Privacy policy

1. Who we are

Aureva Aesthetics Limited ("Aureva", "we", "us", "our") is a medical aesthetics clinic based in London. We are committed to protecting your personal data and processing it in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

  • Company name: Aureva Aesthetics Limited

  • Company number: 16565132

  • Registered address: 4 Great Dover Street, London, SE1 4XR

  • ICO registration number: ZC049145

  • Contact email: hello@aurevaesthetics.com

We are the data controller in respect of the personal data we collect via this website and through the provision of our services.

2. What personal data we collect

Data you provide directly

When you use our website, contact us, or book a consultation, we may collect:

  • Full name

  • Email address

  • Phone number

  • Enquiry content submitted via contact or booking forms

Data collected through our booking platform (Pabau)

When you book an appointment, Pabau (our clinic management and booking platform) collects and processes personal data on our behalf, including:

  • Appointment details and treatment history

  • Consultation notes

  • Health and medical information relevant to your treatment (see Section 3 below)

Data collected automatically

When you visit our website, we may automatically collect:

  • IP address

  • Browser type and version

  • Pages visited and time spent on site

  • Referring website

  • Device and operating system information

This data is collected via cookies and analytics tools. Please see our Cookie Policy for full details.

3. Special category data (health information)

Some of the treatments we provide – including skin boosters, polynucleotides, PRP injections, microneedling, exosome therapy, and chemical peels – require us to collect and process information about your health. This constitutes special category data under UK GDPR, which attracts a higher standard of protection.

We collect this data only:

  • With your explicit consent

  • Where it is necessary for the provision of healthcare or medical aesthetics treatment

  • In compliance with applicable professional and regulatory obligations

We do not collect health data via the main website. Any such information is collected at the point of consultation, managed within Pabau, and handled in strict confidence.

4. How we use your personal data

We use your data for the following purposes:

Responding to enquiries and consultations – Lawful basis: Legitimate interests / Contractual necessity

Managing bookings and appointments – Lawful basis: Contractual necessity

Delivering and recording treatment – Lawful basis: Contractual necessity / Legal obligation

Processing health information for treatment – Lawful basis: Explicit consent / Healthcare provision

Sending appointment confirmations and reminders – Lawful basis: Contractual necessity

Sending marketing emails (if you have opted in) – Lawful basis: Consent

Improving our website and services – Lawful basis: Legitimate interests

Complying with legal and regulatory obligations – Lawful basis: Legal obligation

Preventing fraud and ensuring website security – Lawful basis: Legitimate interests

We will never use your data for purposes incompatible with those listed above without first obtaining your consent.

5. Marketing communications

If you opt in to receive marketing communications from us, we may send you emails about our treatments, offers, and news via Mailchimp, our email marketing platform. Mailchimp processes your name and email address on our behalf as a data processor, under contract with us.

You can unsubscribe at any time by clicking the "Unsubscribe" link in any email, or by contacting us at hello@aurevaesthetics.com.

We will never sell your data to third parties or share it for their own marketing purposes.

6. Who we share your data with

We do not sell your personal data. We may share it with the following trusted third parties, who act as data processors on our behalf:

Pabau – Clinic management, booking, and patient records

Google Analytics – Website analytics and performance

Meta (Facebook/Instagram) – Advertising and remarketing (where applicable)

Mailchimp – Marketing email communications

Squarespace – Website hosting and infrastructure

Each of these providers is contractually obligated to process your data only on our instructions and in accordance with applicable data protection law.

We may also disclose your data where required by law, by a court order, or by a regulatory authority.

7. Data retention

We retain personal data only for as long as necessary:

Treatment and medical records – 8 years from last treatment, in line with NHS and professional guidance

Contact and enquiry data – 12 months

Booking data – 3 years

Marketing opt-in records – Until you unsubscribe, plus 1 year

Website analytics data – Up to 26 months (Google Analytics default)

After these periods, data is securely deleted or anonymised.

8. Data security

We take the security of your personal data seriously. Measures in place include:

  • Encrypted data storage and transmission (SSL/HTTPS)

  • Password-protected access to all systems

  • Restricted access to personal data on a need-to-know basis

  • Use of reputable, security-certified third-party platforms

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and inform you directly where required.

9. International data transfers

Some of our third-party processors (including Google, Meta, and Mailchimp) may transfer data outside the UK. Where this occurs, we ensure that appropriate safeguards are in place – such as UK adequacy decisions or Standard Contractual Clauses – in accordance with UK GDPR requirements.

10. Your rights

Under UK GDPR, you have the following rights in respect of your personal data:

  • Right of access – request a copy of the data we hold about you

  • Right to rectification – ask us to correct inaccurate or incomplete data

  • Right to erasure – ask us to delete your data (subject to legal obligations)

  • Right to restrict processing – ask us to limit how we use your data

  • Right to data portability – request your data in a structured, machine-readable format

  • Right to object – object to processing based on legitimate interests or for direct marketing

  • Right to withdraw consent – where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing

To exercise any of these rights, contact us at hello@aurevaesthetics.com. We will respond within one calendar month. There is no charge for making a request.

11. Complaints

If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

We would welcome the opportunity to address any concerns directly before you contact the ICO. Please reach out to us first at hello@aurevaesthetics.com.

12. Changes to this policy

We may update this policy from time to time to reflect changes in our practices or legal requirements. Where changes are material, we will notify you by email or via a prominent notice on our website.

Last updated: 16 April 2026