Privacy notice

Last updated: 27 April 2026

PB Beauty Time ("we", "us", "our") is committed to protecting the personal data of every client who walks through our door, books online, or simply gets in touch with a question. This notice explains what data we collect, why we collect it, how long we keep it, and the rights you have under the UK GDPR and the Data Protection Act 2018.

1. Who we are

The data controller for the information described in this notice is PB Beauty Time, with its clinic at 1 Edlington Lane, New Edlington, Doncaster DN12 1BS, United Kingdom. We are registered as a data controller with the UK Information Commissioner's Office (ICO) — registration number to be displayed here once issued.

For any privacy-related question or to exercise your rights, contact us at info@pbbeautytime.pl or call +44 780 8072 712.

2. What data we collect

Depending on how you interact with us, we collect:

  • Identity & contact data — full name, date of birth, email address, phone number, postal address.
  • Health data (special category, Art. 9 UK GDPR) — medical history, allergies, current medications, prior aesthetic treatments, contraindications such as pregnancy or breastfeeding, photographs of treated areas where clinically relevant.
  • Booking & transaction data — appointments, deposits, gift cards, refunds. Card payments are processed by Stripe; we never see or store your full card number.
  • Marketing preferences — your opt-in status for email, SMS or post.
  • Technical data — IP address, device type, browser, anonymous usage analytics from our website. We do not run advertising trackers.

3. Why we use your data and on what legal basis

  • To deliver treatments and manage your booking — Art. 6(1)(b) performance of a contract.
  • To assess your suitability for a treatment safely — Art. 9(2)(a) your explicit consent at consultation, captured on a signed medical history form. You can withdraw this consent at any time, in which case we may be unable to proceed with treatment.
  • To meet our legal and regulatory duties — Art. 6(1)(c) (e.g. retaining treatment records to defend against negligence claims, HMRC tax records).
  • To send marketing — Art. 6(1)(a) your opt-in consent under PECR. You can unsubscribe from any email or reply STOP to any SMS.
  • For legitimate interests — Art. 6(1)(f) such as preventing fraud, securing our website, and contacting you about a no-show or aftercare concern. We balance these interests against your rights.

4. Photographs & before/after images

We may take clinical photographs to document your treatment. We will only use any photograph publicly (website, social media, marketing) with a separate written consent that you can withdraw at any time. Withdrawing consent does not affect the lawfulness of past use, but we will remove the image from active use as soon as reasonably practicable.

5. Who we share your data with

We share data only with carefully selected processors acting on our instructions:

  • Booking & client records — Supabase (EU region) for our internal client database, Twilio for SMS reminders, our email provider for booking confirmations.
  • AI skin analysis (optional) — Google (Gemini API) processes your photo only when you give explicit in-app consent. We do not store your photo; we keep the structured analysis result for 90 days. You can request erasure at any time. This feature is disabled until our Google data-processing agreement is in place.
  • Payments — Stripe Payments UK Ltd.
  • Accounting — our bookkeeper and HMRC for invoicing and tax compliance.
  • Insurers and regulators — only where required, e.g. in the unlikely event of a clinical incident.

We never sell your data. Where a processor is outside the UK, we use Standard Contractual Clauses or the UK Addendum to ensure equivalent protection.

6. How long we keep your data

  • Treatment records — kept for a minimum of 8 years from the date of the last treatment (in line with industry guidance for adult clinical records). Records relating to clients under 18 are kept until the client's 25th birthday.
  • Financial records — kept for 7 years (HMRC requirement).
  • Marketing data — kept until you unsubscribe or after 24 months of inactivity, whichever is sooner.
  • Photographs used in marketing — removed within 30 days of you withdrawing consent.
  • AI skin analysis results — kept for 90 days, then deleted automatically; removed immediately when you exercise your right to erasure.

7. Your rights

Under the UK GDPR you have the right to:

  • request a copy of the data we hold about you (Subject Access Request);
  • ask us to correct inaccurate or incomplete data;
  • ask us to erase data we no longer have a lawful basis to hold;
  • restrict or object to certain processing;
  • withdraw consent for marketing or for use of your photographs at any time;
  • request portability of data you provided under contract or consent.

We respond to all requests within one calendar month. If we decline a request we will explain why and remind you of your right to complain to the ICO.

8. Security & data breaches

Client records are stored in encrypted databases with role-based access — only Paulina and explicitly authorised staff can read your treatment notes. Paper consent forms are kept in a locked cabinet inside the clinic and digitised within 7 days. In the unlikely event of a personal data breach that poses a risk to your rights and freedoms, we will notify the ICO within 72 hours and you, the affected client, without undue delay.

9. Cookies

Our website uses only the cookies and local storage necessary to remember your language preference and to keep you signed in if you log in. We do not run advertising or cross-site tracking cookies. We are evaluating privacy-friendly analytics (Plausible / Fathom) and will publish a dedicated cookie banner before any non-essential analytics goes live.

10. Complaints

We hope you'll bring any concern to us first — please email info@pbbeautytime.pl and we will respond within one calendar month. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk/make-a-complaint or by calling 0303 123 1113.

11. Changes to this notice

We may update this notice as our processes change or to reflect new guidance. The "Last updated" date at the top will always show the current version. Material changes will be communicated by email to clients with active accounts.


This notice is provided for transparency and will be updated following solicitor review and ICO registration. For any questions please email info@pbbeautytime.pl.
