Privacy Notice
How we collect, use and protect your personal information — including the health information you share with us — written plainly. We hold your trust as carefully as we hold your data.
Last updated June 2026
The data controller.
KM Aesthetics Ltd (“we”, “us”, “the clinic”) is the data controller responsible for your personal data. We are an aesthetics clinic based in Pencoed, Bridgend.
KM Aesthetics Ltd
36 Penybont Road, Pencoed, Bridgend CF35 5RA
Email: info@kmaesthetics.com
ICO registration reference to be confirmed before go-live.
The information we hold.
We only collect what we genuinely need to care for you safely and to run the clinic responsibly.
Identity & contact
Your name, email address, mobile number and postal area — used to book, confirm and care for your appointments.
Health information
Medical history, medications, skin and treatment details, consultation notes and consent records. This is special-category (health) data and we treat it with extra care.
Booking & website
Appointment history, deposit and payment confirmations (we do not store full card details), and limited technical data such as device and analytics information.
Why we are allowed to use it.
Under UK GDPR we must have a lawful basis for everything we do with your data. Ours are set out below.
Contract
To provide the treatment or consultation you book, take your deposit and manage your appointment.
Legal obligation
To keep clinical and financial records we are required by law and professional standards to retain.
Legitimate interests
To run and improve the clinic, secure our systems and respond to your enquiries — balanced against your rights.
Consent
For optional marketing messages, and for any use of your health information beyond your direct care (such as marketing based on the treatments you are interested in). You can withdraw consent at any time.
Explicit consent / healthcare (special-category data)
For health information, we additionally rely on your explicit consent and/or the provision of healthcare. We never build marketing audiences from your health data without separate, explicit consent.
Your health information.
Anything you tell us about your health, medications or the treatment you are interested in is special-category data under UK GDPR. We use it solely to assess your suitability, treat you safely and keep the clinical records we are required to hold. We will never use it to target marketing at you unless you give us separate, explicit consent to do so.
Used only for your care
Assessment, treatment, aftercare and the records we must keep.
Never segmented for marketing
Your treatment interest is not used to build audiences without explicit consent.
Always your choice
You can ask what we hold, correct it or ask us to delete it where the law allows.
Consent & opt-out.
We will only send you marketing messages by email, SMS or messaging app where you have given us consent for that specific channel, or where PECR's soft opt-in permits it: you are an existing client, the message concerns similar treatments, and you were offered a simple way to refuse marketing when we first took your details and in every message since. Consent is asked for separately from any enquiry or booking, is never pre-ticked, and is recorded per channel.
Every marketing message includes a simple way to opt out. You can unsubscribe at any time, with no effect on your care. To stop all marketing, reply to any message or email info@kmaesthetics.com.
We do not sell your data, and we do not use your health information to target marketing without your separate, explicit consent.
How our website behaves.
Our website uses a small number of cookies. Strictly necessary cookies keep the site working and are always on. Any analytics or measurement cookies are only set where you have given consent, and you can change your choice at any time.
Booking is handled by our booking provider on their own platform; when you proceed to book, their privacy terms also apply to the information you enter there.
A full cookie list will be confirmed alongside our cookie banner before go-live.
How long we keep it.
We keep personal data only for as long as we need it. Clinical and consent records are retained in line with healthcare record-keeping standards and our legal and insurance obligations; routine enquiry and marketing data is held only while it is relevant or until you ask us to stop. When data is no longer needed, we securely delete or anonymise it.
Specific retention periods to be confirmed before go-live.
What you can ask of us.
Under UK GDPR you have rights over your personal data. To exercise any of them, just get in touch.
Access
Ask for a copy of the personal data we hold about you.
Rectification
Ask us to correct anything that is inaccurate or incomplete.
Erasure
Ask us to delete your data where we are not required to keep it.
Restriction & objection
Ask us to pause certain uses, or object to processing based on legitimate interests.
Portability
Ask to receive the data you have given us, where we process it under consent or contract, in a portable, machine-readable format.
Withdraw consent
Withdraw any consent you have given, at any time, without affecting your care.
If you have a concern we can’t resolve, you have the right to complain to the Information Commissioner’s Office (ICO) at ico.org.uk.
We’re happy to help.
Email us at info@kmaesthetics.com and we'll respond promptly. Questions about your health information are handled with the same confidentiality as your clinical care.
See also our booking terms and aftercare guidance.
