We use “cookies” to enable our systems to recognize browsers and help us to track visitors to our site and to see how visitors use our site, so we can better understand what portions of our site are of most relevance to visitors. Cookies are small pieces of information sent by a web server to a web browser, which enables the server to collect information from the browser. You can find out more about the way cookies work on www.allaboutcookies.org. Most browsers allow you to turn off the cookie function. If you want to know how to do this please look at the help menu on your browser.
Because it’s the law – in the UK, the law requires organisations which handle personal data to do so in accordance with data protection principles and to let individuals know what personal information they collect, how it is used, who it is shared with, the steps taken to secure and protect the personal data, what their rights are under data protection law and what to do if they have questions or concerns.
2. WHO are We?
BBeM Ltd, trading as Beauty Be Mine, is the data controller (referred to as “We”, “Our” or “Us” in this Policy). This means We decide how your personal data is processed and for what purposes. We are a private limited liability company registered in England & Wales under company number 07536009.
3. WHAT is personal data?
Personal data relates to a living individual who can be identified from that data. Identification can be by the information alone or in conjunction with any other information in the data controller’s possession or likely to come into such possession. The processing of personal data is governed by the General Data Protection Regulation (the GDPR). Some personal data falls into the category of Sensitive Personal Data and has more stringent rules governing its use; medical information is categorised as sensitive personal data and, as such, We hold a small amount of sensitive personal data. The processing of personal data is governed by the General Data Protection Regulation (GDPR) and covers not only our clients but Our employees and business contacts. GDPR does not differentiate between private individuals and businesses – if the data held enables an individual to be identified, then GDPR applies.
4. HOW do WE process your personal data?
We comply with Our obligations under GDPR by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect personal data. We do not use any form of automated decision making when processing personal data.
5. WHY do WE process your personal data?
We may use your personal data for any of the following purposes (or as otherwise notified to you from time to time):
- to deal with your request or enquiry via any of our platforms (email, booking app, telephone, in person, etc.);
- to keep records of the treatments you have had, the products you have bought, any allergies or medical conditions you may have which may impact on treatments, to record the settings for treatment machines, etc.;
- to process, administer and take deposits/payment for your appointment(s) and/or product purchase(s);
- to send you appointment reminder texts/emails before your appointment;
- to contact you in the rare circumstances of a change to your appointment eg therapist illness;
- to inform you of news, events and activities which We believe may be of interest to you;
- to improve our services and products, including by customer survey, and to ensure that content from the website and apps is presented in the most effective manner for you and for your computer (or other devices);
- for internal record keeping, business administration (including employment of staff), business development and research (including anonymised personal information for future statistical analysis) and for the administration of Our website and app;
- to comply with legal, regulatory and other good governance obligations (including in connection with a court order, government investigation or when otherwise required by law).
This list is not intended to be exhaustive and may be updated from time to time as business needs and legal requirements dictate.
6. WHAT is the legal basis for processing your personal data?
We process medical information, and keep you informed about news, events and activities, with your consent. We process all other personal data because we have a contractual obligation to, or because We are required to do so by law, or because it is in Our legitimate interests.
7. SHARING your personal data.
Your personal data will be treated as strictly confidential. We will not individually share your personal data with any third parties without your consent EXCEPT:
- With other service suppliers or self-employed therapists, if you book a treatment through Us which involves them – eg a Pamper Day at The River Club; permanent make-up with Steve Douch.
- With the emergency services in case of an emergency;
- With the NHS Track and Trace Service in connection with Covid-19 in appropriate circumstances; (added 13/07/2020)
- With Our insurers and advisers (and any of our suppliers if relevant) in the event of a claim against Us;
- With any other organisation or entity, if We are required by law to do so.
However, We use a number of third-party organisations and applications in order to manage Our business, ie Gappt for Our late availability app, Worldpay to process credit and debit card payments, Mailchimp for most of Our bulk e-mails and Box.com for cloud storage of our appointment book, client records, accounting records, etc. Technically, this means We are sharing some of your personal data with them. You can find details of their privacy policies at:
Gappt – gappt.com/legal
Worldpay – worldpay.com/uk/privacy-policy
Mailchimp – mailchimp.com/legal/privacy/
Again, technically, this may mean that your personal data is being transferred outside of the European Economic Area (“EEA”) as, for example, the servers used by Mailchimp and Box are physically located in the USA; both Box and Mailchimp participate in and have certified their compliance with the EU-U.S. Privacy Shield Framework.
If you choose to interact with Us via social media, your personal data will be processed in accordance with their privacy policies. You may find details at:
Facebook – facebook.com/about/privacy/
Twitter – twitter.com/en/privacy
8. HOW long do We keep your personal data?
This will depend on the reason the personal data is being held.
- Personal data relating to treatments you have had and/or products you bought will be retained for a minimum of 7 years or such longer period as the information may be necessary to defend a claim of latent damage under Our insurance policies (currently a maximum of 15 years).
- Any personal data contained in Our accounting records will be retained for not more than 7 years.
- Personal data used to record attendance at meetings, events and activities organised by Us will be held for not more than 2 years except where We are required to hold it for longer by our insurers.
Depending on the content, a photograph may be considered personal data. We take photos at Our events and activities and may use them on Our website, in social media and in newsletters – those images will be retained indefinitely.
‘Year’ refers to Our accounting year which runs from 1 April to 31 March.
9. YOUR rights.
Unless subject to an exemption under the GDPR, you have the following rights with respect to your personal data:
- The right to request a copy of your personal data which We hold about you;
- The right to request that We correct any personal data if it is found to be inaccurate or out of date;
- The right to request your personal data is erased where it is no longer necessary for Us to retain such data;
- The right to withdraw your consent to the processing at any time;
- The right to request that We provide you with your personal data and where possible, to transmit that data directly to another data controller, (known as the right to data portability), (where applicable);
- The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request a restriction is placed on further processing;
- The right to object to the processing of personal data, (where applicable);
- The right to lodge a complaint with the Information Commissioner’s Office.
10. FURTHER processing.
11. HOW to make a complaint.
To exercise all relevant rights, or for queries or complaints, please in the first instance contact our Company Secretary & our Directors at gdpr@BeautyBeMine.co.uk. If this does not resolve your complaint to your satisfaction, you have the right to lodge a complaint with the Information Commissioner’s Office.