Privacy Policy
Last updated: 22 May 2025
1. Information About Us
Our platform is owned and operated by Aesori, aesthetic clinic management software designed for medical aesthetic practitioners, nurses, doctors and cosmetic clinics operating in the United Kingdom.
For data protection enquiries, please contact us at support@aesori.co.uk.
2. What Does This Policy Cover?
This Privacy Policy applies to your use of the Aesori platform and website. Our platform may contain links to other websites. Please note that we have no control over how your data is collected, stored, or used by other websites and we advise you to check the privacy policies of any such websites before providing any data to them.
This policy covers personal data relating to Aesori subscribers (practitioners and clinic owners) and the data you upload regarding your patients. Where patient data is concerned, you as the practitioner are the Data Controller and Aesori acts as a Data Processor — please see our Terms and Conditions for the Data Processing Agreement that forms part of your subscription.
3. What Is Personal Data?
Personal data is defined by the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 as any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier such as a name, identification number, location data, or online identifier.
Personal data covers obvious information such as your name and contact details, but also covers less obvious information such as IP addresses, electronic location data, and other online identifiers.
4. Your Rights Under UK GDPR
Under the Data Protection Legislation you have the following rights, which we will always work to uphold:
- •The right to be informed: You have the right to be informed about our collection and use of your personal data. This Privacy Policy sets out that information. You can also contact us at any time to ask questions.
- •The right of access: You have the right to access the personal data we hold about you. See Part 12 for how to make a subject access request.
- •The right to rectification: You have the right to have your personal data rectified if it is inaccurate or incomplete.
- •The right to erasure: You have the right to ask us to delete or otherwise dispose of any of your personal data that we hold ("the right to be forgotten").
- •The right to restrict processing: You have the right to ask us to restrict the processing of your personal data in certain circumstances.
- •The right to object: You have the right to object to us using your personal data for a particular purpose or purposes.
- •The right to withdraw consent: Where we rely on consent as our legal basis for processing, you are free to withdraw that consent at any time.
- •The right to data portability: Where we process your personal data by automated means and with your consent or under a contract, you may ask us for a copy in a portable format.
- •Rights relating to automated decision-making: We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects.
Further information about your rights can be obtained from the Information Commissioner's Office (ICO) at ico.org.uk, or from your local Citizens Advice Bureau.
If you have any cause for complaint about our use of your personal data, you have the right to lodge a complaint with the ICO. We would welcome the opportunity to resolve your concerns ourselves first — please contact us using the details in Part 14.
5. What Data Do We Collect and How?
Depending upon your use of our platform, we may collect and hold some or all of the personal data set out below. We do not collect any special category data or data relating to criminal convictions for our own purposes — any sensitive clinical data you store on behalf of your patients is held under your instructions as Data Controller.
| Category | Examples | How Collected |
|---|---|---|
| Identity Data | First name, last name, title, date of birth | Account registration; profile settings |
| Contact Data | Email address, telephone number, billing address | Account registration; checkout |
| Financial Data | Payment card details (tokenised via Stripe) | Subscription checkout |
| Transaction Data | Subscription payments, renewal dates | Automated on payment |
| Technical Data | IP address, browser type and version, device identifiers, login timestamps | Automatically on platform access |
| Profile Data | Username, preferences, subscription tier, feature usage | Platform use |
| Usage Data | Pages visited, features used, session duration | Automatically via analytics |
| Communications Data | Support tickets, emails, in-app messages | When you contact us |
6. How Do We Use Your Personal Data?
Under UK GDPR, we must always have a lawful basis for using personal data. The table below describes how we use your personal data and our lawful basis for doing so:
| What We Do | Data Used | Lawful Basis |
|---|---|---|
| Create and manage your account | Identity, Contact | Performance of a contract |
| Process subscription payments | Identity, Contact, Financial, Transaction | Performance of a contract; legitimate interests |
| Provide and operate the platform | Identity, Contact, Profile, Usage, Technical | Performance of a contract |
| Send service communications (updates, receipts, policy changes) | Identity, Contact | Performance of a contract; legal obligation |
| Respond to support requests | Identity, Contact, Communications | Legitimate interests |
| Improve and develop the platform | Technical, Usage | Legitimate interests |
| Prevent fraud and ensure security | Identity, Technical | Legitimate interests; legal obligation |
| Send marketing communications (with your consent) | Identity, Contact, Communications | Consent (opt-in only) |
| Comply with legal or regulatory requirements | Any relevant data | Legal obligation |
We will only use your personal data for the purpose for which it was originally collected unless we reasonably believe another purpose is compatible with the original. If we need to use your personal data for an unrelated purpose, we will inform you and explain our legal basis for doing so.
We will not send you any unsolicited marketing or spam. Marketing communications will only be sent where you have explicitly opted in, and you can withdraw consent at any time by contacting us or using the unsubscribe link in any email.
7. How Long Do We Keep Your Personal Data?
We will not keep your personal data for any longer than is necessary for the purpose for which it was collected.
| Type of Data | Retention Period |
|---|---|
| Identity and Contact Data | For the duration of your subscription and 4 years after termination |
| Financial and Transaction Data | 6 years (in compliance with UK tax and accounting law) |
| Technical and Usage Data | Up to 2 years, or as set out in our cookie policy |
| Profile Data | For the duration of your subscription and 4 years after termination |
| Marketing and Communications Data | Until you withdraw consent or 4 years of inactivity |
| User Content (patient data) | 30 days after account closure, then permanently deleted unless legal retention applies |
| Support and correspondence records | 3 years from last contact |
8. How and Where Do We Store or Transfer Your Data?
We store and process all personal data within the United Kingdom and/or European Economic Area (EEA). Our infrastructure is hosted on Supabase, which uses EU-based servers. Your data is fully protected under UK Data Protection Legislation.
We implement appropriate technical and organisational security measures to protect your personal data against unauthorised access, accidental loss, destruction or damage, including:
- Encryption of data in transit (TLS) and at rest
- Row-level security and access controls on the database
- Secure, hashed password storage
- Regular security reviews
If we ever need to transfer personal data outside of the UK or EEA, we will ensure that suitable safeguards are in place in accordance with UK GDPR requirements.
9. Do We Share Your Personal Data?
We will not share your personal data with any third parties for their own marketing or commercial purposes. We may share data in the following limited circumstances:
- Service providers: We use trusted third-party processors (such as Stripe for payment processing and email delivery providers for transactional emails) who are contractually required to handle your data securely and in accordance with UK GDPR.
- Legal requirements: We may disclose personal data where required by law, court order, or the instructions of a UK government authority.
- Business transfers: If we sell or merge our business, personal data may be transferred to the new owner, who will be bound by this Privacy Policy.
| Recipient | Activity | Location |
|---|---|---|
| Stripe | Payment processing and subscription management | UK / USA (Standard Contractual Clauses apply) |
| Supabase | Database hosting and infrastructure | EU |
| Email delivery provider | Transactional emails (booking confirmations, reminders) | EU |
| SMS provider | Appointment reminder SMS messages | UK / EU |
10. Cookies
Our platform uses cookies and similar tracking technologies to operate and improve the service. Cookies are small files placed on your device. We use the following types:
- Strictly necessary cookies: Required for authentication, session management and security. These cannot be disabled.
- Functional cookies: Remember your preferences and settings.
- Analytics cookies: Help us understand how the platform is used so we can improve it. These are used only with your consent.
You can control cookies through your browser settings. Please note that disabling strictly necessary cookies may affect your ability to use the platform. For more information about managing cookies, visit allaboutcookies.org.
11. Can You Withhold Information?
You may access certain areas of our platform without providing all personal data. However, to use all features and functions — including creating an account and subscribing — you will need to provide certain data. We will make clear what information is required and what is optional.
12. How Can You Access Your Personal Data?
If you want to know what personal data we hold about you, you can make a subject access request (SAR). All subject access requests should be made in writing to the contact details in Part 14.
There is normally no charge for a subject access request. If your request is manifestly unfounded or excessive, a reasonable fee may be charged to cover our administrative costs.
We will respond to your request within one month of receiving it. In complex cases, this may be extended to a maximum of three months, and we will keep you informed of our progress.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time, for example if the law changes or we change our business in a way that affects personal data protection.
Any changes will be posted on this page with a revised "Last updated" date. Where changes are material, we will notify you by email. Your continued use of the platform after notification constitutes acceptance of the updated policy.
14. Contact Us
To contact us about anything to do with your personal data and data protection, including to make a subject access request or to exercise any of your rights, please use the following details:
Aesori — Data Protection Enquiries
United Kingdom
Email: support@aesori.co.uk
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.