Your trust matters to us. This notice explains, in plain terms, what personal information Hair Aesthetics Club collects about you, why we use it, who we share it with, how long we keep it and the rights you have over it — in line with the UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations (PECR).
Because of the nature of our work — hair restoration, haircuts, skin and aesthetic treatments and training — some of the information we hold is sensitive, including information about your health and photographs of you. We treat that information with particular care, and this notice sets out exactly how.
Hair Aesthetics Club ("HAC", "we", "us", "our") is the data controller responsible for your personal data. Hair Aesthetics Club is a trading name of HAC Ltd, a company registered in England and Wales (company number: [to be confirmed]), with its registered office at A6 Moorfield Road, Blakenhall Business Park, Wolverhampton, WV2 4QT.
We are registered with the UK Information Commissioner's Office (ICO) as a data controller (registration number: [to be confirmed]).
For any question about this notice or your data, or to exercise your rights, contact us:
Depending on how you interact with us, we may collect the following categories of personal data:
We only use your personal data where the law allows us to. The table below sets out what we use your data for and the lawful basis we rely on under Article 6 of the UK GDPR (and, for health and other special category data, the additional condition under Article 9).
| What we use it for | Information used | Our lawful basis |
|---|---|---|
| Answering your enquiries and giving quotes | Identity, contact, what you're interested in | Taking steps at your request before entering a contract; our legitimate interests in responding to you |
| Managing bookings and providing our services | Identity, contact, appointment & service data | Performance of our contract with you |
| Assessing suitability & treating you safely, and keeping treatment records | Health & special category data, consultation/consent records, photographs | Performance of our contract, plus your explicit consent for special category data (Art 9(2)(a)); where a treatment is provided by a registered healthcare professional, the provision of healthcare (Art 9(2)(h)) |
| Using your photographs for marketing or our portfolio | Images | Your explicit consent (separate and freely withdrawable) |
| Taking payment and preventing fraud | Payment & transaction data | Performance of our contract; legal obligation; our legitimate interests in preventing fraud |
| Keeping financial & business records | Identity, transaction data | Compliance with our legal obligations (tax, accounting) |
| Service messages — confirmations, reminders, aftercare | Contact, appointment data | Performance of our contract; our legitimate interests in running our service well |
| Marketing — news, offers and tips by email, SMS or WhatsApp | Contact & marketing preferences | Your consent; or our legitimate interests where you are an existing client and the law permits (the "soft opt-in"). You can opt out at any time |
| Running, securing & improving our website | Technical & usage data, cookies | Our legitimate interests (security and core functionality); your consent for analytics and marketing cookies |
| Administering the Training Academy | Academy data | Performance of our contract with you |
| Meeting our legal duties and establishing, exercising or defending legal claims | Any relevant data | Legal obligation; our legitimate interests; for special category data, the establishment, exercise or defence of legal claims (Art 9(2)(f)) |
Where we rely on legitimate interests, we have balanced those interests against your rights and are happy to explain that assessment on request. Where we rely on consent, you can withdraw it at any time without affecting the lawfulness of processing before withdrawal.
To provide hair, scalp, skin and aesthetic treatments safely we sometimes need information about your health — for example your scalp or skin condition, relevant medical history, medications, allergies and your suitability for a particular treatment. This is "special category" data and receives extra protection.
We rely on your explicit consent to process this information for your treatment, which you give when you complete our consultation and consent forms. Where a treatment is carried out by, or under the responsibility of, a suitably qualified healthcare professional, we may also process it as necessary for the provision of healthcare. We collect only what we need, restrict access to the team members involved in your care, and store it securely. You can withdraw your consent at any time, although this may mean we are unable to provide certain treatments safely.
With your agreement, we take photographs as part of your treatment record (for example before/after and progress images) so we can plan your treatment and track results. We will only use your images for our portfolio, website or marketing if you give us separate, specific consent to do so. That consent is entirely optional, will never affect the service you receive, and you can withdraw it at any time — after which we will stop using your images going forward (we may be unable to recall materials already printed or published).
We will only send you marketing where you have asked us to, or where you are an existing client and the law allows us to contact you about similar services, in each case with a simple way to opt out. Every marketing email contains an unsubscribe link, and you can opt out at any time by replying STOP to a text, telling a member of our team, or emailing info@hacltd.net. Opting out of marketing will not stop important service messages (such as appointment confirmations and aftercare).
Some of our providers are based outside the United Kingdom, which may mean your personal data is transferred internationally. Whenever we do this, we make sure an appropriate safeguard recognised under UK data protection law is in place — for example transfer to a country the UK has deemed to provide adequate protection, an International Data Transfer Agreement (or the UK Addendum to the EU Standard Contractual Clauses), or another lawful transfer mechanism. You can ask us for more detail about the safeguards that apply.
We keep your personal data only for as long as we need it for the purposes set out in this notice, including to meet legal, accounting, insurance and regulatory requirements, and to handle any complaint or claim. Our typical retention periods are:
| Type of information | How long we keep it |
|---|---|
| Client treatment & consultation records, including health data, consent forms and treatment-record photographs | For the duration of your relationship with us and for at least 7 years after your last treatment — or longer where needed to deal with a complaint or claim, or where required by our insurers or by law. Where you were under 18 at the time, until your 25th birthday. |
| Booking & appointment records | In line with your treatment records (up to 7 years). |
| Payment & financial records | 6 years from the end of the relevant financial year (tax & company law). |
| Marketing images (used with your consent) | Until you withdraw your consent. |
| Marketing preferences | Until you opt out or object, plus a minimal record so we can honour your choice. |
| Enquiries that do not lead to a booking | Up to 12 months. |
| Website logs & analytics | Up to 24 months. |
| CCTV footage (if used) | Usually around 30 days, unless retained for a specific incident. |
When we no longer need your data, we securely delete or anonymise it.
We take the security of your data seriously and use appropriate technical and organisational measures to protect it against loss, misuse and unauthorised access — including access controls, encryption of data in transit, secure storage, staff confidentiality obligations and limiting access to those who need it. No method of storage or transmission is completely secure, but we work to protect your data and have procedures to deal with any suspected breach. Where the law requires, we will notify the ICO, and you, of a personal data breach.
Under UK data protection law you have the following rights, which you can exercise free of charge by contacting us (see section 1):
We will respond within one month. We may need to verify your identity, and in limited cases the law allows us to refuse or charge for a manifestly unfounded or excessive request — we will always explain our decision.
We do not make decisions that produce legal or similarly significant effects about you based solely on automated processing. If this ever changes, we will update this notice and tell you about your rights.
Our services and website are intended for adults. Certain treatments are subject to legal age limits — in particular, we do not provide Botox (botulinum toxin) or cosmetic filler treatments to anyone under 18. We do not knowingly collect data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
Where our studios operate CCTV, it is used for the safety and security of our clients, staff and premises, on the basis of our legitimate interests. Signage is displayed where CCTV is in use, and footage is held securely for a limited period and accessed only where necessary (for example to investigate an incident or where required by law).
We may update this notice from time to time to reflect changes in our services or the law. The current version, with its date, is always available on this page. Where changes are significant, we will take reasonable steps to bring them to your attention.
If you have a concern about how we handle your personal data, please contact us first (section 1) so we can try to put it right. You also have the right to complain to the UK supervisory authority: