Data protection policy.
LCA is committed to protecting the privacy and security of personal data. This policy outlines how we collect, use, store, and disclose personal information in accordance with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.
This policy applies to all personal data processed by LCA, including information collected from clients, staff, and third parties.
LCA (London Cheltenham Aesthetics) is the data controller responsible for determining the purposes and means of processing personal and sensitive data.
Personal & sensitive data collected
We may collect the following personal information via Glowday and our own means:
Basic information: Name, address, contact details (email, phone number).
Medical information: Medical history, allergies, current medications, treatment history.
Images: Before and after treatment photos (with consent).
Financial information: Payment details for treatments.
Marketing information: Preferences for receiving marketing communications.
Lawful basis for collecting
We will only process personal data where we have a lawful basis to do so, including:
Consent: For specific treatments, for sharing of before and after photos/videos or marketing communications.
Contract: To provide treatment and services.
Legitimate interests: To improve our services and protect our business.
Legal obligation: To comply with medico-legal and insurance requirements.
Data sharing
We may share personal data with:
Healthcare professionals: Including, but not limited to, your GP, for treatment purposes, consultations, or in the event of a complication or emergency.
Insurance providers: For claims or verification purposes.
Third-party service providers: For data processing or marketing services (with appropriate data protection agreements).
Law enforcement agencies: If required by law.
Data security
We use Glowday to collect and protect your personal and sensitive data. You can find out more about how Glowday stores and protects your data.
GlowdayPRO is web-based software which combines diary, forms, online booking, reminders, payments, patient records, verified review collection and marketing for medical aesthetic practitioners. Glowday is a platform where patients can book appointments with their preferred practitioner.
Glowery Ltd is the registered company for both Glowday and GlowdayPRO.
Glowery Ltd conforms to the General Data Protection Regulation 2016, the Data Protection Act 2018 and any other legislation or regulations that relate to the processing of Personal Data.
Patients provide their personal information, sensitive health information and payment information when they book/confirm treatments via Glowday. Patients can create a verified secure Patient Account Area in order to provide personal, sensitive and payment information. Personal and sensitive data (Patient Data) remains the exclusive property of The Patient. The Clinic is considered a data processor for the purposes of conducting the aesthetic treatment.
Where the Patient doesn’t wish to create a secure digital Patient Account Area, the practitioner can create an Offline Account for the patient and collect the patient's personal and sensitive information. This information will only be available to view within the Patient Record within the Practitioner's account. Should the patient wish, they can retrospectively create an online account, so that they are able to have full visibility and control of their data.
The Clinic should not remove any Patient Data from The Platform where it has been digitally provided by the patient. Any Practitioner at The Clinic who removes Patient Data from GlowdayPRO will become solely responsible for that data. Glowday will not under any circumstances be responsible for Patient Data that has been taken off Platform by The Clinic.
Clinics acting as a data recipient and processor of Patient Data (through GlowdayPRO), must treat the data responsibly and in full accordance with the latest legislation.
Patient Data will be held by Glowery Ltd in order for The Clinic to continue to perform treatments and maintain a historical record. Glowery Ltd will maintain access to historic Patient Data where matters of insurance require its use for up to a period of ten years. The Clinic can access Patient Data for this period of time.
Patients can request that their Personal Data be removed from The Platform and can request to archive their Glowday Account. This will remove all data from The Platform, other than that held in Patient Records for medico-legal purposes.
Data storage & protection
Patient Data held by Glowery Ltd can only be accessed by the patient via their verified, password-protected secure account and by the practitioner via their verified, password-protected secure account.
Login is handled by Microsoft Azure B2C. Glowery Ltd doesn’t have access to practitioner or patient login credentials.
Data “in transit” between the patient account and the practitioner account is encrypted during transit to ensure secure transfer. Sensitive Patient Data is not sent via email or other non-secure methods.
Data “at rest”, i.e. once forms/patient notes/file uploads/photos have been completed, is stored anonymised and encrypted in FIPS 140-2 Level 2 compliant HSMs. Data is stored in EU Microsoft Cloud Servers. No data is held on local servers.
When a Practitioner hands a device to a Patient to digitally sign forms, the platform must be locked by the Practitioner, preventing the Patient accessing any data that isn’t their own.
Payments are handled solely by Stripe (https://stripe.com/gb). No patient payment/card data is held by Glowery Ltd. Any concerns relating to the processing of Patient Data should be sent to support@glowday.com.
Data retention
We retain personal data for as long as necessary to fulfil the purposes for which it was collected. Historic Patient Data will be stored for up to ten years for insurance purposes.
Individual rights
Individuals have the following rights:
Right to access personal data
Right to rectification
Right to erasure
Right to restrict processing
Right to data portability
Right to object to processing
Rights related to automated decision-making and profiling
Complaints
If you have any concerns about how we handle your personal data, please contact us. We are registered with the Information Commissioner’s Office. You also have the right to lodge a complaint with the ICO.