Privacy Policy
Dr. Annamaria Aesthetics customer privacy notice
This privacy notice tells you what to expect us to do with your personal information.
- Contact details
- What information we collect, use, and why
- Lawful bases and data protection rights
- Where we get personal information from
- How long we keep information
- Who we share information with
- How to complain
Contact details
Telephone: +44 7783 723293
Email: aesthetics@drannamariakiss.com
What information we collect, use, and why
We collect or use the following information to provide services and goods, including delivery:
- Names and contact details
- Addresses
- Date of birth
- Health information (including dietary requirements, allergies and health conditions)
- Website user information (including user journeys and cookie tracking)
- Photographs or video recordings
- Records of meetings and decisions
- Information relating to compliments or complaints
We also collect or use the following special category information to provide services and goods, including delivery. This information is subject to additional protection due to its sensitive nature:
- Health information
We collect or use the following information to comply with legal requirements:
- Name
- Contact information
- Health information such as medical history, allergy status, medication history, social history, patient demographics, and any data needed to ensure safe assessment of the patient and to provide safe aesthetic care.
We also collect or use the following special category information to comply with legal requirements. This information is subject to additional protection due to its sensitive nature:
- Health information
Lawful bases and data protection rights
Under UK data protection law, we must have a ‘lawful basis’ for collecting and using your personal information. There is a list of possible lawful bases in the UK GDPR. You can find out more about lawful bases on the ICO’s website.
Which lawful basis we rely on may affect your data protection rights which are set out in brief below. You can find out more about your data protection rights and the exemptions which may apply on the ICO’s website:
- Your right of access - You have the right to ask us for copies of your personal information. You can request other information such as details about where we get personal information from and who we share personal information with. There are some exemptions which mean you may not receive all the information you ask for. You can read more about this right here.
- Your right to rectification - You have the right to ask us to correct or delete personal information you think is inaccurate or incomplete. You can read more about this right here.
- Your right to erasure - You have the right to ask us to delete your personal information. You can read more about this right here.
- Your right to restriction of processing - You have the right to ask us to limit how we can use your personal information. You can read more about this right here.
- Your right to object to processing - You have the right to object to the processing of your personal data. You can read more about this right here.
- Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you. You can read more about this right here.
- Your right to withdraw consent - When we use consent as our lawful basis you have the right to withdraw your consent at any time. You can read more about this right here.
If you make a request, we must respond to you without undue delay and in any event within one month.
To make a data protection rights request, please contact us using the contact details at the top of this privacy notice.
Our lawful bases for the collection and use of your data
Our lawful bases for collecting or using personal information to provide services and goods are:
- Consent - we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.
- Contract - we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply, except the right to object.
- Legitimate interests - we're collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. Our legitimate interests are:
  - To ensure the highest standards of clinical care, we collect accurate and up-to-date personal and medical information. This includes details about your medical history, allergy status, medications, previous treatments, and relevant lifestyle factors such as social and occupational history. Gathering this information is essential for assessing treatment suitability, identifying potential risks, and delivering appropriate care.
  - This data is collected directly and voluntarily from you and is stored securely in compliance with medical regulations. Patient records are retained for a minimum of 8 years following your last treatment, in line with professional and legal standards for healthcare documentation.
For more information on our use of legitimate interests as a lawful basis you can contact us using the contact details set out above.
Our lawful bases for collecting or using personal information for legal requirements are:
- Consent - we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.
- Legitimate interests - we're collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. Our legitimate interests are:
  - Collecting accurate and up-to-date personal and medical information is in the best interest of both the practitioner carrying out the aesthetic procedures and the patient, to ensure safe and effective practice. During the process we will collect information relevant to medical history, allergy status, medication history, previous treatments, and social and occupational history. The data is collected directly and voluntarily from the patient and stored securely for a minimum of 8 years after their last treatment.
For more information on our use of legitimate interests as a lawful basis you can contact us using the contact details set out above.
Where we get personal information from
- Directly from you
How long we keep information
Data Retention Schedule
Effective from: 1 December 2024
Reviewed annually or as required by law
Purpose
This schedule outlines how long we retain personal and medical data collected in the course of providing aesthetic treatments, in accordance with professional, legal, and regulatory obligations in the UK.
1. Patient Records (Medical and Personal Information)
Data Type | Examples | Retention Period | Legal Basis |
---|---|---|---|
Medical Records | Consultation notes, consent forms, treatment plans, photos | 8 years after the date of the last appointment | Legal obligation under medical standards (e.g. JCCP/NMC/GMC guidelines); ICO and GDPR |
Personal Identifiable Information | Name, contact details, DOB, address, GP details | 8 years after the date of the last appointment | Legitimate interest, legal obligation |
Consent Forms | Signed pre-treatment consent, photographic consent | 8 years after the date of the last appointment | Legal and medical documentation |
Appointment and Booking History | Date/time of visits, treatments provided, cancellations | 8 years after the date of the last appointment | Business recordkeeping, compliance |
2. Marketing and Communication Records
Data Type | Retention Period | Legal Basis |
---|---|---|
Email marketing consent (e.g., newsletter opt-ins) | Until withdrawn by data subject | Consent |
Communication history (email, contact form enquiries) | 2 years from last interaction | Legitimate interest |
3. Financial & Business Records
Data Type | Retention Period | Legal Basis |
---|---|---|
Invoices, receipts, payment history | 6 years (as per HMRC requirements) | Legal obligation (HMRC) |
Data Disposal
After the retention period ends, personal and medical data will be securely deleted or anonymised. Paper records will be shredded using a confidential waste disposal provider. Digital records will be permanently deleted from secure systems and backups.
Your Rights
You have the right to request access to your personal data, correction, or erasure in line with data protection laws, subject to the legal obligations outlined above.
For more information on how long we store your personal information or the criteria we use to determine this please contact us using the details provided above.
Who we share information with
Data processors
https://www.aestheticnursesoftware.com
We use Aesthetic Nurse Software as our data processor. This platform provides our booking system and securely stores patient records, including personal details and treatment-related information.
Others we share personal information with
- Emergency services (when necessary and in the patient's best interest)
- Suppliers and service providers involved in delivering your care
How to complain
If you have any concerns about our use of your personal data, you can make a complaint to us using the contact details at the top of this privacy notice.
If you remain unhappy with how we’ve used your data after raising a complaint with us, you can also complain to the ICO.
The ICO’s address:
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113
Website: https://www.ico.org.uk/make-a-complaint
Last updated: 15 April 2025