Feonix Aesthetics

Privacy Policy

How we collect, use, and protect your personal information.

Last updated: 30 April 2026

Who We Are

Feonix Aesthetics Ltd is the data controller for the personal information collected through this website and in clinic. Our registered office is 15 Little Park Street, Coventry, CV1 2RN, United Kingdom.

Companies House registration: 12891173.

ICO data protection registration: pending. Our application is being processed. Please contact us if you require our registration number for any specific purpose.

Data We Collect

We collect personal information in five categories:

  • Booking and contact data — name, email address, telephone number, date of birth and postal address. Provided by you when you book a treatment, request a consultation, or contact us.
  • Health data — medical history, current medications, allergies, treatment outcomes and clinical photographs. This is special category data under Article 9 of the UK GDPR. We collect it only when you choose to receive a treatment from us, and only what is clinically necessary.
  • Payment data — handled directly by Stripe, our payment processor. We do not see or store your full card details. We retain a Stripe transaction reference for our records.
  • Technical data — IP address, browser type, device type, pages visited and visit timing. Collected via cookies and server logs.
  • Marketing data — UTM parameters, advertising click identifiers (gclid, fbclid) and campaign attribution where you have arrived from a marketing link, plus your responses to any communications you have opted into.

Lawful Basis for Processing

  • Booking and contact data — Contract performance (Art 6(1)(b) UK GDPR). We need this information to deliver the treatment you have booked.
  • Health data — Explicit consent (Art 9(2)(a) UK GDPR). You give this consent on the medical history form before treatment. You can withdraw it at any time, although doing so may mean we cannot continue to treat you safely.
  • Marketing communications — Consent (Art 6(1)(a) UK GDPR). We only send marketing emails or SMS to people who have opted in. You can opt out at any time using the unsubscribe link in any message or by contacting us.
  • Technical data — Legitimate interest (Art 6(1)(f) UK GDPR) for site security, fraud prevention and basic functionality; consent for non-essential analytics and advertising cookies.

How Long We Keep It

  • Booking and clinical records — 8 years from your most recent appointment, in line with medical record retention standards. Records relating to treatment of a person under 18 are retained until that person's 25th birthday or 8 years after the last appointment, whichever is later.
  • Marketing data — 2 years from your last engagement, then deleted automatically.
  • Cookie consent records — 12 months. Stored by Cookiebot with an audit log so we can demonstrate consent if required.
  • Payment records — retained by Stripe in line with their own retention schedule. We hold only the transaction reference, retained for the same 8-year period as the booking.
  • Technical and server logs — 90 days, after which they are anonymised or deleted.

Who We Share With

We use a small number of carefully chosen processors to operate our clinic and website. Each has a written Data Processing Agreement with us under Article 28 of the UK GDPR.

  • Pabau Ltd — clinical management system. Stores booking details, medical history and clinical notes. EU-based.
  • Stripe Payments Europe Ltd — payment processing. We pass them only the booking amount; they collect and store your card details directly. Group is US-headquartered with UK/EU subsidiaries.
  • Hetzner Online GmbH — website and server hosting. EU-based (Germany).
  • Brevo (formerly Sendinblue) — transactional email delivery (booking confirmations and operational notifications). EU-based (France).
  • Cookiebot (Cybot A/S) — cookie consent management and audit logging. EU-based (Denmark).

We do not sell your data, and we do not share it with any party other than those listed above, except where we are legally required to do so (for example, in response to a valid court order or regulatory request).

International Transfers

Most of your data stays in the UK or EU. The exception is payment processing, where Stripe may transfer data to servers in the United States. Where data is transferred outside the UK or EU, the transfer is protected by the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, which provide enforceable data protection rights for individuals.

Your Rights

Under the UK GDPR you have the following rights in relation to your personal data:

  • Access — request a copy of the personal data we hold about you (a "Subject Access Request").
  • Rectification — ask us to correct inaccurate or incomplete data.
  • Erasure — ask us to delete your data, subject to limited exceptions for clinical record-keeping obligations.
  • Restriction — ask us to limit how we use your data while a query is resolved.
  • Portability — ask us to provide a copy of certain data in a portable, machine-readable format.
  • Objection — object to processing carried out under our legitimate interest, including direct marketing.
  • Withdraw consent — withdraw any consent you have given for marketing communications or non-essential cookies at any time. Withdrawing consent does not affect the lawfulness of processing carried out before the withdrawal.

To exercise any of these rights, contact us at info@feonixaesthetics.co.uk. We will respond within one calendar month.

If you are unhappy with how we have handled your data, you also have the right to lodge a complaint with the Information Commissioner's Office at ico.org.uk/concerns.

Cookies

We use cookies to operate the website, understand how it is used, and (only with your consent) to measure marketing performance. Strictly necessary cookies are always on; everything else is opt-in via the consent banner.

You can change or withdraw your consent at any time using the cookie settings link in the footer. The full list of cookies in use, including their purpose and lifetime, is shown below and updated automatically as our site changes:

Changes to This Policy

We may update this Privacy Policy from time to time. The date at the top of this page shows when it was last revised. Material changes will be communicated by email to anyone we hold a current contact address for.

Contact Us

For data protection enquiries, subject access requests or any questions about this policy:

Customer Experience
Resources