Privacy Policy

---

Effective Date: May 29, 2025 

Last Reviewed: May 29, 2025

At Skin and Essence Ltd, we understand that your personal information is important to you. This Privacy Policy explains, in plain language, how we collect, use, and protect your personal details when you visit our website, connect with us on social media, or receive our services in Plymouth.

Think of this as our promise to you: we're committed to keeping your information safe and being completely open about how we handle it. We follow strict UK laws, including the UK General Data Protection Regulation (UK GDPR) and the Privacy and Electronic Communications Regulations (PECR), to make sure your privacy is always respected.

Skin and Essence Ltd is the company that's in charge of your personal information. This means we decide how and why your data is used.

Here's how you can get in touch with us:

• Our Company Name: Skin and Essence Ltd
• Our Plymouth Location: 1 Southern Cl, Plymouth PL2 2BQ
• Give Us a Call: 07542610243
• Send Us an Email: enquiries@skinandessence.co.uk
• Your Privacy Contact: Shane Havers, Managing Director

When you interact with us, we collect different types of personal information. Here's a simple breakdown:

• Who You Are (Identity Data): This includes your full name, title (like Mr., Ms.), your date of birth, and gender.
• How to Contact You (Contact Data): Your home address, if we need to send you products, your email address, and your phone numbers.
• Your Health & Sensitive Details (Special Category Data): This is very private information, but it's essential for us to provide safe and effective treatments. It includes:
  • Your full medical history (past and current health, allergies, previous treatments).
  • Details about your skin type, what you're concerned about, and what you hope to achieve with our treatments.
  • Information about your lifestyle that might affect your skin (like smoking or sun exposure).
  • Records of your consultations and treatment plans.
  • The consent forms you sign for specific treatments.
  • Photos taken before and after your treatment, but only if you specifically agree to these photos being taken and used.
• Payment Information (Financial Data): Details of your payment cards. Don't worry, we use secure payment systems that don't store your full card details on our own systems. We also keep records of your purchases.
• Your Treatments (Service Data): Details about the services you've received, appointment dates, and any aftercare instructions we've given you.
• How You Use Our Website (Usage Data): This tells us how you browse our website – which pages you visit, how long you stay, and how you found your way around.
• Technical Stuff (Technical Data): Information about the device you're using (like your computer or phone), its internet address (IP address), what browser you're using, and where you're located. This helps our website work correctly.
• Your Choices (Marketing & Communications Data): Your preferences for receiving our news and offers, and how you like us to contact you.

We collect your information in a few different ways:

• When You Tell Us Directly: This happens when you fill out forms on our website (like booking an appointment or asking a question), talk to us on the phone, email us, or visit us in person. It also includes the forms you fill out during your consultation.
• Automatically, When You Visit Our Website: Our website uses cookies and similar technologies. These are small files that collect technical and usage data automatically as you browse. For a full explanation of cookies and how you can control them, please see our separate Cookie Policy.
• From Other Places: Sometimes, we might get technical information from companies like Google Analytics that help us understand how people use our website. We might also get contact or financial data from payment or delivery services, or publicly available information (like business directories).

We only use your personal information when we have a valid and legal reason to do so, as required by UK law. Here's a breakdown of why and our legal basis:

• To Sign You Up and Manage Your Account: We use your Identity and Contact Data to set you up as a new client and manage your appointments. Our legal reason is that this is necessary for us to provide the service you've asked for (like booking a treatment).
• To Provide Your Services (Consultations & Treatments): We use your Identity, Contact, Health & Special Category, Financial, and Usage Data. This is mainly so we can perform the contract we have with you (to give you the treatment). For your Health & Special Category Data, the law allows us to use it because it's necessary for us to provide you with healthcare or treatment. We always handle this with the highest level of professional confidentiality. We also use this data because it's in our legitimate business interest to ensure you receive the best and safest possible service.
• To Handle Your Orders and Deliver Products: If you buy products from us, we use your Identity, Contact, and Financial Data because it's necessary to fulfil our contract to sell and deliver those products to you.
• To Manage Payments and Charges: We use your Financial, Identity, and Contact Data to process payments. This is necessary for our contract with you, and also for our legitimate business interest in collecting any outstanding payments.
• To Manage Our Relationship With You: This includes keeping your records updated and understanding how we can improve our services. We use your Identity, Contact, Health & Special Category, Marketing & Communications, and Usage Data. This is necessary for our contract with you, necessary to meet our legal duties (like keeping accurate medical records), and for our legitimate business interests in growing our business and providing excellent service. For your Health & Special Category Data, this falls under providing healthcare or treatment.
• To Send You Important Service Updates: We use your Identity and Contact Data to send you appointment confirmations, reminders, and aftercare instructions. This is necessary for our contract with you and for our legitimate business interest in making sure your treatment runs smoothly and safely.
• To Send You Marketing Messages: We'll only send you news, offers, or promotions if you've given us your clear permission (consent) to do so. You can always change your mind and stop receiving these messages at any time.
• To Improve Our Website and Services: We use Technical and Usage Data (often in a way that doesn't identify you personally) to understand how people use our website and what we can do better. This is part of our legitimate business interest in growing and improving our services.
• To Protect Our Business and Website: We use Technical and Usage Data to keep our systems secure, prevent fraud, and manage our IT services. This is for our legitimate business interests and also necessary to meet our legal obligations.
• To Use Data Analytics to Improve Our Website: We process Technical and Usage Data to analyse how our website is used. This helps us understand what works and what doesn't, allowing us to improve your online experience. This is for our legitimate business interests.

Marketing and Opting Out: We will only send you marketing messages if you have specifically chosen to receive them. If you ever change your mind, you can easily stop receiving these messages by clicking the 'unsubscribe' link in any marketing email, or by contacting us directly.

We promise: Skin and Essence Ltd will never sell, rent, or lease your personal information to other companies for their own use. We only share your information in very specific situations, and only when necessary:

• Our Own Team: We might share your information with other parts of our company (if applicable) that help us with IT or reporting.
• Trusted Helpers (External Third Parties): We work with other companies who help us run our business and provide services to you. These are companies that act strictly on our instructions and must keep your data safe and confidential. Examples include:
  • Companies that host our website, manage our online booking system, or send our emails.
  • Professional advisors like lawyers, accountants, and insurers.
  • Government bodies like HM Revenue & Customs or other regulators, if required by law.
  • Secure payment processing companies that handle your transactions.
  • Google Analytics and Facebook Remarketing: We use these services to understand website usage and show you relevant ads on platforms like Facebook if you've visited our site before. The data shared with them follows their privacy rules. You can opt out of Google Analytics tracking through their browser add-on, and manage Facebook ads through your Facebook settings.
• For Marketing by Other Companies: We will never share your personal data with any other company for their own marketing purposes without your explicit permission.

We make sure all third parties we work with treat your personal information with the same care and security that we do, and they can only use it for the specific purposes we've agreed upon.

We primarily store and process your personal data right here in the United Kingdom.

If, for any reason, your personal data needs to be sent to a country outside the UK or the European Economic Area (EEA) – for example, if one of our service providers uses servers in a different country – we will always ensure that strong safeguards are in place. These safeguards are designed to give your data the same level of protection it has in the UK. This might involve:

• Sending data to countries that the UK government has officially recognised as having adequate data protection laws.
• Using special contracts approved by the UK government (called UK Standard Contractual Clauses) that legally commit the recipient to protect your data to UK standards.

We're serious about keeping your personal data secure. We've put in place a range of strong technical and organisational measures to protect your information from being lost, used without permission, changed, or disclosed. Our security efforts include:

• Physical Security: Any paper records are stored securely at our Plymouth clinic, with restricted access.
• Digital Security: We use secure networks, firewalls, encryption for data when it's being sent or stored, and multi-factor authentication for systems holding sensitive information.
• Access Controls: Only our employees, trusted agents, and contractors who genuinely need to access your personal data for their work are allowed to do so. They are trained on confidentiality and must follow our strict instructions.
• Staff Training: All our team members receive regular, mandatory training on data protection and confidentiality to ensure they understand their responsibilities.
• Incident Response: We have clear plans in place for what to do if there's ever a suspected data breach. If a breach happens, we'll quickly notify you and any relevant authorities if we're legally required to.

While we take every reasonable step to protect your information, no system is entirely risk-free. We want you to understand that while we do our utmost, absolute security of data transmitted over the internet or stored electronically can never be 100% guaranteed.

We only keep your personal data for as long as it's necessary to fulfil the reasons we collected it for, including meeting any legal, accounting, or reporting requirements.

To figure out how long to keep your data, we look at factors like: how much data we have, how sensitive it is, the risk if it's misused, why we're using it, and any legal requirements.

• Your Clinical Records (Health & Special Category Data): We keep these records according to professional guidelines for healthcare in the UK. This usually means a minimum of 8 years after your last treatment. If you were a minor when you had treatment, we'll keep your records until you reach 25 years old, whichever period is longer.
• Marketing Information: If you've agreed to receive marketing messages, we'll keep your contact details until you tell us you no longer want them, or you unsubscribe. We'll then remove your details promptly.
• Financial Records: We're legally required to keep financial records for 6 years plus the current financial year for tax purposes.
• Other Information: Other types of personal data will be held for a period that's appropriate for our business needs and to meet legal obligations.
• 
  

Under UK data protection law, you have important rights regarding your personal data. You won't have to pay a fee to exercise any of these rights. We might ask for some specific information from you to confirm who you are, just to make sure we're giving information to the right person.

Here are your rights:

• The Right to Be Informed: You have the right to know how your data is being used, which is what this Privacy Policy aims to do.
• The Right to Access: You can ask for a copy of the personal data we hold about you. This is called a Subject Access Request (SAR).
• The Right to Rectification: If you believe any information we hold about you is wrong or incomplete, you can ask us to correct it.
• The Right to Erasure (The 'Right to Be Forgotten'): In certain situations, you can ask us to delete your personal data. Keep in mind that this right isn't absolute, especially when we have legal obligations to keep health records.
• The Right to Restrict Processing: You can ask us to limit how we use your personal data in certain circumstances, for example, if you're disputing its accuracy.
• The Right to Data Portability: You can ask to receive your personal data in a structured, commonly used, and machine-readable format, and you can transfer this data to another service provider. This applies when our processing is based on consent or a contract and done automatically.
• The Right to Object: You can object to us processing your personal data if we're relying on a 'legitimate interest' as our legal basis, or if it's for direct marketing.
• Rights Related to Automated Decision-Making and Profiling: You have the right not to be subject to a decision made solely by automated means that significantly affects you. Skin and Essence Ltd does not currently use automated decision-making or profiling that has significant effects on our clients.

If you'd like to exercise any of these rights, please contact our Data Protection Point of Contact, Shane Havers, Managing Director, using the details in Section 1. We aim to respond to all legitimate requests within one month. If your request is very complex or you've made several requests, it might take us longer, but we'll always let you know and keep you updated.

Our website might contain links to other websites that we think might be of interest to you. Please remember that once you click on these links and leave our site, we have no control over that other website. This Privacy Policy only applies to our website, so we can't be responsible for how other websites handle your privacy. We recommend you always check the privacy policy of any new website you visit.

We regularly review our Privacy Policy to make sure it's always accurate, clear, and up-to-date with legal requirements. If we make any changes, we'll post the updated version on this page and change the "Effective Date" and "Last Reviewed" dates at the top. We recommend checking this page from time to time to stay informed.

If you have any concerns or complaints about how we handle your personal data, please get in touch with our Data Protection Point of Contact, Shane Havers, Managing Director, first. We're committed to doing our best to resolve any issue for you.

You also have the right to complain to the Information Commissioner's Office (ICO), which is the UK's independent authority for data protection issues:

• Information Commissioner's Office (ICO)
• Website: https://ico.uk/
• Helpline: 0303 123 1113