Privacy Policy

Last Updated: February 2026

1. Data Controller

Pretty Lovely Aesthetics ("we", "us", "our") is the data controller responsible for your personal data. If you have any questions about this policy or wish to exercise your data protection rights, please contact us at:

  • Email: ornela@prettylovely.uk
  • Phone: +44 7404 317181
  • Location: London, United Kingdom

We are registered and operate under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Information We Collect

We collect and process the following personal data:

  • Contact Details: Full name, email address, phone number, and postcode.
  • Booking Information: Preferred appointment date, time, and selected service.
  • Health-Related Information: Medical history, allergies, and treatment history collected during consultation to ensure treatment safety. This constitutes special category data under Article 9 of UK GDPR.
  • Communication Records: Messages submitted via our booking form.
  • Photographic Records: Before and after photographs taken for clinical record-keeping and insurance purposes (with your explicit consent).

3. Lawful Basis for Processing

We process your personal data on the following legal bases:

  • Consent (Article 6(1)(a)): You provide explicit consent when submitting the booking form and ticking the consent checkbox.
  • Contract Performance (Article 6(1)(b)): Processing is necessary to fulfil your booking request and provide our services.
  • Legitimate Interest (Article 6(1)(f)): We have a legitimate interest in maintaining clinical records for professional standards and insurance purposes.
  • Explicit Consent for Health Data (Article 9(2)(a)): We obtain your explicit consent before processing any health-related information.

4. How We Use Your Information

We use your information to:

  • Process and manage your booking enquiries and appointments.
  • Send booking confirmation emails.
  • Provide safe and effective aesthetic treatments.
  • Maintain accurate clinical records as required by professional standards.
  • Contact you regarding your appointments, aftercare, or follow-up.
  • Comply with legal and regulatory obligations.

We will never sell your personal data to third parties or use it for marketing purposes without your explicit consent.

5. Third-Party Data Processors

We use the following third-party services to operate our platform. Each is bound by data processing agreements:

  • Vercel Inc. — Web hosting and serverless infrastructure. Data may be processed in the EU/US under Standard Contractual Clauses.
  • Upstash / Redis Cloud — Secure database storage for booking records. Data encrypted in transit.
  • Resend — Transactional email delivery for booking confirmations. Only receives data necessary for email delivery.

6. Data Retention

We retain your personal data only for as long as necessary:

  • Booking enquiry data: Retained for up to 12 months after the enquiry, or until you request deletion.
  • Clinical treatment records: Retained for a minimum of 7 years in accordance with professional clinical record-keeping obligations and insurance requirements.
  • Email communications: Retained for up to 12 months.

After the retention period, data is securely deleted.

7. Data Storage and Security

We take the security of your data seriously and implement appropriate technical and organisational measures, including:

  • All data transmitted via HTTPS/TLS encryption.
  • Database access restricted and protected by authentication.
  • Admin access protected by session-based authentication with automatic timeout.
  • Security headers implemented (HSTS, CSP, X-Frame-Options).
  • Regular review of access controls and security practices.

Your medical information is only accessible by Ornela for the purpose of your care.

8. Your Rights Under UK GDPR

Under UK GDPR and the Data Protection Act 2018, you have the following rights:

  • Right of Access (Article 15): You can request a copy of all personal data we hold about you.
  • Right to Rectification (Article 16): You can request correction of inaccurate or incomplete data.
  • Right to Erasure (Article 17): You can request deletion of your data, subject to legal clinical record-keeping requirements.
  • Right to Data Portability (Article 20): You can request your data in a structured, commonly used, machine-readable format.
  • Right to Restrict Processing (Article 18): You can request that we limit how we use your data.
  • Right to Object (Article 21): You can object to our processing of your data.
  • Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time by contacting us.

To exercise any of these rights, please email ornela@prettylovely.uk. We will respond within one month.

9. Cookies

Our website uses minimal cookies. For full details, please see our Cookie Policy. We do not use tracking or advertising cookies.

10. Complaints

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

11. Changes to This Policy

We may update this Privacy Policy from time to time. Any changes will be posted on this page with an updated "Last Updated" date. We encourage you to review this policy periodically.