Your trust is the foundation of every Derma Sense consultation. This Privacy Policy explains, in clear language, what personal information we collect, why we collect it, how we keep it safe, and what rights you have under the United Kingdom General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).
Summary: At a glance
Plain English summary. We only collect what we need to deliver safe, lawful aesthetic treatment and to run our clinic. We treat your medical history and clinical photographs as special category data, with extra care. We never sell your data. We never share it for advertising without your consent. You can ask for a copy, a correction, or deletion at any time by emailing privacy@dermasense.co.uk.
- We are the data controller for your information.
- We process health data under Article 9(2)(h) UK GDPR (provision of treatment by a health professional).
- We retain adult treatment records for a minimum of 8 years from your last visit, in line with insurance and professional guidance.
- You can withdraw marketing consent at any time using the unsubscribe link in any email or by writing to us.
- You have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk.
01 Who we are
Derma Sense (the Clinic, "we", "us", or "our") is the data controller responsible for your personal information. Our trading and registered correspondence address is:
Derma Sense
15 Station Parade, Cockfosters, EN4 0DL, London, United Kingdom
Telephone: 07450 008852
Email: customerservice@dermasense.co.uk
Privacy enquiries: privacy@dermasense.co.uk
The Clinic is registered with the Information Commissioner's Office (ICO) as a data controller. We will publish our ICO registration number on this page as soon as it has been issued.
02 What data we collect
We collect only the information we need to run a safe and compliant aesthetic clinic. The categories below describe the data we may hold about you.
| Category | Examples |
|---|---|
| Identification & contact | Full name, date of birth, postal address, email address, mobile number, emergency contact details, photographic ID where age verification is required. |
| Special category: health | Medical history, current and recent medications, allergies, prior aesthetic and surgical history, pregnancy / breastfeeding status, contraindications, consent forms, treatment notes, aftercare adherence. |
| Clinical photography | Before, during, and after images required for the clinical record (mandatory), and (optionally, with your express consent) for training and marketing use. |
| Financial | Deposit and payment records. Card details are processed by our PCI DSS compliant payment providers (Stripe, Square, or the in-clinic terminal); we do not store full card numbers. |
| Booking & operations | Appointment history, cancellations, no-shows, communications and SMS/WhatsApp threads with the clinic, complaint or incident records. |
| Marketing preferences | Your consent choices for email, SMS, WhatsApp, phone, and image use, with timestamps and version of the consent text shown. |
| Technical & analytics | IP address, browser type, device, referrer, pages viewed, basic event data (button clicks, form submissions). See section 11 for the cookies we set. |
03 Lawful bases (UK GDPR)
We rely on different lawful bases for different categories of personal data. Where we process special category (health) data, we apply both a lawful basis under Article 6 and a condition under Article 9.
- Contract (Article 6(1)(b)): To deliver the consultation, treatment, follow-up, and related services you have booked.
- Legitimate interests (Article 6(1)(f)): For clinical record keeping, clinical audit, complaint handling, fraud prevention, IT security, and protecting the Clinic's legal interests. We balance these interests against your rights and freedoms.
- Legal obligation (Article 6(1)(c)): To meet our duties under tax law (HMRC), accounting law, insurance requirements, health and safety law, and professional regulation.
- Consent (Article 6(1)(a)): For marketing communications, marketing use of photographs, non-essential cookies, and any treatment that is not covered by our general clinical record duties.
- Article 9(2)(h): For the provision of health or social care, treatment, or medical diagnosis by, or under the responsibility of, a health professional. This is our primary basis for processing health data.
- Article 9(2)(a): Your explicit consent, for example to share images for marketing or to disclose information to your GP outside of an emergency.
- Vital interests (Article 6(1)(d) & Article 9(2)(c)): In a medical emergency, where you are unable to give consent and disclosure is necessary to protect your life or someone else's.
04 How we use your data
- To confirm bookings, send appointment reminders, and manage your visits.
- To assess suitability for treatment, perform consultations, and deliver the procedure safely.
- To maintain accurate treatment records as required by professional, insurance, and regulatory bodies.
- To take and store the clinical photographs required for your treatment record.
- To process payments and issue receipts.
- To respond to questions, manage complaints, and improve our services.
- To send transactional messages (booking confirmations, aftercare instructions, follow-up safety checks).
- To send marketing communications, but only where you have given consent.
- To meet our legal, tax, and regulatory obligations.
- To defend the Clinic in the event of a complaint, claim, or insurance investigation.
05 Your health data
Aesthetic medicine routinely involves special category data under UK GDPR. We process this data only where it is necessary for the provision of treatment, and only under the strict duty of confidentiality that applies to health professionals.
- Your medical history is collected at consultation and updated at each visit.
- It is reviewed by a qualified Practitioner and, where prescription-only medicines are involved, by the Prescriber.
- It is stored in a secure, access-controlled clinical record.
- We do not share your health data with marketing partners.
- We share it with your GP or another clinician only with your consent, or in an emergency under our vital interests duty.
06 Clinical photography
Clinical photography is part of safe practice in aesthetic medicine. It allows us to monitor outcomes, plan follow-up sessions, evidence aftercare, and respond to complaints.
Mandatory clinical record use
Before, during, and after photographs taken as part of your clinical record cannot be opted out of. These images are stored confidentially with your treatment notes and used only for clinical purposes (Article 9(2)(h)).
Optional marketing use
Use of your images on our website, social media, or printed materials is entirely optional. You decide at the point of treatment and you can withdraw consent at any time. To withdraw, email privacy@dermasense.co.uk stating which images and channels you would like removed.
We will use reasonable efforts to remove images from channels we control. We cannot guarantee removal from third party reposts, screenshots, archived caches, or printed materials already in circulation.
07 Who we share data with
| Recipient | Purpose |
|---|---|
| Your GP or other clinician | Only with your consent, or in a medical emergency. |
| The Prescriber | For prescription-only medicines such as Botulinum Toxin, in line with MHRA and GPhC rules. |
| Our professional indemnity insurer | To assess and manage incidents or claims. |
| Regulators | Save Face, JCCP, CQC, GMC, GDC, NMC, GPhC, ICO, Local Authority Environmental Health, where required. |
| Payment processors (Stripe, Square, terminal acquirer) | To process card payments under PCI DSS. |
| Booking & calendar platforms (Treatwell) | To manage appointment availability and booking history. |
| IT processors (hosting, email, CRM, SMS gateway, secure backup) | To run our infrastructure. All bound by written contracts. |
| Professional advisors (accountants, lawyers) | For tax, legal, and regulatory advice, only where strictly necessary. |
| Law enforcement | Where required by law (court order, statutory request). |
We do not sell your personal data and we do not allow our processors to use it for their own marketing purposes.
08 International transfers
Most of our processing happens in the UK and the European Economic Area (EEA). Where any processor is located outside the UK, we use appropriate safeguards, including:
- The UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses;
- Transfer Risk Assessments where required;
- Transfers to jurisdictions subject to a UK adequacy decision.
09 Retention periods
| Record type | Retention |
|---|---|
| Adult treatment records | Minimum 8 years from the date of the last treatment (professional and insurance guidance). |
| Minors | Until the client reaches age 25 (or 26 if the last entry was made at age 17). |
| Clinical photographs (record use) | Same retention as treatment records. |
| Clinical photographs (marketing use) | Until consent is withdrawn. |
| Marketing data | Until consent is withdrawn or after a reasonable period of inactivity (typically 36 months). |
| Financial records | At least 6 years to meet HMRC requirements. |
| CCTV (if installed) | 30 days, unless retained for an active incident. |
| Website analytics | 26 months (Google Analytics 4 default). |
10 Marketing communications
We send marketing emails, SMS and WhatsApp messages, and (rarely) phone calls only where you have given consent. You can unsubscribe at any time by:
- Clicking the unsubscribe link in any marketing email;
- Replying STOP to a marketing SMS;
- Replying STOP or muting our WhatsApp number;
- Emailing privacy@dermasense.co.uk;
- Telling us in person at your next appointment.
Withdrawing marketing consent does not affect transactional messages (booking confirmations, aftercare instructions, follow-up safety checks), which we are required to send.
11 Cookies & tracking
Our website uses cookies and similar technologies. We set essential cookies without consent (because they are needed for the site to work) and we ask for consent before setting analytics and advertising cookies. Full details are in our Cookie Policy.
- Essential: session, cart, checkout, security, fraud prevention.
- Analytics: Google Analytics 4 (GA4) to measure site usage.
- Advertising: Meta Pixel, Google Ads conversion tag, and similar pixels used to measure ad performance and to show relevant content. You can manage these in your browser, in your device settings, and via Your Online Choices.
12 Your rights
Subject to applicable exemptions under the UK GDPR and DPA 2018, you have the following rights in respect of your personal data:
- Right of access: You can ask for a copy of the personal data we hold about you (a Subject Access Request, "SAR").
- Right to rectification: You can ask us to correct inaccurate or incomplete data.
- Right to erasure: You can ask us to delete your data where we no longer have a lawful basis to keep it. This right is limited where we are required to retain treatment records under professional or insurance guidance.
- Right to restrict processing: You can ask us to pause certain uses of your data while a query or complaint is being investigated.
- Right to data portability: For data we process under contract or consent, you can ask for a machine-readable copy.
- Right to object: You can object to processing carried out under our legitimate interests, including direct marketing.
- Rights relating to automated decision making: We do not use solely automated decision making that produces legal effects on you.
- Right to withdraw consent: Where we rely on consent, you can withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
To exercise any of these rights, please email privacy@dermasense.co.uk. We will normally respond within one calendar month. We may ask you to verify your identity before we release records that contain special category data.
13 Security
We take the security of your data seriously. Our measures include:
- Encrypted storage of clinical records and backups;
- Role-based access controls and unique logins for clinic staff;
- Strong password and multi-factor authentication policies on systems that hold personal data;
- Secure disposal of paper records (cross-cut shredding) and digital records (secure wipe);
- Written processor agreements with all third party providers;
- Regular review of our security posture and supplier contracts.
If a personal data breach is likely to result in a high risk to your rights and freedoms, we will notify you and the ICO without undue delay.
14 Children
We do not provide Botulinum Toxin or dermal / cosmetic filler treatments to anyone under 18 for cosmetic purposes (Botulinum Toxin and Cosmetic Fillers (Children) Act 2021). We do not knowingly process personal data of children for marketing.
15 Changes to this notice
We may update this Privacy Policy from time to time. The version in force is shown at the top of this page. Material changes will be communicated by email (if we have one for you) and through a banner on the website before they take effect.
16 Contact & complaints
For any privacy-related question, please contact:
Derma Sense - Data Protection
15 Station Parade, Cockfosters, EN4 0DL, London, United Kingdom
Email: privacy@dermasense.co.uk
Phone: 07450 008852
We would like the chance to resolve any concerns first. If you remain unhappy, you have the right to complain to the Information Commissioner's Office (ICO):
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Helpline: 0303 123 1113
Website: ico.org.uk
17 Treatment consent record
For every aesthetic treatment, we ask you to sign a treatment specific informed consent and disclaimer document. That document forms part of your clinical record and is referred to in our Disclaimer and Terms and Conditions.
The full consent and disclaimer document is available for you to read at the clinic and to download here:
- Client Consent & Disclaimer (PDF, 950 KB)
- Academy Course Fact Sheet (PDF, 1.0 MB)