
    BeautyKiln

    Privacy Notice (GDPR)

    UK GDPR-compliant privacy notice for self-employed beauty workers. Plain English, one page, covers all requirements.

    Client Management
    md
    amber risk

    Use this when

    • GDPR privacy notice
    • Data protection
    • Client privacy
    • ICO compliance

    BeautyKiln Document Hub - Privacy Notice - Free to use, no attribution required


    Privacy Notice

    This is a GDPR-compliant privacy notice for a self-employed beauty worker. Edit the details in square brackets and display it on your website, in your salon/workspace, or provide it to clients on request.


    Privacy Notice for [Your Name / Trading Name]

    Last updated: [Date]


    Who I am

    I am [your full name], trading as [your trading name]. I am a self-employed [hairdresser / beauty therapist / nail technician / lash technician / barber / describe your specialism] based in [your town/area].

    I am the data controller for the personal information I collect about my clients. This means I decide what data to collect, why, and how it is used.

    Contact details:

    • Email: [your email]
    • Phone: [your phone number]
    • Address: [your business address, or state "available on request" if you work from home and prefer not to publish it]

    What information I collect

    I collect the following personal information about my clients:

    • Your name, date of birth and contact details (phone, email, address)
    • Medical information relevant to your treatment (allergies, skin conditions, medications, pregnancy status, and other health details recorded on your consultation card)
    • Treatment records (what treatments you have had, products used, dates, and practitioner notes)
    • Patch test dates and results
    • Photos (only with your separate written consent)
    • Payment records
    • Booking history
    • Marketing preferences (whether you have opted in to receive messages from me)

    Some of this information - particularly your medical history - is classed as "special category data" under UK GDPR. I only collect this because it is necessary to carry out your treatment safely.


    Why I collect it and what gives me the right

    | What I use it for | Lawful basis |
    | --- | --- |
    | Carrying out your treatment safely (including medical history and consultation records) | Legitimate interest - I need this to provide a safe and professional service |
    | Keeping treatment records | Legitimate interest - professional record-keeping and duty of care |
    | Processing special category health data | Explicit consent (given on your consultation card) and/or necessary for health-related purposes |
    | Contacting you about your appointments (confirmations, reminders, aftercare) | Legitimate interest - necessary to manage your bookings |
    | Sending you marketing messages (offers, news, new treatments) | Consent - you can opt out at any time |
    | Keeping financial records for tax purposes | Legal obligation - required by HMRC |
    | Responding to a complaint or insurance claim | Legitimate interest - necessary to defend or respond to claims |

    Who I share your information with

    I do not sell your personal information to anyone.

    I will only share your information in the following circumstances:

    • With your consent - for example, if you ask me to share your treatment records with another practitioner
    • If required by law - for example, if HMRC requests my financial records, or if ordered by a court
    • With my insurer - only if you make a claim or complaint that involves my insurance. I will only share the minimum information necessary
    • With my booking system provider - if I use an online booking system, your name, contact details and appointment information will be stored on that platform. [Name the provider if applicable, e.g. Fresha, Timely, Square]

    I do not share your medical information with anyone unless you give me specific written consent or I am required to do so by law.


    How long I keep your information

    | Type of record | How long I keep it |
    | --- | --- |
    | Client consultation cards and treatment records | 7 years after your last appointment |
    | Records for clients who were under 18 at the time of treatment | Until the client turns 25, or 7 years after the last appointment, whichever is longer |
    | Financial records (invoices, payment records) | 6 years (as required by HMRC) |
    | Marketing consent records | Until you withdraw consent or 3 years after your last appointment, whichever comes first |
    | Photos | Until you withdraw consent or 7 years after your last appointment, whichever comes first |

    After these periods, I will securely destroy your records (shredding for paper, permanent deletion for digital files).


    How I keep your information safe

    I take the following steps to protect your personal information:

    • Paper records are stored in a locked drawer/cabinet in my workspace
    • Digital records are stored on a password-protected device with up-to-date security software
    • My phone and laptop are password/PIN protected
    • I do not leave client records visible to other clients
    • I do not discuss your personal information with other clients

    Your rights

    Under UK GDPR, you have the right to:

    • Access - Ask me for a copy of the personal information I hold about you
    • Correction - Ask me to correct any information that is inaccurate or incomplete
    • Deletion - Ask me to delete your personal information (subject to my legal and professional obligations to retain certain records)
    • Withdraw consent - If I am processing your data based on consent (e.g. marketing, photos), you can withdraw that consent at any time
    • Restrict processing - Ask me to limit how I use your data in certain circumstances
    • Data portability - Ask me to provide your data in a format that can be transferred to another practitioner
    • Object - Object to my use of your data where I am relying on legitimate interest as the lawful basis

    To exercise any of these rights, contact me using the details above. I will respond within one month.


    Complaints

    If you are unhappy with how I have handled your personal information, please contact me first so I can try to put it right.

    If you are still not satisfied, you have the right to complain to the Information Commissioner's Office (ICO):

    • Website: ico.org.uk
    • Phone: 0303 123 1113
    • Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

    Changes to this notice

    I may update this privacy notice from time to time. The date at the top shows when it was last updated. If I make significant changes, I will let you know.


    How to use this template

    This privacy notice meets the requirements of UK GDPR (the UK General Data Protection Regulation) and the Data Protection Act 2018. It is written for a self-employed beauty worker - if you employ staff, you will need additional clauses covering employee data.

    Before you use it:

    • Fill in every detail in square brackets. Delete anything that does not apply to your situation.
    • If you use a digital booking system (Fresha, Timely, Square, etc.), name it in the "who I share with" section. You should also check that your booking system provider is GDPR-compliant - most major ones are.
    • Display this notice where clients can see it. Options include: on your website, printed and displayed in your workspace, linked in your booking confirmation emails, or available as a printed copy on request.
    • You do not need to make clients sign the privacy notice. It is an information document, not a consent form. Consent for specific things (e.g. marketing, photos) is collected separately.
    • If you process client data digitally, check whether you need to register with the ICO. Most beauty workers who keep digital client records need to register - the fee is £40 per year for micro businesses.
    • Review this notice at least once a year and update it if anything changes (e.g. new booking system, new types of treatment, new data you collect).
    • This is not legal advice. If your situation is complex (e.g. you process large volumes of data, you operate across multiple locations, or you handle data for children), consider getting specialist data protection advice.

    Display in your workspace and on your website/booking page. Update if you change how you use client data.
