Privacy Policy

Last updated: 22 January 2025 | Effective date: 1 February 2025

1. Introduction

Aestheticc ("we", "our", or "us") is committed to protecting the privacy and security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our software-as-a-service platform designed for UK aesthetic clinics.

This policy applies to all users of our services, including aesthetic clinic professionals and their patients whose data is processed through our platform. We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

By using our services, you acknowledge that you have read and understood this Privacy Policy.

2. Data Controller Information

Aestheticc Limited

Company Registration Number: [To be provided]

Registered Office: [To be provided]

ICO Registration Number: [To be provided]

For UK aesthetic clinics using our platform: you act as the data controller for your patients' personal data, and we act as your data processor. We process that data only on your documented instructions, in accordance with our Data Processing Agreement.

3. Types of Data We Collect

3.1 Clinic Account Information

  • Business name and registration details
  • Contact information (email, phone, address)
  • Billing and payment information
  • Professional credentials and certifications
  • Staff user accounts and permissions

3.2 Patient Data (processed on behalf of clinics)

  • Personal details (name, date of birth, contact information)
  • Medical history and treatment records
  • Consent forms and signatures
  • Before/after treatment photographs
  • Appointment history and scheduling data
  • Communication preferences and history

3.3 Technical Data

  • IP addresses and device information
  • Browser type and version
  • Operating system
  • Login data and access logs
  • Usage data and analytics

4. Special Category Data

We process special category personal data (health data) relating to patients on behalf of aesthetic clinics. This includes:

  • Medical conditions and allergies
  • Treatment history and outcomes
  • Aesthetic treatment preferences
  • Photographic records of treatments

5. How We Use Your Data

5.1 Service Provision

  • Operating and maintaining the Aestheticc platform
  • Processing appointments and bookings
  • Facilitating patient management and CRM functions
  • Generating treatment documentation and consent forms
  • Enabling communication between clinics and patients
  • Processing payments and managing subscriptions

5.2 Platform Improvement

  • Analyzing usage patterns to improve features
  • Conducting research and development
  • Testing new features and updates
  • Providing customer support and training

5.3 Security and Compliance

  • Monitoring for security threats and vulnerabilities
  • Preventing fraud and unauthorized access
  • Maintaining audit logs for compliance
  • Backing up data for disaster recovery

6. Data Sharing and Third Parties

We do not sell personal data. We share data only in the following circumstances:

6.1 Service Providers

We work with trusted third-party service providers who process data on our behalf:

  • Amazon Web Services (AWS) - Cloud hosting and data storage
  • Google OAuth - Authentication services
  • Stripe/LemonSqueezy - Payment processing
  • Twilio - SMS communications
  • OpenAI - AI-powered content generation (no patient data shared)

6.2 Legal Requirements

We may disclose data when required by law, including:

  • Responding to court orders or legal processes
  • Cooperating with regulatory authorities (e.g., ICO, CQC)
  • Protecting our legal rights and interests

6.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the acquiring entity, subject to the same privacy protections.

7. International Data Transfers

Some of our service providers operate outside the UK. When we transfer data internationally, we ensure appropriate safeguards:

  • The UK's adequacy regulations, which cover transfers to the EEA
  • The ICO's International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses, for other international transfers
  • Supplementary technical and contractual measures (including encryption of data in transit and at rest) for transfers to the United States

AWS servers used for data storage are located in the EU (Ireland region). Transfers to the EEA are covered by the UK's adequacy regulations, which minimises our reliance on other transfer mechanisms.

8. Data Retention

We retain personal data for as long as necessary to fulfil the purposes outlined in this policy:

8.1 Active Accounts

  • Clinic account data: Duration of subscription plus 30 days
  • Patient records: As directed by the clinic, which sets the retention period as data controller (typically 7-10 years for medical records)
  • Transaction records: 6 years for tax compliance

8.2 Inactive Accounts

  • Inactive clinic accounts: Anonymized after 2 years
  • Backup data: Retained for 90 days after deletion
  • Audit logs: Retained for 1 year

8.3 Data Deletion

Upon account termination or data deletion request:

  • Active data deleted within 30 days
  • Backup data purged within 90 days
  • Anonymized data may be retained for analytics

9. Your Rights

Under UK GDPR, you have the following rights regarding your personal data:

9.1 Access Right

You can request a copy of the personal data we hold about you, including:

  • What data we process
  • Why we process it
  • Who we share it with
  • How long we keep it

9.2 Rectification Right

You can request correction of inaccurate or incomplete personal data.

9.3 Erasure Right ("Right to be Forgotten")

You can request deletion of your personal data in certain circumstances, including:

  • The data is no longer necessary
  • You withdraw consent (where applicable)
  • You object to processing
  • The data was unlawfully processed

9.4 Restriction Right

You can request that we restrict processing of your data while disputes are resolved.

9.5 Portability Right

You can request your data in a structured, machine-readable format for transfer to another service.

9.6 Objection Right

You can object to processing based on legitimate interests or for direct marketing purposes.

9.7 Automated Decision Rights

You have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal effects concerning you or similarly significantly affect you.

9.8 How to Exercise Your Rights

To exercise any of these rights, please contact us using the details in Section 14. We will respond within one month of receiving your request; where a request is complex or we receive several, we may extend this by up to two further months, in which case we will tell you why.

9.9 Complaints

If you're not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Website: ico.org.uk

Phone: 0303 123 1113

Live chat: Available on ICO website

10. Security Measures

We implement appropriate technical and organizational measures to protect personal data:

10.1 Technical Measures

  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • Secure authentication with multi-factor authentication (MFA) options
  • Regular security audits and penetration testing
  • Web Application Firewall (WAF) protection
  • Regular software updates and patch management
  • Secure backup procedures with encrypted storage

10.2 Organizational Measures

  • Staff training on data protection and security
  • Access controls based on least privilege principle
  • Data protection impact assessments (DPIAs)
  • Incident response procedures
  • Regular review of security policies
  • Confidentiality agreements with all staff

10.3 Data Breach Procedures

In the event of a personal data breach, we will:

  • Notify the affected clinics, as data controllers, without undue delay so that they can meet their own notification obligations
  • Report the breach to the ICO within 72 hours of becoming aware of it, unless it is unlikely to result in a risk to individuals' rights and freedoms
  • Notify affected individuals without undue delay where the breach is likely to result in a high risk to them
  • Investigate, contain and remediate the cause
  • Document the breach, its effects and the actions taken

11. Cookies and Tracking

We use cookies and similar technologies to enhance your experience:

11.1 Essential Cookies

Required for platform functionality:

  • Session management and authentication
  • Security tokens
  • Load balancing
  • User preferences

11.2 Analytics Cookies

Help us understand platform usage:

  • Google Analytics (anonymized)
  • Performance monitoring
  • Error tracking

11.3 Managing Cookies

You can control cookies through your browser settings. Note that disabling essential cookies may impact platform functionality.

For more details, see our separate Cookie Policy.

12. Children's Privacy

Our services are not directed at individuals under 18 years of age. Aesthetic clinics using our platform are responsible for ensuring appropriate consent when treating minors, in accordance with UK medical guidelines and regulations.

13. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will notify you of significant changes by:

  • Email notification to registered users
  • Prominent notice on our platform
  • Updating the "Last updated" date

Continued use of our services after changes indicates acceptance of the updated policy.

14. Contact Information

For privacy-related questions, requests, or complaints, please contact our Data Protection Officer:

Data Protection Officer, Aestheticc Limited

Email: privacy@aestheti.cc or dpo@aestheti.cc

Postal Address:
Aestheticc Limited
[Address to be provided]
United Kingdom

Phone: [To be provided]

We aim to respond to all privacy requests within one month.

Note for Patients: If you are a patient of a clinic using Aestheticc, please contact your clinic directly for questions about your personal data. They are the data controller for your information.
