Last updated: 1 May 2026
1. Who we are
MC Skin Clinic is a skin and aesthetics clinic based in Cowbridge, Vale of Glamorgan. This notice explains how we collect, use, and protect your personal information when you book a treatment, complete a consultation form, visit our website, or otherwise interact with us.
Our services are intended for clients aged 18 and over.
For the purposes of UK data protection law, the data controller is:
MC Skin Clinic
1 Westgate, Cowbridge, CF71 7AQ
Email: info@mcskinclinic.co.uk
Phone: 07999 678814
2. The information we collect about you
We collect different types of information depending on how you interact with us.
Identity and contact information:
Full name, date of birth, address, phone number, email address
Emergency contact details
Your GP's name and practice address
Health information (special category data under Article 9 UK GDPR):
Medical history, current and past health conditions
Medications, supplements, and known allergies
Pregnancy and hormonal status where relevant to treatment
Skin type, concerns, and previous aesthetic treatments
Clinical photographs of your skin before, during, and after treatment
Treatment records including products used, settings, and any reactions
Lifestyle information:
Skincare routine, sun exposure, smoking and alcohol consumption, sleep and stress levels (used only to inform treatment planning)
Booking and payment information:
Appointment history, treatment preferences, and booking notes
Payment details (we don't see or store full card numbers; these are handled directly by our payment processors)
Marketing information:
Your consent preferences for email, SMS, and photography use
Website information:
Standard analytics data such as pages visited and approximate location, collected via Google Analytics where you accept cookies
3. Where we get your information
Directly from you, through consultation forms, in conversation, and via our website
From your bookings made through Fresha
From your GP, with your written consent, if a medical referral is needed before treatment
4. How we use your information and our legal basis
Under UK GDPR we must have a lawful basis for processing your personal data. For health information we must also meet a condition under Article 9.
Providing your treatment safely:
We use your contact details, medical history, and consultation responses to assess your suitability for treatment, plan your care, and keep records of what was done. Without this information we can't treat you safely.
Lawful basis: performance of a contract (your booking)
Article 9 condition: provision of health or social care (Article 9(2)(h))
Keeping clinical records:
We're required to keep detailed records of treatments delivered, including before-and-after photographs, for insurance and clinical governance purposes.
Lawful basis: legitimate interests (defending against claims, demonstrating safe practice)
Article 9 condition: establishment, exercise or defence of legal claims (Article 9(2)(f))
Managing bookings and payments:
We use Fresha to manage appointments, and Stripe and GoCardless to process payments and membership direct debits.
Lawful basis: performance of a contract
Communicating with you:
We send appointment confirmations, reminders, aftercare instructions, and other essential communications about your treatment.
Lawful basis: performance of a contract
Marketing (only with your consent):
If you opt in, we may send you occasional emails or SMS messages about offers, new treatments, or skincare tips. You can withdraw consent at any time by clicking unsubscribe or replying STOP.
Lawful basis: consent
Using photographs for marketing (only with separate consent):
With your explicit written consent, we may use anonymised or identifiable photographs of your treatment results on our website, social media, or other marketing. Consent is granular: you can agree to anonymised use without agreeing to identifiable use, and you can withdraw consent at any time.
Lawful basis: consent
Article 9 condition: explicit consent (Article 9(2)(a))
Meeting legal and regulatory obligations:
We keep financial records for HMRC tax purposes and clinical records as required by our insurer.
Lawful basis: legal obligation
5. Who we share your information with
We never sell your personal information. We share it only with carefully selected service providers and only where strictly necessary:
Fresha: booking management, consultation forms, payments and client records (United Kingdom)
Stripe: card payment processing (Ireland, with EU/UK safeguards)
GoCardless: Direct Debit processing for memberships (United Kingdom)
Xero: accounting and bookkeeping, limited financial data only, no health data (United Kingdom / EU)
Starling Bank: business banking (United Kingdom)
Google (Workspace, Sites, Analytics): email hosting, website hosting and website analytics (United Kingdom / EU / US, with UK GDPR safeguards)
Our insurer: contacted only if a claim or complaint is made (United Kingdom)
Your GP or specialist: contacted only with your written consent, where a medical referral or report is needed (United Kingdom)
HMRC: for tax compliance (United Kingdom)
6. International transfers
Most of our service providers store data in the UK or EU. Where data is transferred outside the UK (for example, some Google or Stripe processing may involve servers in the US), we rely on appropriate safeguards including the UK International Data Transfer Agreement, EU Standard Contractual Clauses, or UK adequacy decisions, as required by UK GDPR.
7. How long we keep your information
We keep your information only as long as we need it:
Clinical records (consultation forms, treatment notes, photographs): 7 years from the date of your last treatment, in line with our insurer's requirements and clinical best practice
Financial records (invoices, payment records): 7 years from the end of the tax year, as required by HMRC
Marketing consent and preferences: until you withdraw consent or until your account becomes inactive (no booking for 3 years), whichever is sooner
Website analytics data: typically 26 months or as set by our analytics provider
After these periods, your information is securely deleted or anonymised.
8. Your rights
Under UK GDPR you have the following rights:
Right of access: request a copy of the information we hold about you
Right to rectification: ask us to correct anything inaccurate
Right to erasure: ask us to delete your data, though we may need to keep clinical records for our retention period
Right to restriction: ask us to limit how we use your data
Right to data portability: receive your data in a structured, machine-readable format
Right to object: particularly to marketing or processing based on legitimate interests
Right to withdraw consent: at any time, for anything we do based on consent
To exercise any of these rights, contact us at info@mcskinclinic.co.uk. We'll respond within one month.
9. How we protect your information
We take security seriously. Measures include:
All client data stored in Fresha (encrypted, password-protected, with role-based access)
Devices used to access client data protected by strong passwords and screen locks
Paper records (where used) kept in a locked cabinet within the clinic
Photographs stored securely and never shared outside the clinic without your consent
Service providers selected on the basis of their security and UK GDPR compliance
10. Cookies
Our website is built on Google Sites and uses cookies to function properly and to help us understand how the site is used through Google Analytics. You can manage cookie preferences via the cookie banner displayed on first visit.
11. Complaints
If you're unhappy with how we've handled your information, please contact us first at info@mcskinclinic.co.uk so we can try to put it right.
You also have the right to complain to the Information Commissioner's Office:
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Helpline: 0303 123 1113
Website: ico.org.uk
12. Changes to this notice
We may update this notice from time to time. The latest version will always be available at mcskinclinic.co.uk/privacy. If we make significant changes that affect how we use your information, we'll let you know directly.
13. Contact us
For any questions about this notice or how we handle your information:
MC Skin Clinic
1 Westgate, Cowbridge, CF71 7AQ
Email: info@mcskinclinic.co.uk
Phone: 07999 678814