Important: This privacy policy is provided as a template and should be reviewed by a qualified legal professional before use with real patient data. Your clinic is responsible for ensuring compliance with all applicable data protection regulations.
1. Who We Are
Clinic Insight is a practice management platform designed for UK aesthetic clinics. This system is operated by your clinic to manage client records, treatment plans, consultations, and related clinical data.
Your clinic acts as the Data Controller — they decide what data is collected and why. Clinic Insight acts as the Data Processor — we provide the software that stores and processes the data on your clinic's behalf.
2. What Data We Collect
The system may collect and store the following categories of personal data:
- Identity information: Name, date of birth, gender
- Contact details: Email address, phone number, postal address
- Medical information: Medical history, allergies, medications, skin type (Fitzpatrick), contraindications, GP details
- Treatment records: Consultation notes, treatment plans, clinical notes, treatment logs, pre/post-treatment photographs
- Consent records: Signed consent forms, digital signatures, timestamps, IP addresses for audit purposes
- Communication logs: Appointment notes, practitioner comments
3. Legal Basis for Processing
We process personal data under the following legal bases as defined by UK GDPR:
- Consent (Article 6(1)(a)): Where you have given clear consent for us to process your personal data for specific purposes
- Legitimate interests (Article 6(1)(f)): For the safe and effective delivery of aesthetic treatments
- Legal obligation (Article 6(1)(c)): Where processing is necessary for compliance with legal requirements
For special category data (medical/health data), we rely on:
- Explicit consent (Article 9(2)(a)): Your explicit agreement to process health-related data
- Health or social care purposes (Article 9(2)(h)): Processing necessary for the provision of health care
4. Common Law Duty of Confidentiality
In addition to UK GDPR, your clinic is bound by the Common Law Duty of Confidentiality (CLDC) — a longstanding legal obligation that applies to all healthcare practitioners in the UK, including private aesthetic clinics. This duty exists independently of data protection law and requires that information given in a healthcare context must be kept confidential.
Under CLDC, your information:
- Is held in confidence and will not be disclosed to third parties without your consent, except where required by law or justified in the public interest
- Will only be used for the purposes for which it was collected — primarily the safe delivery of your treatment and the management of your clinical records
- Will only be accessed by staff who have a legitimate need to do so in connection with your care
- Will be protected by appropriate organisational and technical measures to prevent unauthorised access or disclosure
When information may be disclosed without consent: In limited circumstances, information may be disclosed without your consent — for example, where there is a serious risk of harm to you or others, where disclosure is required by a court order, or where there is an overriding public interest. In such cases, only the minimum necessary information will be shared, and a record of the disclosure will be kept.
All staff who access client records are bound by confidentiality obligations. Any breach of confidentiality is taken seriously and may be subject to disciplinary action.
5. How We Use Your Data
Your personal data is used for the following purposes:
- Managing your treatment records and clinical history
- Creating and tracking treatment plans
- Recording consultations and clinical assessments
- Conducting risk assessments and contraindication checks to ensure your safety
- Generating aftercare instructions tailored to your treatment
- Managing appointments and scheduling
- Maintaining audit trails for clinical governance
6. How We Protect Your Data
We take the security of your data seriously and implement appropriate measures including:
- All data is transmitted over encrypted HTTPS connections (SSL/TLS)
- Passwords are stored using industry-standard one-way hashing
- Access to client records is restricted to authorised clinic staff only
- Session-based authentication — sessions end when the browser is closed
- Database access is restricted and protected by access credentials
- Audit trails record key clinical events including consent signing, treatment logging, and data exports/deletions
Data Breach Notification
In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay, as required by Article 34 of UK GDPR. Notification will describe the nature of the breach, what data was affected, the likely consequences, and the steps being taken to address it.
Where a breach affects data held by your clinic (for example, a clinic-side security incident), the clinic — as data controller — is responsible for notifying the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, and for notifying affected individuals where required.
7. Data Sharing
We do not sell your personal data. Your data may be shared with:
- Authorised clinic practitioners: Staff who are directly involved in your care
- AI services (OpenAI): For clinical safety checks, consultation support, and communication summaries only. Pseudonymised clinical data is sent — specifically age, skin type, medical conditions, medications, allergies, and lifestyle factors. No directly identifying information (name, date of birth, contact details, or photographs) is ever sent to OpenAI
- NHS services: Medication validation queries are made to the NHS Scotland DM+D database using medication names only — no patient-identifiable data is sent
- Hosting provider (Replit): Data is stored on Replit's infrastructure. Replit acts as a sub-processor
8. Data Retention
We retain your data in accordance with the following principles:
- Treatment records: Retained for a minimum period in line with clinical best practice and professional body guidance (typically 7-10 years for aesthetic treatments)
- Consent forms: Retained for the duration of the retention period above
- Photographs: Retained alongside your treatment records for clinical reference
- Account data: Retained while your relationship with the clinic is active, and for the retention period afterwards
If a clinic's account is cancelled, or a free trial ends without converting to a paid subscription: accounts that never held any client or treatment records are locked immediately, receive reminder emails, and are retained for 30 days before being permanently deleted. Accounts that do hold client or treatment records are not deleted on a fixed timer — they are kept securely in a paused state until the clinic requests export or deletion, or the applicable clinical retention period above has passed.
Your clinic's specific retention periods should be confirmed with your practitioner.
9. Your Rights
Under UK GDPR, you have the following rights regarding your personal data:
- Right of access: You can request a copy of the personal data we hold about you
- Right to rectification: You can ask us to correct inaccurate data
- Right to erasure: You can request deletion of your data (subject to legal and clinical retention requirements)
- Right to restrict processing: You can ask us to limit how we use your data
- Right to data portability: You can request your data in a portable format
- Right to object: You can object to certain types of processing
- Right to withdraw consent: You can withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal
To exercise any of these rights, please contact your clinic directly.
10. AI and Automated Decision-Making
Clinic Insight uses AI (powered by OpenAI) to support practitioners with clinical safety checks and administrative tasks. AI is used in the following ways:
- Safety assessments: When the system encounters an unfamiliar medication, allergy, or medical condition, AI may be used to assess potential risks or contraindications
- Consultation assistance: AI may generate suggested questions or areas of focus during consultations, based on the client's clinical profile
- Communication summaries: AI may assist in generating patient communication summaries for practitioner review
Important points:
- AI is used as a clinical support tool only — no treatment decisions are made solely by automated means
- All AI outputs are reviewed by a qualified practitioner before use
- AI requests contain pseudonymised clinical details only (e.g., age, skin type, medical conditions, medications, allergies) — never your name, date of birth, contact details, photographs, or other directly identifying information
- You have the right to request human review of any AI-assisted output
11. International Data Transfers
Some data processing may involve transfers outside the UK:
- OpenAI (USA): Pseudonymised clinical data (age, skin type, medical conditions, medications, allergies, lifestyle factors) for safety assessments and consultation support. No directly identifying information is included in AI requests. OpenAI processes this data under their data processing agreement with Standard Contractual Clauses, and does not use API data for model training
- Hosting infrastructure (Replit, USA): Application data is stored on Replit's servers in the United States. Replit acts as a sub-processor under Standard Contractual Clauses (SCCs) approved for use under UK law, and holds SOC 2 certification
Where data is transferred internationally, appropriate safeguards are in place as required by UK GDPR.
12. Complaints
If you are unhappy with how your data is being handled, you have the right to lodge a complaint with:
13. Changes to This Policy
We may update this privacy policy from time to time. Any changes will be reflected on this page with an updated revision date. We encourage you to review this policy periodically.
Last updated: June 2026 | This policy should be reviewed regularly and updated as your clinic's practices evolve.