Privacy Policy — Oximis Aesthetic LTD
Data Controller: Oximis Aesthetic LTD
Registered Address: 93 Thornton Road, Carshalton, England, SM5 1NN
Email: lanakornijcuka@gmail.com
Phone: 07743 750 230
Website: oximisaesthetic.co.uk

Oximis Aesthetic LTD ("Company", "we", "our", "us") is the Data Controller responsible for your personal data under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We are committed to protecting your privacy and ensuring that your personal data is handled securely and lawfully.

01

Information We Collect

1.1   Contact Information

Name, phone number, email address, and address provided when booking appointments or contacting us.

1.2   Appointment & Service Information

Details of treatments booked and provided, appointment history, and clinical notes relating to your care.

1.3   Health Information (Special Category Data)

Relevant medical history, allergies, medications, pregnancy or breastfeeding status, autoimmune conditions, and other health information necessary to assess suitability and safely deliver aesthetic treatments. This is classified as special category data under Article 9 UK GDPR and is processed only with your explicit consent.

1.4   Payment Information

Payments are processed securely via third-party providers. We do not store full card details on our systems.

1.5   Technical & Usage Data

IP address, browser type, device type, and website interaction data collected through cookies and analytics tools when you visit our website. Please refer to our Cookie Policy for further detail.

1.6   Clinical Photographs

Clinical photographs may be taken before and after treatment for the purpose of medical documentation and treatment monitoring. Photographs are stored securely as part of your clinical record. They will not be used for marketing without your separate explicit written consent.

02

Lawful Basis for Processing

We process your personal data under the following legal bases:

  • Contractual necessity — to provide the services you have booked and manage your appointments
  • Legal obligation — to comply with medical, insurance, and regulatory requirements under applicable UK law
  • Legitimate interests — to improve our services, manage our business operations, and maintain accurate records, where these interests are not overridden by your rights
  • Explicit consent — for the processing of health data (special category data) and for sending marketing communications

Special Category Data: Health information is processed strictly in accordance with Article 9(2)(a) UK GDPR (explicit consent). You may withdraw this consent at any time; however, withdrawal may affect our ability to provide certain treatments safely.

03

How We Use Your Information

We use your personal data to:

  • Assess treatment suitability and ensure your safety
  • Provide aesthetic and wellness services
  • Manage and confirm appointments
  • Process payments
  • Communicate with you regarding your bookings and care
  • Maintain accurate clinical records as required by professional and regulatory standards
  • Comply with legal, insurance, and regulatory obligations
  • Send marketing communications — only where you have provided explicit consent, and only for as long as that consent remains active

We will not use your personal data for any purpose incompatible with the purposes listed above without first obtaining your consent.

04

Sharing of Data

We do not sell, rent, or trade your personal data. We may share your data only in the following limited circumstances:

  • Booking & scheduling platforms — we use Acuity Scheduling to manage appointments; your data is stored on their secure servers as our data processor under a data processing agreement
  • Payment processors — secure third-party providers who process transactions on our behalf
  • Website & hosting providers — for the operation and maintenance of our website
  • Professional advisers — including insurers, legal advisers, or accountants, where necessary
  • Regulatory authorities — where we are legally required to disclose information

All third parties acting as data processors are required to process your data solely in accordance with our instructions and in compliance with UK data protection law. We do not transfer your personal data outside the UK or European Economic Area without appropriate safeguards in place.

05

Data Retention

We retain your personal data only for as long as is necessary for the purposes for which it was collected, or as required by law.

Data Type: Retention Period

  • Clinical & medical records: Minimum 10 years from the date of last treatment, in accordance with medical record-keeping standards
  • Clinical photographs: Minimum 10 years from the date of treatment
  • Appointment & booking records: 7 years from the date of appointment
  • Payment records: 7 years, in accordance with HMRC requirements
  • Marketing consent records: Until consent is withdrawn, plus 3 years
  • Website usage data: As set out in our Cookie Policy

Upon expiry of the applicable retention period, data will be securely deleted or irreversibly anonymised.

06

Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction, or alteration. These measures include:

  • Secure, password-protected systems with restricted access
  • Encrypted data storage and transmission where applicable
  • Use of reputable third-party platforms with their own security certifications
  • Regular review of our data handling practices

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of it, and will inform you where required by law.

07

Your Rights

Under UK GDPR, you have the following rights in relation to your personal data:

  • Right of Access: Request a copy of the personal data we hold about you.
  • Right to Rectification: Request correction of inaccurate or incomplete data.
  • Right to Erasure: Request deletion of your data, subject to legal obligations that require us to retain it.
  • Right to Restrict Processing: Request that we limit how we use your data in certain circumstances.
  • Right to Data Portability: Request your data in a structured, machine-readable format.
  • Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent.
  • Right to Object: Object to processing based on legitimate interests, including direct marketing.
  • Right to Complain: Lodge a complaint with the ICO if you believe your data has been mishandled.

To exercise any of the above rights, please contact us at lanakornijcuka@gmail.com. We will respond within one month of receiving your request. There is no charge for exercising your rights in most circumstances.

Information Commissioner's Office: You have the right to lodge a complaint with the ICO at any time. Visit ico.org.uk or call 0303 123 1113. We would, however, appreciate the opportunity to address your concerns directly before you approach the ICO.

08

Children

Our services are strictly for individuals aged 18 and over. We do not knowingly collect personal data from anyone under the age of 18. If you believe a minor has provided us with personal data, please contact us immediately and we will take steps to delete it.

09

Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technology, or legal requirements. The most current version will always be published on this page, with the "Last updated" date revised accordingly.

Where changes are material, we will make reasonable efforts to notify you directly — for example, by email or a notice on our website — prior to the changes taking effect.

10

Contact Details

For any questions, concerns, or requests relating to this Privacy Policy or how we handle your data, please contact us:

Company: Oximis Aesthetic LTD
Address: 93 Thornton Road, Carshalton, England, SM5 1NN
Email: lanakornijcuka@gmail.com
Phone: 07743 750 230
Website: oximisaesthetic.co.uk

Oximis Aesthetic LTD

Privacy Policy  ·  Last updated 22 February 2026

Processed in accordance with UK GDPR & the Data Protection Act 2018
