Who We Are
This Privacy Policy applies to Obsidian Clinics (operating aesthetic clinics in Glasgow and Edinburgh) and the Obsidian Institute of Aesthetics (our professional training academy), collectively referred to as "Obsidian", "we", "us", or "our".
Our clinic locations are:
- Glasgow: Inside Beauty Beehive, 101 St Georges Road, Glasgow
- Edinburgh: Gyle Shopping Centre, Edinburgh, EH12 9JY
We are registered in Scotland. For all data protection enquiries, please contact us at obsidianclinics@gmail.com.
We are committed to protecting your privacy in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Data We Collect
Clinic Clients
When you book or enquire about a clinic treatment, we may collect:
- Full name, email address, and telephone number
- Date of birth and relevant health information (for treatment suitability and consent purposes)
- Booking preferences, treatment history, and aftercare notes
- Payment information (processed securely via Stripe — we do not store card details)
- Photographs taken before and after treatment (only with your explicit written consent)
- Patch test results and contraindication declarations
- Communications you send us via email, WhatsApp, or contact forms
Academy Students & Course Enquirers
When you enrol on a course or enquire about training, we may collect:
- Full name, email address, and telephone number
- Professional background and existing qualifications (where relevant to course eligibility)
- Payment information for course fees and deposits (processed via Stripe)
- Assessment submissions, coursework, and progress records
- Photographs or videos taken during training (only with your explicit written consent)
- Communications regarding course enquiries, enrolment, and support
Website Visitors
When you visit our website, we automatically collect:
- Device and browser type
- Pages visited and time spent on site
- Referring website (how you found us)
- IP address (anonymised where technically feasible)
Email Subscribers
If you sign up for our newsletter or promotional updates, we collect your email address and any preferences you provide.
How We Use Your Data
We use your personal data for the following purposes:
Clinic Services
- Processing and confirming your appointment bookings
- Sending appointment reminders and aftercare instructions
- Maintaining your client treatment record and consent documentation
- Processing payments and issuing receipts
- Contacting you regarding treatment follow-up or complications (as required for duty of care)
- Complying with our insurance obligations and any regulatory requirements
Academy Services
- Processing your course enrolment and issuing enrolment confirmations
- Managing payment plans and deposit schedules
- Delivering course content, assessments, and certificates
- Communicating course updates, scheduling changes, and support
- Issuing accredited certificates upon successful completion
Marketing (with your consent)
- Sending newsletters, promotional offers, and updates about new courses or treatments
- Sharing before-and-after imagery or testimonials (only with your explicit written consent)
Website & Analytics
- Improving our website performance and user experience
- Understanding how visitors find and use our website
We will never sell your personal data to third parties, nor use it for automated profiling that produces legal or significant effects on you.
Legal Basis for Processing
Under UK GDPR, we must have a lawful basis for processing your personal data. We rely on the following bases:
- Contract performance: To fulfil your booking, enrolment, or service agreement with us
- Legitimate interests: For website analytics and improving our services, where these do not override your rights
- Consent: For marketing communications, newsletters, and use of photography — you may withdraw consent at any time
- Legal obligation: Where we are required by law to retain records (e.g. medical records for aesthetic treatments, financial records)
- Vital interests: In rare circumstances, to protect your health or safety in a medical context
Where we process special category data (such as health information for treatment suitability), we rely on your explicit consent and our legitimate interests in providing safe aesthetic healthcare.
Cookies & Tracking
Our website uses a small number of tracking technologies to help us understand how it is used:
Essential Cookies
These are necessary for the website to function correctly — for example, maintaining your session during the booking process. These cannot be disabled.
Analytics Tracking
We use a lightweight, cookie-free analytics system to collect anonymised data about page visits, referral sources, and general site usage. This data does not identify you personally and is stored on our own servers.
We do not use Google Analytics, Facebook Pixel, or other third-party advertising trackers on our website.
Managing Cookies
You can control cookie settings through your browser preferences. Please note that disabling cookies may affect the functionality of certain parts of our website (such as the booking system).
Third-Party Services
We work with a small number of trusted third-party services to operate our clinic and academy. These providers only process your data as necessary to deliver their services and are contractually bound to protect it:
Stripe (Payment Processing)
All payments — including course deposits, treatment bookings, and subscriptions — are processed securely by Stripe, Inc. We do not store your card details. Stripe processes payments in accordance with PCI DSS standards. Please review Stripe's Privacy Policy for details of how they handle payment data.
Email Communications
We use email service providers to send booking confirmations, appointment reminders, and course communications. Your email address is used solely for this purpose and is not shared with third parties for marketing.
Google Workspace
We use Gmail for business communications. Emails you send to us may be stored within our Google Workspace account. Please review Google's Privacy Policy for more information.
WhatsApp (Meta)
We provide a WhatsApp contact number for client convenience. Conversations via WhatsApp are subject to WhatsApp's Privacy Policy. We do not use WhatsApp Business API tools that capture data beyond the conversation itself.
Instagram & Facebook (Meta)
We maintain social media pages for marketing purposes. Any interactions on those platforms (comments, direct messages) are subject to Meta's own privacy policies. We do not use social media retargeting pixels on our website.
We do not transfer your personal data outside the United Kingdom or European Economic Area except where strictly necessary (e.g. Stripe's global infrastructure) and subject to appropriate safeguards.
Data Retention
We retain your personal data only for as long as necessary for the purpose it was collected, or as required by law:
- Client treatment records: Retained for a minimum of 8 years from the date of last treatment, in line with medical record requirements and insurance obligations
- Course enrolment records and certificates: Retained for 7 years from course completion
- Financial and payment records: Retained for 7 years in accordance with HMRC requirements
- Marketing consent records: Retained until you withdraw consent, plus 3 years thereafter as evidence of consent
- Website analytics data: Retained in aggregated, anonymised form indefinitely; raw visitor data is not retained beyond 12 months
- Booking enquiries that did not convert: Deleted after 12 months
When data is no longer required, it is securely deleted or anonymised.
Your Rights
Under UK GDPR, you have the following rights regarding your personal data:
- Right of access: You may request a copy of the personal data we hold about you (a Subject Access Request)
- Right to rectification: You may ask us to correct inaccurate or incomplete data
- Right to erasure: You may ask us to delete your data, subject to legal obligations to retain certain records
- Right to restrict processing: You may ask us to limit how we use your data in certain circumstances
- Right to data portability: You may request your data in a structured, machine-readable format
- Right to object: You may object to processing based on legitimate interests, including direct marketing
- Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing
To exercise any of these rights, please contact us at obsidianclinics@gmail.com. We will respond within 30 days. We may need to verify your identity before fulfilling a request.
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Telephone: 0303 123 1113
Data Security
We take the security of your personal data seriously and implement appropriate technical and organisational measures to protect it against unauthorised access, loss, destruction, or alteration. These include:
- Encrypted data storage and transmission (HTTPS throughout our website)
- Access controls limiting data access to authorised personnel only
- Secure payment processing via PCI DSS-compliant Stripe infrastructure
- Regular review of our data handling practices
In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will notify the ICO within 72 hours and inform affected individuals without undue delay.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, services, or legal requirements. We will post any updated version on this page with a revised "Last updated" date at the top.
For significant changes, we will notify existing clients and students directly via email where we hold your contact details.
We encourage you to review this policy periodically.
Contact & Data Enquiries
For all privacy and data protection enquiries — including Subject Access Requests, consent withdrawal, or concerns about how we handle your data — please contact us:
Data Enquiries
Email: obsidianclinics@gmail.com
WhatsApp: 07354 246 805
Glasgow: Inside Beauty Beehive, 101 St Georges Road, Glasgow
Edinburgh: Gyle Shopping Centre, Edinburgh, EH12 9JY
We aim to respond to all data enquiries within 30 days. Subject Access Requests must be verified before we can release any information.