privacy policy

Updated: 25.03.2026

At A&D Aesthetics, we are committed to protecting and respecting your privacy. This policy explains how we collect, use, and protect your personal data in line with UK GDPR and the Data Protection Act 2018.

1 who we are

A&D Aesthetics is a nurse and GP-run medical aesthetics clinic based in Cardiff.

For the purposes of data protection law, we are registered with the Information Commissioner’s Office (ICO) and act as a Data Controller for the personal data we collect.

2 data we collect

We may collect and process the following information:

  • Personal details (name, date of birth, address, phone number, email)

  • Medical information (medical history, medications, allergies)

  • Treatment records and clinical notes

  • Photographs (with your consent)

  • Payment and transaction details

  • Communication records (messages, emails, consultation notes)

3 how we use your data

We use your information to:

  • Provide safe and appropriate medical aesthetic treatments

  • Assess your suitability for treatment

  • Maintain accurate medical records

  • Communicate with you about appointments and aftercare

  • Comply with legal and regulatory obligations

  • Improve our services

We may also use your data for marketing purposes only where you have given explicit consent.

4 lawful basis for processing

We process your data under the following lawful bases:

  • Consent – for treatments, photography, and marketing

  • Contract – to provide the services you have requested

  • Legal obligation – to comply with healthcare and regulatory requirements

  • Legitimate interests – for the safe and effective running of our clinic

Special category data (medical information) is processed under Article 9 (h) – provision of health care.

5 sharing your data

We may share your data with:

  • Prescribing professionals (e.g. pharmacist or GP) for treatment approval

  • Regulatory authorities if required by law

  • Secure software providers who store our patient records

All third parties are required to respect the security of your data and comply with data protection law.

6 how we store your data

Your data is securely stored using password-protected clinical software systems. We take appropriate measures to protect your data, including:

  • Secure digital storage with restricted access

  • Staff confidentiality obligations

7 data retention

We retain your medical records for 7 years from your last treatment, in line with medical and legal guidelines. After this period, your data will be securely deleted.

8 your rights

You have the right to:

  • Access the personal data we hold about you

  • Request correction of inaccurate data

  • Request erasure of your data (where applicable)

  • Withdraw consent at any time

  • Object to processing

  • Lodge a complaint with the Information Commissioner’s Office

9 marketing

We will only send you marketing communications if you have opted in to receive them. You can unsubscribe at any time.

10 data breaches

In the unlikely event of a data breach, we have procedures in place to assess and respond promptly, including notifying the ICO where required.

11 contact us

If you have any questions about this policy or how we handle your data, please contact us using one of the methods below:

a.daesthetics@yahoo.com

07772249409

12 updates to this policy

We may update this policy from time to time. The latest version will always be available on our website.

By providing your personal data, you acknowledge that you have read and understood this Privacy Policy.