Privacy Policy
Treeline Aesthetics Privacy Policy
Last updated: [Date]
Effective from: [Date]
This Privacy Policy describes how Treeline Aesthetics (“we”, “us”, “our”) collects, uses, stores, shares, and protects your personal data when you use our services, website, or otherwise interact with us. We are committed to handling your information with care, transparency, and integrity.
1. Who We Are & Our Data Responsibility
We operate under the regulatory environment of facial aesthetic clinics, in which we must comply with UK GDPR, the Data Protection Act 2018, and professional obligations, such as those from the General Dental Council (for clinicians) and applicable medical / aesthetic guidelines.
We act as the data controller for your personal information: that means we decide how and why your data is processed.
We have appointed a Data Protection Officer (DPO), or a designated data protection lead, who oversees compliance and is your point of contact for privacy matters.
2. What Personal Data We Collect
We may collect and process personal data across several categories:
| Category | Examples of Data | Purpose / Use |
|---|---|---|
| Identity & Contact Information | Name, date of birth, address, email, phone number | To communicate with you, schedule appointments, coordinate care |
| Health & Medical Information (Sensitive / Special Category) | Medical history, medications, allergies, previous aesthetic treatments, skin type | To assess suitability, plan safe treatments, aftercare, audits |
| Treatment / Clinical Records | Treatment details, photos, consent forms, notes | To provide care, monitor outcomes, legal & clinical record-keeping |
| Financial & Payment Data | Invoicing, payment method, billing history | To charge for services, manage refunds, accounting |
| Technical & Usage Data | IP address, cookies, device/browser info, analytics | Website performance, improving user experience, security |
| Communications & Preferences | Marketing consent, correspondence history | To send newsletters, updates (if consented), respond to queries |
We only collect data that is necessary and relevant, and we limit what we hold to what is essential for our operations (data minimisation principle).
3. Legal Bases for Processing
Under UK GDPR, we must have lawful bases to process your data. These include:
- Consent — for certain communications, marketing, sharing photos/testimonials, etc.
- Contract / Performance of Service — to provide the treatments and services you request.
- Legal Obligation — to comply with regulatory or legal requirements (e.g. record retention, audit).
- Legitimate Interest — for internal business operations, security, quality assurance, or fraud prevention, balanced against your rights.
For special category data (health / medical information), our lawful bases include:
- Explicit consent, or
- Provision of health care / treatment, or
- Public interest / medical diagnosis / healthcare management, as permitted by UK law.
4. How We Use & Share Your Data
How we use it
- To assess your suitability for treatments, plan safe protocols, and deliver care
- To send appointment reminders, follow-up communications, aftercare instructions
- To manage billing, insurance claims, accounting
- To store and maintain clinical records
- To analyse data for audit, quality improvement, training
- To send you marketing or promotional materials (only where you have given explicit consent)
With whom we may share it
We may share your data with third parties on a need-to-know basis, with appropriate safeguards:
- Other healthcare professionals, if required for your treatment
- Laboratory, diagnostics or imaging services
- Regulatory bodies (e.g. GDC, local health authorities) when legally required
- IT / software service providers (appointment systems, CRM, cloud storage)
- Legal advisors, auditors, or insurers
- With your explicit consent: when publishing photos, testimonials, or marketing materials
We will not sell your data or share it for unrelated third-party marketing without your consent.
5. Data Storage & Security
- All digital records are stored on encrypted, access-controlled systems.
- Paper or physical records are locked in secure filing systems.
- Access is limited to authorised personnel only, governed by role-based permissions.
- Regular backups, security audits, and penetration testing are performed.
- We follow practices of pseudonymisation or anonymisation when possible.
- In the event of a data breach, we will respond quickly, assess impact, and notify the Information Commissioner’s Office (ICO) within 72 hours if required, as well as inform affected individuals if there is a high risk to their rights and freedoms.
6. Data Retention
We retain your personal and clinical records only for as long as needed and in accordance with legal, regulatory, and professional guidelines. For aesthetic and medical clinics, this often means keeping records for a minimum time (e.g. 8–11 years) after the last treatment.
When data is no longer needed, we securely anonymise or delete it.
7. Your Rights & How to Exercise Them
Under UK GDPR, you have these rights in relation to your personal data:
- Right of access — you can request a copy of what we hold
- Right to rectification — ask us to correct inaccurate data
- Right to erasure (“right to be forgotten”) — when lawful
- Right to restrict processing — in certain situations
- Right to object — especially where processing is based on legitimate interest
- Right to data portability — receive data in structured format
- Right to withdraw consent — for processing based on consent
- Rights related to automated decision making/profiling — if we ever use such systems
To exercise any of these, contact our DPO or data protection lead (contact details below). We will respond within one month (extended to two months if needed, with explanation).
8. Cookies & Website Tracking
Our website uses cookies and tracking tools (e.g. Google Analytics) to enhance user experience, monitor traffic, and improve performance. You can control cookie settings via your browser, and some cookies are strictly necessary for site function.
We may also collect aggregated analytics or anonymised usage data.
9. Marketing & Communication Preferences
If you agree, we may send newsletters, special offers, or updates by email, SMS or post. You can opt-out or change your preferences any time by contacting us or using opt-out links.
We do not send unsolicited marketing without your explicit opt-in.
10. Photographs, Before & After Images, Testimonials
If you provide your consent, we may take photos or videos (before & after) to document your treatment progress. We will always ask specifically for your permission before publishing or using these materials in marketing. You can withdraw this consent at any time, and we will cease usage going forward.
11. Children, Minors & Vulnerable People
We do not knowingly collect personal data from children (under 16) without parental or guardian consent. If you believe we have done so inadvertently, contact us and we will promptly delete it.
If you are a vulnerable individual requiring assistance, we will take extra care in how data is processed and obtain consents consistent with your legal capacity.
12. Changes to This Policy
We may update this Policy to reflect legal, regulatory, or business changes. When material changes occur, we’ll communicate them via our website or direct notice. The updated Policy will take effect from the stated “Last updated” date.
13. Contact & Complaints
If you have questions, concerns, or wish to exercise your rights, you can contact:
Data Protection Officer / Lead
Treeline Aesthetics
[Address]
Email: [DPO Email]
Phone: [Clinic Phone]
If you feel we have not responded properly or violated your rights, you also have the right to lodge a complaint with the Information Commissioner’s Office (ICO).