Client Record-Keeping: What You Must Store
If a client sues you three years from now claiming an allergic reaction, your records are your defence. If HMRC investigates your tax return, your financial records are your proof. If the ICO asks how you handle personal data, your processes are your answer.
Record-keeping is not admin. It is protection. This guide tells you exactly what to keep, how long to keep it, and how to store it safely.
Quick Rule of Thumb
Keep treatment records for 7 years (for insurance claims). Keep financial records for 5 years (for HMRC). Keep them locked up or encrypted. When in doubt, keep it.
Tip for new starters: Buy a lockable filing box or cabinet before you see your first client. It costs under £20 and solves your GDPR storage requirement immediately. Do not start your business with consultation cards loose in a bag or a kitchen drawer.
What You Must Record
1. Consultation Cards
A consultation card (or consultation form) is the foundation of your client records. It should capture:
Personal details:
- Full name
- Date of birth
- Contact number
- Email address
- Address (especially for mobile workers)
- Emergency contact (optional but recommended)
Medical and health history:
- Known allergies (products, ingredients, latex, plasters)
- Current medications (some affect skin, hair, and nails - e.g., blood thinners, Accutane, antibiotics)
- Skin conditions (eczema, psoriasis, dermatitis, rosacea)
- Medical conditions (diabetes, epilepsy, blood disorders, heart conditions, autoimmune conditions)
- Pregnancy or breastfeeding status
- Previous treatments and any adverse reactions
- GP details (optional but useful for complex cases)
Consent:
- Consent to treatment
- Consent to record and store health information (UK GDPR - special category data)
- Consent for photos (if applicable - separate from treatment consent)
- Consent for marketing communications (if applicable - separate again)
Signature and date. The client should sign the consultation card. If digital, a tick box with a timestamp works, but a physical signature is stronger evidence.
2. Patch Test Records
For any treatment requiring a patch test (hair colour, lash tinting, certain chemical treatments), you must record:
- Date of the patch test
- Product used (brand and shade/type)
- Where the patch test was applied
- Result (positive/negative/no reaction)
- Time period observed (usually 48 hours)
- Client signature confirming the result
- Date the actual treatment was performed (to confirm it was within the valid patch test window)
If a client refuses a patch test: Document the refusal. Record the date, the client's name, and that you explained the risks and they declined. Then do not perform the treatment. Keep this record.
Patch test validity: Most manufacturers recommend patch tests are valid for a specific period (often 48 hours to 6 weeks depending on the product). Follow the manufacturer's instructions. If a client has not been in for 6 months, you may need a fresh patch test even if the previous one was fine.
3. Treatment Records
For every treatment, record:
- Date of treatment
- Treatment performed (be specific - "balayage with Wella Blondor 6% 30 vol, 35 minutes" not just "colour")
- Products used (brand, shade, strength, quantity)
- Application method and timings
- Any reactions or issues during the treatment
- Aftercare advice given
- Result (including photos if you have consent)
- The client's response - did they express satisfaction?
- Any concerns raised by the client at the time
Why be specific about products? If a client has an allergic reaction two weeks later and claims it was your product, you need to know exactly what you used. "I used some colour" is not going to help you. "Wella Koleston Perfect 7/0 with 6% Welloxon, applied for 35 minutes, rinsed and conditioned with Wella SP" is what your insurer needs.
4. Financial Records
HMRC requires you to keep financial records for at least 5 years after the 31 January submission deadline of the relevant tax year.
What to keep:
- All invoices (issued and received)
- Receipts for business expenses (products, equipment, rent, training, insurance)
- Bank statements
- Payment records (card payments, cash received, online payments)
- Mileage logs (if you claim vehicle expenses)
- Till records or booking system reports
- Any other documents supporting your Self Assessment tax return
Digital is fine. HMRC accepts digital records. Photos of receipts are acceptable as long as they are legible and stored securely. Making Tax Digital requires digital records for VAT-registered businesses, and will expand to income tax self-assessment - get ahead of this by going digital now.
5. Insurance Records
Keep copies of:
- Your current and all previous insurance policies
- Certificates of insurance
- Any correspondence with your insurer
- Any claims or near-misses
- Any incident reports
You need these if a claim is made against you years later. Your insurer at the time of the incident is the one that handles the claim, not your current insurer. If you cannot prove who insured you three years ago, you have a problem.
6. Marketing Consent Records
If you send marketing messages (emails, texts, WhatsApp broadcasts), you need to record:
- When consent was given
- How consent was given (signed form, online opt-in, verbal - though verbal is hard to prove)
- What the client consented to (emails? texts? both?)
- Whether the client has opted out (and when)
Keep these records for as long as you are processing the person's data for marketing, and for a reasonable period after (in case of a complaint or ICO investigation).
Retention Periods
How long should you keep each type of record?
| Record type | Minimum retention period | Why |
|---|---|---|
| Consultation cards | 7 years after last treatment | Insurance claims - the limitation period for personal injury is 3 years, but it can be extended in some circumstances. 7 years gives you a safety margin. |
| Patch test records | 7 years after last treatment | Same as above - linked to potential injury claims. |
| Treatment records | 7 years after last treatment | Insurance claims and professional defence. |
| Financial records (invoices, receipts) | 5 years after the 31 January tax deadline | HMRC requirement. For the 2025-26 tax year, keep records until at least 31 January 2032. |
| Insurance policies | Indefinitely (or at least 7 years after policy expiry) | You need to know who insured you at the time of any incident. |
| Marketing consent records | As long as processing continues + 2 years after | To demonstrate compliance with PECR and UK GDPR if challenged. |
| Photos of treatments | 7 years after last treatment (or until consent is withdrawn) | Defence against complaints; marketing (only with consent). |
| Complaints and incident records | 7 years after resolution | Insurance and legal defence. |
| Children's records (clients under 18) | 7 years from their 18th birthday | The limitation period for minors does not start until they turn 18. |
Special case: children
If you treat clients under 18 (e.g., ear piercing, teen facials), keep their records for 7 years from their 18th birthday, not from the treatment date. A 15-year-old treated in 2026 means keeping records until 2036.
Storage: How to Keep Records Safe
UK GDPR requires you to protect personal data with "appropriate technical and organisational measures." In practical terms:
Paper Records
- Store in a locked filing cabinet or drawer - not on an open shelf or in a box under your bed
- Keep them away from public areas - clients should not be able to see other clients' records
- Do not leave consultation cards lying around between appointments
- If you work mobile, carry records in a lockable case, not loose in your bag
Digital Records
- Use a password-protected device (phone, tablet, laptop)
- Enable full-disk encryption (most modern phones have this by default)
- Use strong passwords or biometric lock (fingerprint, face ID)
- Enable remote wipe on your phone (Find My iPhone, Google Find My Device)
- Back up regularly to an encrypted cloud service or external drive
- If using a booking system (Fresha, Booksy, Timely, etc.), check their GDPR compliance - they should have a Data Processing Agreement available
Disposing of Records
When records have passed their retention period:
- Paper: Shred them. Do not just put them in the bin. A cross-cut shredder is best.
- Digital: Delete them properly. For files on your computer, empty the recycle bin. For booking system records, check how to permanently delete (not just archive). For phone data, factory reset the phone before selling or recycling it.
"What If a Client Sues Me 3 Years Later?"
This is exactly why records matter. Here is a real-world scenario:
A client had a hair colour treatment in January 2024. In March 2027 (3 years later), they contact a solicitor claiming the treatment caused an allergic reaction that led to hair loss. They send you a Letter Before Action.
If you have good records:
- You can show the consultation card: no allergies disclosed
- You can show the patch test record: negative result, done 48 hours before
- You can show the treatment record: products used, timings, no reaction noted
- You can show they signed off on the result and left happy
- Your insurer has everything they need to defend you
If you have poor records:
- You cannot remember the client
- You have no patch test record
- You cannot say what products you used
- It is your word against theirs
- Your insurer is in a much weaker position to defend you
Records are your evidence. Without them, you are exposed.
Digital Tools for Record-Keeping
You do not need expensive software. But you do need something systematic.
| Tool | Cost | Good for |
|---|---|---|
| Paper consultation cards | Pennies per card | Simple, no tech needed, but harder to search and less secure |
| Google Sheets/Excel | Free | Basic digital record-keeping, password-protect the file |
| Fresha | Free (basic) | Booking + client records in one system |
| Booksy | From ~£30/mo | Client records, booking, payment |
| Timely | From ~£20/mo | Client records with consultation forms |
| Phorest | From ~£40/mo | Full salon management with detailed client records |
| SumUp | Free | Payment records + basic booking |
Whatever you use, make sure it is backed up and secure.
What To Do Next
- Audit your current records. Do you have consultation cards for every client? Patch test records? Treatment notes? If not, start now.
- Set up a proper storage system. Locked cabinet for paper. Password-protected and backed up for digital.
- Update your consultation cards to include consent statements for health data processing (UK GDPR).
- Create a retention schedule. Know what you are keeping and for how long. Put a reminder in your calendar to review and dispose of expired records annually.
- Tell your insurer what records you keep. They may have specific requirements or recommendations.
Tip for new starters: When you record a treatment, be specific about every product you used. "Colour applied" will not help you if a client claims a reaction three years later. "Wella Koleston 7/0 with 6% developer, 35 minutes" is what your insurer needs to defend you.
Who To Contact
- ICO - 0303 123 1113 (Free) - ico.org.uk - data protection guidance
- HMRC Self Assessment - 0300 200 3310 (Free) - gov.uk/self-assessment-tax-returns - financial record-keeping requirements
- Your insurer - check your policy for record-keeping requirements
- NHBF - nhbf.co.uk - industry templates and guidance (Paid, members only)
- BABTAC - babtac.com - consultation card templates for members (Paid, members only)
Sources
- UK General Data Protection Regulation (UK GDPR)
- Data Protection Act 2018
- Limitation Act 1980 (limitation periods for personal injury claims)
- HMRC guidance on record-keeping for Self Assessment
- ICO guidance on data retention
- NHBF guidance on client records
