• Home
  • About us
  • Services
    • Face Treatments
    • Body Treatments
    • Skin Treatments
    • Save Face
    • CliniCare Collection
  • Contact us
  • Set More - Book Here
  • Hair No More
  • Reviews & Gallery
  • More
    • Home
    • About us
    • Services
      • Face Treatments
      • Body Treatments
      • Skin Treatments
      • Save Face
      • CliniCare Collection
    • Contact us
    • Set More - Book Here
    • Hair No More
    • Reviews & Gallery

  • Home
  • About us
  • Services
    • Face Treatments
    • Body Treatments
    • Skin Treatments
    • Save Face
    • CliniCare Collection
  • Contact us
  • Set More - Book Here
  • Hair No More
  • Reviews & Gallery

Privacy Policy

  

Introduction


Purpose: explain how we collect, use, store and protect personal data of patients, clients, staff and suppliers in line with the UK GDPR and Data Protection Act 2018.
 

Scope: applies to all personal data processed by Anna’s Aesthetics across all sites and services.

Data Controller
 

Controllers: Anna Cripps & Lisa Beard, Anna’s Aesthetics Limited, 176 Albert Rd, Southsea, Portsmouth, Southsea PO4 0JT, 07912 077283, annapond@annasaesthetic.com
 

ICO Registration Number: ZC062126


Personal Data We Collect
 

· Patient/client identity and contact details (name, DOB, address, phone, email).

· Medical and treatment information (medical history, medications, allergies, consent forms, treatment notes, photos).

· Financial and billing information (card details via payment processor, invoices, insurance).

· Appointment, communication and marketing preferences.

· Staff and supplier personal data as required for employment/contract management.


Special Category (sensitive) Data
 

· Medical and health data are special category data. We process these only where necessary for healthcare provision, with explicit consent or other lawful basis permitted by law.


Purposes and Lawful Bases for Processing
 

· Treatment and healthcare provision - lawful basis: necessary for medical diagnosis, provision of health, and for the performance of a contract.

· Registration, scheduling and communications - lawful basis: contract performance and legitimate interests.

· Billing and insurance claims - lawful basis: contract performance and legal obligation.

· Photographs for clinical records and auditing - lawful basis: explicit consent (for marketing use) and healthcare purposes for clinical records.

· Marketing (email/SMS) - lawful basis: consent; opt-in required and easy opt-out provided.

· Staff management and payroll - lawful basis: legal obligation and contract performance.

· Quality assurance, audit and safety reporting - lawful basis: legitimate interests balanced against individuals’ rights; special-category data processed where necessary for health services.

  

How We Collect Data
 

· Directly from patients during registration, consultation, consent, online booking and communications.

· From referring clinicians, statutory registries, insurers and authorised third parties.

· From booking systems.

· Only minimal data required for the purpose is collected (data minimisation).

· Consent and Explicit Consent

· Consent is sought where required (e.g., marketing, use of identifiable photos for promotional purposes).

· Patients can withdraw consent at any time without affecting care; withdrawal does not make processing prior to withdrawal unlawful.


Data Sharing and Third Parties
 

We share data only where necessary and with appropriate safeguards:

· NHS or other healthcare providers (with consent or where necessary for care).

· Payment processors and insurers (for billing).

· IT and cloud service providers (data processors under contract).

· Regulatory or law enforcement bodies where legally required.

· All processors are contractually required to implement appropriate technical and organisational measures.
 

Data Retention

· Medical records / clinical notes: retained in line with professional guidance 8 years.

· Appointment and administrative records: retained for 7 years.

· Retention periods must be documented and periodically reviewed.
 

Security Measures

· Physical: secure premises, controlled access, locked storage for paper records.

· Technical: encrypted devices and backups, password policies, role-based access, secure email, up-to-date antivirus, firewalls.

· Organisational: staff training, confidentiality agreements, data-sharing contracts, regular audits.


Data Subject Rights
 

Patients and data subjects can:

· Request access to their personal data (Subject Access Request).

· Request rectification of inaccurate data.

· Request erasure where lawful (note: medical records retention obligations may limit this).

· Request restriction of processing.

· Object to processing (including direct marketing).

· Request data portability where applicable.

· Withdraw consent where applicable.

· Complain to the Information Commissioner’s Office (ICO) - www.ico.org.uk


Subject Access Requests (SARs) and Complaints
 

· SAR process: verify identity, respond within 1 month (extendable in complex cases).

· Fees: usually free unless manifestly unfounded or excessive.

· Complaints: internal complaint route: contact Anna Cripps or Lisa Beard / 07912 077283 / annapond@annasaesthetic.com. If unresolved, complain to the ICO.


Data Breach Response
 

· Incidents are logged and investigated. If a breach is likely to result in a risk to individuals’ rights and freedoms, we will notify the ICO within 72 hours and affected individuals where required.

· Breach response includes containment, assessment, remediation and record-keeping.
 

Data Protection Impact Assessments (DPIAs)
 

· DPIAs are completed for high-risk processing (e.g., new systems for health data, large-scale sharing, CCTV expansion).

· Findings inform mitigation and governance.


Staff Responsibilities and Training
 

· All staff must handle personal data lawfully and confidentially.

· Regular GDPR and confidentiality training is mandatory.

· Access is on a need-to-know basis and logged.

· Records and Accountability

· We maintain processing records in accordance with GDPR Article 30.

· Regular audits and reviews of policies, retention schedules and security.


Policy Review
 

This policy is reviewed annually or when required by legislative or operational changes. Next review date: June 2027.

Contact and Further Information

Data Controller: Anna Cripps & Lisa Beard

DPO / Data contact: Anna Pond & Lisa Beard / 07912 077283 / annapond@annasaesthetic.com 

ICO: www.ico.org.uk — telephone: 0303 123 1113.

Copyright © 2026 Anna’s Aesthetics - All Rights Reserved.

Powered by

  • Home
  • About us
  • Face Treatments
  • Body Treatments
  • Skin Treatments
  • Save Face
  • Contact us
  • Privacy Policy

This website uses cookies.

We use cookies to analyse website traffic and optimise your website experience. By accepting our use of cookies, your data will be aggregated with all other user data.

DeclineAccept