Privacy Policy

Last updated: 15 April 2026

1. Who we are

Laser Skin Clinics is a trading name operated by Maxine Harish. We are based at 4 Perton Farm Barns, Jenny Walkers Lane, Wolverhampton, WV6 7HB. For data protection enquiries, contact us at info@laserskinclinics.co.uk or call 01902 256667.

We are the data controller for the personal information we collect and process through this portal (my.laserskinclinics.co.uk) and our clinic operations.

2. What personal data we collect

We collect the following categories of personal data:

  • Identity data: full name, date of birth, gender
  • Contact data: email address, phone number, postal address
  • Health data: medical history, allergies, skin type (Fitzpatrick), pregnancy status, medications, GP details
  • Emergency contact details: name, relationship, phone number
  • Treatment data: treatment notes, machine settings, skin response, clinical photographs
  • Consent records: digital signatures, timestamps, form responses
  • Payment data: transaction amounts and references (card details are processed securely by Stripe and never stored on our systems)
  • Account data: login credentials (email), authentication tokens
  • Communication preferences: WhatsApp, email, SMS opt-in/opt-out status

3. How we collect your data

We collect personal data through:

  • Our online portal when you create an account, fill in forms, or book appointments
  • In-clinic consultations and treatment appointments
  • WhatsApp, email, or phone conversations with our team
  • Digital consent and medical history forms signed before treatment
  • Clinical photographs taken during treatment (with your consent)

4. Why we process your data (legal basis)

Contract performance: To provide treatments you have booked, manage appointments, process payments, and deliver aftercare instructions.

Legal obligation: To maintain medical treatment records as required by UK health and safety regulations, and to comply with insurance and regulatory requirements.

Vital interests: To process medical history data that is essential for your safety during treatment (e.g., allergies, contraindications, pregnancy).

Legitimate interest: To send appointment reminders, request feedback, and improve our services.

Consent: To send marketing communications (offers, promotions). You can withdraw consent at any time via your profile settings or by contacting us.

5. Special category data (health data)

We process special category health data (medical history, allergies, skin conditions) because it is necessary for the provision of health care and treatment. This processing is carried out by a health professional (or under their responsibility) and is subject to professional confidentiality obligations.

We will never share your medical data with third parties except where required by law, with your explicit consent, or in a medical emergency.

6. Who we share your data with

We share personal data only with the following categories of recipients, all of whom have appropriate data processing agreements in place:

  • Supabase (database hosting, authentication) — data stored in EU/UK data centres
  • Stripe (payment processing) — PCI DSS Level 1 compliant; we never see or store your card details
  • Netlify (website hosting) — static content delivery only
  • Anthropic (AI treatment note summarisation) — treatment notes are processed to create structured summaries; no personal identifiers are sent
  • Twilio (appointment reminders via SMS/WhatsApp) — only your phone number and appointment details are shared

We do not sell your personal data to any third party. We do not use your data for automated decision-making or profiling.

7. How long we keep your data

  • Treatment records and consent forms: 10 years from the date of last treatment (in line with NHS records retention guidance)
  • Clinical photographs: 10 years from date of capture, or until you request deletion
  • Account data: until you delete your account or request deletion
  • Payment records: 7 years (HMRC requirement)
  • Marketing consent records: until you withdraw consent, plus 12 months for audit purposes

8. Your rights under UK GDPR

You have the following rights regarding your personal data:

  • Right of access: request a copy of all personal data we hold about you
  • Right to rectification: ask us to correct inaccurate or incomplete data
  • Right to erasure ('right to be forgotten'): ask us to delete your data (subject to legal retention requirements)
  • Right to restrict processing: ask us to limit how we use your data
  • Right to data portability: receive your data in a machine-readable format
  • Right to object: object to processing based on legitimate interests or for direct marketing
  • Right to withdraw consent: withdraw marketing consent at any time without affecting prior processing

To exercise any of these rights, email info@laserskinclinics.co.uk or speak to a member of our team. We will respond within 30 days.

9. Cookies and tracking

This portal uses essential cookies only — specifically, authentication session cookies set by Supabase to keep you logged in. These are strictly necessary for the portal to function and do not require consent.

We do not use any analytics cookies, advertising trackers, or third-party tracking scripts (no Google Analytics, no Meta Pixel, no Hotjar).

10. Data security

We implement appropriate technical and organisational measures to protect your personal data, including:

  • All data transmitted over HTTPS (TLS encryption in transit)
  • Database encryption at rest (Supabase managed infrastructure)
  • Row-level security policies restricting data access to authorised users only
  • Admin access restricted to authorised staff via email allowlist and password authentication
  • Payment data handled exclusively by Stripe (PCI DSS Level 1 compliant) — we never process or store card numbers
  • Digital signatures stored securely with timestamp records

11. Children

Our services are not intended for anyone under the age of 18. We do not knowingly collect personal data from children. All clients must confirm they are 18 or over before booking a treatment.

12. Changes to this policy

We may update this privacy policy from time to time. We will notify you of significant changes via email or through the portal. The "last updated" date at the top of this page indicates when this policy was last revised.

13. Complaints

If you are unhappy with how we handle your personal data, please contact us first at info@laserskinclinics.co.uk. If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Website: ico.org.uk
Helpline: 0303 123 1113

Laser Skin Clinics · 4 Perton Farm Barns, Jenny Walkers Lane, Wolverhampton, WV6 7HB · info@laserskinclinics.co.uk · 01902 256667