Last revised: JUNE 2018
Whenever you visit us at one of our clinics or treatment centres, or our website at www.hcmedspa.com (Website), we will collect a range of your personal data in order to provide our products and services to you. Our centres, and our Website, are owned and operated by HENA GROUP LIMITED (we/us/our) who act as the data controller for the purposes of this policy and your personal data.
Personal data we take belongs to you and we recognise that we have a duty to protect it. Unless otherwise required by law, the Information Commissioner’s Office (ICO) guidance or best practice, or in order to provide our products, treatments and services to you, we will only process your personal data in the way we tell you or in the way you ask us to, and we will give it back to you at any time.
1. This policy
1.1 This policy sets out how we will process your personal data. You are therefore advised to read it carefully. Terms used within it shall have the meaning(s) given in the Data Protection Act 1998 (as amended by the Data Protection Act 2018) (Act) and/or the General Data Protection Regulation (Regulation), as applicable.
1.2 By visiting our Website, and providing your personal data to us, you understand, accept and consent to the practices described in this policy.
1.3 Any changes we make to this policy will be posted on this page. You are advised to check back frequently as, unless your consent is required, any changes will be binding on you when you continue to use the Website or work with us after the date of the relevant change.
1.4 For more information relating to your rights under this policy, please see section 8.
1.5 If you have any queries relating to this policy, please contact us at [email protected]
2. Who we are
2.1 For the purposes of the Act, the data controller is Hena Group Limited. We are a UK registered company (number 05338082) and our registered office is at 843 Finchley Road, London NW11 8NA. HC MedSpa is a brand and trading name of Hena Group Limited.
2.2 We are registered with the ICO to process your personal data and our registration number is ZA433213.
2.3 All customer data is held on our database, which is operated using Phorest salon software and hosted through Amazon Web Servers based in Dublin, Ireland.
2.4 Our Website is hosted and operated by Social Media Limited.
3. Your consent
3.1 We process your personal data solely for the purposes of providing our services to you. We only take the personal data which we ask for when making a reservation, or visiting or paying for our services at one of our salons.
3.2 We consider that all personal data we obtain from you in relation to your reservation(s) and payment for our services are reasonable and necessary. However, we review this intermittently and remove any inaccurate or obsolete data.
3.3 We only rely on your consent where we wish to use your personal data to contact you for marketing purposes.
4. What we collect
4.1 We will collect the following personal data from you, to:
4.2 We use CCTV at our salons for the protection of our staff and property, and for the prevention and detection of crime, and we are registered with the ICO to process your data in this way. If you visit us at these premises, your biometric data will be taken during your time on site and this will be stored and retained by us in accordance with our internal data retention policy.
4.3 Occasionally, we may retain specified images relating to your treatment, so that we know what treatment to administer and to monitor progress or developments.
4.4 When you complete our consultation forms, we will collect special category personal data relating to your medical and treatment history and current medical health. This is to enable us to administer the correct treatments, or to ensure that we do not administer our treatments to you against medical advice.
5. How we collect your data
The personal data listed in section 4 is collected in the following ways:
5.1 When you provide it to us
This is done when you book a treatment with us, either online, over the phone or at one of our salons. Any personal data you provide on our consultation forms is also retained by us.
5.2 When we collect it from you
When you use our Website, we will automatically collect technical information about the device you use to visit, including your IP address, browser type/version and related settings; and
We also monitor your use of our Website through log files, web beacons, tags and pixels. This includes the full URLs, your clickstreams through our Website, the pages you view and how you interact with them and how you leave the Website.
5.3 Phorest have access to your customer data only to the extent necessary to provide technical and troubleshooting support. More information is detailed in their privacy statement available at https://s3-eu-west-1.amazonaws.com/phorest-website/wp-content/uploads/2018/05/24164420/phorest_privacy_notice.pdf.
6. What we use it for and how long we keep it
6.1 We primarily retain your personal data to monitor the progress of any treatment we provide and keep records where you return for treatment with us so that we know what is most appropriate to administer. Where you do not engage our services, receive any treatment or visit our centres for 24 months, we will delete your records from Phorest.
6.2 We also need your data to take payment for our treatments and products, allow you to reserve a treatment with us, or to market our products and services to you.
6.3 We only contact you for marketing purposes where you have given us permission to do so, and you can opt-out at any time. Where you opt out, we will no longer contact you until you ask us to, and we will not prompt you to do so.
6.4 Technical information we collect about your visit to our Website is used to enable us to:
6.5 Any websites which are linked from the Website are outside of our control and not covered by this policy. If you access those websites using the links provided, the website operators may collect information from you which will be used by them in accordance with their own privacy policies (if any). These policies may differ from ours, and we cannot accept any responsibility or liability in respect of these.
7. How secure is your data
7.2 Any personal data you provide to us on consultation forms is stored in paper based files, all of which are stored in locked cabinets on site. Access to cabinets is limited to staff at manager level, or above.
7.3 Staff access to our databases is restricted and secured through unique login details, which all staff are required to keep confidential. More senior staff members within our team have greater access to the data held within our systems.
8. Your rights
8.1 In relation to all of your personal data, you have the following rights (in addition to any rights you may have under the Act or the Regulation) to ask us:
8.1.1 not to process your personal data for marketing purposes;
8.1.2 to clarify what data we hold about you, how it was obtained, to whom it has been disclosed and for how long it will be stored;
8.1.3 to amend any inaccurate data we hold about you;
8.1.4 to delete any of your data (where you no longer think we need to hold it, or you think we have obtained or processed it without your consent at any time); and
8.1.5 to only process your personal data in limited circumstances, for limited purposes.
8.2 We have the capacity to extract your personal data from our databases and provide it to you in a structured, commonly-used way (typically by .csv file).
8.3 If you wish to exercise any of your rights at any time, please contact us on the details contained at the beginning of this policy in the first instance. We will require you to verify your identity to us before we provide any personal data, and reserve the right to ask you to specify the types of personal data to which your request relates.
8.4 Where you wish to exercise any of your rights, they may be subject to payment of a nominal administration fee (to cover our costs incurred in processing your request) and any clarification we may reasonably require in relation to your request. Such fees may be charged where we consider (acting reasonably) that your request is excessive, unfounded or repetitive.