Privacy policy 26 06 2026
Last updated: 26 June 2026
| • | Version: June 2025 |
| • | This Privacy Policy explains how Continental Skin Clinic collects, uses, stores and protects your personal data when you visit our clinic, use our website, book appointments, receive treatments, buy products, enter into an instalment plan, participate in loyalty or referral schemes, communicate with us or otherwise interact with us. |
| • | We handle personal data fairly, lawfully and transparently in accordance with UK data protection law, including the UK General Data Protection Regulation, the Data Protection Act 2018 and applicable electronic marketing rules. |
Key Points
| • | We collect personal, health, treatment, payment and communication information to provide safe treatment and manage your account. |
| • | Clinical photographs are required for many treatments and are stored with your clinical record. |
| • | Marketing, social media, website, promotional or external educational image use is optional and requires separate consent. |
| • | CCTV is used at the clinic for safety, security, crime prevention and protection of staff, patients and property. |
| • | Our website uses cookies and similar technologies. |
| • | We do not sell your personal data. |
| • | Clinical records are retained for at least 10 years from your last treatment, or longer where required. |
| • | You have data protection rights, but some records cannot be deleted where we must retain them for clinical, legal, insurance, accounting, complaints or defence-of-claims reasons. |
- Who We Are
| 1.1 | Data Controller: Rosemayne Limited, trading as Continental Skin Clinic. |
| 1.2 | Registered office:Unit 8a Rockware Business Centre, Greenford, London, United Kingdom, UB6 0AA |
| 1.3 | Clinic address: |
| 108-110 Judd Street, London WC1H 9PX United Kingdom |
| 1.4 | Email: info@continentalskinclinic.co.uk |
| 1.5 | Telephone: 020 3940 8402 |
| 1.6 | We are registered with the Information Commissioner’s Office under registration number ZB813636. |
| 1.7 | For privacy enquiries, please contact our Data Protection Lead / GDPR Contact using the details above. |
- Personal Data We Collect
| • | Depending on how you interact with us and the services you receive, we may collect and process the following personal data. |
2.1 Identity and Contact Details
| • | Full name Home address and postcode Email address Telephone number WhatsApp, iMessage, Apple ID, social media or other contact details where you use these channels to contact us Date of birth Customer or clinic account ID |
2.2 Identity, Address and Payment Verification
| • | For selected services or circumstances, we may collect: |
| Photographic ID Proof of address Payment verification information Evidence that a payer is authorised to use the payment method |
| • | This may apply to instalment plans, prescription-only treatments, medical weight-loss programmes, treatments involving prescription medication or injectable medicines, high-value bookings, third-party payments, payment mismatch, safeguarding concerns, fraud-prevention checks or where required by our insurer, prescriber, pharmacy, payment provider, regulator or internal policy. |
| • | For instalment plans, we may require government-issued photographic ID and recent proof of address. |
2.3 Health and Treatment Information
We may collect and process health and treatment information, including:
- Medical history
• Current and past health conditions
• Medications
• Allergies
• Contraindications
• Relevant lifestyle factors
• Consultation forms
• Medical history forms
• Consent forms
• Prescription records
• Blood-test, phlebotomy, laboratory, prescribing, pharmacy or medication-related information
• Treatment records
• Practitioner notes
• Patient-care records relating to treatment delivered
• Device/product use records where relevant to patient care, safety, governance, product traceability or compliance
• Batch or lot details
• Clinical observations
• Recommendations
• Aftercare advice
• Treatment reviews
• Side effects
• Adverse events
• Complaints
• Outcomes
• Follow-up records
Treatment records may include information about the treatment provided to you, the area treated, your suitability, practitioner observations, clinical endpoints, your response to treatment, aftercare advice, side effects, adverse events, outcomes and review notes.
For some treatments, including laser, light-based, radiofrequency, ultrasound, energy-based, body contouring and laser lip treatments, the Clinic may also create or maintain internal device, protocol, audit, monitoring, training and compliance records. These records may include or refer to device settings, treatment ranges, parameter frameworks, wavelength options, fluence or energy ranges, pulse settings, treatment passes, endpoint guidance, escalation rules, contraindication frameworks, practitioner guidance, safety checks and other protocol information.
These internal device, protocol, audit, monitoring, training and compliance records are created and maintained for clinical governance, practitioner training, safety monitoring, insurance, quality control, consistency of treatment delivery, business protection and compliance purposes. They form part of the Clinic’s confidential business information, proprietary clinical know-howand operating procedures.
The Clinic’s confidential internal protocol ranges, device-setting frameworks, treatment-planning methods, parameter-selection methods, training materials, escalation rules, audit methodology and operating procedures are separate from the patient-care information we process about you.
To the extent that health and treatment records identify you or relate to your health, treatment suitability, treatment received, response, side effects, adverse events, outcomes or follow-up care, they may constitute special category data under UK data protection law.
2.4 Clinical Photography and Treatment Images
| • | Clinical photography before, during and after treatment is a standard part of many treatments and may be required for: |
| Assessment Treatment planning Monitoring Comparison Clinical governance Supervision Insurance Complaints Medico-legal records Continuity of care |
| • | Clinical photographs are stored securely with your treatment notes. |
| • | Clinical photographs may be used internally for clinical review, training, audit, supervision, insurance and medico-legalpurposes. |
| • | If clinical photographs are necessary for safe or appropriate treatment and you decline them, we may be unable to provide, continue or assess certain treatments. |
2.5 Marketing, Social Media and Educational Image Use
| • | Marketing, social media, website, promotional or external educational use of images is optional and requires separate consent. |
| • | Refusing marketing image use does not affect your access to treatment. |
| • | This applies to identifiable images and to cropped, anonymised, de-identified, body-area, before-and-after or partially obscured images unless the image is truly anonymous and cannot reasonably be linked back to you. |
| • | You may withdraw marketing image consent at any time. |
| • | Withdrawal will stop future use where reasonably possible. It may not reverse use that has already occurred, including printed materials, screenshots, reposts, third-party sharing, archived materials, completed campaigns or materials lawfully published before withdrawal. |
2.6 CCTV
| • | CCTV operates at the clinic. |
| • | CCTV may cover areas such as the entrance, reception, waiting areas, corridors, external areas and other non-private areas. |
| • | CCTV is not used in treatment rooms, changing areas or toilets. |
| • | CCTV is used for: |
| Safety and security Crime prevention and detection Protection of staff, patients, visitors and property Investigation of incidents, complaints or disputes Insurance and legal purposes |
| • | CCTV footage is stored securely and access is restricted. |
| • | CCTV footage is normally retained for 14 days unless it is needed for an incident, complaint, insurance matter, legalclaim, police request or other lawful purpose if reported within 14 days from the incident. |
| • | CCTV footage may be shared with the police, insurers, legaladvisers, regulators or other appropriate parties where lawful and necessary. |
| • | CCTV signs are displayed at the clinic. |
2.7 Communication Records
| • | We may keep records of communications, including: |
| Emails SMS messages WhatsApp messages iMessages FaceTime records where relevant Social media direct messages Platform messages Telephone notes In-person conversation notes |
| • | These may relate to bookings, treatment, care, complaints, payment, aftercare or enquiries. |
2.8 Payment and Account Information
| • | We may process: |
| Payment records Booking fees Consultation fees Package payments Instalment payments Refunds Outstanding balances Payment disputes Accounting records Bank details provided for refunds Partial card details and tokenised card references stored by payment providers |
| • | We do not store full card numbers or card security codes ourselves. |
2.9 Website, Cookies and Online Data
| • | When you use our website, we may collect information through cookies and similar technologies. |
| • | This may include: |
| Device information Browser type IP address Pages visited Time spent on the website Referral source Website usage data Preferences Analytics information Marketing or advertising data where permitted |
| • | Cookies may be used for: |
| Website functionality Security Analytics Performance monitoring Remembering preferences Improving the website Marketing and advertising, where permitted |
| • | Non-essential cookies are used only where required consent has been obtained. |
| • | You can manage cookie preferences through our cookie banner, browser settings or Cookie Policy where available. |
- How We Collect Personal Data
| • | We collect personal data directly from you when you: |
| Register as a patient Book an appointment Attend a consultation Receive treatment Complete forms Update your details Communicate with us Provide ID or payment information Enter an instalment agreement Take part in loyalty or referral schemes Raise a complaint or concern Use our website |
| • | We may also collect information from prescribers, pharmacies, laboratories, insurers, payment providers, professional advisers or other relevant third parties where necessary. |
| • | Your personal data may be stored in clinic management systems, booking systems, secure email systems, secure cloud storage, payment systems and limited paper records. |
| • | We may use clinic software systems including Phorest and Zenoti. |
| • | During or after migration between systems, some records may remain in legacy systems, archives, backups, audit logs or processor systems where necessary. |
- Why We Use Your Personal Data
| • | We use personal data for purposes including: |
| Registering you as a patient Booking and managing appointments Assessing suitability Providing consultations and treatments Maintaining clinical records Prescribing and medication safety Laboratory testing Taking payment Managing refunds, courses, packages, instalments, loyalty rewards and referral rewards Sending appointment and service communications Sending marketing where permitted Handling complaints, reviews, incidents and disputes Preventing fraud and protecting the Clinic Maintaining safety and security Complying with legal, accounting, insurance and regulatory requirements Establishing, exercising or defending legal claims |
- Lawful Bases for Processing
| • | We process personal data only where we have a lawful basis under UK data protection law. |
| • | Depending on the purpose, we may rely on: |
| Performance of a contract Legal obligation Legitimate interests Consent Establishment, exercise or defence of legal claims Provision of healthcare or treatment Explicit consent where appropriate |
| • | For health and treatment information, we use both: |
| An Article 6 lawful basis, such as contract, legitimate interests, legal obligation or consent; and an Article 9 special category condition, such as healthcare or treatment, explicit consent where appropriate, or legal claims. |
| • | Where we rely on consent, you may withdraw consent at any time. |
| • | Withdrawal of consent does not affect processing carried out before withdrawal. |
| • | Withdrawal of consent does not automatically require deletion of records we must keep for clinical, legal, insurance, accounting, contractual or defence-of-claims reasons. |
- Direct Marketing Communications
| • | We may send you information about our services, treatments, news and offers where you have opted in or where we are permitted to contact existing patients about similar services. |
| • | You can unsubscribe or change your marketing preferences at any time. |
| • | Opting out of marketing will not stop service-related communications, including: |
| Appointment confirmations Appointment reminders Clinical information Payment messages Aftercare Safety notices Responses to enquiries |
- Data Sharing and Processors
| • | We do not sell or rent your personal data. |
| • | We may share personal data with: |
| Clinic management and booking software providers IT support and secure cloud providers Communication platform providers Payment service providers Card processors Laboratories Pharmacies Prescribers Insurers Legal advisers Accountants Professional advisers Debt recovery providers Regulators Law enforcement or public authorities where lawful or required |
| • | Where third parties process data on our behalf, we use appropriate agreements requiring them to keep data secure and comply with data protection law. |
| • | We only share information that is reasonably necessary for the relevant purpose. |
- International Transfers
| • | Some providers may process or store personal data outside the UK or European Economic Area. |
| • | Where this happens, we will use appropriate safeguards, such as adequacy regulations, standard contractual clauses or another lawful transfer mechanism. |
- How Long We Keep Your Data
| • | We keep personal data only for as long as necessary for the purposes described in this policy. |
| • | Clinical and medical records, including consultation notes, medical history forms, consent forms, treatment records, prescription records, clinical photographs, relevant communications and relevant ID used in a clinical or prescription context, are retained for a minimum of 10 years from your last treatment. |
| • | Records may be kept longer where required by insurers, professional guidance, law, complaints, incidents, paymentdisputes or claims. |
| • | Financial and transaction records are normally retained for at least 6 years. |
| • | CCTV footage is normally retained for 14 days unless needed for an incident, complaint, legal matter, insurance matter, police request or other lawful purpose and requested within 14 days. |
| • | ID, proof of address and payment-verification records are retained only where reasonably necessary for the purpose collected. |
| • | Complaint, incident, payment-dispute, debt-recovery and legal-claim records may be retained for as long as necessary to investigate, resolve, evidence or defend the matter. |
| • | Marketing preference data is retained until you withdraw consent, object to marketing, unsubscribe or we become aware that your details are no longer accurate. We may retain a suppression record to ensure we do not contact you again for marketing. |
| • | Marketing images are retained and used according to the consent given, unless consent is withdrawn. Withdrawal may not reverse prior lawful use. |
| • | After the relevant retention period expires, personal data will be securely deleted or anonymised. |
- Your Rights Under UK data protection law, you have rights in relation to your personal data, subject to legal limits and exemptions.
These rights include:
- Right to be informed
- Right of access
- Right to rectification
- Right to erasure
- Right to restrict processing
- Right to data portability
- Right to object
- Rights relating to automated decision-making and profiling
We do not carry out automated decision-making that produces legal or similarly significant effects.
You have the right to object at any time to your personal data being used for direct marketing.
Some records cannot be deleted immediately where retention is required for clinical safety, legal obligations, insurance, accounting, contractual reasons, complaints, payment disputes, regulatory matters or legal claims.
Requests under data protection law relate to your personal data. They do not give you ownership of the Clinic’s records, systems, treatment protocols, clinical methods, training materials, device-setting frameworks, parameter-selection methods, protocol ranges, internal audit records, monitoring tools, operating procedures, supplier information, pricing structures or commercially sensitive business information.
For laser, light-based, radiofrequency, ultrasound, energy-based, body contouring and laser lip treatments, device settings, parameter ranges, wavelength selections, fluence or energy ranges, pulse settings, treatment passes, escalation rules, endpoint guidance and similar information may form part of the Clinic’s confidential and proprietary treatment protocols, safety systems, practitioner guidance, audit records, training materials and business know-how.
Where a record contains both your personal data and the Clinic’s confidential or proprietary information, the Clinic may provide your personal data in a redacted, extracted or summarised form. The Clinic may withhold, redact or summarise confidential business information, proprietary clinical methods, device-setting frameworks, internal protocol ranges, treatment-planning logic, training content, operating procedures, audit methodology and commercially sensitive information where permitted by law.
Unless disclosure is required by law, court order, regulator or another lawful authority, or is reasonably necessary for legal advice, insurance, complaints, claims, regulatory compliance or the defence of legal proceedings, the Clinic does not disclose its proprietary device-setting frameworks, protocol ranges, parameter-selection methods, laser lip treatment settings frameworks or internal clinical protocols to patients, competitors or third parties.
Where required under data protection law, the Clinic will provide personal data relating to you. This does not require the Clinic to disclose full internal records, proprietary protocols, treatment algorithms, parameter frameworks, training materials, audit methodology or commercially sensitive know-how.
To exercise your rights, please contact us using the details in this policy.
We may need to verify your identity before responding.
We aim to respond to valid requests within one month unless an extension is permitted by law.
- Complaints, Reviews and Clinical Investigations
If you raise a clinical complaint, treatment concern, side effect, adverse reaction, payment dispute or legal claim, we may process relevant personal data to assess, investigate, respond to and evidence the matter.
This may include:
- Consultation records
- Consent forms
- Medical history
- Treatment records
- Clinical photographs
- Communications
- Payment records
- Practitioner notes
- Appointment history
- Aftercare compliance
- Review appointment records
- Relevant prescription, pharmacy, laboratory or product records
- Relevant device/product use records
- Relevant complaint, incident, insurance or legal correspondence
If a complaint, adverse event, treatment concern, payment dispute or legal claim arises, the Clinic may review internal device, protocol, audit, monitoring, training and compliance records to assess whether treatment was planned, delivered and monitored appropriately. These internal review materials may include confidential protocol information and proprietary clinical know-how. They are used for safety, governance, insurance, legal, quality-control and defence-of-claims purposes and are not automatically disclosable to the patient except where disclosure is required by law.
For clinical complaints, you may be required to attend an in-person review.
Failure to attend review may limit our ability to investigate your concern, assess the treatment outcome, provide clinical advice or offer a resolution.
Where necessary, we may share relevant information with insurers, legal advisers, prescribers, pharmacies, laboratories, payment providers, debt recovery providers, regulators, law enforcement, public authorities or other professional advisers where lawful and appropriate.
- Security of Your Personal Data
| • | We take appropriate technical and organisational measures to protect personal data. |
| • | These may include: |
| Secure systems Encrypted connections Role-based access controls Unique login credentials Staff confidentiality Staff data-protection training Restricted access to paper records Secure storage Review of access permissions |
| • | No system is completely risk-free, but we take reasonablesteps to protect your personal data. |
- Consequences of Not Providing Personal Data
| • | If you do not provide information we reasonably require, we may be unable to: |
| Register you as a patient Assess suitability Provide treatment safely Prescribe or administer medication Process payment Offer an instalment plan Investigate a complaint Comply with legal obligations Provide certain services |
| • | Treatment may be declined, delayed, adapted or stopped. |
- Children’s Privacy
| • | We do not routinely provide treatments to children. |
| • | Where we treat patients under 16, we do so with appropriate parent or legal guardian involvement and consent in accordance with our child treatment policy. |
| • | We do not knowingly collect personal data from or about children under 16 without appropriate parental or guardian involvement. |
- Privacy Complaints and Contact Details
| • | If you have questions about this Privacy Policy, how we handlepersonal data, or if you wish to exercise your rights, please contact: |
| Data Protection Lead / GDPR Contact Continental Skin Clinic 108-110 Judd Street London WC1H 9PX United Kingdom |
| • | Email: info@continentalskinclinic.co.uk |
| • | Telephone: 020 3940 8402 |
| • | You also have the right to complain to the Information Commissioner’s Office. |
| • | ICO contact details: |
| Information Commissioner’s Office Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF |
| • | Telephone: 0303 123 1113 |
| • | Website: ico.org.uk |
| • | We would appreciate the opportunity to deal with your concerns before you approach the ICO, so please contact us first where possible. |
- Changes to This Privacy Policy
| • | We may update this Privacy Policy from time to time. |
| • | The latest version will be available on our website and in the Clinic. |
| • | Where appropriate, we may notify you of significant changes by email or another suitable method. |