Privacy policy 1 12 2025
Last updated: 01 December 2025
This Privacy Notice explains how Continental Skin Clinic (“we”, “us”, “our”) collects, uses and protects your personal data when you visit our clinic, use our website, book appointments, receive treatments, or otherwise interact with us.
We are committed to protecting your privacy and handling your personal data in a fair, lawful and transparent way, in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Who we are
Data Controller:
Rosemayne Limited (trading as Continental Skin Clinic)
Registered office: Suite 1, Cochrane House, Admirals Way, London E14 9UD, United Kingdom
Clinic address: 108–110 Judd Street, London WC1H 9PX, United Kingdom
Email: info@continentalskinclinic.co.uk
Telephone: 020 3940 8402
We are registered with the Information Commissioner’s Office (ICO) under registration number ZB813636 and pay the applicable data protection fee each year.
Where we use third-party providers to process personal data on our behalf (for example, booking software or payment processors), they act as our data processors and may only process your data in accordance with our instructions and applicable data protection laws.
2. Personal data we collect
Depending on the services you receive and how you interact with us, we may collect and process the following categories of personal data:
2.1 Identity and contact details
· Full name
· Home address and postcode
· Email address
· Telephone number and WhatsApp number (where applicable)
· Date of birth
2.2 Proof of identity and address
For certain treatments and services (for example, prescription-only medicines, medical weight-loss programmes, high-value packages or instalment plans), we may also collect:
· Passport, driving licence or other photo identification
· Recent proof of address (such as a utility bill or bank statement)
2.3 Health and treatment information
· Medical history, current and past health conditions
· Medications, allergies and relevant lifestyle factors
· Consultation forms, medical history forms and consent forms
· Details of treatments and services provided
· Practitioner notes for each appointment, including clinical observations and recommendations
2.4 Images and photographs
· Clinical photographs taken before, during and after consultations and treatments
· Images used for assessment, treatment planning, monitoring of results, record-keeping and medico-legal purposes
Where we wish to use identifiable images for marketing or educational purposes (such as on our website, social media, or in presentations), we will seek separate, specific consent. You can refuse or withdraw this marketing-image consent at any time without affecting your right to receive treatment.
2.5 Communication records
· Emails between you and the clinic
· SMS text messages and WhatsApp messages relating to your bookings, care or enquiries
· Internal notes of telephone or in-person conversations where relevant to your care or our services
2.6 Payment and account information
· Records of payments made to us and refunds issued
· Partial card details and tokenised card references stored securely by our payment providers where you choose to save a card for future payments (we do not store full card numbers or security codes ourselves)
· Bank details you provide to us for the purpose of processing a refund
We do not collect more personal data than we need and we will not retain your data for longer than is necessary for the purposes described in this notice.
3. How we collect your personal data
We collect personal data directly from you when you:
· Register as a client or update your details
· Complete consultation, medical history and consent forms
· Book an appointment online, by phone, in person or via messaging
· Receive treatments or attend reviews at the clinic
· Communicate with us by email, phone, SMS, WhatsApp, social media or via our website
· Provide ID, proof of address or payment/refund details
We also collect some information automatically when you interact with our website (for example, via cookies or similar technologies) – see our separate Cookie Policy (if applicable) for more details.
Your personal data is stored primarily in our clinic management software (currently Phorest), and in some cases in secure email systems, secure cloud storage and limited paper records held on site.
4. Why we process your personal data (purposes and legal bases)
We process your personal data under one or more of the lawful bases set out in UK GDPR.
4.1 Performance of a contract
We process your data where it is necessary to enter into or perform a contract with you, including to:
· Register you as a client
· Book, manage and administer your appointments
· Provide consultations, treatments and follow-up care
· Communicate with you about your bookings, care and any changes to services
· Take payment and issue receipts or refunds
· Manage your loyalty points, prepaid courses and instalment plans
4.2 Legal obligation
We process certain personal data to comply with our legal and regulatory obligations, including to:
· Maintain appropriate clinical and medical records
· Comply with health and safety law and professional/clinical standards
· Keep financial and transaction records in line with tax and accounting requirements
· Respond to requests from regulatory bodies or law enforcement where required by law
4.3 Legitimate interests
We process personal data where necessary for our legitimate interests, provided your rights and freedoms do not override those interests. These purposes include:
· Managing and improving our services and clinic operations
· Ensuring the quality and safety of treatments, including supervision and audit
· Dealing with complaints, queries or potential claims
· Protecting our business, staff and clients from fraud, abuse or other harmful activity
· Maintaining appropriate insurance coverage and evidencing care provided if a claim arises
Where we rely on legitimate interests, we have balanced those interests against your rights and privacy and concluded that our processing is proportionate and reasonable.
4.4 Consent
In some situations, we rely on your consent to process personal data. This includes:
· Sending you direct marketing communications by email, SMS, WhatsApp or other electronic means (for example, news, offers and promotions)
· Using your identifiable images for marketing or educational purposes
· Collecting and processing certain types of health information where explicit consent is required
Where we process personal data based on your consent, you are free to withdraw that consent at any time. This will not affect the lawfulness of processing carried out before consent was withdrawn and will not affect your access to treatment or services.
5. Special category data (health information)
We collect and process information about your health, medical history, medications and other relevant conditions in order to:
· Assess your suitability for specific treatments
· Deliver treatments safely and effectively
· Identify any risk factors or contraindications
· Provide you with appropriate advice and aftercare
This health information is treated as special category data under UK GDPR. We process it on the basis of:
· Your explicit consent, and
· The provision of healthcare and treatment by appropriately trained professionals, in line with data protection law and professional obligations.
You may withdraw your consent to certain processing of your health information, subject to legal, insurance and contractual restrictions (for example, where we are required to keep clinical records for a minimum period).
6. How long we keep your data (retention periods)
We retain your personal data only for as long as necessary for the purposes set out in this notice and in line with legal, regulatory and insurance requirements.
In particular:
· Clinical and medical records – including consultation notes, medical history forms, consent forms, treatment records, clinical photographs and relevant ID used in a clinical context – are retained for a minimum of 10 years from your last treatment, or longer where required by our insurers, professional guidelines or law.
· Financial and transaction records – including details of payments and refunds – are normally retained for at least 6 years to comply with tax and accounting obligations.
· Communication records – such as emails, SMS and WhatsApp messages relating to your care – are retained as part of your clinical or customer record and will follow the same retention periods where they form part of your treatment or account history.
· Marketing data – including your contact details and marketing preferences – is retained until you withdraw your consent or object to marketing, or where we become aware that your details are no longer accurate.
After the relevant retention period has expired, personal data will be securely deleted or anonymised so that it can no longer be linked to you.
7. Your rights as a data subject
Under UK data protection law, you have the following rights in relation to your personal data:
· Right to be informed – to be told how your personal data is collected and used, which is the purpose of this notice.
· Right of access – to request a copy of the personal data we hold about you, and to understand how we use it.
· Right to rectification – to have inaccurate or incomplete personal data corrected.
· Right to erasure – to request deletion of your personal data where there is no compelling reason for us to continue processing it.
· Right to restrict processing – to request that we limit how we process your data in certain circumstances.
· Right to data portability – to request that we move, copy or transfer your personal data to another organisation in a structured, commonly used and machine-readable format, where technically feasible and where processing is based on consent or contract.
· Right to object – to object to processing based on our legitimate interests and to object at any time to your personal data being used for direct marketing.
· Rights in relation to automated decision-making and profiling – we do not carry out automated decision-making that produces legal or similarly significant effects on you.
Limits to erasure and access for clinical records
Please note:
In many cases we are required by law, professional standards and/or our insurers to retain clinical records (including consultation notes, consent forms and clinical photographs) for a minimum of 10 years from your last appointment.
We may also need to retain personal data where it is necessary for the establishment, exercise or defence of legal claims.
In these situations we will not be able to delete the relevant records until the applicable retention period has expired, but we will ensure they are held securely and used only for these limited purposes.
Requests under data protection law relate to your personal data. They do not give a right of access to our proprietary treatment protocols, training materials, internal pricing structures or other confidential business information which does not constitute personal data.
To exercise any of your rights, please contact us using the details at the end of this notice. We may need to verify your identity before responding. We aim to respond to all valid requests within one month.
8. Marketing communications
We may send you information about our services, treatments, news and offers where:
· you have opted in to receive such communications; or
· you are an existing client and we are permitted to do so under applicable law.
You can unsubscribe or change your marketing preferences at any time by:
· clicking the “unsubscribe” link in our marketing emails;
· replying “STOP” to SMS/WhatsApp marketing messages where applicable; or
· contacting us using the details below.
Opting out of marketing will not affect service-related communications (appointments, reminders, clinical information, etc.).
9. Data sharing and processors
We do not sell or rent your personal data to any third party.
We may share your personal data with:
· Service providers (data processors) who act on our instructions to support our business, for example:
· Clinic management and booking software (currently Phorest)
· IT support and secure cloud hosting providers
· Email and SMS/WhatsApp communication platforms
· Payment service providers and card processors
· Professional advisers, such as insurers, legal advisers or accountants, where necessary to obtain advice, manage claims or meet legal obligations.
· Regulatory bodies, law enforcement or public authorities, where we are legally required to do so.
Where we use third-party processors, we have appropriate written agreements in place. These processors may only process your personal data in accordance with our instructions, must keep it secure, and must not use it for their own purposes.
10. International transfers
Our main clinic software (Phorest) processes and stores personal data within the European Union using Amazon Web Services (AWS) data centres. Data is encrypted in transit and at rest.
If we need to transfer your personal data outside the UK or EU (for example, where an IT provider uses servers in another country), we will ensure that appropriate safeguards are in place, such as:
· the use of approved standard contractual clauses; or
· transfers to countries which the UK recognises as providing an adequate level of data protection.
11. Security of your personal data
We take appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, destruction or damage.
These measures include:
· Use of secure, encrypted connections (HTTPS / TLS) when accessing our clinic software and systems
· Role-based access controls and unique login credentials for staff
· Staff training on confidentiality and data protection
· Locked filing cabinets or safes for any paper records, accessible only by authorised personnel
· Regular review of our security practices and access permissions
While we take reasonable steps to protect your personal data, no system is entirely risk-free and we cannot guarantee absolute security.
12. Consequences of not providing personal data
If you choose not to provide certain personal information when requested, we may not be able to:
· enter into or perform a contract with you; or
· provide certain services or treatments safely and effectively.
For example, if you do not provide relevant medical history or consent, we may have to decline treatment in order to protect your health and comply with our professional and legal obligations.
13. Children’s privacy
We do not routinely provide treatments to children. Where we do treat clients under the age of 16, we only do so with the consent and involvement of a parent or legal guardian, in accordance with our child treatment policy.
We do not knowingly collect the personal data of children under the age of 16 without appropriate parental or guardian consent. If you believe that we hold information from or about a child under 16 without such consent, please contact us and we will investigate and take appropriate steps.
14. Complaints and contact details
If you have any questions about this Privacy Notice or how we handle your personal data, or if you wish to exercise any of your rights, please contact:
Data Protection Officer / GDPR Owner
Continental Skin Clinic
108–110 Judd Street
London WC1H 9PX
United Kingdom
Email: info@continentalskinclinic.co.uk
Telephone: 020 3940 8402
You also have the right to make a complaint at any time to the supervisory authority:
Information Commissioner’s Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone: 0303 123 1113
Website: ico.org.uk
We would appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance if you have a complaint.
15. Changes to this Privacy Notice
We may update this Privacy Notice from time to time to reflect changes in our practices, services or legal requirements. The latest version will always be available on our website and in the clinic. Where appropriate, we will notify you of significant changes by email or other suitable means.