Privacy Notice

The Wellbeing and Weight Loss Clinic (Limited)

Trading as Health and Medical Aesthetics Cheshire

Last Updated: 6 May 2026

1. Introduction

At The Wellbeing and Weight Loss Clinic Limited, Trading as Health and Medical Aesthetics Cheshire, we are committed to protecting your privacy and handling your personal data responsibly. This Privacy Notice explains what personal data we collect, why we collect it, how we use and store it, and what rights you have under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

This notice applies when you visit our website (healthandmedicalaesthetics.co.uk), book a consultation, receive treatment, or contact us by any means.

We are registered with the Information Commissioner’s Office (ICO). Our registration number is ZB592482.

2. Data Controller

The data controller responsible for your personal data is:

The Wellbeing and Weight Loss Clinic Limited

Trading as Health and Medical Aesthetics Cheshire,

Email: info@healthandmedicalaesthetics.co.uk

ICO Registration Number: ZB592482

3. The Data We Collect

We may collect and process the following categories of personal data:

3.1 Identity and Contact Data

  • Full name
  • Email address
  • Telephone number
  • Postal address

3.2 Health and Medical Data (Special Category Data)

During consultations and treatments, we collect medical history, treatment records, consent forms, before-and-after photographs, and clinical notes. This is classified as Special Category Data under UK GDPR and is handled with the highest level of care and confidentiality.

3.3 Financial Data

Payment information processed through our payment providers (Stripe and SumUp). We do not store your full card details on our systems.

3.4 Technical Data

When you visit our website, we may collect your IP address, browser type, and browsing behaviour through cookies and similar technologies (see Section 8 below).

3.5 Booking Data

Appointment details, booking history, and consultation records managed through our booking system (Aesthetic Nurse Software).

4. Lawful Basis for Processing

Under UK GDPR, we must have a valid lawful basis for processing your personal data. The bases we rely on are:

  • Consent: We ask for your explicit consent before processing your health data, sending you marketing communications, and setting non-essential cookies on our website. You may withdraw your consent at any time.
  • Contractual Necessity: We process your identity and contact data as necessary to manage your appointments, provide the treatments you have booked, and fulfil our obligations to you.
  • Legal Obligation: We are required by law to maintain medical records for specified periods, comply with health and safety legislation, and meet our regulatory obligations (including CQC requirements where applicable).
  • Legitimate Interests: We may process limited personal data where we have a legitimate business interest, such as improving our services and website performance, provided this does not override your rights and freedoms.

5. How We Use Your Data

We use your personal data to:

  • Provide safe, appropriate aesthetic and wellbeing treatments
  • Manage your appointments and respond to your enquiries
  • Maintain accurate medical and treatment records
  • Process payments securely
  • Comply with legal, regulatory, and insurance requirements
  • Improve our website and services
  • Send you marketing communications where you have given your consent

6. Who We Share Your Data With

We do not sell your personal data to any third party. However, we may share your data with the following service providers who assist us in running our business. These providers are required to handle your data securely and only for the purposes we specify:

  • Aesthetic Nurse Software: Our clinic management and booking system, used to manage your appointments and clinical records.
  • Stripe: Our online payment processor, used to handle card payments securely.
  • SumUp: Our in-person card payment processor.
  • Google: We use Google Analytics and Google Search Console to monitor website traffic and performance. Data collected is anonymised where possible.
  • Insurance providers: We may share relevant data with our professional indemnity insurers where required.
  • Regulatory bodies: We may be required to share information with bodies such as the CQC, NMC, or ICO where we have a legal obligation to do so.

We will never share your data with third parties for their own marketing purposes.

7. How We Store and Protect Your Data

We take the security of your personal data seriously. We use appropriate technical and organisational measures to protect your information from unauthorised access, loss, or misuse. These measures include secure storage systems, access controls, and encryption where appropriate.

7.1 Retention Periods

  • Medical and treatment records: Retained for a minimum of 10 years from the date of your last treatment, in line with UK medical record-keeping guidelines and insurance requirements. Records relating to treatments performed on patients under 18 are retained until the patient’s 25th birthday, or 26th if they were 17 at the time of treatment.
  • General enquiries and contact data: Retained for up to 2 years from your last interaction with us, unless you request earlier deletion.
  • Financial transaction records: Retained for 7 years as required by HMRC.
  • Website analytics data: Retained in accordance with Google’s data retention settings (currently set to 14 months).

When data is no longer required, it will be securely deleted or anonymised.

8. Cookies

Our website uses cookies — small text files placed on your device — to help us understand how visitors use our site and to improve your experience.

8.1 Types of Cookies We Use

  • Essential cookies: These are necessary for the website to function properly (e.g., security, accessibility). They do not require your consent.
  • Analytics cookies: We use Google Analytics to collect anonymised data about how visitors use our site, such as which pages are most popular. These cookies are only set with your consent.

8.2 Managing Cookies

When you first visit our website, you will be presented with a cookie banner giving you the choice to accept or decline non-essential cookies. You can change your cookie preferences at any time through your browser settings. Please note that disabling certain cookies may affect website functionality.

9. Your Rights Under UK GDPR

You have the following rights in relation to your personal data:

  • Right of access: You can request a copy of the personal data we hold about you (a Subject Access Request).
  • Right to rectification: You can ask us to correct any inaccurate or incomplete data.
  • Right to erasure: You can request that we delete your personal data, subject to our legal obligations to retain certain records (such as medical records).
  • Right to restrict processing: You can ask us to limit how we use your data in certain circumstances.
  • Right to data portability: You can request that we provide your data in a structured, commonly used format so it can be transferred to another provider.
  • Right to object: You can object to the processing of your data where we are relying on legitimate interests as our lawful basis.
  • Right to withdraw consent: Where we process your data based on consent (such as marketing or cookies), you can withdraw that consent at any time. This will not affect the lawfulness of any processing carried out before you withdrew your consent.

To exercise any of these rights, please contact us using the details in Section 11 below. We will respond to your request within one month.

10. Data Breaches

In the unlikely event of a personal data breach that poses a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk to you, we will also notify you directly and without undue delay.

We have internal procedures in place to detect, investigate, and report data breaches promptly.

11. Contact Us

If you have any questions about this Privacy Notice, wish to exercise any of your rights, or have concerns about how your data is handled, please contact:

Alexandra McKenzie

Health and Medical Aesthetics Cheshire (Limited)

Email: info@healthandmedicalaesthetics.co.uk

12. Complaints

If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):

Information Commissioner’s Office

Website: ico.org.uk

Telephone: 0303 123 1113

We would appreciate the opportunity to address your concerns before you contact the ICO, so please do get in touch with us first if possible.

13. Changes to This Privacy Notice

We may update this Privacy Notice from time to time to reflect changes in our practices, services, or legal requirements. Any significant changes will be communicated through our website. We encourage you to review this notice periodically.