Privacy Policy

Last updated: March 2026

1. Who We Are

CARA Medical Aesthetics is a medical aesthetics clinic based in South Gloucestershire, United Kingdom. We are the data controller for the personal information we collect about you.

Contact details:
CARA Medical Aesthetics
South Gloucestershire, Gloucestershire
Email: hello@caramedical.co.uk
Website: caramedical.co.uk

2. What Data We Collect

We may collect and process the following personal data:

  • Identity data: name, date of birth, gender
  • Contact data: email address, phone number, postal address
  • Health data: medical history, treatment records, consultation notes, before/after photographs (special category data)
  • Financial data: payment information processed securely via Stripe (we do not store card details)
  • Technical data: IP address, browser type, device information, pages visited (only with your consent)
  • Communication data: correspondence via email, phone, or contact forms

3. Why We Collect Your Data

We use your personal data for the following purposes:

  • To provide medical aesthetic treatments safely and effectively
  • To manage bookings, consultations, and appointment scheduling
  • To process payments for treatments and products
  • To maintain accurate medical records as required by professional and legal obligations
  • To communicate with you about your appointments, treatments, and aftercare
  • To send marketing communications (only with your explicit consent)
  • To improve our website and services through anonymous analytics (only with your consent)

4. Legal Basis for Processing

We process your personal data under the following legal bases as defined by UK GDPR:

  • Consent: For marketing communications, analytics cookies, and the processing of before/after photographs
  • Contractual necessity: To fulfil our obligations when you book and receive treatments
  • Legal obligation: To maintain medical records and comply with healthcare regulations
  • Legitimate interests: To improve our services and manage our business effectively, where this does not override your rights
  • Vital interests / Explicit consent: For the processing of special category health data necessary for medical treatment

5. How Long We Keep Your Data

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected:

  • Medical records: Retained for a minimum of 10 years from the date of your last treatment, in line with professional healthcare guidance
  • Financial records: Retained for 7 years as required by HMRC
  • Marketing consent: Until you withdraw consent
  • Website analytics: Anonymised data retained for 26 months

6. Your Rights

Under UK GDPR, you have the following rights regarding your personal data:

  • Right of access: Request a copy of the personal data we hold about you
  • Right to rectification: Request correction of inaccurate or incomplete data
  • Right to erasure: Request deletion of your data (subject to legal retention requirements)
  • Right to restrict processing: Request that we limit how we use your data
  • Right to data portability: Request your data in a structured, commonly used format
  • Right to object: Object to processing based on legitimate interests or direct marketing
  • Right to withdraw consent: Withdraw consent at any time where processing is based on consent

To exercise any of these rights, please contact us at hello@caramedical.co.uk. We will respond to your request within one month.

7. Cookies

Our website uses the following types of cookies:

  • Strictly necessary cookies: Required for the website to function correctly. These cannot be disabled and do not require consent.
  • Analytics cookies: Used to understand how visitors interact with our website (Google Analytics). These are only set with your explicit consent.
  • Marketing cookies: Used to measure the effectiveness of our advertising campaigns (Meta Pixel). These are only set with your explicit consent.

You can manage your cookie preferences at any time using the cookie banner on our website. In accordance with UK GDPR, non-essential cookies are not loaded until you provide explicit opt-in consent.

8. Third Parties

We may share your data with the following categories of third parties, only where necessary and with appropriate safeguards:

  • Payment processors: Stripe processes payments securely on our behalf. We do not store your card details.
  • Booking platforms: Ovatu manages our appointment scheduling and booking system.
  • Analytics providers: Google Analytics and Google Tag Manager (only with your consent).
  • Advertising platforms: Meta (Facebook/Instagram) for advertising measurement (only with your consent).
  • Hosting providers: Vercel hosts our website infrastructure.

We do not sell your personal data to any third parties. Where data is transferred outside the UK, we ensure appropriate safeguards are in place as required by UK GDPR.

9. Data Security

We take the security of your personal data seriously and implement appropriate technical and organisational measures to protect it against unauthorised access, alteration, disclosure, or destruction. These measures include encrypted connections (SSL/TLS), secure payment processing, and restricted access to personal data.

10. Contact & Complaints

If you have any questions about this privacy policy or wish to exercise your data rights, please contact us:

Email: hello@caramedical.co.uk

If you are not satisfied with how we have handled your data or your complaint, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Telephone: 0303 123 1113
Website: ico.org.uk

11. Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices or for legal, regulatory, or operational reasons. Any significant changes will be communicated via our website. We encourage you to review this policy periodically.