Exthetics Ltd
Last updated: January 2026
1. Introduction
Exthetics Ltd is committed to protecting patient confidentiality and personal data. This Privacy Policy explains how we collect, use, store, and protect personal information in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Exthetics Ltd acts as the Data Controller for all personal data processed in connection with consultations, treatments, and services provided by the clinic.
This policy should be read alongside our Terms & Conditions and Complaints Policy.
2. Information We Collect
We may collect and process the following categories of personal data:
- Personal details, including name, date of birth, address, and contact information
- Health and medical information, including medical history, allergies, medications, consultation notes, and treatment records
- Appointment history and clinical correspondence
- Clinical photographs, where clinically necessary and with appropriate consent
- Consultation audio recordings (see section 3.1)
- Payment and billing information
- Marketing preferences, where a patient has actively opted in
3. How We Use Personal Data
Personal data is processed only where lawful, necessary, and proportionate, for the following purposes:
- To provide safe, effective, and personalised medical aesthetic care
- To assess clinical suitability and maintain accurate medical records
- To manage appointments, reminders, follow-up care, and continuity of treatment
- To process payments and maintain financial records
- To respond to enquiries, concerns, or complaints
- To meet legal, regulatory, professional, and insurance obligations
Lawful Bases for Processing
Under Articles 6 and 9 of UK GDPR, we rely on the following lawful bases:
- Provision of healthcare (special category data under Article 9)
- Contract, where processing is necessary to deliver services requested by the patient
- Legal obligation, including record-keeping, safeguarding, and regulatory requirements
- Legitimate interests, such as clinical audit, governance, quality assurance, and service improvement
- Consent, where required, including marketing communications or non-clinical use of images
Patients may withdraw consent at any time where processing is based on consent.
3.1 Consultation Recording (Heidi Health)
Exthetics Ltd uses Heidi Health, a secure and UK GDPR-compliant clinical documentation system, to support accurate medical record-keeping.
- Consultations may be recorded as audio only
- Recordings are used solely to support clinical documentation
- Recordings are stored securely with restricted access
- Recordings are not used for marketing or shared externally
- Exthetics Ltd remains the Data Controller at all times
Patients may request access to their consultation data. Requests for deletion are assessed in line with legal and professional medical record-retention requirements.
4. Storage and Security of Data
Personal data is stored securely using password-protected systems, including:
- Heidi Health (clinical records)
- Timely (appointments and scheduling)
Appropriate technical and organisational safeguards are in place. Access is limited to authorised members of the clinical team only.
Medical records are retained in accordance with legal, regulatory, and professional guidance.
5. Sharing of Information
Exthetics Ltd does not sell personal data or share it for third-party marketing purposes.
Information may be shared lawfully and proportionately where necessary, including:
- With healthcare professionals directly involved in a patient’s care
- With pharmacies or laboratories where clinically required
- With insurers, professional bodies, or regulators where legally required
Only the minimum necessary information is shared.
6. Patient Rights Under UK GDPR
Patients have the right to:
- Access personal data held about them
- Request correction of inaccurate or incomplete information
- Request erasure of data, where legally appropriate
- Withdraw consent where processing relies on consent
- Request restriction of processing or object in certain circumstances
- Request data portability, where applicable
Please note that some medical records must be retained to comply with legal and professional obligations.
Patients also have the right to raise concerns with the Information Commissioner’s Office (ICO).
7. Contact Details
For questions about this Privacy Policy or how personal data is handled, please contact:
Exthetics Ltd
74 Cowick Hill
Exeter
EX2 9NJ
Email: info@exthetics.co.uk