Last updated: 24 May 2018
For the purpose of applicable data protection legislation (including but not limited to the General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”)), the company responsible for your personal data is (“The Retreat”, “us”, “we”, or “our”).
Who We Are
The Retreat operates the www.theretreats.com website and social media channels branded “The retreat” (the “Service”). The Retreat is a skin clinic based in London. We specialise in anti-aging and advanced skincare. We provide treatments and products (the “Clinical Services”) to our customers in the clinic and share knowledge on our website and social media channels.
Information Collection and Use
We generally use any data we collect in three ways:
Diagnosis and Provision of Clinical Services
To help us to establish, exercise or defend legal claims
The exact type and quantity of data required for each use will be determined on a case-by-case basis.
Where it is deemed necessary, we may seek your consent for some of the activities.
In order to provide the best possible diagnosis and service to you, we need to process certain information about you. We only ask for details that will genuinely help us to help you.
Depending on each individual case and applicable local laws and requirements, we may collect some or all of the information listed below to enable us to offer you skin treatments, products and advice which is relevant to you. In some jurisdictions, we are restricted from processing some of the data outlined below. In such cases, we will not process the data in those jurisdictions:
- Age/date of birth;
- Contact details;
- Diversity information including racial or ethnic origin and physical or mental health, including disability-related information;
- Extra information that you choose to tell us;
- The dates, times and frequency with which you access our Clinical Services;
- Medical Conditions;
- Skin Problem Diagnosis, Treatments and case notes for each client; and
- Prior medical and skin history.
*Please note that the above list of categories of personal data we may collect is not exhaustive.
We hold client data on paper records. We check the details for a client on each visit, or when a client informs us of any changes. The records are updated at least once a year. We hold the client records for 24 months, after which the record is destroyed if the client has not visited in that 24-month period.
We process credit and debit cards for client payments but we do not store the card details anywhere on our or third-party systems.
Usually all we require is the company name and contact details of relevant individuals who have expressed an interest in the services that we provide, and that the supplier has obtained appropriate consent for their details to be shared with us.
Embedded content from other websites
Our Contact page contains an embedded map from Google Maps. Embedded content from other websites behaves in exactly the same way as if the visitor had visited the other website.
Website & Social Media Users
We do not collect browser information whenever you visit our Service (“Log Data”). This Log Data usually includes information such as your computer’s Internet Protocol (“IP”) address, browser type, browser version, the pages of our Service that you visit, the time and date of your visit, the time spent on those pages and other statistics.
In addition, we do not use third party services such as Google Analytics that collect, monitor and analyse this type of information in order to increase our Service’s functionality. These third-party service providers have their own privacy policies addressing how they use such information.
We may employ third party companies and individuals to facilitate our Service, to provide the Service on our behalf, to perform Service-related services or to assist us in analysing how our Service is used.
These third parties have access to your Supplier Information only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose.
Compliance with Laws
We will disclose your Personal Information where required to do so by law or in accordance with an order of a court of competent jurisdiction, or if we believe that such action is necessary to comply with the law and the reasonable requests of law enforcement or to protect the security or integrity of our Service.
The security of your Personal Information is important to us but remember that no method of transmission over the Internet, or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your Personal Information, we cannot guarantee its absolute security. As such we make no warranties as to the level of security afforded to your data, except that we will always act in accordance with the relevant UK and EU legislation.
We use secure electronic point-of-sale devices to process card payments. Therefore, we do not retain card information after the transaction has been completed, other than the partial information on the receipt.
We hold client data on paper records at the clinic site, The Retreat, 1 Fromows Corner, London, W4. We dispose of these records 24 months after a client has ceased being a client for that period or until requested by the customer. These records are contained in a locked filing cabinet on secure business premises.
Our electronically held data may be transferred to, and maintained on, computers located outside of your state, province, country or other governmental jurisdiction where the data protection laws may differ from those of your jurisdiction.
If you are located outside the United Kingdom and choose to provide information to us, please note that we transfer the information to the United Kingdom and process it there.
In the event that a dispute arises with regard to the international transfer of data, you agree that the courts of England and Wales shall have exclusive jurisdiction over the matter.
Links to Other Sites
We have no control over, and assume no responsibility for, the content, privacy policies or practices of any third-party sites or services.
Our Service does not address anyone under the age of 13 (“Children”).
We do not knowingly collect personally identifiable information from children under 13. If you are a parent or guardian and you are aware that your Children have provided us with Personal Information, please contact us. If we become aware that we have collected Personal Information from children under age 13 without verification of parental consent, we take steps to remove that information from our servers.
You have the right to be informed of our use of your data. We make this policy available on our website and in our clinic. Should you wish to have access to your Personal data, please contact us at email@example.com and we will arrange to show you the data in the clinic.
You can request access to all your data at any time and request a portable format of your data so that you may use it for other purposes.
You can, at any time, ask us to perform the following activities to correct, change, complete or delete your records.
If we receive a request for rectification we will take reasonable steps to ensure that the data is accurate and will rectify the data if necessary. We will take into account the arguments and evidence provided by you, the data subject.
You may at any time ask us to stop certain processes that are performed on your data.
Unless we must perform certain processes to comply with existing laws, we will respond to each of these requests within 1 month and there will be no charge for these provisions.
We can only provide appropriate and relevant Clinical Services and services if the data provided to us is accurate and up-to-date. We take extra steps, such as confirmation and regular updates, to verify the accuracy of the data prior to a challenge by a data subject.
This Policy shall be governed and construed in accordance with the laws of England and Wales, without regard to its conflict of law provisions.