Privacy Policy
1. Introduction
We are committed to safeguarding your data and taking necessary steps to ensure it stays secure. This privacy policy explains how Shore Skin Clinic Ltd (“we”, “us”, “our”) collects, uses, stores and protects your personal data when you:
– Visit our website at shoreskin.co.uk
– Use our membership portal at members.shoreskin.co.uk
– Attend our clinic for consultations or treatments
– Subscribe to a membership plan
This policy applies where we are acting as a data controller with respect to the personal data of our clients, website visitors and membership subscribers.
2. Lawful Basis for Processing
Under UK GDPR Article 6, we process your personal data on the following lawful bases:
Contract (Art. 6(1)(b)) — To provide membership services, process payments, and deliver treatments you have signed up for.
Legal Obligation (Art. 6(1)(c)) — To comply with healthcare regulations, tax obligations, and professional record-keeping requirements.
Legitimate Interests (Art. 6(1)(f)) — To improve our services, communicate with you about your membership, and ensure security of our systems.
Consent (Art. 6(1)(a)) — For marketing communications, social media photography, and any optional data processing where we specifically ask for your agreement.
3. Special Category Data (Health Data)
Some of the data we process relates to your health and is classified as special category data under UK GDPR Article 9. We process this data under the following conditions:
– Explicit consent (Art. 9(2)(a)) — you provide consent during your consultation and when signing your membership agreement
– Health or social care purposes (Art. 9(2)(h)) — processing is necessary for the provision of healthcare treatment
– Legal obligation — we are required by our professional regulators and insurers to maintain medical records
Health data we may hold includes: medical history relevant to aesthetic treatments, treatment records, before/after photographs, and allergy or contraindication information. This data is held in our clinic records system and is not stored on the membership portal.
4. What Data We Collect
4.1 Clinic Data (collected in person)
When you attend the clinic for consultations or treatments, we collect:
– Full name, date of birth, address, phone number and email
– Medical history relevant to your treatment
– Treatment records and clinical notes
– Before and after photographs (required by our insurer)
– Signed consent forms
4.2 Membership Portal Data (collected digitally)
When you use our membership portal at members.shoreskin.co.uk, we collect:
– Full name and email address
– Phone number
– Membership plan details and subscription status
– Login credentials (email and encrypted password)
– Payment information (processed securely by Stripe — see Section 6)
The membership portal does not store medical records, treatment notes or clinical photographs. These are held separately in our clinic records system.
4.3 Website Data
When you visit shoreskin.co.uk, we collect data through our contact form (name, email, message) and through cookies as described in Section 13.
5. How We Use Your Data
We use your personal data to:
– Provide and manage your membership subscription
– Process monthly membership payments via Stripe
– Send transactional emails about your membership (payment confirmations, reminders, renewal notices)
– Deliver aesthetic treatments safely and effectively
– Maintain clinical records as required by law and professional standards
– Respond to your enquiries and communicate about appointments
– Comply with legal, regulatory and insurance obligations
– Improve our services and membership platform
We will only share your personal data with third parties where required and only with your written consent; for example, if we deemed it necessary for a second opinion from another medical expert.
6. Payment Processing and Stripe
Membership payments are processed securely by Stripe Payments Europe, Ltd. When you subscribe to a membership plan, Stripe collects and processes your payment card details. We do not see, store or have access to your full card number.
Stripe may collect:
– Card number, expiry date and CVC (processed directly by Stripe)
– Billing name and address
– Transaction history and payment status
Stripe is certified to PCI-DSS Level 1, the highest level of payment security certification. Stripe acts as an independent data controller for payment data it collects. You can read Stripe’s privacy policy at: https://stripe.com/gb/privacy
We receive from Stripe: confirmation of successful/failed payments, the last four digits of your card, card type, and subscription status. This information is used solely to manage your membership.
7. Email Communications
We send automated transactional emails related to your membership, including:
– Welcome and onboarding emails
– Payment confirmations and receipts
– Payment failure notifications
– Membership renewal reminders
– Changes to your membership terms
These transactional emails are sent using Resend, a third-party email delivery service. Resend processes your email address and name solely for the purpose of delivering emails on our behalf. You can read Resend’s privacy policy at: https://resend.com/legal/privacy-policy
Transactional emails about your membership are not marketing and are necessary for the performance of your membership contract. You cannot opt out of these while your membership is active. If we send any marketing emails, we will obtain your separate consent first and you can unsubscribe at any time.
8. Data Sharing and Third-Party Processors
We share your personal data with the following categories of third parties, who act as data processors on our behalf:
Stripe — Payment processing — Data shared: Name, email, payment card details, billing address
Google (Google Analytics) — Website analytics on shoreskin.co.uk — Data shared: Anonymised IP address, page visits, session data
Resend — Transactional email delivery — Data shared: Name, email address
Cloud hosting provider — Hosting the membership portal — Data shared: All membership portal data (encrypted at rest)
British College of Aesthetic Medicine — Professional audit (anonymised) — Data shared: Anonymised clinical records only
We will not sell your personal data to any third party. We will only share data beyond the above where required by law or with your explicit written consent.
9. International Data Transfers
Some of our third-party service providers are based outside the UK. Where your data is transferred internationally, we ensure appropriate safeguards are in place:
– Stripe — operates in the US and EU. Transfers are protected by Standard Contractual Clauses (SCCs) and the UK International Data Transfer Agreement (IDTA).
– Resend — based in the US. Transfers are protected by Standard Contractual Clauses.
– Google (Google Analytics) — operates in the US and EU. We instruct Google to anonymise IP addresses. Transfers are governed by Google’s Data Processing Terms and Standard Contractual Clauses.
We only transfer data to countries or organisations that provide adequate protection for your personal data in accordance with UK GDPR Article 46.
10. How We Protect Your Data
Physical records (clinic)
Any paper records stored on-site are kept in locked storage within locked premises.
Digital records (membership portal)
The membership portal at members.shoreskin.co.uk uses the following security measures:
– HTTPS encryption for all data in transit
– Encrypted data storage at rest
– Secure password hashing
– Access controls restricting data to authorised personnel only
No method of electronic storage or transmission is 100% secure. While we take all reasonable steps to protect your data, we cannot guarantee absolute security.
11. How Long We Keep Your Data
Medical/clinical records — 10 years from last treatment — Professional and legal obligation (aesthetic treatment records and potential late-onset complications)
Membership account data — 10 years after membership ends — Contract and legal obligation
Payment transaction records — 10 years after transaction — HMRC tax obligations and continuity of records
Email correspondence — 10 years — Legitimate business interest and continuity of care
Social media images (with consent) — Until you request removal — Consent-based
Website contact form enquiries — 10 years — Legitimate interest and continuity of care
After the retention period expires, your data will be securely deleted or anonymised. Paper records will be shredded by a licensed confidential waste provider. Digital records will be permanently deleted from our systems.
12. Your Rights
Under UK GDPR, you have the following rights regarding your personal data:
Right of Access (Art. 15) — You can request a copy of all personal data we hold about you.
Right to Rectification (Art. 16) — You can ask us to correct any inaccurate or incomplete data.
Right to Erasure (Art. 17) — You can ask us to delete your data, subject to legal retention requirements.
Right to Restrict Processing (Art. 18) — You can ask us to limit how we use your data in certain circumstances.
Right to Data Portability (Art. 20) — You can request your data in a commonly used, machine-readable format.
Right to Object (Art. 21) — You can object to processing based on legitimate interests or for direct marketing.
Right to Withdraw Consent — Where we rely on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at [email protected]. We will respond to your request within one month. If your request is complex, we may extend this by a further two months and will notify you accordingly.
Please note that some rights are not absolute. For example, we cannot delete medical records where we have a legal obligation to retain them.
13. Cookies
Our websites use cookies to help make your experience better. Most browsers allow you to view, manage, delete and block cookies.
13.1 shoreskin.co.uk
_ga — Google Analytics — 2 years — Distinguishes unique visitors
_gat — Google Analytics — 1 minute — Throttles request rate
_gid — Google Analytics — 24 hours — Distinguishes unique visitors
We instruct Google to anonymise your personal data by removing part of your IP address. For more information about Google Analytics cookies, visit: https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage
13.2 members.shoreskin.co.uk
The membership portal uses only essential cookies required for the site to function:
– Session cookie — maintains your login session while you are using the portal
No analytics or tracking cookies are used on the membership portal.
For guidance on managing cookies in your browser, visit: https://ico.org.uk/your-data-matters/online/cookies/
14. Data Protection Impact Assessments
We carry out Data Protection Impact Assessments (DPIAs) where our processing of personal data is likely to result in a high risk to individuals. This includes our processing of health data and the operation of our membership portal. DPIAs are reviewed annually or when significant changes are made to our data processing activities.
15. Photographs
When you undergo a treatment, we are required by our insurance company to take photographs before and after treatments. This data is kept secure and is not shared with anyone.
If you experience a complication, we will seek your separate consent before sharing your image with the manufacturer or other healthcare professionals.
Photographs taken for social media are completely separate and have a different consent form. No photographs will be shared without your consent, whether recognisable or anonymised.
16. Professional Audits
We are a proud member of the British College of Aesthetic Medicine and are required to complete an annual survey and audit of our records. Records are selected at random and any information sent is fully anonymised. We share demographics and statistics, and they ensure our clinical notes meet professional standards.
17. Children
Our membership services are not intended for anyone under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a minor, please contact us immediately.
18. Changes to This Policy
We may update this privacy policy from time to time to reflect changes in our practices, technology, legal requirements or other factors. If we make material changes, we will notify active members by email. The “last updated” date at the top of this policy indicates when it was last revised.
19. Contact Us and Complaints
Data Protection Officer
Our Data Protection Officer is Benjamin Norman. You can contact them:
– Via email: https://shoreskin.co.uk/contact
– Via post: Shore Skin Clinic Ltd, 28 Singleton Crescent, Ferring, Worthing, BN12 5DG
Complaints
If you are unhappy with how we have handled your personal data, please contact us first so we can try to resolve the issue. You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO):
– Website: www.ico.org.uk
– Telephone: 0303 123 1113
Shore Skin Clinic Ltd | Company No. 11359810 | ICO Registration: ZA391385
This policy was last reviewed on 07 March 2026