

  • Legal and Regulatory Compliance: We process certain data to fulfil our legal obligations. For instance, we keep records of treatments and transactions as required for medical, insurance, taxation, or audit purposes. If there is a need to recall product information or inform clients of a safety notice, we would use contact details for that notification.

  • Protecting Rights and Interests: In rare cases, we may use personal information to enforce our terms and conditions, to protect the rights, privacy, or safety of our clients, staff, or the public, or to defend against legal claims. This would only be as necessary and lawful (for example, providing details to law enforcement if required by law).

We will never use your personal data for any purpose that is incompatible with the original reasons we collected it without obtaining your consent or notifying you as required. We also do not engage in any automated decision-making or profiling that has legal or significant effects on you. If this ever changes, we will update this policy and inform you.

Data Sharing and Third Parties

Refined Clinic understands the importance of keeping your information confidential. We do not share your personal data with third parties for their own marketing or business purposes. We will share your data only in the following circumstances:

  • Fresha (Online Booking Platform): We use Fresha, a third-party appointment scheduling and customer management platform, to handle our online bookings and client database. Fresha acts as a data processor on our behalf, which means it processes client data only according to our instructions and to provide the Refined Clinic with booking and record-keeping services. When you book an appointment or create an account with us, the details you provide (like name, contact info, and appointment details) are entered into the Fresha system. This allows us to securely manage your bookings, treatment history, and preferences. Fresha stores this information on its secure servers; we do not store it separately on the website’s own server. Importantly, Fresha is a reputable service that is fully compliant with UK GDPR requirements. They will only access your data if needed for system support or troubleshooting requested by us, and they are contractually obligated to handle your information in accordance with our instructions and data protection law. (You can review Fresha’s own Privacy Policy for more details on their data practices.)

  • Website and IT Service Providers: We may use trusted third-party companies to help run our website and business (for example, web hosting providers, email service providers, or IT support). These third parties might have incidental access to personal data in the course of providing their services (e.g., our website platform storing form submissions, or an email service processing our messages). In all cases, such providers are bound by confidentiality and data protection agreements, meaning they cannot use your data for anything other than the agreed service. We ensure any data processors we engage implement adequate safeguards (including GDPR compliance) to protect your information.

  • Payment Processors: If you make payments (for example, purchasing a treatment or product), your payment details may be processed by third-party payment gateways (such as credit card processors or banking services). We do not store full payment card details ourselves. These third-party payment processors are responsible for processing your payment information securely and must comply with relevant security standards. They only share with us the information needed to confirm payment (such as a payment confirmation and your name/partial card info).

  • Legal Requirements and Vital Interests: We may disclose personal information to third parties if we are under a duty to comply with a legal obligation, or to protect the vital interests of you or another person. For example, we might share information when required by court order, to cooperate with regulators (such as the Information Commissioner’s Office), or to address emergencies that pose a threat to health or safety. We will evaluate each request carefully and only share the minimum data necessary in such cases.

Other than the scenarios above, Refined Clinic will not share, trade, or disclose your information to any external parties. We do not sell your data to advertisers or unrelated companies. If in the future we need to work with a new third-party that will process your personal data, we will update this Privacy Policy and notify you as required, ensuring you remain informed and in control of your information.

Legal Basis for Processing

Under GDPR and UK data protection law, we must have a valid legal basis to process your personal information. Refined Clinic relies on the following legal grounds:

  • Contractual Necessity: When you request our services (such as booking an aesthetic treatment), we process your personal data to fulfil our contract with you. This includes using your data to provide the services you have asked for – for example, using your contact and health information to schedule and carry out a treatment. Without this information, we cannot perform the services you expect from us (for instance, we cannot book an appointment if you don’t provide contact details, or we cannot perform a treatment safely without relevant medical history). Processing for these purposes is necessary to enter into or perform our contract with you.

  • Consent: We will request your consent in situations where it is legally required or appropriate. The clearest example is for marketing communications – we will only send you promotional emails or texts if you have given us explicit consent (such as by opting in on a form). You can withdraw your consent at any time, and we will stop that processing. Additionally, because some of the data we collect (e.g., health information) is considered sensitive, we will obtain your explicit consent to process that information for the purpose of providing treatments. For instance, you may be asked to sign a consent form acknowledging you agree to share your medical info for treatment planning. Consent can be withdrawn later, though note that we might still need to retain certain data for legal reasons (see Data Retention below). We ensure that consent is freely given, and you have real choice without detriment.

  • Legal Obligation: We are subject to various legal and regulatory requirements that necessitate processing of personal data. For example, the UK Data Protection Act 2018 and GDPR impose obligations on us to maintain certain records and demonstrate compliance. We also must keep transaction records for tax and accounting purposes, as required by HMRC (tax laws may require us to retain invoices and related information for a number of years). In the aesthetics industry, we may be required to document consent and maintain treatment records to comply with medical regulations or insurance requirements. When we process personal data to comply with a legal obligation, this is a lawful basis. We will not use your data for any new purpose unless required by law or we obtain your consent.

  • Legitimate Interests: In some cases, we process your data because it is in our legitimate interests as a business to do so, and this use is fair and not overridden by your own rights. We only rely on legitimate interests after assessing the impact on your privacy. Examples include sending appointment reminders and follow-up communications (to improve customer service and reduce no-shows), improving our services by analysing feedback or booking patterns, or, if you are an existing customer, informing you about a service related to ones you previously received (within reasonable expectations). We also have a legitimate interest in ensuring our network and information security – so we might process data to protect against fraud or cyber-attacks. In all these cases, we ensure that our legitimate interests do not unfairly impact your privacy rights. You have the right to object to processing based on legitimate interests (see “Your Rights” below), and we will honour such objections in accordance with the law.

In summary, whatever the purpose, we always make sure we have a lawful basis to use your data. We are happy to explain the specific legal basis for any individual instance of processing if you have questions. We operate under the principle of minimisation, meaning we won’t collect or use more data than necessary for each purpose, and we will not keep data longer than needed.

Data Retention

We retain personal data only for as long as necessary to fulfil the purposes outlined in this policy, including for satisfying any legal, accounting, or reporting requirements. The duration for which we keep your information can vary based on the type of data and the reason we have it:

  • Client Records and Service History: For general client records (contact details, consultation forms, treatment history), we typically retain this information for the duration of our relationship with you and for a certain period after your last visit. This is to ensure continuity of care if you return to us, and to have records in case of any follow-up issues or inquiries. We review client records periodically and securely delete those that are no longer needed.

  • Legal and Regulatory Retention Periods: Some data must be kept for fixed minimum periods by law. For example, financial transaction records (invoices, receipts) are often kept for 6-7 years to comply with UK tax law and audit requirements. Likewise, treatment consent forms and medical history records might be kept for a number of years (commonly up to 10 years for health and safety records) to comply with medical best practices or insurance policies. These longer retention periods ensure we can respond to any legal claims, inquiries, or safety issues that arise long after a treatment. We adhere to industry guidelines on retaining medical aesthetics records.

  • Marketing Data: If you have consented to receive marketing emails/SMS, we will retain the necessary contact information (such as your email address or phone number) and preference details until you opt out or withdraw your consent. If you unsubscribe or if we discontinue our marketing program, we will promptly remove or anonymise your contact details from our marketing lists.

  • Website Analytics Data: Analytics data collected via cookies (see Cookies section) is typically retained for a shorter period (often measured in months) or as long as needed for trend analysis. This data is usually aggregated, and personal identifiers (like IP addresses) may be anonymised or truncated by the analytics provider after a set time.

  • Archived and Backup Data: Even after deletion from our active systems, data might persist in secure backups for a short duration. We maintain backup archives to ensure we can recover information in case of accidental deletion or disaster. These backups are protected, and access is restricted. We will delete or overwrite backups containing personal data in line with our retention schedules as they cycle.

When the retention period for a particular piece of data expires, or if we determine that we no longer need the data, we will either securely delete it or anonymise it (so it can no longer be associated with you). For example, paper records past their retention date are shredded, and digital records are permanently deleted or scrubbed from databases.

Your data will not be kept indefinitely by Refined Clinic. We continuously review the information we hold and erase or anonymise personal data that is no longer needed. If you believe we are retaining your information longer than necessary, you have the right to request erasure (see “Your Rights” below), and we will address such requests in line with our legal obligations.

Your Rights Under GDPR

As a client or visitor providing personal data to Refined Clinic, you have robust rights under GDPR and the UK data protection laws. We are committed to upholding these rights and ensuring you can exercise them. Under GDPR, you have the right to:

  • Access Your Data: You can request a copy of the personal data we hold about you, as well as information on how we use it. This is known as a Subject Access Request. We will provide you with a summary of your information in a commonly used format, usually within one month of your request (as required by law).

  • Rectification: If any of your personal data is inaccurate or incomplete, you have the right to ask us to correct or update it. We encourage you to help us keep your information up to date, so please let us know if you change your contact details or notice any errors in our records.

  • Erasure (Right to be Forgotten): You can request that we delete your personal data in certain circumstances. For example, if you no longer use our services and want your details removed, or if you originally consented to a use of your data and have now withdrawn consent. We will assess such requests and, if there’s no lawful reason for us to keep the data (such as a legal requirement or legitimate interest), we will erase it.

  • Restrict Processing: You have the right to ask us to limit the processing of your data in specific situations. This could apply if you contest the accuracy of your data (while we verify it) or if you object to our processing and we are considering that request. Restriction means we store your data but don’t actively use it until the issue is resolved.

  • Data Portability: For data you provided to us and that we process by automated means on the basis of consent or contract, you can request that we provide it to you (or directly to another service provider) in a machine-readable format. For example, if you decide to move to another clinic and want your treatment records sent electronically to them, we can facilitate a secure transfer of your data when legally permissible and technically feasible.

  • Object to Processing: You have the right to object to certain processing activities. Most importantly, you can object at any time to your personal data being used for direct marketing purposes. If you object, we will stop using your data for marketing immediately. You may also object if we are processing your data under a legitimate interest basis; in such cases, we will reconsider our reasons for processing and will stop if we cannot demonstrate a compelling legitimate ground that overrides your rights.

  • Withdraw Consent: If we are processing any of your data based on your consent, you have the right to withdraw that consent at any time. For example, if you consented to receive newsletters, you can unsubscribe; if you consented to a particular treatment and changed your mind, you can let us know. Withdrawing consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, and it won’t affect processing under other bases (like contract or legal obligations).

  • Not Be Subject to Automated Decisions: We do not currently make automated decisions (including profiling) that produce legal or similarly significant effects on individuals. However, you have the right not to be subject to such decisions without human intervention. If this becomes relevant in the future, we will inform you and ensure your rights are protected.

To exercise any of your rights, please contact us using the contact information provided in the “Contact Information” section below. We may need to verify your identity before fulfilling certain requests, to ensure we don’t disclose data to an unauthorised person. We will respond to your requests within the timeframes set by law (usually within one month, but we’ll inform you if an extension is needed for complex requests).

Your Right to Complain:

If you have concerns about how we are handling your personal data, we encourage you to contact us first so we can address the issue. However, if you are not satisfied with our response or believe we are processing your data unlawfully, you have the right to lodge a complaint with the UK supervisory authority for data protection, which is the Information Commissioner’s Office (ICO). You can contact the ICO by phone (+44 303 123 1113) or through their website. More information is available on the ICO website about how to raise a concern. We respect your rights and will not refuse or charge for reasonable requests to exercise these rights, in accordance with GDPR. Our goal is to ensure you feel confident and in control of your personal information.

Cookies and Analytics

Like most websites, Refined Clinic’s website uses cookies and similar tracking technologies to enhance user experience and gather information about how our site is used. This section explains our use of cookies and analytics:

  • What Are Cookies? Cookies are small text files that a website saves on your computer or mobile device when you visit the site. They serve a variety of functions, from enabling core site features to remembering preferences and collecting usage data. Some cookies are set by us (first-party cookies) and some may be set by third-party services we use (third-party cookies).

  • Essential Cookies: We use certain cookies that are necessary for the website to function correctly and securely. For example, if our site has a client login or booking widget (such as the Fresha booking interface embedded on our site), cookies may be required to enable that session and remember your inputs as you navigate through booking steps. These cookies do not store personally identifiable information beyond what is needed for the service.

  • Analytics and Performance Cookies: We utilise analytics tools (such as Google Analytics or similar services) to collect information about how visitors use our website. The data gathered may include your IP address, browser type, device information, pages visited, time spent on pages, and referral source (how you found our website). We use this information to compile reports and improve our site – for instance, understanding which pages are most popular or detecting any navigation issues. The analytics cookies collect information in an anonymous form (for example, Google Analytics may anonymise IP addresses). We share this information with our analytics providers only for the purpose of analysing site traffic and usage patterns.

  • Advertising Cookies: Currently, Refined Clinic does not host third-party advertisements, so we do not use advertising cookies or targeted advertising services on our site. If this changes in the future, we will update our cookie policy and obtain your consent where required.

  • Cookie Consent: When you first visit our website, you should see a cookie notice or banner that alerts you to our use of cookies. Where required by law, we will ask for your consent before setting non-essential cookies (such as analytics cookies). You can choose to accept or reject these. Please note that if you disable certain cookies, some features of the site (like online booking) may not function optimally.

  • Managing Cookies: You have the ability to control and manage cookies through your web browser settings. Most browsers allow you to view, disable, or delete cookies. For more information on how to do this, check your browser’s help section or the website of the browser developer. You can also use tools or browser extensions to opt out of analytics tracking (for example, Google offers a browser add-on to opt out of Google Analytics data collection).

  • Other Tracking Technologies: We may occasionally use other technologies like web beacons (clear GIFs) in our emails to know if you open them, which helps us gauge the effectiveness of our communications. This information is used in a generalised way (e.g., to see overall open rates) and not to track individual behaviour beyond whether a specific email was viewed.

For a detailed breakdown of the cookies we use and their purposes, please see our Cookies Policy (if available) or contact us. By using our site after seeing the cookie notice, you are agreeing to the use of cookies as described. We aim to be transparent about data collected through your online interactions with Refined Clinic, and we use these tools solely to improve our website and services – aligning with our commitment to GDPR compliance and respectful data use.

Data Security

Refined Clinic takes data security very seriously. We implement a range of technical and organisational measures to ensure that your personal information is protected from unauthorised access, alteration, disclosure, or destruction. Here are some key aspects of our data security practices:

  • Secure Systems (Encryption): Our website and online booking forms are secured with SSL encryption – you will see the padlock symbol in your browser and an “https://” URL when you interact with our site. This means any personal data you enter (for example, when completing a booking or contact form) is encrypted in transit. Likewise, the Fresha platform we use for managing client data employs HTTPS and TLS encryption, ensuring that information transmitted between our clinic and the Fresha cloud servers is encrypted and secure. In short, your data is scrambled during transfer so that no unauthorised third party can intercept and read it.

  • Access Controls: Access to personal data within Refined Clinic is restricted strictly on a need-to-know basis. Only authorised personnel (such as our lead clinician and relevant support staff) who require access to your information to perform their duties can see it. Each staff member has unique login credentials and, where applicable (like for Fresha), secure PIN access is used. Staff are trained in confidentiality and data protection procedures. We regularly review who has access to what data and update permissions when roles change.

  • Secure Data Storage: Personal data held electronically (for example, your client profile and treatment notes in Fresha) is stored on secure servers protected by firewalls and monitored for potential vulnerabilities. Fresha’s data centres and infrastructure include robust security measures, and we chose them in part due to their strong reputation for data security and GDPR compliance. Any physical paperwork (like consultation forms or signed consent forms) is stored in a locked cabinet or secure area when not in active use. Only authorised staff can access these files. We also take care to keep our computers and devices secure (using passwords, up-to-date antivirus software, and encryption where possible).

  • Data Minimisation and Pseudonymisation: Wherever feasible, we minimise the amount of personal data we keep or use. For example, if we only need to analyse general trends, we use anonymised data rather than identifiable information. If we ever work with third-party analysts or designers for business improvements, we either use aggregated data or ensure data is pseudonymised (so individuals are not easily identified) unless there’s a specific need to include personal details.

  • Routine Security Practices: We maintain up-to-date security policies and regularly assess our systems. This includes applying software updates and patches in a timely manner, using strong passwords and two-factor authentication for accounts, and monitoring for suspicious activity. We also back up data securely to prevent loss. In the unfortunate event of a security breach, we have a response plan in place: we will contain the breach, assess the risk, and notify affected individuals and authorities (like the ICO) as required by law.

  • Third-Party Security: Any third-party processors we use (such as Fresha, web host, payment gateway) are vetted for robust security practices. We review their privacy and security measures and ensure that they meet the standards expected under GDPR. We also have agreements in place that require them to protect your data and report any incidents.

While we strive to use commercially acceptable means to protect your personal data, no system can be 100% secure. However, we continuously update our security protocols to address new threats and to ensure that your client data protection remains a top priority. Your trust is paramount to us, and we will take all appropriate steps to keep your information safe.

Contact Information

If you have any questions, concerns, or requests regarding this privacy policy or your personal data, please do not hesitate to contact us. We are here to help and address any issues related to GDPR compliance and data protection at Refined Clinic. You can reach us through the following contact details:

  • Refined Clinic (Data Controller)

  • Email: info@refined-clinic.co.uk

  • Phone: 07710797124

  • Address: 13 Westgate, Baildon, Shipley, West Yorkshire, BD17 5EJ

For privacy-specific inquiries, you can include “Attn: Privacy Officer” in your email subject or letter. We take all privacy inquiries seriously and will respond as soon as possible, typically within 30 days.

If you wish to exercise any of the rights described in the “Your Rights Under GDPR” section above (access, correction, deletion, etc.), you may contact us through any of the above channels. We might ask you to verify your identity (to protect your privacy) before proceeding with certain requests.

Complaints: As noted in the “Your Rights” section, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO) if you believe we have not addressed your data protection concerns adequately. The ICO is the UK’s supervisory authority for data protection issues. We would appreciate the chance to address your concerns first, but you can contact the ICO at any time. Their contact details can be found on the ICO website (https://ico.org.uk) or you can call them at +44 303 123 1113.

Refined Clinic is dedicated to resolving any issues fairly and transparently. Your privacy matters to us, and we welcome feedback that helps us improve our practices.

Policy Updates

We may update or revise this Privacy Policy from time to time to reflect changes in our practices, to keep up with legal requirements, or to incorporate improvements. If we make significant changes, we will notify our clients via email or by posting a prominent notice on our website. However, we encourage you to review this policy periodically to stay informed about how we are protecting your information.

Each version of this policy will be identified by its effective date. This Privacy Policy is effective as of March 28, 2025, and it supersedes any prior versions. Any changes will become effective when we post the revised policy on our website. Your continued use of our services or website after a policy update constitutes your acknowledgment of the changes.

If you have any questions about the changes in a revised policy, please contact us. We are committed to maintaining the highest standards of privacy and GDPR compliance and will always be transparent about how client data is used. Thank you for trusting Refined Clinic with your personal information and for taking the time to read our Privacy Policy.
