Privacy Policy
Last updated: 20th September 2025
Who we are: Aurela by Dr Victoria Waight (“we”, “us”, “our”).
Contact: drvwaight@gmail.com | 01243 214 043
Postal address: 2 Eagle Rise, Chichester, PO20 2LH
What this policy covers
This policy explains how we collect, use, and protect your personal information, including health information, when you use our website, contact us, or receive care at our clinic.
The data we collect
Identity & contact data: name, date of birth, email, phone, address.
Health data (special category): medical history, allergies, medications, lifestyle factors, clinician notes, and treatment photos.
Booking information: appointments and consultation forms (via Cliniko).
Payment information: card payments are processed securely via SumUp. We do not store your card details.
Technical information: your IP address, browser type, and pages viewed if you visit our website (cookies/analytics).
Why we use your data
To provide consultations, treatments, and aftercare.
To keep accurate medical and clinical records (as required by law and professional standards).
To manage bookings, cancellations, and payments.
To send appointment confirmations and reminders.
To comply with legal and regulatory obligations.
To run and improve our website and services.
With your consent, to send marketing emails (you can withdraw consent any time).
Our lawful bases: We rely on performance of a contract, legal obligation, legitimate interests, and consent (for optional marketing). For health information, we rely on UK GDPR Article 9(2)(h) (provision of health care) and the Data Protection Act 2018.
Where your data comes from
Mostly from you (forms, emails, consultation). If necessary, and only with your consent, we may receive relevant information from your GP or other clinicians, or share limited information with them where necessary for your care.
Sharing your data
We only share information when necessary to deliver safe care or comply with the law:
Cliniko – we use Cliniko to manage bookings, medical records, and consultation forms. Cliniko is GDPR-compliant and stores data securely. You can read their Privacy Policy here: https://www.cliniko.com/policies/privacy/.
SumUp – payments are processed securely via SumUp. We do not store card details. SumUp’s Privacy Policy is available here: https://www.sumup.com/en-gb/privacy.
Stripe – online payments are processed securely via Stripe. Stripe’s Privacy Policy is available here: https://stripe.com/gb/privacy.
Website hosting and email providers – used for online forms and communication.
Regulators, insurers, or legal authorities – where required.
Your GP or another healthcare professional – but only with your consent or in an emergency.
We never sell your information to third parties.
International transfers
Some of our providers may store data outside the UK/EEA. When this happens, they are required to use legal safeguards approved by the UK ICO to keep your data protected.
How long we keep your data
Adult medical records: at least 8 years from last treatment.
Financial records: 6 years.
Enquiries with no treatment: up to 24 months.
Your rights
You have the right to:
Access the data we hold about you.
Correct inaccurate information.
Request erasure (where legally appropriate).
Restrict or object to processing.
Request transfer of your data.
Withdraw consent for marketing.
You can contact us at drvwaight@gmail.com to exercise these rights.
You also have the right to complain to the Information Commissioner’s Office (ICO) if you are unhappy with how we handle your data:
Website: www.ico.org.uk
Phone: 0303 123 1113
Keeping your data safe
We use secure systems (Cliniko, SumUp, encrypted email and storage) and restrict access to authorised staff only. We have procedures for data breaches and will notify you and regulators where legally required.
Cookies
We use essential cookies for site functionality and may use analytics cookies (with your consent). We only set non-essential cookies after you opt in via the cookie banner, and you can change that choice any time.
Children
We do not provide injectable treatments to under-18s and do not knowingly collect their data online without parental authority. If you believe a child has provided data, please contact us.
Updates
We may update this Privacy Policy from time to time. The latest version will always be available on our website.