Privacy Policy

Effective Date: 31 October 2025
Review Date: 29 September 2026
Version: 2.0
Policy Owner: Aesthetic by Maria – Data Protection Lead

At Aesthetic by Maria, we respect your privacy and are committed to protecting your personal information in accordance with the UK GDPR, the Data Protection Act 2018, and the Care Quality Commission (CQC) requirements for clinical governance. This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you visit https://aesthetic-by-maria.com, book appointments, undergo treatment, or communicate with us.

1) Information We Collect

We collect and process personal data to deliver safe, effective, and compliant aesthetic and wellness treatments. This may include:
Personal Information: Name, contact details (email, phone), date of birth, and information provided during bookings or consultations.
Medical / Treatment Information: Medical history, allergies, lifestyle information, and any aesthetic concerns you share to assess suitability and safety.
Consent Forms & Treatment Photos: Signed consent forms, before/after treatment images, and treatment notes form part of your clinical record.
Payment Information: Processed securely through third-party providers (we do not store card details).
Communication Data: Emails, WhatsApp messages, and other correspondence with us.
Website & Analytics Data: IP address, browser type, device information, and browsing behaviour collected via cookies, Google Analytics, and Meta Pixel.

2) How We Use Your Information

We use your personal information to:
Manage appointments and treatments through our booking system (Fresha).
Record clinical care and maintain treatment notes as required by healthcare standards.
Obtain and record your informed consent for treatments, photos, and marketing use (where applicable).
Provide safe, personalised, and regulated aesthetic treatments.
Process payments and maintain financial records.
Improve our website and service quality through analytics.
Meet our legal, regulatory, and clinical governance obligations, including CQC and tax compliance.
Send marketing communications only where you have provided explicit consent.

3) Lawful Bases for Processing

Under the UK GDPR, we process personal data under the following lawful bases:
Consent – for marketing, communications, and image use.
Contract – to provide aesthetic or wellness services you have booked.
Legal Obligation – for essential operations, service improvement, training, and fraud prevention.
Legitimate Interest – for essential business operations, service improvement, and fraud prevention.
Public Interest in Healthcare – for maintaining clinical care records and patient safety.

4) Data Security, Access & Confidentiality

All patient and treatment records are stored securely, either digitally within Fresha or on encrypted local systems. Access to these records is strictly limited to authorised personnel involved in your care or clinic administration. All staff receive regular training on data protection and confidentiality, and access permissions are reviewed routinely, with internal audits conducted to ensure ongoing compliance. We implement robust technical measures, including encryption, secure passwords, and firewalls, to safeguard your data. Any data breaches are monitored, logged, investigated, and reported in accordance with ICO and CQC requirements.

5) Data Sharing with Third Parties

We never sell your personal data. We may share it only where necessary with:
Fresha – for appointment scheduling and management.
Payment providers – to securely process payments.
Analytics & marketing tools – such as Google Analytics and Meta Pixel.
Medical professionals – only if required for safe treatment and with your consent.
Regulatory or legal authorities – if required by law or for patient safety.

If we work with overseas partners, manufacturers, or marketing/influencer collaborations (e.g., with Korean aesthetic brands), we ensure that:

1) Data sharing is governed by Data Processing Agreements or Standard Contractual Clauses (SCCs).
2) Recipients meet UK GDPR standards for protection.
3) Transfers occur only when strictly necessary and with your explicit consent.

6) Use of Images, Testimonials & Marketing

We will never use identifiable patient photographs, videos, or testimonials for marketing, social media, or promotional purposes without your explicit written consent. You may withdraw this consent for marketing use at any time. Clinical photographs taken solely for treatment records are kept confidential and stored securely as part of your care record. Any public use of images will either be anonymised or conducted only with explicit consent, in accordance with CQC expectations and data protection standards.

7) Data Retention & Disposal

We retain personal data only for as long as required by law and clinical guidelines:

Treatment & medical records: Minimum of 8 years after last treatment (or until 25 years of age if the patient was under 18).
Consent forms & treatment photos: Retained with the clinical record.
Financial records: Minimum 6 years for tax purposes.
Marketing records: Until you withdraw consent.

Secure disposal includes permanent deletion from digital systems and confidential shredding of physical documents.

8) Data Breach & Incident Management

In the unlikely event of a data breach, we will take immediate steps to contain and investigate the incident. Our Data Protection Lead will assess the associated risks and determine whether notification to the Information Commissioner’s Office (ICO) or affected individuals is required under UK GDPR. All breach incidents are documented within our internal clinical governance and incident reporting system to ensure accountability, transparency, and organisational learning.

9) Your Data Protection Rights

Under data protection law, you have several rights in relation to your personal information. You have the right to access the data we hold about you, request corrections to any inaccurate or incomplete details, and, where legally permissible, request the deletion of your personal information. You may also ask us to restrict or object to certain types of data processing and withdraw your consent for non-essential or marketing purposes at any time. If you have concerns about how your data is being handled, you also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at www.ico.org.uk. To exercise any of these rights, please contact our Data Protection Lead using the details provided in Section 13.

10) Cookies & Consent

Our website uses cookies and similar technologies to enhance your browsing experience, improve website performance, and support analytics and marketing activities. When you visit our site, a cookie banner allows you to accept or manage your preferences. You may withdraw or change your cookie consent at any time through your browser settings or by contacting us directly. Please note that by booking an appointment via Fresha, you provide consent for the necessary use of your personal information to manage and deliver your care effectively.

11) Policy Review, Audit & Version Control

This Privacy Policy is reviewed on an annual basis or sooner if required by changes in law, technology, or our business operations. The Data Protection Lead at Aesthetic by Maria is responsible for ensuring compliance with this policy, maintaining a documented audit trail, and providing regular staff training on data protection and confidentiality. All versions of this policy, along with their review and update dates, are recorded and retained as part of our evidence for compliance with CQC governance and regulatory standards.

12) Contact Us

If you have questions about this Privacy Policy or how we handle your data, please contact us:

Aesthetic by Maria
10 Adam and Eve Mews
Kensington, London W8 6UJ
Phone: +44 208 129 5005
Phone: +44 7494 281058
Email: hello@aesthetic-by-maria.com
