Last updated: 9th April 2026

Introduction: Skin Sanctuary Medispa (“we”, “us”, “our”) respects your privacy and is committed to protecting your personal data. This Privacy & Cookies Policy explains how we collect, use, disclose and protect personal information about you when you visit our website or use our services. It is UK‑focused and complies with the UK Data Protection Act 2018 (UK GDPR) and PECR. Please read carefully.

​

1. Controller & Contact

Controller: Skin Sanctuary Medispa (Co Space, 25 Town Square, Stevenage, SG1 1BP).
Contact: Email hello@skinsanctuary.uk; Phone 01707 538 127, 07757 257 240.
For data concerns or to exercise your rights, contact the Data Protection Lead at the details above.

​

2. Changes to This Policy

We may update this policy (e.g. law changes, new practices). We will post revisions on this page with the date. Please review periodically.

​

3. Information We Collect

​

A. Personal Data You Provide

• Identity & Contact: Name, address, email, phone.

• Account & Order Info: Billing/shipping address, payment details (processed securely via our payment gateway; we do not store card numbers), order history.

• Health/Aesthetics: Skin concerns, medical history, treatment records. We treat health data as special category; we process only with your explicit consent and for treatment purposes.

• Communications: Emails or messages you send (e.g. booking, enquiries).

B. Automatically Collected Data

• Usage Data: IP address, browser/OS, pages visited, time/date, referral source.

• Cookies & Tracking: Cookies, pixels and similar tech for site functionality and analytics (see Cookies section). Includes Google Analytics data[1].

C. Third-Party Data

• From our service providers (e.g. Shopify for site, email/newsletter, booking system, analytics).

• From social networks or payment providers if you login or pay via them.

• Public records/databases (e.g. if used for address verification).

​

​

4. Lawful Bases & Uses

We use your data under these lawful bases:

• Contract Performance: To manage bookings, accounts, payments, and provide treatments.

• Legal Obligations: To comply with laws (tax, records, health regulations).

• Legitimate Interests: To operate and improve our business (e.g. security, marketing with opt-in).

• Consent: For marketing emails and non-essential cookies. You can withdraw consent anytime.

Purposes:
- Service Delivery: Process appointments, orders, payments; communicate booking details.
- Customer Support: Respond to your queries and feedback.
- Improvement & Analytics: Use Google Analytics (opt-out available[1]) to understand site usage and improve our services.
- Marketing: Send newsletters or offers (if consented). You may opt-out at any time via unsubscribe links or contact.
- Legal & Security: Fraud prevention, safety, record-keeping.

​

​

5. Cookies Policy

We use cookies and similar technologies to run our website and analyse usage. Upon first visit, a cookie banner will seek your consent for non-essential cookies. You can accept/reject these or manage via browser settings.

Cookie Categories:

Cookie Name/Type

Purpose

Retention

Necessary (essential)

Required for basic site functions (e.g. booking forms, security). Cannot be disabled via cookie banner.

Session or up to 1 year

Functional

Remember choices (e.g. language, login).

1 year

Analytics

Google Analytics (_ga, _gid, etc.) to track site usage and improve our services.

2 years (_ga), 24h (_gid)

Marketing

For advertising and social media (e.g. Facebook Pixel). Collect browsing data for ad targeting.

Varies (e.g. 30 days)

Security

Protect site security (e.g. bot prevention, fraud detection).

Session or persistent

You can disable cookies via browser settings. Note disabling cookies may limit site functionality. For detailed cookie settings, see Cookie Consent Banner Guidelines or your browser help.

We comply with ICO guidance: all non-essential cookies require explicit opt-in. We support Global Privacy Control and “Do Not Track” (though many sites do not respond to it).

​

​

6. Data Sharing & Disclosure

We share data only as needed:
- Service Providers: Analytics (Google Analytics), hosting, email, payment processors (Stripe, etc., PCI/DSS compliant), IT support. All processors are bound by contract to protect your data.
- Legal: If required by law (court order, law enforcement) or to protect our rights.
- Business Transfers: In mergers or acquisitions; any new owners will have this policy.

We never sell your personal data.

​

​

7. International Transfers

Your data may be processed in the UK or by UK/EEA service providers. Any transfer outside the UK/EEA will use approved safeguards (e.g. UK Standard Contractual Clauses) or be to a country with adequate protection. You may request details of transfer mechanisms.

​

​

8. Security & Retention

We implement reasonable technical and organisational measures (encryption, secure access) to protect data. However, no system is 100% secure.

Retention: We keep personal data only as long as necessary (e.g. 7 years for tax/order records). We regularly review what we hold. Data that is no longer needed is securely deleted or anonymised.

​

​

9. Your Rights (UK GDPR)

You have rights over your data (subject to legal limits):
- Access: Request a copy of your data.
- Rectification: Correct inaccurate or incomplete data.
- Erasure: Ask for deletion (if no overriding legal requirement).
- Restriction/Objection: Limit or object to processing (e.g. marketing).
- Portability: Obtain your data in a common format.
- Withdraw Consent: For any processing based on consent (e.g. marketing emails, analytics).
- Opt-Out of Sale/Sharing: We do not sell data. For marketing, follow unsubscribe or GPC/Do Not Sell signals.

To exercise rights, contact us. We will respond within one month. We will not discriminate for exercising rights.

​

​

10. Complaints

If you have concerns about our data use, please contact us first. You also have the right to complain to the UK Information Commissioner’s Office (ICO) (www.ico.org.uk).

​

11. Children

Our services are not aimed at children. We do not knowingly collect data from under-16s. If we discover we have such data, we will delete it immediately.

​

12. Accessibility & Plain Language

This policy uses clear, concise language. It is organized with headings for easy scanning. We use legible fonts and high-contrast text for accessibility. All images on our site will have alt text; this policy contains no images.