Privacy Policy (UK GDPR)
Effective date: 29 October 2025
Controller: Royal Tunbridge Wells Skin Clinic Ltd (“rtwskin”, “we”, “our”, “us”)
Registered office: Cobden House Medical Centre, 25 London Road, Tunbridge Wells, Kent, TN1 1DA, United Kingdom
Company number: 05839138
Website: https://rtwskin.co.uk
We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (together, “Data Protection Legislation”). This Privacy Policy explains how we collect, use, share, and safeguard your personal data when you use our website and related services.
1. Who we are and how to contact us
Data controller: Royal Tunbridge Wells Skin Clinic Ltd
Data Protection Manager: John Sheffield – john@rtwskin.co.uk
We have appointed an internal Data Protection Manager responsible for overseeing data protection compliance.
2. What data we collect, why we collect it, and the lawful basis
We process personal data to deliver our services, comply with legal obligations, and improve user experience. Our lawful bases include Consent, Contract, Legitimate Interests, Legal Obligation, and, for clinical data, health care purposes under Article 9(2)(h) UK GDPR.
3. Data we collect
• Enquiries & bookings (via forms, phone, email, WhatsApp, Tawk.to chat)
• Patient information (identification, contact details, medical history, treatment records)
• Payments and billing information (excluding full card data)
• Newsletter subscriptions (email, preferences)
• Website analytics (IP address, device, browser type, pages viewed)
4. Retention
We retain personal data only as long as necessary:
• General enquiries: 12 months after resolution
• Patient records: 10 years after the last treatment, or longer if required by healthcare regulations
• Financial records: 7 years (statutory requirement)
• Marketing subscriptions: until you unsubscribe or withdraw consent
• Chat logs (WhatsApp, Tawk.to): deleted within 12 months
5. Processors and Third Parties
We use trusted processors to deliver our services. Each acts under a written data processing agreement ensuring compliance with UK GDPR:
• Clinic Software (UK): booking management, EMR storage, and patient communication
• Complianz B.V. (Netherlands): consent management system
• Google Ireland/LLC: Analytics, Workspace, reCAPTCHA
• Meta Platforms Ireland Ltd: WhatsApp Business and Meta Pixel (marketing attribution)
• Tawk.to Inc. (USA): website live chat functionality
• Mailchimp (USA): newsletter subscriptions and email campaigns (only for subscribers)
6. International Transfers
Where personal data is transferred outside the UK, we rely on adequacy regulations or Standard Contractual Clauses with the UK Addendum to safeguard transfers (e.g., Tawk.to, Google, Meta, Mailchimp).
7. Security
We implement appropriate technical and organisational measures, including TLS/SSL encryption, password protection, access controls, SPF/DKIM/DMARC email authentication, and regular security audits. All staff handling personal data receive training in data protection best practices.
8. Cookies
Our website uses cookies and similar technologies to provide essential functionality and measure usage. Details of each cookie’s purpose and duration are listed in our Cookie Policy. Consent for non-essential cookies is obtained via Complianz.
9. Your Rights
Under the UK GDPR, you have the right to:
• Be informed about how your data is processed
• Access your personal data
• Rectify inaccurate or incomplete data
• Request erasure (‘right to be forgotten’)
• Restrict or object to processing
• Request data portability
• Withdraw consent at any time (where applicable)
To exercise your rights, please contact support@rtwskin.co.uk. You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO).
10. Children
Our website is not intended for children under 16. We do not knowingly collect or process data relating to children through our website.
11. Third-Party Websites and Messaging
Our website links to third-party services such as WhatsApp Business and Tawk.to. When you initiate a chat or message, your data is processed under their privacy policies:
• WhatsApp Business: https://www.whatsapp.com/legal/privacy-policy
• Tawk.to: https://www.tawk.to/privacy-policy/
We advise against sending sensitive medical information through these channels. For confidential matters, please contact us directly via email or phone.
12. Automated Decision-Making
We do not use automated decision-making or profiling that produces legal or significant effects concerning you.
13. Contact & Data Requests
Email: support@rtwskin.co.uk
Phone: 01892 222222
Address: Cobden House Medical Centre, 25 London Road, Tunbridge Wells, Kent, TN1 1DA
Data Request Form: https://rtwskin.co.uk/data-request
Supervisory authority: Information Commissioner’s Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Website: https://ico.org.uk
Phone: 0303 123 1113
14. Updates
We may update this policy periodically. The latest version will always be available at https://rtwskin.co.uk/privacy-policy. We will notify users of significant changes where appropriate.
