Buff & Bare
Skin Clinic and Hair Removal Specialists in St Albans

Privacy Policy

1. Introduction and Who We Are

At Buff & Bare (comprising both Buff & Bare Ltd and Buff & Bare Hitchin Ltd, collectively referred to as “we”, “us”, or “our”), we know that when you choose our services, you are relying on us to protect your most sensitive information, whether it is financial details or private personal information, including any medical history. The security of customer data is non-negotiable and represents a fundamental professional obligation for all of us. This privacy policy applies to our common website (buffandbare.com) and outlines how we collect, store, and protect your data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Buff & Bare Ltd and Buff & Bare Hitchin Ltd act as joint “Data Controllers” for your personal information. Kristina Snarskiene acts as the Data Protection Officer for Buff & Bare.

2. Information We Collect and Why

To provide you with safe and effective treatments, we collect the following information:

  • Your personal contact details, including your name, email address, and phone number.
  • Sensitive health information, which includes your medical history, consent forms, and notes pertaining to treatments received at Buff & Bare.
  • Payment details to process your transactions. (Note: Payment details are strictly protected and must never be available unredacted.)

Consequences of not providing data: Providing your medical history and contact information is required for us to safely and effectively perform hair removal treatments. If you choose not to provide this information, we will unfortunately be unable to provide our services to you.

3. Our Lawful Basis for Processing Your Data

Under the UK GDPR, we must have a valid legal reason to process your data. We rely on the following bases:

  • Contractual Necessity: We need your contact and payment details to fulfil our contract with you and provide our services.
  • Explicit Consent: Because your medical history and treatment notes are considered “special category data,” we require your explicit written consent to collect and process this information.
  • Legitimate Interests: We use CCTV to maintain the security of our premises.

4. How We Store and Protect Your Data

We take the confidentiality and integrity of your data very seriously.

  • Buff & Bare does not have an IT infrastructure of its own. All data pertaining to employees and customers is stored and processed through trusted Software-as-a-Service (SaaS) providers.
  • Customer Data: We use Timely as our system of record for all customer data.
  • Internal Operations: To manage our internal clinic operations, we use BrightHR. BrightHR is a UK-built platform that stores its data exclusively in the UK on Microsoft Azure servers. It maintains top-tier security accreditations, including ISO 27001 and Cyber Essentials Plus, demonstrating our overarching commitment to digital security across our entire business.
  • All SaaS providers must use TLS 1.2+ for data in transit and AES-256 or equivalent for data at rest.
  • Access to Software-as-a-Service (SaaS) systems will follow the principle of least privilege. This means our staff members are only granted access to the records of customers that they actively provide services to.

5. Confidentiality, Third Parties, and International Transfers

  • All data pertaining to customers and employees is considered CONFIDENTIAL and must be treated as such.
  • Customer data will only be discussed with the relevant customer. Written permission needs to be obtained for treatment notes to be shared with anyone else, including the customer’s family members.
  • We do not sell, rent, or trade your personal information to third parties.
  • International Transfers to Timely: We use Timely as our Data Processor to manage your bookings and records. By booking with us, your customer data is transferred from the UK to Timely’s secure servers located in the US. To ensure your data remains legally protected under UK law, there is a legally binding Data Processing Addendum in place between Buff & Bare and Timely that provides appropriate safeguards for this international transfer.
  • Automated Decision Making: We do not use your personal data to make automated decisions.

6. Marketing Communications

We do not currently conduct outbound marketing campaigns. However, we reserve the right to do so in the future. In the event that your email address is used to send you information about products, services, newsletters and promotions, all such communications will detail the procedure to unsubscribe.

7. Data Retention and Deletion

  • In line with regulatory requirements, customer data will be retained for 7 years.
  • After this 7-year retention period, or upon a valid deletion request (where legally applicable), your data will be securely purged and redacted from our digital systems of record.

8. Physical Security at Our Clinic

  • CCTV cameras are in operation in communal areas of the working environment.
  • The use of CCTV is strictly limited to ensuring safety, security, and compliance with company policies.
  • CCTV footage is stored off-site and accessed only by Management when required.

9. Your Data Protection Rights

Under the UK GDPR, you have the following rights regarding your personal information:

  • The right to be informed: To know what data we collect and how we use it.
  • The right of access: To request a copy of the personal data we hold about you.
  • The right to rectification: To ask us to correct any inaccurate or incomplete data.
  • The right to erasure: To request that we delete your data (subject to our legal requirement to hold medical records for 7 years).
  • The right to restrict processing: To ask us to limit how we use your data.
  • The right to data portability: To request your data in a commonly used electronic format so it can be transferred to another provider.
  • The right to object: To object to certain types of processing, such as direct marketing.
  • The right to withdraw consent: To withdraw your consent for us to process your special category data or send marketing materials at any time.

10. Contact Us and Complaints

If you wish to exercise any of your data rights, or if you have questions about this policy, please contact our Data Protection Officer:

Data Protection Officer: Kristina Snarskiene

Email: kristina@buffandbare.com

Phone: 07909995963

Correspondence Addresses:

  • Buff & Bare Ltd: 2 Merchant House, 160-162 London Rd., St Albans, AL1 1PQ
  • Buff & Bare Hitchin Ltd: 80 Hermitage Rd., Hitchin, SG5 1DB

If you feel that we have not handled your data correctly, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO). You can contact them at www.ico.org.uk or by calling 0303 123 1113.
