Privacy & Cookie Policy

1. About this policy

This Privacy & Cookie Policy explains how ELM Aesthetics ("we", "us", or "our") collects, uses, stores and protects your personal data when you visit our website, contact us, book a consultation, or attend an appointment at our clinic.

We take your privacy seriously. Everything we do with your data complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. As a regulated nurse-led practice, we are also bound by the confidentiality standards set out by the Nursing & Midwifery Council (NMC).

2. Who we are

The clinic trades as ELM Aesthetics and operates from Regent Place, Suite 2, 646 King Lane, Leeds, West Yorkshire LS17 7AN. It is owned and operated by ELM Aesthetics Limited, a private limited company registered in England & Wales. Our lead practitioner is Melody Steel, Nurse Prescriber.

For the purposes of UK data protection law, ELM Aesthetics Limited is the data controller of any personal data you provide to us.

• Trading name: ELM Aesthetics
• Registered company: ELM Aesthetics Limited
• Company number: 14057828
• Clinic address: Regent Place, Suite 2, 646 King Lane, Leeds, West Yorkshire LS17 7AN
• Phone: 0113 833 1810 or 07501 016602
• Email: hello@elmaesthetics.co.uk

3. What information we collect

We only collect the information we need to give you safe, appropriate care and to keep proper clinical records. Depending on how you interact with us, that may include:

Identity & contact details

• Your name, date of birth, and gender
• Postal address, email address, and phone number
• Emergency contact details (where you provide them)

Medical & consultation information

• Your medical history, current medications, allergies and relevant lifestyle information
• Treatment notes, consent forms, and aftercare instructions
• Before-and-after photographs taken during treatment, where you have consented
• Any concerns or goals you share with us during consultation

Payment information

• Deposit and treatment payments are processed through secure third-party payment providers
• We do not see or store your full card details on our systems

Website & technical data

• Your IP address, browser type, device type and operating system
• Pages visited, time spent on each page, and how you arrived at our site
• Cookie preferences (see Section 9)

Marketing preferences

• Whether you have consented to receive emails, texts or newsletters from us
• Your interaction with any marketing we have sent (e.g. opens, clicks)

4. How and why we use your information

We use your data to deliver the care you've come to us for, run the clinic responsibly, and meet our legal obligations. Specifically:

• To provide treatment: assessing suitability, planning and delivering your treatment, and ensuring continuity of care across visits
• To manage appointments: sending booking confirmations, reminders, aftercare information and follow-up checks
• To keep clinical records: as required by professional standards and to support future care
• To answer your enquiries: responding to messages sent through our contact form, email, phone or social media
• To take payment: processing deposits and treatment fees via our secure payment provider
• To meet legal duties: responding to lawful requests from regulators, courts or law enforcement
• To improve our website and service: analysing anonymous usage data so we can make the site work better
• To send marketing — but only if you've expressly consented, and you can opt out at any time

5. Our lawful basis for processing your data

UK GDPR requires us to identify a specific lawful basis for everything we do with your data. We rely on:

• Contract: we need to process your data to provide the treatment or service you've booked
• Legitimate interests: running our clinic safely, keeping records, and improving our service
• Legal obligation: meeting our duties under healthcare regulations and UK law
• Consent: for special-category data (like medical history and photographs), marketing communications, and non-essential cookies
• Vital interests: in a medical emergency where your life or safety is at risk

6. Who we share your information with

We never sell, rent or trade your personal data. We share it only when necessary, and only with carefully selected providers and authorities:

• Other healthcare professionals — only where appropriate, and only with your consent (for example, if your GP needs to be informed about a treatment)
• Our payment processor — to take secure card payments for deposits and treatments
• Our IT and booking system providers — who help us run the website and manage appointments under strict data-protection contracts
• Our insurance providers and professional indemnity insurers — only where directly relevant to an incident or claim
• Regulatory or legal authorities — where the law requires us to disclose information

Where we use third-party services, we choose providers who can demonstrate appropriate data-protection standards, and we have written agreements with them covering how they handle your data.

Where your data is processed (transfers outside the UK)

Some of the providers that help us run the clinic — for example, our website hosting and contact-form provider, and our online booking and appointment system — store or process data on servers located outside the UK, including in the United States.

Whenever your personal data is transferred outside the UK, we make sure it remains protected to the standards required by UK data protection law. We rely on one or more of the following safeguards:

• Adequacy — the provider being covered by UK “adequacy” regulations, where the UK government recognises that country or framework as offering an equivalent level of protection (for example, the UK Extension to the EU–US Data Privacy Framework); or
• Approved contractual safeguards — the UK government’s International Data Transfer Agreement (IDTA), or the EU Standard Contractual Clauses together with the UK Addendum.

In every case we share only the data that is necessary, and our providers are contractually required to keep it secure and to use it only on our instructions. If you’d like more detail about the safeguards in place for a particular provider, please ask using the contact details in Section 14.

7. How long we keep your data

We keep your information only for as long as we need it. Different types of data have different retention periods:

• Medical and treatment records: retained for at least 10 years from the date of your last treatment, in line with UK clinical record-keeping standards
• Consent forms and treatment photographs: retained for the same period as your medical record
• Appointment booking data: retained for up to 3 years after your last interaction with us
• Marketing preferences: retained until you withdraw consent, then deleted within a reasonable period
• Website analytics: typically retained for up to 26 months in anonymised or aggregated form

When we no longer need your data, we will securely delete or anonymise it.

8. Your rights under UK GDPR

You have the following rights over your personal data, and we will respond to any request within one month (and usually much sooner):

• The right to be informed — about how your data is used (this policy explains exactly that)
• The right of access — to a copy of the personal data we hold about you
• The right to rectification — to have inaccurate or incomplete information corrected
• The right to erasure — to ask us to delete your data, where there's no good reason for us to keep it. Note: we are legally required to keep clinical records for the retention periods set out above
• The right to restrict processing — to ask us to pause processing your data in certain circumstances
• The right to data portability — to receive your data in a structured, machine-readable format
• The right to object — including to direct marketing, which you can stop at any time
• Rights relating to automated decision-making — we don't make automated decisions about you

To exercise any of these rights, please contact us at hello@elmaesthetics.co.uk.

If you're not satisfied with how we've handled your data, you have the right to complain to the Information Commissioner's Office (ICO): www.ico.org.uk — though we'd really like the chance to put things right first.

9. Cookies and tracking technologies

A cookie is a small text file placed on your device when you visit a website. It helps the site remember things about you and how you use it. We use cookies for the following purposes:

Strictly necessary cookies

These are essential for the website to work properly — for example, remembering your cookie preferences or keeping forms working as you fill them in. These cannot be switched off.

Analytics cookies

These help us understand how visitors use the site (which pages are most read, where people leave, and so on) so we can improve it. The information is anonymous and aggregated — we can't identify individual visitors from it.

Functional cookies

These remember choices you've made on the site (such as preferred language or region) to give you a smoother experience next time.

You can control cookies through your browser settings, including blocking or deleting them. Most browsers also have a "private" or "incognito" mode that limits cookie use. Be aware that disabling essential cookies may stop certain parts of the site working as expected.

10. How we keep your data secure

We take security seriously and have appropriate technical and organisational measures in place to protect your information:

• All electronic records are stored in secure, password-protected systems
• Access to your data is restricted to authorised personnel involved in your care
• Paper records are kept in locked, secure storage when not in active use
• Payment data is processed by PCI-DSS compliant third-party providers; we never store full card details ourselves
• We use up-to-date anti-virus software and apply security patches regularly
• Our team is trained on data protection and confidentiality

In the unlikely event of a personal data breach that affects your rights, we will notify you and the ICO as required by law.

11. Children's data

Our services are intended for adults aged 18 and over. We do not knowingly collect personal data from anyone under 18. If you believe we may have inadvertently received information from a minor, please contact us so we can investigate and delete it.

12. Photography and consent

We sometimes take before-and-after photographs to document your treatment progress. These are stored as part of your clinical record. We will never share your photographs publicly — on our website, social media, or anywhere else — without your specific, written consent. You can withdraw that consent at any time.

13. Changes to this policy

We may update this policy from time to time to reflect changes in our practices, technology, legal requirements or for other operational reasons. The "Last updated" date at the top of this page shows when the policy was most recently changed. Significant changes will be brought to your attention where appropriate.

14. Contact us

If you have any questions about this Privacy & Cookie Policy, want to exercise any of your data rights, or would like to make a complaint about how we've handled your information, please get in touch: