DATA CONTROLLER — Be Elite Aesthetics ("Be Elite", "we", "us", "our") is the data controller responsible for your personal data. We are registered with the Information Commissioner's Office (ICO). Our Data Protection Officer can be contacted at dpo@beelite.clinic.
LEGAL FRAMEWORK — This policy is issued pursuant to the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR) 2003. Where we process special category data (health and medical information), we do so under Article 9(2)(h) UK GDPR for the purposes of preventive or occupational medicine, medical diagnosis, and the provision of health or social care treatment.
WHAT WE COLLECT — We collect and process: (a) Identity data: full name, date of birth, gender; (b) Contact data: email address, telephone number, postal address; (c) Health data: medical history, allergies, medications, treatment notes, clinical photographs, consent records — this constitutes special category data under UK GDPR; (d) Financial data: payment card details (processed by our PCI-DSS-compliant payment processor — we do not store full card numbers), transaction records, deposit and refund history; (e) Technical data: IP address, browser type and version, device information, pages visited, and session duration; (f) Communications data: records of correspondence including emails, chat messages, and telephone call summaries.
HOW WE COLLECT YOUR DATA — We collect data: (a) directly from you when you make a booking, complete a consultation form, sign consent forms, or contact us; (b) automatically through essential and analytics cookies when you use our website (see our Cookie Policy); (c) from third-party payment processors when you make a payment; (d) from referring practitioners or healthcare providers where you have given them permission to share information with us.
LAWFUL BASES FOR PROCESSING — We process your personal data under the following lawful bases: (a) Contract (Article 6(1)(b)): to perform our contract with you, including booking appointments, delivering treatments, and processing payments; (b) Legal obligation (Article 6(1)(c)): to comply with healthcare record-keeping requirements, financial reporting obligations (HMRC), and regulatory duties; (c) Legitimate interests (Article 6(1)(f)): to improve our services, maintain security, and communicate operationally about your appointments — we have conducted a Legitimate Interests Assessment for each such use; (d) Consent (Article 6(1)(a)): for marketing communications, non-essential cookies, and clinical photography used for purposes beyond your medical record. You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal. For special category health data, our additional condition is Article 9(2)(h): processing necessary for health care purposes by or under the responsibility of a health professional.
HOW WE USE YOUR DATA — We use your data to: manage your bookings and provide treatments; maintain your medical records as required by law; process payments and manage deposits and refunds; send appointment confirmations, reminders, and aftercare instructions; respond to your enquiries and complaints; comply with legal, regulatory, and professional obligations; improve our services and website functionality; and, where you have opted in, send marketing communications about treatments and offers.
DATA SHARING — We may share your personal data with: (a) our payment processor (Stripe) for processing transactions; (b) our hosting and infrastructure providers who store data within the UK or EEA; (c) professional and regulatory bodies where required by law; (d) HM Revenue & Customs, the Information Commissioner's Office, or other authorities where legally required; (e) our professional indemnity insurers in connection with a claim or potential claim. We do not sell your data to third parties. We do not transfer your data outside the United Kingdom unless we have ensured appropriate safeguards are in place, including adequacy decisions or Standard Contractual Clauses approved by the ICO.
DATA RETENTION — Medical and treatment records: 8 years from the date of last treatment, in accordance with NHS guidance and professional body requirements. For patients treated under the age of 18: records are retained until the patient's 25th birthday or 8 years after last treatment, whichever is later. Financial records: 7 years to comply with HMRC requirements under the Taxes Management Act 1970. Consent records: for the duration of consent plus 3 years following withdrawal or last treatment, to evidence compliance. Marketing consent records: retained for 1 year after consent is withdrawn. Complaints records: 10 years from resolution. Analytics data: 26 months. We conduct regular reviews of the data we hold and securely delete or anonymise data when it is no longer required for any lawful purpose.
YOUR RIGHTS — Under UK GDPR you have the right to: (a) Access: obtain confirmation of whether we process your data and request a copy (Subject Access Request) — we will respond within one calendar month; (b) Rectification: have inaccurate data corrected without undue delay; (c) Erasure ("Right to be Forgotten"): request deletion of your data where there is no compelling reason for continued processing — note that we cannot erase medical records within the mandatory retention period; (d) Restriction: request that we limit processing in certain circumstances; (e) Data Portability: receive your data in a structured, commonly used, machine-readable format; (f) Objection: object to processing based on legitimate interests or for direct marketing purposes — we will cease processing unless we can demonstrate compelling legitimate grounds; (g) Withdraw Consent: where processing is based on consent, withdraw at any time by contacting us or using the unsubscribe link in marketing emails. To exercise any of these rights, contact us at dpo@beelite.clinic. We may need to verify your identity before processing your request.
AUTOMATED DECISION-MAKING — We do not carry out any automated decision-making or profiling that produces legal or similarly significant effects on you. Our AI chat assistant provides general information only and does not make clinical decisions.
DATA SECURITY — We implement appropriate technical and organisational measures to protect your personal data, including: encryption of data in transit (TLS/SSL) and at rest; access controls limiting data access to authorised personnel; regular security assessments; staff training on data protection and confidentiality; secure disposal procedures for data that is no longer required.
DATA BREACHES — In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the ICO within 72 hours and, where the risk is high, notify you directly without undue delay, in accordance with Articles 33 and 34 UK GDPR.
COMPLAINTS — If you believe we have not handled your data correctly, you have the right to lodge a complaint with the Information Commissioner's Office: ico.org.uk, telephone 0303 123 1113, or write to Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. We would appreciate the opportunity to address your concern first — please contact dpo@beelite.clinic.
CHANGES TO THIS POLICY — We may update this policy from time to time. Material changes will be communicated via our website and, where appropriate, by email. The effective date at the top of this policy indicates when it was last updated. Continued use of our services after changes constitutes acceptance of the updated policy.