This policy aims to explain fully and clearly what personal data I collect from you, what happens to that data, and what your rights are in relation to your personal data.

If I can clarify anything or if I can improve the explanations I give about privacy here or elsewhere, please don’t hesitate to get in touch with me using the contact details below.

This policy covers:

  • Who I am
  • My privacy promise
  • What data I collect and why
  • My legal basis for processing your information
  • How I store your data and for how long
  • Your rights in respect of your personal data

This policy may be updated from time to time so please check back occasionally to make sure you’re happy with any changes.

WHO I AM

I am Debbie Watson, a facialist and beauty therapy specialist with over 35 years’ experience. I work independently, trading as Simply Skincare UK. You can contact me by emailing debbie@simplyskincareuk.com. You can also call me on 07743 852 448 or write to me at Simply Skincare UK, 265 Sunny Bank, Preston Road, Grimsargh, Preston, Lancashire, PR2 5JR.

MY PRIVACY PROMISE

I promise to:

  • Keep your data safe and private
  • Never sell your data
  • Give you options to manage your marketing and contact choices

WHAT DATA I COLLECT AND WHY

Through the provision of services, I collect and make use of the following information, all of which is provided by you at our initial consultation or by making an online purchase from me:

  • First and last name
  • Address
  • Telephone number
  • Email address
  • Date of birth
  • Next of kin or trusted friend name and telephone number
  • Medical history and ethnicity (only where it pertains to possible contraindications of your course of treatment, see below)
  • Purchase and treatment history

I collect website browsing data using statistical tools such as Google Analytics. These tools provide me with technical and visit-specific information about each visit to the website, but I am unable to easily identify your visit specifically. All contact forms on the Simply Skincare UK website also use Google's ReCAPTCHA (v3) spam detection service, which works in the background to detect and block 'bots' and suspicious activity.

Processing special categories of data: The EU General Data Protection Regulation (“GDPR”) recognises certain categories of personal information as sensitive and therefore requiring more protection, for example, information about your health, ethnicity and religious beliefs. I do collect and use healthcare and ethnicity data, where it pertains to possible contraindications of your chosen course of treatment with me (such as for all AlumierMD, Crystal Clear COMCIT, Matis, HD Brows and LVL Lash Lift treatments). Please be assured that I only process these special categories of data if there is a valid reason for doing so and with your permission.

HOW I USE PERSONAL DATA AND MY LEGAL BASIS FOR PROCESSING INFORMATION

Data Protection law says that I am allowed to use personal data only when I have a valid reason for doing so. This includes sharing it with anyone else. The law says that I must have one or more of the following reasons:

  • To fulfil a contract with you
  • When I have a legal obligation
  • When it is in your vital interests
  • When I have obtained your consent
  • When it is in my legitimate interest

Legitimate interest is when I have a commercial reason to use your information. But, even then, this must not outweigh your own rights.

Most of the personal information I collect from you is necessary for me to provide you with the safe, effective and personalised skincare treatments you require. It is important, for example, that I can identify any potential adverse reactions (contraindications) that may occur from the treatments you are considering and advise you accordingly. In such cases, it is the fulfilment of my contract with you that provides my legal basis for holding and using your data.

It is also important that I am able to contact you in relation to the smooth running of our appointments, to advise you of any unexpected changes or to remind you of our pre-agreed arrangement. My use of your mobile phone information to send reminders by text in this case is also validated through my contract with you.

At our initial consultation, I routinely ask customers if they would like to receive my email newsletter and/or details of late availability appointments and special offers by text. Where you have agreed to one or both of these services, whether verbally or in writing, I use your contact data on the basis of your active consent – although you may withdraw this at any time by simply advising me.

Also if you wish to purchase AlumierMD products online and have provided consent for me to do so, I may use your name and email address to ‘invite you’ to join the AlumierMD online portal. In such cases, I am sharing your data with AlumierMD, which will process it in order to fulfil any contract (i.e. purchase) you make via the portal.

I retain details of our financial transactions, whether made in person or via my website, on the basis of a combination of my legal obligation to disclose financial information and to retain records for UK agencies, such as HMRC, and my own legitimate interest in the sustainable management of my business.

Finally, in very rare circumstances I may need to share certain information about you with a medical professional or your nominated emergency contact in a medical emergency. In such cases, I would do so on the basis that this is in your vital interest and, in the case of your nominated contact, that you have consented to me doing so.

In the course of conducting my business, I do make use of some third-party organisations to process data and/or deliver services on my behalf. These suppliers may include individual contractors as well as software providers and social media platforms (e.g. Facebook and Instagram). Most of these providers are based in the European Economic Area (EEA) and are therefore subject to the same data protection legislation as I am. However, some software providers may store information outside the EEA, in which case I seek to ensure that they adhere to GDPR standards.

HOW I STORE YOUR DATA AND FOR HOW LONG

All data is securely stored and retained, excepting certain limited circumstances, for my sole use.

Hard copies of your induction and treatment forms are stored in my treatment room, which is locked when not in use.

Your name, email address and mobile telephone number are also transferred to my appointment management system, SalonLite, for which I have a password-protected account. Also, if you have provided your consent, I will store your name and email address on my email marketing platform, called Mailchimp. This account is also password protected.

For insurance and accounting purposes, most data is held for up to 5 years after the date of your last treatment with me. Where you request it, your personal information may be removed from my SalonLite or Mailchimp accounts with immediate effect.

YOUR RIGHTS IN RESPECT OF YOUR PERSONAL DATA

You are entitled to make certain requests of me in respect of your personal information. These are called your Data Subject Rights and there is more information on these on the Information Commissioner’s website, www.ico.org.uk. They include (but are not limited to):

  • Right of access – to request access to your personal information
  • Right to rectification – to have your personal information corrected if it is inaccurate
  • Right to erasure (also known as the Right to be Forgotten) – to have your personal information erased
  • Right to restriction of processing – to restrict processing of your personal information (to ask me not to process your data in certain ways)

If you have any general questions about your rights or want to exercise your rights, please contact me at debbie@simplyskincareuk.com.

If you think I am handling your data incorrectly or inappropriately, you should approach me in the first instance and I will do everything possible to rectify the situation. If you are not happy with my response, you have a right to contact the supervisory authority, in this case the Information Commissioner’s Office.