"Aesthetics by Fran" (referred to as "we," "us," or "our") is committed to protecting your privacy and ensuring the security of your personal information in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This privacy policy explains how we collect, use, and protect your personal data when you use our services, including consultations and skin injectable treatments.
"Aesthetics by Fran" is the data controller responsible for your personal data.
We may collect the following types of personal data:
Identity Data: your name, date of birth, gender.
Contact Data: your address, email address, phone number.
Health Data: Information about your health, medical conditions, medications, allergies, and previous aesthetic treatments. This is considered "special category data" under the UK GDPR and requires specific protection.
Treatment Data: details about the skin treatments you receive, including the products used, dosage, and treatment areas.
Visual Data: photographs and videos taken before, during, and after treatments for treatment records and review of outcomes. This is also considered "special category data."
Financial Data: payment details for booking and treatment purposes.
Communication Data: records of our communication with you, including emails, messages, and notes from consultations.
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
For the performance of our contract with you: this includes providing consultations and administering skin treatments.
For compliance with a legal obligation: this may include record-keeping requirements.
For our legitimate interests (or those of a third party), provided your interests and fundamental rights do not override those interests: our legitimate interests include maintaining business records, ensuring the quality of our services, and marketing (where we have your consent or a legitimate interest in direct marketing).
Where you have given consent: specifically for processing your health data and visual data for treatment purposes and potentially for marketing. You have the right to withdraw your consent at any time (see section 9).
Specific purposes for processing your data include:
To assess your suitability for treatment during consultations (Contract, Legitimate Interests).
To administer skin treatments (Contract, Consent - for Health Data and Visual Data).
To maintain accurate medical records (Legal Obligation, Legitimate Interests).
To process payments and manage bookings (Contract).
To communicate with you about appointments, treatments, and aftercare (Contract, Legitimate Interests).
To send you marketing communications about our services (Consent, Legitimate Interests - where applicable).
To comply with legal and regulatory requirements (Legal Obligation).
To use pre- and post-treatment photography for treatment records and review of treatment outcomes (Consent - for Visual Data, Legitimate Interests).
The UK GDPR gives extra protection to "special category data," which includes data concerning health. We will only process your health data and visual data with your explicit consent, or where another legal basis applies (e.g., for the provision of healthcare under the responsibility of a healthcare professional).
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorised way, altered, or disclosed. These measures include:
Secure storage of electronic and paper-based medical records.
Encryption of personal data where appropriate.
Access controls to limit who can access your personal data.
Training on data protection.
Secure disposal of personal data when it is no longer needed.
We have procedures to deal with any suspected personal data breach and will notify you and the Information Commissioner's Office (ICO) where we are legally required to do so.
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
Specifically, we will retain medical records for the period required by UK healthcare regulations (typically several years after your last treatment). Pre- and post-treatment photographs will be retained for the duration of your treatment history with us and potentially longer for legitimate business purposes (e.g., training, anonymised case studies) with appropriate safeguards.
We may need to share your personal data with the following categories of recipients:
Healthcare professionals directly involved in your treatment (with your explicit consent).
Payment processors to facilitate transactions.
Our professional advisors, such as lawyers and accountants.
The Information Commissioner's Office (ICO) if required to do so for regulatory purposes.
Law enforcement agencies or other regulatory bodies if required by law.
We will not sell your personal data to third parties.
Under the UK GDPR, you have several rights in relation to your personal data:
The right to be informed: About how we collect and use your personal data (this privacy policy).
The right of access: To request a copy of the personal data we hold about you.
The right to rectification: To ask us to correct any inaccurate or incomplete personal data.
The right to erasure ('the right to be forgotten'): To ask us to delete or remove your personal data where there is no good reason for us to continue to process it.
The right to restrict processing: To ask us to suspend the processing of your personal data, for example, if you want us to establish its accuracy.
The right to data portability: To request the transfer of your personal data to another party in a commonly used and machine-readable format.
The right to object: To object to the processing of your personal data in certain circumstances, including for direct marketing purposes.
Rights in relation to automated decision making and profiling: We do not currently use automated decision-making or profiling that significantly affects you.
The right to withdraw consent: Where we are relying on your consent to process your personal data, you have the right to withdraw this consent at any time. To withdraw your consent, please contact us using the details provided above.
You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues. We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.
We may update this privacy policy from time to time to reflect changes in our practices or legal requirements. Any changes will be posted on our website. The date of the last update will be clearly displayed with the policy.
Last Updated: 07/03/2026