Privacy Policy
Light Touch Clinic is committed to ensuring the privacy of our patients and website visitors. This policy explains what personal data we may collect about you when you interact with us and how we use it.
Last Updated: 16th May 2026
Version: 2.0
OUR PROMISE TO YOU
- We will only use your data to improve your experience of our services
- We will only use your sensitive personal data to ensure your care and safety as a patient
- We will only contact you about things you have shown an interest in or consented to
- We will never sell your personal data to any third party, under any circumstances
- We will keep your data secure using industry-standard encryption and access controls
WHO ARE WE?
Light Touch Clinic is operated by CYM Ltd, registered in England and Wales. We are a CQC-registered aesthetic medical clinic. For the purposes of UK data protection law, CYM Ltd is the data controller in relation to personal data collected through our services.
You can contact our Data Protection Officer at:
- Email: info@lighttouchclinic.co.uk
- Post: Data Protection Officer, Light Touch Clinic, 50 Church Street, Weybridge, Surrey, KT13 8DS
- Telephone: 01932 849552
We are registered with the Information Commissioner’s Office (ICO) as a data controller. Our registration can be verified at ico.org.uk.
YOUR PERSONAL DATA AND SENSITIVE PERSONAL DATA
Personal Data
This is data related to an identified or identifiable person. Examples of personal data we collect include names, email addresses, telephone numbers, postal addresses, date of birth and online identifiers.
Sensitive Personal Data (Special Category Data)
This is data considered more sensitive under data protection law. For a medical clinic this includes medical records, health data, treatment history, medications, allergies and similar clinical information. We only use this data for the purposes of your treatment and to ensure your care and safety. We never use your sensitive personal data for marketing purposes.
WHAT PERSONAL DATA DO WE COLLECT?
- Full name, date of birth, contact details (email, telephone, address)
- Medical history, medications, allergies and other health information provided as part of your treatment
- Consultation notes and clinical records created by our practitioners
- Treatment records including what treatments you have received and when
- Before and after photographs (with your explicit consent)
- Payment details and transaction records
- Enquiry details including how you found us and what you are interested in
- Next of kin name and contact details
- Details of your interactions with us by phone, email, WhatsApp or in clinic
- Your reviews, survey responses and feedback
- Technical information from our website including pages visited and cookies
- Records of your consent to treatments and to this privacy policy
WHEN DO WE COLLECT YOUR DATA?
- When you contact us by phone, email, WhatsApp or online enquiry form
- When you book or attend an appointment
- During consultations and as part of providing treatment
- When you complete a medical questionnaire or consent form
- When you acknowledge this privacy notice
- When you make a payment or request a refund
- When you engage with us on social media
- When you respond to surveys or leave reviews
- When you visit our website (via cookies and analytics)
- When you are recorded on CCTV at our clinic premises (for security purposes)
HOW AND WHY DO WE USE YOUR DATA?
We use your personal data for the following purposes:
- To provide healthcare and aesthetic treatments to you safely and effectively
- To contact you regarding your enquiry, appointment or treatment
- To send appointment reminders and aftercare information
- To remind you when you may be due for a follow-up or repeat treatment (based on your treatment history)
- To create and maintain your medical and treatment records
- To process payments and manage your account
- To comply with our legal and regulatory obligations as a CQC-registered clinic
- To improve our services through anonymised analysis of patient outcomes
- To send you our newsletter and promotional offers (only with your explicit consent)
- To operate and improve our website
THE LEGAL BASES WE RELY ON
Article 9(2)(h) — Health and Social Care
This is our primary lawful basis for processing your medical and health data. As a CQC-registered healthcare provider, we are legally permitted to process special category health data for the purposes of providing you with medical treatment and managing your care. This basis does not require your consent for clinical data, but does require transparency — which this notice provides.
Legitimate Interests
We rely on legitimate interests for operational communications such as appointment reminders, treatment follow-up reminders and rebooking prompts. You can opt out of these at any time.
Contractual Obligation
We process payment and booking data to fulfil our contractual obligations to you when you book and pay for treatments.
Legal Compliance
We are required to retain medical records and other data to comply with our CQC registration obligations, clinical governance requirements and applicable law.
Explicit Consent (PECR)
We only send marketing communications (newsletter, promotional offers) where you have given us your explicit and separate consent to do so. You can withdraw this consent at any time and we will stop all marketing communications immediately. Withdrawing marketing consent does not affect your clinical care or appointment communications.
HOW WE PROTECT YOUR DATA
We take the security of your data seriously. Our protective measures include:
- All patient health data is encrypted at rest using AES-256-CBC encryption
- All data is transmitted over encrypted HTTPS connections
- Two-factor authentication is required for all staff login to clinical systems
- Sessions automatically time out after 60 minutes of inactivity
- Access to patient records is logged with a full audit trail
- All staff receive data protection training
- We never sell your data to any third party under any circumstances
HOW LONG DO WE KEEP YOUR DATA?
We retain different types of data for different periods as required by law and clinical governance guidance:
- Medical and clinical records: 8 years from the date of last treatment for adults, or until the patient’s 25th birthday (whichever is longer) for patients who were under 18 when treated. This is a legal requirement and records cannot be deleted on request during this period.
- Financial and payment records: 7 years as required by HMRC
- Enquiry and marketing records: until you withdraw consent or request removal, subject to the above
- CCTV recordings: 30 days unless required for an investigation
Important note on the right to erasure: While you have the right to request deletion of your personal data, medical and clinical records must be retained for the periods set out above to comply with our legal and regulatory obligations as a CQC-registered healthcare provider. We cannot delete medical records on request during the mandatory retention period. We will always explain this clearly if you make a deletion request.
THE SYSTEMS AND SERVICES WE USE TO PROCESS YOUR DATA
To deliver our services we use a number of third-party systems and services. Each acts as a data processor on our behalf and is bound by a Data Processing Agreement. We only use systems we consider to be secure and reputable. The categories of processor we use include:
- A UK-hosted clinical management platform, used to store patient records, appointments, invoices and clinical notes. Data is held on servers within the UK or EU with full clinical audit trails.
- Anthropic Claude AI, used to assist practitioners with clinical note-taking during consultations. Notes are reviewed and confirmed by your practitioner before being saved to your record. No data is used to train AI models.
- Email and SMS communications providers, used to send appointment confirmations, reminders, clinical communications and (where you have consented) newsletters.
- An address lookup service, used to find your address from your postcode when registering.
- A website analytics provider, used to analyse anonymous website traffic. No patient data is included.
- An enquiry and marketing automation platform, used to manage enquiries and (where you have consented) marketing communications.
If you would like to know the specific provider used for any of the above, please contact our Data Protection Officer.
We may update this list as our systems change. If you have questions about a specific system, please contact our Data Protection Officer.
WHO DO WE SHARE YOUR DATA WITH?
We do not sell your data. We may share your data only in the following circumstances:
- With clinical staff involved in your treatment at Light Touch Clinic
- With third-party systems listed above, solely to deliver our services to you
- With regulatory bodies such as the CQC or GMC if required for inspection or investigation
- With law enforcement or government bodies if required by law
- With Meta (Facebook/Instagram) to show you relevant advertising, based on your acceptance of cookies on our website. See our Cookie Policy for details.
- With a successor organisation in the event of a business sale or restructure (you will be informed in advance)
INTERNATIONAL DATA TRANSFERS
We aim to keep all patient data within the UK or EU. Some of our third-party service providers (such as Anthropic and SendGrid) are US-based companies. Where data is transferred outside the UK or EU, we ensure that appropriate safeguards are in place, including Standard Contractual Clauses or equivalent protections recognised under UK GDPR. For more information, please contact our Data Protection Officer.
MARKETING COMMUNICATIONS AND YOUR NEWSLETTER
We send a regular newsletter and occasional promotional offers to patients who have opted in. We will only send you marketing communications if you have given us your explicit consent to do so.
You can opt out of marketing communications at any time by:
- Clicking the unsubscribe link at the bottom of any marketing email
- Replying to any marketing email with ‘unsubscribe’
- Contacting us at info@lighttouchclinic.co.uk
- Asking any member of our team in clinic or by phone
Opting out of marketing will not affect your clinical appointment reminders, aftercare communications or treatment follow-up messages, which we send under our legitimate interests basis as part of your ongoing care.
YOUR RIGHTS UNDER UK GDPR
You have the following rights in relation to your personal data:
- Right of access: You can request a copy of all personal data we hold about you (a Subject Access Request). We will respond within one month.
- Right to rectification: You can ask us to correct inaccurate or incomplete data about you.
- Right to erasure: You can ask us to delete your data. Note: medical records cannot be deleted during the mandatory retention period (see above).
- Right to restrict processing: You can ask us to stop processing your data in certain circumstances.
- Right to data portability: You can ask for your data in a portable format.
- Right to object: You can object to processing based on legitimate interests, including direct marketing (which we will always honour).
- Right to withdraw consent: Where we rely on consent, you can withdraw it at any time. This will not affect processing carried out before withdrawal.
To exercise any of these rights, please contact our Data Protection Officer at info@lighttouchclinic.co.uk or write to us at the address above. We will always explain clearly if we are unable to fulfil a request and why.
CHILDREN
We do not knowingly provide treatments to or collect data from children under the age of 16 without verifiable parental or guardian consent. For patients aged 16–17, parental consent is sought for treatments where clinically appropriate. If you believe we hold data about a child in error, please contact our Data Protection Officer immediately.
THIRD-PARTY LINKS
Our website may contain links to third-party websites. We are not responsible for the privacy practices of those sites. We encourage you to read their privacy notices when you visit them.
COOKIES
Our website uses cookies to improve your experience and to understand how our website is used. For full details please see our Cookie Policy at lighttouchclinic.co.uk/cookies.
CHANGES TO THIS PRIVACY POLICY
We may update this privacy policy from time to time to reflect changes in our services, systems or legal obligations. When we make material changes, we will notify you by email (if we hold your email address) and update the version number and date at the top of this document. The most current version will always be available at lighttouchclinic.co.uk/privacy.
All existing patients will be asked to acknowledge the updated policy via our clinic management system. Patients who have not acknowledged the current version will be flagged and prompted to do so at their next appointment.
COMPLAINTS
If you have concerns about how we have handled your personal data and are not satisfied with our response, you have the right to complain to the UK Information Commissioner’s Office (ICO):
- Website: ico.org.uk
- Telephone: 0303 123 1113
- Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
We would always appreciate the opportunity to address your concerns directly before you contact the ICO, so please do contact us first.
CONTACT US
If you have any questions about this privacy policy or how we handle your data, please contact us:
- Email: info@lighttouchclinic.co.uk
- Telephone: 01932 849552
- Post: Data Protection Officer, Light Touch Clinic, 50 Church Street, Weybridge, Surrey, KT13 8DS
This policy was last updated on 16 May 2026 (Version 2.0). Previous version: 18 September 2019. This policy has been prepared with reference to UK GDPR, the Data Protection Act 2018, the Data (Use and Access) Act 2025 and ICO guidance for health and social care organisations. Light Touch Clinic recommends periodic review by a qualified healthcare data protection consultant.