LEGAL
This Privacy Policy explains how CurrentBody Skin Ltd uses, stores and shares the information we collect about you, how you can exercise your rights in respect of that information and the procedures that we have in place to safeguard your privacy. This Privacy Policy supplements any other fair processing or privacy notice that may be provided to you from time to time. CurrentBody Skin Ltd is the controller and is responsible for the processing of your personal data (“Clinic, ”, “we”, “us”, or “our” in this Privacy Policy). CurrentBody Skin Ltd is a subsidiary of The Beauty Tech Group Limited (Group).
We are committed to protecting your privacy and complying with the UK GDPR and other applicable data protection rules (including the Data Protection Act 2018 and marketing and cookie laws, together with associated guidance) (the “Data Protection Laws”). This commitment exists throughout the lifecycle of your personal data, from the collection of data for provision of treatments to the deletion of that data. The Clinic only retains personal data about patients where it has a legal, regulatory or business need to do so.
This policy covers the following topics:
What personal data we collect about you
How we use your personal data
Who we share your personal data with
International transfers, storage and retention of your personal data
Marketing
Security
Cookies
Children
Automated decision making
Your choices and rights
Contact us
Changes to this privacy notice
What Personal Data We Collect About You
When we use the term “personal data” we mean any information about an individual from which that person can be identified. This doesn’t include, for example, any information which we have anonymised.
We may collect, use, store and transfer different kinds of personal data about you, which we have grouped together as follows:
Identity Data includes first name, last name, gender, date of birth and before and after treatment photos.
Contact Data includes your residential address and telephone number.
Health Data includes your healthcare and general practitioner information and your past and present medical condition i.e. specific illnesses and mental health data. We will collect additional types of data about you which are considered to be more sensitive such as health and medical history data prior to the provision of a treatment
Treatment Data includes information about treatments that have been proposed and provided, consent for treatment and correspondence about you with other healthcare professionals. We will retain any relevant notes relating to conversations or incidents about patients
Financial Data includes your payment card details.
Transaction Data includes details about payments from you and other details of products and services you have purchased from us.
Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, device ID and other technology on the devices you use to access our website.
Usage Data includes information about how you interact with and use our website, products and services
Marketing and Communications Data includes your preferences in receiving marketing from us, our third parties and your communication preferences
How We Use Your Personal Data
Under the Data Protection Laws, we are required to explain what information we collect from you and how and why we use your personal information (the "processing activity"). We are also required to have a "lawful basis" on which to process your personal information. This is summarised in the table below.
Processing activities based on retention of personal data to meet CQC requirements
Processing activity: Why we use your personal data | What personal data we use | Lawful basis of processing | Where we collect the information from | How long we keep the information for |
|---|---|---|---|---|
To register you as a new patient |
| We process this data:
| From you directly via our Website, via face to face interaction, or when you interact with us via telephone or email. Occasionally we will also receive your details via a third party, for example the manufacturer or distributor of a treatment device where you have contacted them directly about a particular treatment. | We retain information regarding your registration for a minimum of 11 years from the date of registration because we are legally required to do so. |
To process appointment bookings and provide treatments |
| We process this data:
| From you directly via our Website, via face to face interaction or when you interact with us via telephone or email. | We retain information relating to your appointment bookings and the provision of treatments for a minimum of 11 years, so we can provide our treatment services to you. |
Processing activities based on retention of personal data for operational requirements
Processing activity: Why we use your personal data | What personal data we use | Lawful basis of processing | Where we collect the information from | How long we keep the information for |
|---|---|---|---|---|
To manage our relationship with you which will include: (a) Dealing with your requests and queries (b) Informing you about changes to our treatments and products (c) To manage fees, payments and charges (d) Collect and recover monies owed to us |
| We process this data:
| From you directly via our Website, or when you interact with us via telephone or email. | We retain your information and payments data for 6+1 years, in order to defend against legal claims which may result from our relationship with you and for contract limitation purposes |
To respond to complaints about the services we have provided to you |
| We process this data:
| From you directly via our Website, or when you interact with us via telephone or email. | We retain your complaints data for 8 years, to ensure that we can follow up on and respond to your complaints, as well as for litigation or regulatory review |
Use of special category data for statistical and reporting purposes on an anonymised basis |
| We process this data: on the basis of your explicit consent, where you have provided permission for the processing of special category data | From you directly via our Website, via face to face interaction or when you interact with us via telephone or email. | We retain information or statistical and reporting purposes for 1 year, so we can conduct analysis and report on the use of our services. |
To administer and protect our business and this Website (including troubleshooting, data analysis, testing, system maintenance, support, fraud prevention, reporting and hosting of data) |
| We process this data:
| Directly from you when you visit our Website, including using analytical cookies or other automated technologies. | Information regarding our usage of cookies and their duration is set out in our Cookies Policy. |
To deliver relevant website content |
| We process this data:
| Directly from you when you visit our Website | Information regarding our usage of cookies and their duration is set out in our Cookies Policy. |
To use data analytics to improve our Website, products and services, customer relationships and experiences and to measure the effectiveness of our communications and marketing |
| We process this data:
| From you directly when you use our Website, including using analytical cookies or other automated technologies. | Information regarding our usage of cookies and their duration is set out in our Cookies Policy. In respect of any data not collected via cookies, we will generally only retain this for 1 year following collection. |
To send you relevant marketing communications |
| We process this data:
| From you directly via our Website, or when you interact with us via telephone or email. | We retain data related to direct marketing for as long as we think you will be interested in receiving our marketing communications. Information relating to direct marketing will not be retained for longer than needed and where it is no longer needed the data will be deleted or anonymised |
We have determined, acting reasonably and considering the circumstances, that we are able to rely on legitimate interests as the lawful basis on which to process your personal information in certain circumstances (we have stated this above and set out our legitimate interests). We have reached this decision by carrying out a balancing exercise to make sure our legitimate interest does not override your privacy rights as an individual.
We consider that it is reasonable for us to process your information for the purposes of our legitimate interests outlined above as: (a) we process your information only so far as is necessary for such purpose; and (b) it can be reasonably expected for us to process your information in this way.
Where we process your personal information on the legal basis of consent (as indicated in the above table), you may refuse consent to our processing and you may also withdraw your consent at any time: (i) in respect of cookies and other tracking mechanisms on our Website, by using the cookie consent manager in our cookie notification banner, (ii) in respect of marketing communications, by clicking 'unsubscribe' in the footer of the relevant emails, or (iii) in respect of other matters, by using the contact details below. This would not affect your ability to use any features of our Website. Withdrawing consent does not affect any processing carried out without your consent.
We will retain your personal data for the periods set out in the table above, however, we will only retain it for as long as necessary for the purposes set out above and, where we no longer have a need to keep your data, we may delete it earlier than the periods set out above. In some circumstances, you may have a right to ask us to delete your data at any time: please see the "Your Choices and Your Rights" section below.
We like to keep your personal data to ourselves. Except as set out in this Privacy Policy, we do not disclose to, or share, your personal data with third parties. We do not use automated decision making in relation to your personal data.
We will require some of your personal data to allow us to process an appointment booking and provide you with a treatment. If you refuse to supply such personal data, then we will not be able to provide such services to you and will let you know that this is the case.
Who We Share Your Personal Data With
We share your personal data in the following circumstances and with the following categories of third party:
Health providers. Other organisations that already have or may provide health services to you. These organisations may be contacted to obtain or validate patient medical history records.
The Beauty Tech Group Trading Limited. Employees of the Clinic are employed by The Beauty Tech Group Trading Limited. We also share data with this entity for internal business purposes such as management and accounting but this data is anonymised and does not contain any personal information.
Payment Processors. A deposit or part payment for an appointment is required at the time of appointment booking online. These payments are processed through our payment processor Stripe. For further information on how Stripe processes your personal data, please refer to the Stripe Privacy Notice.
Any organisations which access your data (including any that may provide services on our behalf such as our appointment booking software provider or website hosting provider) will be governed by strict contractual restrictions to make sure that they protect your data and keep to all data privacy laws that apply. We may share your personal data with other third parties (for example in the event if a sale or merger of the company) or with law enforcement or government authorities.
In some cases, your personal data may be shared directly with us. For example we may obtain the data of potential patients (referrals) from equipment manufacturers or distributors who have received enquiries directly from potential patients (such as you) to assist in locating clinics within a specific local area. Where this is the case, these third parties act as data controllers and you must refer to that third party controller’s privacy notice for further information on how your data will be processed.
We may also share your personal data with social media platforms who may process your data with us as joint controllers. Links to these platforms’ privacy policies are outlined below. These include:
Facebook and Instagram: Meta Privacy Policy;
Tik Tok: Privacy Policy
International Transfers, Storage, and Retention of Personal Data
Please note that the provider of our Clinic Management System (Pabau) and our payment processor (Stripe) may transfer personal data outside of the UK. For further details on the safeguards that are in place for these transfers, please refer to Pabau GDPR Compliance and Stripe’s Data Transfers Addendum.
The Clinic does not transfer your data outside of the UK. If there are circumstances in which we need to transfer your personal data outside the UK or the EEA, we will ensure a similar level of protection is afforded to your personal data as UK law would afford it by ensuring that at least one of the following safeguards is implemented:
We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the UK Secretary of State. You can find out more information here.
For certain service providers, we may use specific contracts which have been approved by the Information Commissioner's Office which give personal data the same protection it has in the UK. You can find out more information here.
For certain service providers based in the US, as an alternative to the specific contracts mentioned above, we may also transfer data to them if they are part of the UK US Data Bridge, which requires them to provide similar protection to personal data shared between the UK and the US. You can find out more information here.
Please contact us if you would like more information about these safeguards.
We ensure that any processors and sub-processors that interact with us comply with data protection legislation and have the necessary safeguards in place for data transfers.
Marketing
Depending on your marketing preferences, we may use your personal data to send you marketing messages by email. Some of these messages may be tailored to you, based on your previous activity, and other information we hold about you. We will only send you marketing messages relating to services offered by us as well as special discounts and promotions.
Although we hope you find our marketing messages interesting and useful, if you no longer want to receive marketing communications from us (or would like to opt back in!), you can change your preferences at any time by contacting us (using the details below) or clicking on the ‘unsubscribe’ link in our emails. If you unsubscribe from marketing, please note we will still retain some of your personal data to make sure we don't send you marketing communications you don't want to receive. Such personal data will be used for contacting patients to provide service messages such as appointment reminders.
Security
The protection and security of your personal data is important to us, and we have put in place appropriate policies, rules, technical and organisational measures to safeguard your personal data from accidental loss, damage or destruction and unauthorised or unlawful processing.
Whilst we do everything within our power to ensure that personal data is protected at all times from the Website, we cannot guarantee the security and integrity of the information that has been transmitted to the Website, nor the internet and email at large.
All special category data that you provide to us is processed securely, and access to such data is assigned to CurrentBody Skin Ltd only.
Cookies
Our Website uses cookies, social media plug ins and other similar technologies to improve the functionality of, and your experience on, our Website and to deliver advertising and marketing communications to you. Some of the personal data identified in the table above is collected through the use of these cookies and other similar technologies.
To learn more about what cookies we use, how and why we use them, and how you can disable them, you can access our Cookie Policy.
Children
Our Website is for adults. We do not knowingly target or collect personal data from children and our products and services are not intended for any person under 18 years of age.
Automated Decision-Making
We do not make decisions about you that have legal or similarly significant effects based solely on automated processing.
Your Choices and Your Rights
You have legal rights in relation to your personal data under Data Protection Laws, and these are set out below. You can exercise these rights by contacting us – please see the "Contact Us" section below, but please be aware that there are limitations to these rights, and there may be circumstances where we are not able to comply with your request fully or at all. Where this is the case, we will promptly let you know why.
What are my rights? | What does this mean? |
To be informed: | You have a right to be informed about the personal data that we collect, use and hold about you. |
Access: | You have a right to access and receive copies of the personal data we hold about you. |
Rectification: | If we hold inaccurate personal data about you, you have a right to ask us to rectify this. |
Erasure: | If you'd like us to delete personal data we hold about you, you have a right to ask us to do so. This is commonly known as the right to be forgotten, but this right will only apply where (for example):
|
Restriction of processing: | You have a right to limit how we use your personal data in certain circumstances, including (for example) where:
|
To object: | In certain circumstances, you have a right to object to the processing of your data, and this means that we will stop using it, unless we are able to demonstrate that, on balance, we have legitimate grounds for continuing to process your personal data which overrides your rights, or the data is needed for the establishment, exercise or defence of legal claims. |
Data portability: | Where we are processing your personal data and we are relying on the lawful basis of consent or the performance of a contract (where this is the case, this will be set out in the table above) and we are carrying out that processing by automated means, then you have a right data portability. This means that if you ask us to, we will provide your personal data to you in a structured, commonly used and machine-readable format and transfer your personal data to an organisation of your choice. |
To withdraw consent: | If we are processing your data and relying on the lawful basis of your "consent" (where this is the case, this will be set out in the table above), then you are entitled to withdraw your consent at any time. You can do this using the details set out in the "Contact Us" section below. |
To complain: | We hope that if you have any queries, comments or concerns about the way we handle your personal data, you will raise these with us in the first instance, and you can do so using the contact details contained in the "Contact Us" section below. However, if you are unhappy with the way we have responded, you have the right to complain to the Information Commissioner's Office, the regulator for data protection in the UK. Their address is: First Contact Team, Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF. You can find more information out at: ico.org.uk/for-the-public/how-to-make-a-data-protection-complaint. |
Contact Us
We hope that you find this Privacy Policy easy to understand, but if you have any questions, comments or concerns about this policy or how we handle your personal data, you can contact us by:
Email at bookings@currentbodyclinic.com
If you wish to make a Data Subject Access Request, please send an email to the above address with the title ‘Data Subject Access Request’ and we will investigate the request and respond accordingly.
Changes to this Privacy Notice
This Privacy Policy was last updated on 22 September 2025
Any changes to this Privacy Policy in the future will be posted on this page and, where appropriate, notified to you by email. We will also post a notice on the Website landing page and on appropriate pages on the Website. Please check back frequently to see any updates or changes to this Privacy Policy.