Privacy Policy
Cavendish Clinic
Last updated: February 2026
1. Who We Are
Cavendish Clinic is an aesthetic and minor surgical group operating in England and Scotland.
The legal entity responsible for your personal data (the “data controller”) is:
Advanced Beauty Medical Clinics Ltd
Company number: 15609818
Registered office: 65 Margaret Street, Fitzrovia, London, W1W 8SP
Email: welcome@cavendishclinic.co.uk
Telephone: +44 (0)20 7935 4410
We are registered with the Information Commissioner’s Office (ICO) and comply with:
- UK General Data Protection Regulation (UK GDPR)
- Data Protection Act 2018
- Privacy and Electronic Communications Regulations (PECR)
2. Purpose of This Privacy Notice
This notice explains:
- What personal data we collect
- Why we collect it
- Our lawful basis for processing
- How long we retain it
- Who we share it with
- Your legal rights
By booking an appointment or using our services, you acknowledge this Privacy Notice.
3. What Personal Data We Collect
A. Identity & Contact Data
- Full name
- Address
- Email address
- Telephone number
- Date of birth
- Gender
- Photo identification (where legally required)
B. Health & Medical Information (Special Category Data)
- Medical history
- Current medications
- Allergies
- GP details (where relevant)
- Treatment notes and outcomes
- Clinical photography (with consent)
This is classified as special category data under UK GDPR.
C. Transaction & Booking Data
- Appointment history
- Payment information
- Treatment records
- Loyalty/reward points
D. Technical & Website Data
- IP address
- Browser type
- Device information
- Website usage data (via cookies – see separate Cookie Policy)
4. Lawful Basis for Processing
We process your data under the following lawful bases:
Contract (Article 6(1)(b))
To:
- Book and manage appointments
- Provide treatments and services
- Process payments
Legal Obligation (Article 6(1)(c))
To:
- Maintain medical records
- Comply with CQC regulations
- Meet insurance and clinical governance requirements
- Respond to lawful requests from authorities
Legitimate Interests (Article 6(1)(f))
To:
- Improve services
- Respond to enquiries
- Manage complaints
- Prevent fraud
- Conduct internal audits
Explicit Consent (Article 9(2)(a))
For:
- Processing health data
- Clinical photography
- Marketing communications (where required)
You may withdraw consent at any time, though this may impact our ability to provide treatment.
Provision of Health Care (Article 9(2)(h))
Processing health data is necessary for medical diagnosis and provision of health treatment.
5. How We Use Your Information
We use your information to:
- Deliver safe and appropriate treatments
- Assess medical suitability
- Manage appointments and reminders
- Process payments
- Provide post-treatment care
- Respond to complaints
- Comply with regulatory requirements (including CQC Regulation 16)
- Conduct audits and quality assurance
- Send marketing communications (only where lawful)
6. Marketing Communications
We will only send marketing communications by email, SMS or phone where:
- You have provided explicit consent; or
- The “soft opt-in” applies (you are an existing customer and we are marketing similar services, with an option to opt out).
You may unsubscribe at any time via:
- The unsubscribe link in emails
- Replying STOP to SMS
- Emailing: welcome@cavendishclinic.co.uk
Service messages (e.g. appointment confirmations, safety notices) are not marketing and may be sent regardless of marketing preferences.
7. Who We Share Your Data With
We only share your data where necessary and lawful.
Data Processors
- Zenoti – booking and clinic management system
- Payment providers
- IT service providers
- SMS and email communication platforms
- Professional advisers (legal, insurance, accountants)
All processors are contractually required to protect your data.
Regulators
Where required by law, we may share data with:
- Care Quality Commission (CQC)
- HMRC
- Law enforcement
- Courts or government authorities
8. International Transfers
Where data is transferred outside the UK, we ensure appropriate safeguards are in place, such as:
- UK International Data Transfer Agreement (IDTA)
- Adequacy regulations
- Standard contractual clauses
9. Data Retention
We retain data only as long as necessary.
Typical retention periods:
- Medical records: minimum 8 years (longer for minors in accordance with NHS guidance)
- Financial records: 6 years (HMRC requirement)
- Marketing preferences: until withdrawn
- Complaint records: in accordance with CQC requirements
We securely delete or anonymise data when no longer required.
10. Data Security
We implement appropriate technical and organisational measures including:
- Encrypted systems
- Secure access controls
- Role-based permissions
- Staff confidentiality agreements
- Regular system monitoring
- Secure cloud storage
No system can guarantee 100% security, but we take industry-standard steps to protect your data.
11. Your Rights Under UK GDPR
You have the right to:
- Access your personal data
- Request correction of inaccurate data
- Request erasure (where legally permitted)
- Restrict processing
- Object to processing
- Data portability
- Withdraw consent
- Lodge a complaint with the ICO
To exercise your rights, contact:
We will respond within one month.
You may complain to the Information Commissioner’s Office:
12. Complaints About Our Services
We comply with:
Health and Social Care Act 2008 (Regulated Activities) Regulations 2014 – Regulation 16 (Receiving and Acting on Complaints).
If you wish to make a complaint:
Email: welcome@cavendishclinic.co.uk
Post: Director, Cavendish Clinic, 65 Margaret Street, London, W1W 8SP
Complaint Process
Stage 1 – Acknowledgement within 2 working days.
Stage 2 – Full written response within 20 working days.
Stage 3 – Escalation review within 15 working days.
Where cases are complex, revised timescales will be communicated.
13. Changes to This Notice
We may update this Privacy Notice from time to time. The latest version will always be available on our website.