Privacy Policy

Introduction

Epilight New Skin Clinic is committed to adhering to new GDPR guidance and regulations in order to protect your data and preserve your privacy.

This privacy policy details how we collect, use, store and protect your information.

Lamphall Ltd T/A Epilight New Skin Clinic (registered 54 Rodney St, Liverpool, L1 9AD) (referred to in this document as “us”, “we”, “our”) is committed to protecting the privacy of all website (https://www.epilightnewskin.co.uk/) visitors, customers and service users. This policy applies to us acting as a data controller, with respect to how we determine the purposes and means of collecting, processing and storing your personal data.

Usage Data

Usage data is collected to provide a better user experience for our website visitors. When you visit our website, click on our online adverts, visit our social media pages or in some way interact with our digital services, we will collect, store and process data about your use of our website and services. This data may include:

  • IP address
  • Geographical location
  • Gender
  • Age
  • Web browser and version type
  • Operating system
  • Referral source
  • How long you spent on our website
  • Website pages you visited
  • How you navigated around our website
  • How you interacted with our website including contact form submissions

Usage data is collected and stored via Google Analytics, Google Adwords, Facebook Marketing and other partner platforms. We do not store any usage data on our own computers or servers and data is accessed via password protected online partner portals. We have determined that the legal basis for the processing of this data is our legitimate interest to be able to monitor traffic and users of our website, in order to improve our services, customer experience and better understand our customer base.

Account Data

When You contact us (via our website contact forms, Email, Phone, Social Media or other), we may collect personal data so that we can create your account on our client management system. We create this account in order to track and manage your initial enquiry, set up appointments and access our products and services. We may collect your name, email address, phone number and any information relating to your enquiry such as products and services that you are interested in. This data may include:

  • Full Name
  • Email Address
  • Phone Number
  • Address, Post Code or Geographical Location
  • Details of products or services that you may be interested in

We use this data to provide products and services to you, operate our website, produce bills and account statements, and in the general operation and administration of our business.

We may also use this data to communicate with you (via phone, mail or electronic mail) regarding past, present or future transactions including initial enquiries and to communicate, with you, any information regarding our services or appointments to ensure the smooth operation of the business for both us and You, the customer.

We may also use this data to communicate with you (via phone, mail or electronic mail) regarding similar products or services that you hold a legitimate interest in. You have the right to opt out of these communications and they do not affect your legal rights.

The legal basis for processing and use of this data is the undertaking of a contract between you and us and/or to take the necessary steps to enter into a contract for products and services at your request.

The legal basis for processing and use of personal data to communicate with you is our legitimate interest to be able to provide our products and services to you, after you have initiated contact with us (online, over the phone, in person etc) and freely provided us with this personal information. By providing us with your personal information it is reasonably expected that your data will be used in the performance of responding to or actioning your request and communicating to you details of our similar products and services and that this is your legitimate interest.

Patient Information Data

When You visit us in person for an initial consultation or to undertake one of our services, we will ask you to fill in a Patient Information Form. This information is collected in order for us to be able to assess your suitability for certain treatments and to ensure our services are delivered safely and effectively. The data that is collected may include:

  • Full Name
  • Email Address
  • Phone Number
  • Address, Postcode or Geographical Location
  • Date of Birth
  • Occupation
  • Gender
  • Your Doctor’s Contact Details
  • Emergency Contact Details
  • Reason for Visiting
  • Details of products or services that you may be interested in
  • Indications
  • Contraindications
  • Customer Consent and Liabilities Statement

We use this data to provide products and services to you, produce bills and account statements, and in the general operation and administration of our business.

We may also use this data to communicate with you (via phone, mail or electronic mail) regarding past, present or future transactions including initial enquiries and to communicate, with you, any information regarding our services or appointments to ensure the smooth operation of the business for both us and You, the customer.

We may also use this data to communicate with you (via phone, mail or electronic mail) regarding similar products or services that you hold a legitimate interest in. You have the right to opt out of these communications and they do not affect your legal rights.

The legal basis for processing and use of this data is the undertaking of a contract between you and us and/or to take the necessary steps to enter into a contract for products and services at your request. We also have a legal obligation to collect this information before we can provide our services and products.

Transaction Data

We may process data to allow us to supply products and services to You, process payments for Our products and services to you and keep records of transactions. This data may include Your contact details, service and product history and your payment details. We do not store any personal payment data. All electronic payments made in person are transacted through a chip and pin card reading machine and this data is stored by the relevant financial institutions. If payment details are taken over the phone, all payment data is destroyed immediately after its intended and consented use and is not stored by us.

We may process information relating to your transactions with us. Transaction data may include:

  • Your contact details
  • Your payment card details
  • Details of the transaction

Transaction data may be processed for the purpose of supplying products and services and for accounting records that we have a legal requirement to maintain. The legal basis for processing this data is the performance of a contract between you and us and/or to take steps to enter into a contract at your request and also the legal basis of our legitimate interest in proper administration and record keeping of our business.

Other Uses of Your Data

We may process any of the data detailed in this privacy policy where necessary to establish, execute or in the defence of legal action, whether they are in court proceedings or in an administrative or out-of-court process.

We may process any of the data detailed in this privacy policy if necessary in order to obtain or maintain insurance cover, manage risks or obtain professional advice. We may also process any of the data detailed in this privacy policy to comply with a legal obligation that we are bound to, or to protect your rights or vital interests or the rights and vital interests of another person.

The legal basis for this data processing is our legitimate interests, the protection and assertion of our legal rights, protection of your legal rights and the legal rights of others.

We may process any of the data detailed in this privacy policy if necessary for insurance purposes, risk management or in obtaining professional advice.

The legal basis for this processing is our legitimate interests, our legal obligation to maintain appropriate insurance cover, the protection of our business against risks and our rights to seek professional advice.

In addition to the specified purpose for which we may process any of the data detailed in this privacy policy, we may also process any data if processing of that data is necessary to comply with a legal obligation, protect your vital interests or protect the vital interests of another person.

Information That We Collect and How It Is Used

Any data or information that you share with us is on the basis that You agree to Our Privacy Policy and that you agree to the processing and use of your data as detailed in this Privacy Policy.

If you are submitting data on someone’s behalf, that person must understand how we are going to use their data and agree to our Privacy Policy. We are not liable for any harm or damages caused by permission not being obtained from a data subject.

Data supplied to us, for the purposes detailed in this Privacy Policy, should only be submitted by the owner of that data or with their knowledge and agreement to our Privacy Policy. We are not responsible nor liable for any harm, damage or infringement of the rights, freedoms and/or vital interests of any persons as a result of the necessary consent not being obtained before submitting personal data to us. Please do not supply any other person’s personal data to us without their full understanding and consent for the use and processing of their data as detailed in this Privacy Policy.

Disclosure of Your Personal Data

We do not sell or share your information with any third parties for the purpose of marketing products and services outside of our company or group of companies.

We may share your data with any third parties detailed in this section for the general administration of our business and as detailed in this Privacy Policy. If our company is merged or sold, your data may be shared with our new owners and/or partners. We may also share your data within our group of companies if it is deemed necessary for any of the purposes detailed in this policy.

Some of the third parties we share your data with may be located outside of the EEA. We do not sell or share your data with third parties for the purpose of Direct Marketing outside of our own company or group of companies.

If our business and a third party enters into a joint venture or our business is sold to or merged with a third party, your data may be shared with our new business partners. We may disclose your personal information to any member within our group of companies (including subsidiaries, sister brands, holding company and/or its subsidiaries) where it is deemed reasonably necessary for the purposes, and on the legal basis, detailed in this Privacy Policy.

Third Parties We May Share Your Data With

We may disclose your personal data to our suppliers and service providers where necessary, for the purposes detailed in this section and on the legal basis set out in this Privacy Policy for each category of data:

iContact (https://www.icontact.com/legal/privacy) – Elements of Account data (Email Address) and Transaction data (Service History) are shared with this service provider for the purpose of marketing and marketing email sending. Email addresses shared with this service provider ARE NOT linked to any other Account data such as names, addresses or phone number. Marketing emails are sent individually to each email address, CC or BCC are never used and individual email addresses are never shared with or discoverable by other recipients. This service is accessed via a secure online portal that is password protected and only accessed by members of staff or our partners.

Gamma (https://www.gamma.co.uk/legal/) – Elements of Account data (Phone Number) are shared with this service provider for the purpose of making phone calls via our VOIP (Voice Over Internet) telephone system. Phone Numbers shared with this service provider ARE NOT linked to any other Account data such as names, addresses or email addresses. This service is accessed via a secure online portal that is password protected and only accessed by members of staff or our partners.

Text Marketer (https://www.textmarketer.co.uk/pdfebooks/Text_Marketer_Privacy_Policy.pdf) – Elements of Account data (Phone Number) are shared with this service provider for the purpose of sending marketing text messages to our customers. Phone Numbers shared with this service provider ARE NOT linked to any other Account data such as names, addresses or email addresses. Marketing texts are sent individually to each recipient and individual phone numbers are never shared with or discoverable by other recipients. This service is accessed via a secure online portal that is password protected and only accessed by members of staff or our partners.

Google Adwords (https://policies.google.com/privacy) – Usage data is shared with this service provider for the purpose of advertising & retargeting based on website traffic data. This service is accessed via a secure online portal that is password protected and only accessed by members of staff or our partners.

Google Analytics (https://policies.google.com/privacy) – Usage data is shared with this service provider for the purpose of providing analytics and statistics based on our website users. This service is accessed via a secure online portal that is password protected and only accessed by members of staff or our partners.

Hotjar (https://www.hotjar.com/privacy) – Usage data is shared with this service provider for the purpose of behaviour analysis based on our website users. This service is accessed via a secure online portal that is password protected and only accessed by members of staff or our partners.

Tawk.to (https://www.tawk.to/legal/) – Account Data and Usage data is shared with this service provider for the purpose of answering online sales and customer support enquiries via our website. This service is accessed via a secure online portal that is password protected and only accessed by members of staff or our partners.

YouTube (https://policies.google.com/privacy) – Usage data is shared with this service provider for the purpose of providing analytics based on video interactions hosted on YouTube. This service is accessed via a secure online portal that is password protected and only accessed by members of staff or our partners.

SendGrid (https://sendgrid.com/policies/privacy) – Elements of Account data (Email Address) and Transaction data (Service History) are shared with this service provider for the purpose of marketing and autonomous email sending in direct reply to an online customer enquiry (i.e. website form submission). This service is accessed via a secure online portal that is password protected and only accessed by members of staff or our partners.

WordFence (https://www.wordfence.com/terms-of-use-and-privacy-policy) – Elements of Usage data (IP Address) are shared with this service provider for the purpose of protecting our website against known malicious IP addresses. This service is automated and accessed via a secure online portal that is password protected and only accessed by members of staff or our partners.

Zenoti Manage My Spa (https://www.zenoti.com/privacy.html) – Account data, Usage data and Transaction data are shared with this service provider for the purpose of clinic and client management, tracking, reporting, appointment booking and management. This service is accessed via a secure online portal that is password protected and only accessed by members of staff or our partners.

Payments

We use Payment Service Providers to process your payments for our products and services and refunds where applicable. Elements of Transaction Data and Account Data are shared with Payment Service Providers for the purpose of processing payments and transactions.

Our Payment Service Providers’ privacy policies can be found here:

Payzone (https://www.payzone.co.uk/privacy-policy/)
EziPay (https://www.certegyezipay.com.au/PrivacyPolicy)
Paypal (https://www.paypal.com/uk/webapps/mpp/ua/privacy-prev)

Financial transactions made in our clinic, or over the phone, for our products and services are processed by payment services providers. We may share your Transaction Data and/or elements of Account Data with our Payment Service Providers for the purposes of processing your payments for our goods and services, the processing of refunds where applicable and in processing complaints or queries related to any payments and refunds processed.

Retaining and Deleting Personal Data

We will only retain your data for as long as is necessary, reasonable or where we have a legal obligation to store it. The specific time frames are determined by our ongoing relationship with you, our legitimate interests and our legal obligations. Our data retention periods will be based on the need to perform or maintain a contract between You and Us, and our Legitimate Interests in the proper administration of our business and website. We may also retain your data for a specific period of time, where we have a legal obligation to do so, or to protect the vital interests of You or another individual.

This section details our policies on the retention of Your data, to ensure that we are compliant with our legal obligations for the retention and deletion of personal data.

Personal data that we process as detailed in this Privacy Policy will not be kept or stored for longer than is necessary for its purpose or purposes. The period of data retention will be determined based on the following legal basis:

Usage Data retention periods will be determined based on our continued legitimate interest in the proper administration of our website and business and monitoring and improving our website and services.

Account Data retention periods will be determined based on the continued performance of a contract between you and us, our legal obligations in retaining such data or our legitimate interests in proper administration of our website and business.

Transaction Data retention periods will be determined based on the continued performance of a contract between you and us, our legal obligations in retaining such data or our legitimate interests in proper administration of our website and business.

We may retain personal data where it is necessary to comply with a legal obligation to which we are subject, or to protect the vital interests of you or another natural individual.

Any amendments or updates to this Privacy Policy will be published on this page (https://www.epilightnewskin.co.uk/privacy-policy-3). We may also notify you via messages on our website or electronic mail.

We may update this Privacy Policy by publishing a new version on our website (https://www.epilightnewskin.co.uk/privacy-policy-3). You should check this Privacy Policy occasionally to ensure you understand the contents of this Privacy Policy and are happy with any changes to this Privacy Policy.

We may notify you of updates and changes to this Privacy Policy via messages on our website or electronic mail but we reserve the right to update or amend this Privacy Policy at any time without notification.

Your Rights and Interests

You have certain rights under the GDPR, which we will summarise in this section. For more detailed information on Your rights, please read the GDPR guidance issued by the ICO (https://ico.org.uk/for-the-public/) or seek legal advice.

The Right to Access

You have the right to know what, if any, of your personal data we hold or process and any additional information relating to that data or processing. The additional information may include details of the processing purposes, which personal data we process and any recipients your personal data may have been shared with. As long as the rights and freedoms of others are not impacted, we will provide a copy of your personal data to you, if requested. Requests for this information can be made via email to GDPR@epilightnewskin.pixus.co.uk or in writing to GDPR, Epilight New Skin Clinic, 54 Rodney Street, Liverpool, L1 9AD. The first request of this information will be free of charge; a reasonable fee may be charged for further requests. These requests will be processed in a timely manner and in accordance with GDPR guidelines.

The Right to Rectification

This provides the right to have any inaccurate personal data about you rectified and, subject to the consideration of the purposes of processing, to have any incomplete personal data we hold about you completed.

Any incorrect, inaccurate or incomplete data that We hold can be requested to be rectified either via email to GDPR@epilightnewskin.pixus.co.uk or in writing to GDPR, Epilight New Skin Clinic, 54 Rodney Street, Liverpool, L1 9AD. These requests will be processed in a timely manner and in accordance with GDPR guidelines.

The Right to Erasure

Under the GDPR you have the right to request that Your data that we hold be erased in cases such as, for example:

  • We no longer need the data for the reason we collected it
  • You withdraw consent
  • You don’t want us to process Your data (in certain cases)
  • We are using your data for direct marketing
  • We have unlawfully processed Your personal data

(This list is not exhaustive; for more details please read the GDPR guidance issued by the ICO (https://ico.org.uk/for-the-public/) or seek legal advice.)

Exclusions to your right of erasure are also detailed in the GDPR. This means that we may not be obligated to erase your data if:

  • The processing of such data is necessary for protecting and exercising the rights of freedom of expression and information
  • In order for us to comply with a legal obligation that we are bound by
  • To establish, exercise or in defence of all aspects of any type of legal claim

The Right to Restrict Processing

Under GDPR, You have the right to restrict the processing of your personal data under certain circumstances:

  • You dispute the accuracy of your data that we hold
  • Processing Your data is unlawful but you do not want us to erase it
  • We no longer need the personal data for the purpose it was collected, but you require it for any aspect of a legal claim
  • If You have objected to processing and we are in the process of verifying Your objection

(This list is not exhaustive; for more details please read the GDPR guidance issued by the ICO (https://ico.org.uk/for-the-public/) or seek legal advice.)

Where you have requested that processing of your data be restricted, we may continue to store your data but we may only otherwise process it under certain circumstances:

  • With your consent
  • To establish, exercise or in defence of all aspects of any type of legal claim
  • To protect the rights and freedoms of another legal person
  • For any reasons of important public interest

(This list is not exhaustive; for more details please read the GDPR guidance issued by the ICO (https://ico.org.uk/for-the-public/) or seek legal advice.)

The Right to Object to Processing

Under GDPR, you have the right to object to us processing your data on grounds related to your own personal circumstances, but only if the legal basis for the processing is:

  • To perform a task which is carried out in public interest
  • For the purpose of Our or Your legitimate interests or the legitimate interest of a third party

(This list is not exhaustive; for more details please read the GDPR guidance issued by the ICO (https://ico.org.uk/for-the-public/) or seek legal advice.)

If you do exercise your right to object to processing, we will stop our processing of your data, unless we are able to demonstrate compelling legitimate reasons for the processing which are deemed sufficient to override your interests, freedoms and rights, or if the processing of your data is for any aspect of a legal claim. You can object to us processing your personal data for direct marketing purposes. You can also unsubscribe from direct marketing via the unsubscribe link in our marketing emails, by following the unsubscribe instructions in other types of electronic mail or by emailing GDPR@epilightnewskin.pixus.co.uk or in writing to GDPR, Epilight New Skin Clinic, 54 Rodney Street, Liverpool, L1 9AD.

The Right to Data Portability

If the legal basis on which we process your data is either consent or the performance of a contract between us and you, including actively taking steps at your request to enter into a contract between us and you, and where this processing is automated, you have the right to receive a copy of your personal data from us in a commonly used format that is machine readable and structured. This right does not apply if it may adversely impact on the rights and freedoms of others.

The Right to Complain to a Supervisory Authority

If you have a formal complaint regarding the way in which we have processed your data, you may contact the relevant Data Protection Authority in the EU member state of your residence, or the country where the alleged data processing infringement has taken place.

Lamphall Ltd t/a Epilight New Skin Clinic is based in and processes your data in the United Kingdom (UK). The relevant UK data protection authority is the Information Commissioner’s Office (ICO), which can be found online at www.ico.org.uk.

Or by phone, fax or in person at:

Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Tel: 0303 123 1113
Fax: 01625 524 510

The Right to Withdraw Consent

Where the lawful basis for us processing Your data is Consent, you may withdraw your consent at any time. In this case, processing carried out before withdrawal of consent will remain lawful. You can withdraw consent to processing of your data or make any request related to your rights by emailing GDPR@epilightnewskin.pixus.co.uk or in writing to GDPR, Epilight New Skin Clinic, 54 Rodney Street, Liverpool, L1 9AD.

Data Protection Officer

We have appointed a dedicated GDPR Compliance Team who will handle any Data Protection related issues relating to our business. We do not meet the criteria needed for a specially appointed Data Protection Officer (DPO). This position will be reviewed periodically and any change of circumstance that may impact on our requirement to appoint a DPO will be assessed at that time.

If you require any further information relating to this Privacy Policy please contact us via email at GDPR@epilightnewskin.pixus.co.uk or in writing to GDPR, Epilight New Skin Clinic, 54 Rodney Street, Liverpool, L1 9AD.