PRIVACY POLICY

Karwal Aesthetics | 2nd Floor, 15 Dover Street, Mayfair, London W1S 4LP | contact@karwalaesthetics.com

ICO Registration Number:

At Karwal Aesthetics, we take the privacy and confidentiality of our patients seriously. This Privacy Policy explains how we collect, use, store and protect your personal information when you visit our website, book an appointment or receive treatment at our clinic. It is written in compliance with UK GDPR and the Data Protection Act 2018.

Please read this policy carefully. If you have any questions, you are welcome to contact us at contact@karwalaesthetics.com.

1. WHO WE ARE

Karwal Aesthetics is a doctor-led medical aesthetics clinic operated by Dr Arun Karwal, Clinical Director. For the purposes of data protection law, Karwal Aesthetics is the data controller in respect of any personal data we hold about you. This means we are responsible for deciding how and why your personal data is used.

2. THE PERSONAL DATA WE COLLECT

We collect and process different types of personal data depending on your interaction with us.

When you contact us or make an enquiry:

We collect your name, email address, telephone number, and the content of your enquiry.

When you book an appointment:

We collect your full name, date of birth, address, telephone number and email address. We also collect payment information where relevant, although we do not store full card details on our systems.

When you attend a consultation or receive treatment:

We collect detailed medical history and health information, including current medications, allergies, previous treatments and relevant medical conditions. This is special category personal data under UK GDPR and is treated with the highest level of care. We may also take clinical photographs before and after treatment as part of your medical record. With your separate written consent, photographs or video may also be used for educational or promotional purposes.

When you use our website:

Our website uses cookies and similar technologies to collect information about how you interact with our site. Please see our Cookie Policy at karwalaesthetics.com/cookie-policy for full details.

3. HOW AND WHY WE USE YOUR DATA

We use your personal data only where we have a lawful basis for doing so. The lawful bases we rely on are as follows.

Contract

We use your contact and booking information to manage your appointment, send you confirmation and reminder communications, and process payment. This is necessary to perform the contract between us when you book a treatment.

Legal obligation

As a healthcare provider, we are required by law to maintain accurate clinical records. We retain your medical history, treatment notes, consent forms and clinical photographs as part of your patient record, which we are obliged to keep for a minimum of eight years in accordance with UK clinical guidelines.

Legitimate interests

We may use your contact information to send you information about services, promotions or updates that we consider relevant to you, where you have a reasonable expectation of receiving such communications based on your relationship with us. You can opt out of these communications at any time by contacting us at contact@karwalaesthetics.com.

Explicit consent (special category data)

Your health data is special category personal data. We collect and process this data only with your explicit consent, which we obtain in writing before your first consultation. You have the right to withdraw this consent at any time, although this will not affect the lawfulness of processing carried out before the withdrawal. If you withdraw consent, we will retain only what we are legally required to keep as part of your clinical record.

Explicit consent (promotional photography)

Where you have given us separate written consent for the use of your photographs or video for educational or promotional purposes, we rely on that consent. You may withdraw this consent at any time by contacting us in writing.

4. WHO WE SHARE YOUR DATA WITH

We do not sell or rent your personal data to any third party. We may share your data in the following limited circumstances.

Service providers

We use a small number of carefully selected third-party service providers who process data on our behalf, including our booking system (Timely), our website platform (Squarespace) and our payment processing providers. All such providers are contractually required to handle your data securely and in accordance with UK GDPR.

Regulatory and legal obligations

We may disclose your information where required to do so by law, or in response to a lawful request from a regulatory body such as the Care Quality Commission or the Information Commissioner’s Office.

Referrals

In the event of a complication or where specialist input is required, we may share relevant clinical information with another healthcare provider. We will inform you when this is necessary.

5. HOW LONG WE KEEP YOUR DATA

We retain clinical records, including medical history, consent forms and treatment notes, for a minimum of eight years from the date of your last appointment, in line with UK clinical record-keeping guidelines.

Contact and enquiry records are retained for a period of three years from the date of the enquiry where no appointment is booked.

Website analytics data is retained in accordance with our cookie settings, as set out in our Cookie Policy.

6. YOUR RIGHTS

Under UK GDPR, you have the following rights in relation to your personal data.

Right of access

You have the right to request a copy of the personal data we hold about you. We will respond to such requests within one month.

Right to rectification

You have the right to ask us to correct any inaccurate or incomplete personal data we hold about you.

Right to erasure

You may ask us to delete your personal data in certain circumstances. Please note that we may be unable to comply fully with such a request where we are required by law to retain your clinical records.

Right to restriction of processing

You have the right to ask us to restrict the processing of your data in certain circumstances, for example where you contest the accuracy of the data.

Right to data portability

Where processing is based on your consent or on a contract, you have the right to receive your personal data in a structured, commonly used and machine-readable format.

Right to object

You have the right to object to processing carried out on the basis of legitimate interests, including for direct marketing purposes. We will stop that processing unless we can demonstrate compelling legitimate grounds to continue.

Rights relating to automated decision-making

We do not carry out automated decision-making or profiling that produces legal or similarly significant effects.

To exercise any of these rights, please contact us at contact@karwalaesthetics.com. We will respond within one month of receiving your request. We may ask you to verify your identity before processing your request.

7. DATA SECURITY

We take appropriate technical and organisational measures to protect your personal data against unauthorised access, loss or disclosure. All clinical records are held securely. Access to patient data is restricted to those staff members who need it in connection with your care.

Where data is transferred to a third-party provider, we ensure that appropriate data processing agreements are in place.

8. COOKIES AND WEBSITE TRACKING

Our website uses cookies. For full details of the cookies we use, why we use them and how to manage your preferences, please see our Cookie Policy at karwalaesthetics.com/cookie-policy.

9. COMPLAINTS

If you have a concern about how we handle your personal data, please contact us in the first instance at contact@karwalaesthetics.com and we will do our best to resolve the matter.

If you remain dissatisfied, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK’s independent supervisory authority for data protection. You can contact the ICO at ico.org.uk or by calling 0303 123 1113.

10. CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time in response to changes in law, regulation or our business practices. The current version will always be available on our website at karwalaesthetics.com/privacy-policy. We encourage you to review this policy periodically.

Last updated: May 2026