Back to Login

Privacy Policy

How Clinic Insight handles and protects your data

1. Who We Are

Clinic Insight is a practice management platform designed for UK aesthetic clinics. This system is operated by your clinic to manage client records, treatment plans, consultations, and related clinical data.

Your clinic acts as the Data Controller — they decide what data is collected and why. Clinic Insight acts as the Data Processor — we provide the software that stores and processes the data on your clinic's behalf.

2. What Data We Collect

The system may collect and store the following categories of personal data:

3. Legal Basis for Processing

We process personal data under the following legal bases as defined by UK GDPR:

For special category data (medical/health data), we rely on:

4. Common Law Duty of Confidentiality

In addition to UK GDPR, your clinic is bound by the Common Law Duty of Confidentiality (CLDC) — a longstanding legal obligation that applies to all healthcare practitioners in the UK, including private aesthetic clinics. This duty exists independently of data protection law and requires that information given in a healthcare context must be kept confidential.

Under CLDC, your information:

When information may be disclosed without consent: In limited circumstances, information may be disclosed without your consent — for example, where there is a serious risk of harm to you or others, where disclosure is required by a court order, or where there is an overriding public interest. In such cases, only the minimum necessary information will be shared, and a record of the disclosure will be kept.

All staff who access client records are bound by confidentiality obligations. Any breach of confidentiality is taken seriously and may be subject to disciplinary action.

5. How We Use Your Data

Your personal data is used for the following purposes:

6. How We Protect Your Data

We take the security of your data seriously and implement appropriate measures including:

Data Breach Notification

In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay, as required by Article 34 of UK GDPR. Notification will describe the nature of the breach, what data was affected, the likely consequences, and the steps being taken to address it.

Where a breach affects data held by your clinic (for example, a clinic-side security incident), the clinic — as data controller — is responsible for notifying the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, and for notifying affected individuals where required.

7. Data Sharing

We do not sell your personal data. Your data may be shared with:

8. Data Retention

We retain your data in accordance with the following principles:

If a clinic's account is cancelled, or a free trial ends without converting to a paid subscription: accounts that never held any client or treatment records are locked immediately, receive reminder emails, and are retained for 30 days before being permanently deleted. Accounts that do hold client or treatment records are not deleted on a fixed timer — they are kept securely in a paused state until the clinic requests export or deletion, or the applicable clinical retention period above has passed.

Your clinic's specific retention periods should be confirmed with your practitioner.

9. Your Rights

Under UK GDPR, you have the following rights regarding your personal data:

To exercise any of these rights, please contact your clinic directly.

10. AI and Automated Decision-Making

Clinic Insight uses AI (powered by OpenAI) to support practitioners with clinical safety checks and administrative tasks. AI is used in the following ways:

Important points:

11. International Data Transfers

Some data processing may involve transfers outside the UK:

Where data is transferred internationally, appropriate safeguards are in place as required by UK GDPR.

12. Complaints

If you are unhappy with how your data is being handled, you have the right to lodge a complaint with:

Information Commissioner's Office (ICO)

ico.org.uk

0303 123 1113

13. Changes to This Policy

We may update this privacy policy from time to time. Any changes will be reflected on this page with an updated revision date. We encourage you to review this policy periodically.

Last updated: June 2026 | This policy should be reviewed regularly and updated as your clinic's practices evolve.