Privacy & data protection

Privacy Policy

We respect your privacy and are committed to protecting your personal data. This Privacy Policy explains how Promeds Clinic ("Promeds", "we", "us") collects, uses, stores, and shares information about you when you visit our website promeds.co.uk, contact us, or receive care at our clinic in Derby, United Kingdom.

We process your personal data in accordance with the UK General Data Protection Regulation ("UK GDPR"), the Data Protection Act 2018 and, where applicable, the EU GDPR and related privacy laws.

Data controller

Promeds Clinic Limited
Derby, United Kingdom

What this covers

Our website, online forms and communications, and the provision of our laser and aesthetic services.

Key points

  • We only collect information we need.
  • We never sell your personal data.
  • You have clear rights over your data.

Who we are and how to contact us

Promeds Clinic is a private clinic providing laser treatment and other aesthetic services in Derby, United Kingdom. For the purposes of data protection law, Promeds Clinic is the data controller of your personal data described in this Policy.

If you have any questions about this Policy, how we handle your information, or if you wish to exercise your data protection rights, please contact our Data Protection Lead:

Address

Promeds Clinic Limited
4 Wentworth House, Vernon Gate Street, Derby DE1 1UR
United Kingdom

Information we collect about you

The type of personal data we collect depends on how you interact with us. We may collect and process the following categories of information:

  • Identity and contact data, such as your name, title, date of birth, postal address, email address, telephone number, and any emergency contact details you provide.
  • Medical and special category data, including information about your health, medical history, previous treatments, allergies, lifestyle information relevant to your care, photographs and treatment notes. This may include information you provide through online forms or during consultations.
  • Appointment and financial data, such as appointment dates and times, the services you receive, invoices, payment status and partial payment details (for example, transaction references). We do not store full payment card numbers or security codes on our systems.
  • Technical and usage data, such as your IP address, browser type and version, operating system, device identifiers, language settings, the pages you visit on our website, the time and date of your visits, the time spent on pages, and other diagnostic and usage data. This may be collected automatically when you use our website.
  • Marketing and communication preferences, including your choices about receiving marketing from us and your communication preferences (for example, email, SMS, phone).
  • Correspondence and feedback, including information you provide when you contact us by email, phone or via online forms, complete surveys, submit reviews, or otherwise give us feedback.

How we collect your information

We may collect personal data about you in the following ways:

  • Direct interactions, when you complete forms on our website, contact us by email or phone, book or attend appointments, or give information directly to our clinicians and staff.
  • Automated technologies, when you interact with our website. As you navigate our site, we may automatically collect technical data about your equipment, browsing actions and patterns using cookies and similar technologies (see the section on cookies and analytics below).
  • Third parties, for example referring healthcare professionals, laboratories, payment providers, analytics providers, and other partners who are involved in your care or support our services, where this is lawful and appropriate.

We may anonymise or aggregate personal data so that it can no longer identify you. Such information is not considered personal data and may be used for analysis, research and service improvement.

How we use your information and our legal bases

We act as a data controller when we collect and use your personal data in connection with our website and clinical services. Under UK GDPR, we must have a valid legal basis each time we process your personal data. Depending on the circumstances, we rely on one or more of the following legal bases:

  • Consent – where you have given clear, informed consent for us to process your data for a specific purpose (for example, marketing).
  • Contract – where processing is necessary to enter into or perform a contract with you (for example, to provide treatments or manage your bookings).
  • Legal obligation – where we must process your data to comply with a legal or regulatory requirement (for example, clinical record keeping, tax or accounting rules).
  • Vital interests – where processing is necessary to protect someone's life or prevent serious harm.
  • Legitimate interests – where we use your data in a way that is necessary for our legitimate business interests (or those of a third party), and your interests and fundamental rights do not override those interests.

When we process special category data (such as information about your health), we rely on additional conditions under Article 9 of UK GDPR, primarily that processing is necessary for the purposes of medical diagnosis and the provision of health or social care (Article 9(2)(h)), and for the establishment, exercise or defence of legal claims (Article 9(2)(f)).

We may use the information we collect for the following purposes:

  • To provide our services, including assessing suitability for treatments, providing consultations, delivering laser and aesthetic treatments, and managing your care, appointments and follow-ups (legal basis: contract; special category data: provision of health care).
  • To create and manage records, including your patient file or user account, and to send administrative information such as booking confirmations, reminders, invoices and service updates (legal basis: contract, legitimate interests, legal obligation).
  • To respond to enquiries and provide support, including answering questions, handling complaints and providing aftercare (legal basis: contract, legitimate interests).
  • To send marketing communications, such as news, updates and offers about our services, where you have chosen to receive them (legal basis: consent). You can withdraw your consent at any time.
  • To request feedback and conduct surveys to help us improve our services and patient experience (legal basis: legitimate interests).
  • To improve and personalise our website and services, including monitoring usage, troubleshooting, data analysis, testing, research, and statistical purposes (legal basis: legitimate interests, consent for non-essential cookies/analytics).
  • To protect the security of our systems and services, including preventing abuse, fraud and malicious use of our website or clinic, and ensuring network and information security (legal basis: legitimate interests, vital interests, legal obligation).
  • To comply with our legal and regulatory obligations, including obligations relating to health and safety, clinical governance, insurance and regulatory reporting, and to respond to lawful requests from public authorities (legal basis: legal obligation, public interest).

We may combine or aggregate some of your personal data in anonymised form to better understand how our website and services are used and to improve them. We do not use your personal data for automated decision-making that produces legal or similarly significant effects on you.

Use of your medical data and confidentiality

Your medical data is treated with the utmost confidentiality. Only healthcare professionals involved in your care, and staff who support them and are subject to a duty of confidentiality, have access to your medical records, and only to the extent necessary to perform their roles.

  • We use your medical data primarily to provide you with safe and appropriate treatments, monitor your progress, and ensure continuity of care.
  • We do not use your medical data for marketing purposes without your explicit consent.
  • We may use anonymised or pseudonymised medical data for internal training, audit, quality improvement, service evaluation, and to enhance our clinical practices. Where reasonably possible, information used for these purposes does not identify you.

Because medical information is classed as "special category" data, we apply additional protections and only process it where the law allows, for example to provide health care, manage risks to you and others, or comply with legal obligations.

Privacy of children and young people

Our website is intended for use by adults. We do not knowingly collect personal data via our website from children under the age of 18. If you are under 18, please do not submit personal information through our website forms.

If you have reason to believe that a child under the age of 18 has provided personal information to us through the website, please contact us so that we can delete that information where appropriate.

We may provide clinical services to young people under 18 in our clinic. In these cases, we will usually work with a person with parental responsibility and provide age‑appropriate information about how we use the young person's data. Records relating to children are kept with particular care and in line with professional guidance.

Cookies, automatic data collection and analytics

Our website may use cookies and similar technologies to distinguish you from other users, help the site function properly, and analyse how it is used. Some cookies are strictly necessary for the website to work; others are optional and help us improve our services.

Where required by law, we will ask for your consent before using non-essential cookies (for example, analytics or marketing cookies). You can manage cookies through your browser settings and, if available, through any cookie banner or preference centre on our website.

Automatic collection of information

When you open the website, our servers may automatically record information that your browser sends. This data can include your device's IP address, browser type and version, operating system, language preferences, the webpage you visited before coming to our website, the pages you visit on our website, the time spent on those pages, the information you search for, access times and dates, and other statistics.

Information collected automatically is used to help maintain the security of our website, identify potential cases of abuse, and establish statistical information regarding usage and traffic. This statistical information is not otherwise used in a way that would identify any particular user.

Analytics tools

Our website may use third‑party analytics tools that use cookies, web beacons or other similar technologies to collect standard internet activity and usage information. The information gathered is used to compile statistical reports on user activity, such as how often users visit our website, which pages they visit and how long they stay.

We use the information obtained from these analytics tools to monitor performance and improve our website and services. We do not use analytics tools to try to identify you personally and do not combine analytics data with other information in a way that would directly identify you.

Do Not Track signals

Some browsers incorporate a "Do Not Track" (DNT) feature that signals to websites that you do not want to be tracked across different sites. There is currently no universally accepted standard for how websites should respond to DNT signals.

At present, our website does not respond specifically to DNT signals. Even so, as described in this Policy, we limit the personal data we collect and how we use it. You can manage cookies and other tracking technologies through your browser settings.

Social media features and links to other sites

Social media features

Our website may include social media features, such as Facebook or Instagram buttons and share widgets ("Social Media Features"). These Features may collect your IP address, which page you are visiting on our website, and may set a cookie to enable the Feature to function properly.

Social Media Features are either hosted by their respective providers or directly on our website. Your interactions with these Features are governed by the privacy policies of the companies providing them, not by this Policy. We encourage you to review those policies before using such Features.

Links to other resources

Our website may contain links to other websites or resources that are not owned or controlled by us. We are not responsible for the privacy practices of such third‑party websites or services. When you follow a link to another site, we recommend that you read the privacy policy of that site to understand how your information will be used.

Managing your information and how long we keep it

Managing and updating your information

It is important that the personal data we hold about you is accurate and up to date. Please let us know if your information changes during your relationship with us.

Where you have an online account with us (if applicable), you may be able to view and update some of your details directly. You can also contact us using the details above to request corrections to your information.

Retention of information

We will retain your personal data only for as long as reasonably necessary to fulfil the purposes for which we collected it, including for the purposes of satisfying any legal, regulatory, tax, accounting, or reporting requirements, and to respond to complaints or legal claims.

Clinical and medical records are retained in accordance with applicable healthcare regulations, professional guidance, and our insurer's requirements. This often means we need to keep records for a number of years after your last appointment (for example, at least 7 years, and in some cases longer, such as for records relating to certain treatments).

When we no longer need personal data, we will either securely delete or anonymise it. Once data is anonymised, it is no longer personal data and you will not be identifiable from it.

Sharing your information and international transfers

How we share your information

We will not sell your personal data. We only share your information where necessary and lawful, and we ensure appropriate safeguards are in place. Depending on the services you use, we may share your information with:

  • Clinicians and healthcare professionals involved in your care, including any specialists or external providers where you have been referred or where you ask us to share information.
  • Service providers who support our business operations (for example, IT providers, hosting companies, booking systems, email or SMS providers, payment processors, analytics providers and professional advisers). These organisations act as our data processors and are only permitted to use your data in accordance with our instructions.
  • Regulatory bodies, insurers, auditors, law enforcement agencies, courts, or other public authorities, where we are required to do so by law, regulation or professional obligations, or in order to protect your vital interests or those of another person.

We require all third parties who process your data on our behalf to respect the security and confidentiality of your personal data and to treat it in accordance with the law. We do not permit our service providers to use your personal data for their own unrelated purposes.

International data transfers

Some of our service providers may be located outside the United Kingdom or the European Economic Area (EEA). If your personal data is transferred outside the UK/EEA, we will ensure that appropriate safeguards are in place, such as:

  • Use of countries that the UK has determined provide an adequate level of protection.
  • Use of standard contractual clauses or the UK International Data Transfer Agreement or Addendum approved by the Information Commissioner's Office (ICO).

You can contact us for more information about the specific mechanisms we use when transferring your personal data outside the UK/EEA.

Email marketing and notifications

Email marketing

We may offer electronic newsletters or marketing emails about our services that you can choose to receive. We will only send you marketing communications where we have your consent or where the law otherwise allows. You can withdraw your consent or opt out of marketing at any time by using the unsubscribe link in our emails or by contacting us.

Even if you opt out of marketing emails, we may still send you non‑marketing communications that are necessary for the services we provide, such as appointment confirmations, reminders, safety notices or important information about changes to our services.

Push notifications

If we offer push notifications through a mobile app or your browser, you will be asked whether you want to receive them. To ensure notifications reach the correct device, we may use a third‑party provider that relies on a device token. This token does not reveal your identity to us.

You can stop receiving push notifications at any time by adjusting the settings on your device or browser.

Information security and data breaches

How we keep your information secure

We take appropriate technical and organisational measures to protect your personal data against unauthorised or unlawful access, accidental loss, destruction or damage. These measures include access controls, encryption where appropriate, secure storage, policies and staff training.

However, no method of transmission over the internet or method of electronic storage is completely secure. While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee its absolute security. The security of your data also depends on you: for example, keeping any login details confidential and using up‑to‑date security on your devices.

Data breaches

In the event that we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will investigate and take appropriate remedial actions. Where required by law, we will notify the Information Commissioner's Office (ICO) and, where appropriate, the individuals affected, without undue delay.

When notification to you is required, we will do so by email, telephone, letter, or by posting a notice on our website, as appropriate.

Your data protection rights

Under the UK GDPR and, where applicable, the EU GDPR, you have a number of rights in relation to your personal data. These rights are not absolute and may be subject to certain conditions and exemptions, especially in relation to health records, but we will always consider your request and explain our decision.

  • Right to be informed – to receive clear information about how we use your data (which is the purpose of this Policy and any other notices we provide).
  • Right of access – to request a copy of the personal data we hold about you and certain information about how we process it.
  • Right to rectification – to ask us to correct or complete inaccurate or incomplete personal data.
  • Right to erasure – to request that we delete your personal data in certain circumstances, for example where it is no longer needed for the purpose it was collected. This right may be limited where we need to retain data for legal or clinical reasons.
  • Right to restrict processing – to ask us to limit how we use your data in certain situations, for example while we are considering a request you have made.
  • Right to data portability – to receive certain personal data in a structured, commonly used and machine‑readable format, and to transmit it to another controller where this is technically feasible.
  • Right to object – to object to our processing of your personal data where we are relying on legitimate interests or where we are using your data for direct marketing.
  • Rights relating to automated decision‑making – to not be subject to a decision based solely on automated processing (including profiling) that has legal or similarly significant effects on you. Promeds Clinic does not carry out such automated decision‑making.
  • Right to withdraw consent – where we rely on your consent, you have the right to withdraw it at any time. This will not affect the lawfulness of any processing carried out before you withdrew your consent.

You can exercise your rights by contacting us using the details in the "Who we are and how to contact us" section. We may ask you for proof of identity before responding to your request. We aim to respond within one month, or explain if we need longer in complex cases.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you are unhappy with how we use your data:

Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire, SK9 5AF
Website: www.ico.org.uk
Telephone: 0303 123 1113

We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance if possible.

Changes to this Privacy Policy and how to contact us

Changes and updates

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or legal obligations. The updated version will be indicated by an updated "last updated" date and will be effective as soon as it is published on our website, unless otherwise stated.

Where we make significant changes, we may also notify you by email or by displaying a prominent notice on our website. We encourage you to review this Policy periodically to stay informed about how we protect your information.

Contacting us

If you have any questions, concerns or complaints about this Privacy Policy or the way we handle your personal data, or if you wish to exercise your data protection rights, please contact us:

Email: support@promeds.co.uk
Phone: +44 7376 284 835
Address: Promeds Clinic Limited, 4 Wentworth House, Vernon Gate Street, Derby DE1 1UR, United Kingdom

We will do our best to respond promptly and resolve any issues you raise in line with applicable data protection laws.

PROMEDS © All rights reserved.