Appearance Based Medicine is the data controller (ICO registration number ZA043596) for personal data about patients, prospective patients, associates and newsletter subscribers.

We do not sell your personal data for commercial purposes and will only disclose it if required by law, or with your consent.

To contact Appearance Based Medicine with a data protection query regarding the processing of your personal data, please use the contact us page or email, please address the query to the Data Controller.

Details of our processing

We believe that all these purposes are justified on the basis of our legitimate interests in running and promoting the business, our legal obligations to deliver the agreed services to you, the exception is for sending email marketing which we carry out on the basis of consent.  If you would like to know more, please read below:


As a patient, we will hold the following information about you:

  • Name
  • Date of Birth
  • Country of Birth
  • Gender
  • Residential Address
  • Telephone numbers
  • Email addresses
  • Emergency contacts
  • GP details
  • Health details including current medication and past cosmetic history
  • Patient treatment notes and records
  • Billing and payment information.
  • Before and after treatment photos

We will use the contact details you provide to us to contact you about forthcoming appointments. We will use the health information you provide to assess your suitability for the treatments that we provide.   We will only use the before and after photos for the purpose of demonstrating the treatment that was delivered (e.g. Botox).


We use Paypal and World Pay to process your payment.  When setting up a direct debit this is handled by GoCardless. We need to keep details of financial transactions for 6 years, after the end of the current financial year for tax purposes.

For more information, Click below links to see the payments privacy policies:




Third Party Online Tools

We currently use third-party online tools:

  • Business Dropbox to store patient registration and consent forms. Business Dropbox uses servers that are based in the United Kingdom, personal information is not transferred outside the EEA.  For more information please view Dropbox’s Privacy Policy.
  • Cliniko Practice Management system – is used to manage your patient details and appointments. For more information, please view Cliniko’s Privacy Policy and Cookies. Although Cliniko and its sub-processors are not physically in the EU/EEA, we have signed an additional Data Processing Agreement (DPA), separate from their regular Privacy Policy, that means that we are still allowed to use Cliniko to manage our patient information. The DPA includes Standard Contractual Clauses (also known as “Model Clauses”). These are an approved set of provisions which offer sufficient safeguards and protection for data that’s processed outside of the EU/EEA. Following is a list of requirements related to our use of Cliniko and our compliance: We commit to: – Remove patients from marketing-related communications. – Allow for double opt-in with the Mailchimp integration. – Modify patients’ personal details. – Provide patients with a copy of all their personal information. – Delete all of a patient’s information from Cliniko. – Record whether or not a patient has consented to your clinic’s privacy policy. – Let patients consent to your privacy policy when booking online.
  • Quriobot (Response Robot) – Response Robot provides our chatbot service, which allows us to interact with you (our customer) to request contact information automatically. The chatbot and services are installed on our WordPress website. The chatbot starts a conversation with you (our customer) to automatically obtain contact details such as name, email address, phone number, the service you are interested in and the time you can be contacted. Customer information and contact details captured by the chatbot are emailed to us so that we can follow-up with you.  All Quriobot data is securely stored on servers within the European Union (AWS in Ireland) and complies with the regulations of the GDPR, which monitors the transmission and storage of people’s personal information ( Data storage is ISO 27001, ISO 9001, and PCI DSS certified.  For more information about Quriobot/Response Robot Privacy & Cookies, click Quriobot Privacy Policy & Cookie Notice
  • MailChimp Email Marketing – It is necessary to double-opt in if you wish to receive our email marketing. We use MailChimp to send you relevant and useful offers and newsletters. To be able to do this, we record your name and contact details. You can unsubscribe easily at any time. MailChimp servers are located in the United States. However Mailchimp certifies to the Privacy Shield framework, which means they can lawfully receive EU data. As we are located in the EU and use Mailchimp to market in the EU, we are covered under Section 20 of MailChimp’s Terms of Use and Section 5(E) of our Privacy Policy.  Click here to view MailChimp’s Privacy Policy and Cookie Statement.
  • Google Calendar to manage your appointments. Our G-Suite account uses servers that are based within EEA. For more information please view Google’s Privacy Policy.

Prospective Patients

As a prospective patient, we will hold the following information about you:

  • Your name and contact information.
  • Referral source

If you make an enquiry to us via email, telephone or via Quriobot (Response Robot) or the contact us page on our website, we will use this information to follow-up on this enquiry to see if we can help you.

We will retain information about you for the duration of the enquiry, then two years.


As a subcontractor, we will hold the following information about you:

  • Your name, contact information.
  • Bank details

We will retain information about you for the duration of our relationship with you, then seven years.  We will retain financial records for 6 years, following the end of the current financial year.

Visitors to our Website

When you visit our website, we use a third-party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns.  We do this to find out things such as the number of visitor to various parts of the website.  The information is only processed in a way which does not identify anyone.

To opt-out of being tracked by Google Analytics across all websites visit


Cookies are small text files that are placed on your computer by websites that you visit.  They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site.  Unless you have set your browser to block cookies, this site will place the following cookies on your computer. Your web browser may allow you to change your cookie preferences, including to delete and disable Stripe cookies. Please consult the help section of your web browser to understand your options, or visit or However, please note that if you choose to disable the cookies, some features of our website or services may not operate as intended.





Google Analytics




The Google Universal Analytics javascript library uses first-party cookies to: distinguish unique users and throttle the request rate. To optout click here.













Twitter“Follow Button” Twitter plugin is used to help market the business using Twitter. The plugin detects whether a user is logged in to Twitter when he/she visits a website and uses this information to present either a “Follow” or “You Follow” message with various other details from Twitter. The plugin creates four ThirdParty cookies – pid, _twitter_sess, kdt, guest_id- if a visitor accesses the site when not logged into Twitter, and a further cookie if accessed while logged on to Twitter.
_twitter_sessTwitterUsed by Twitter services, to monitor referral links, and login status.
auth_tokenTwitterThis cookie saves information about the authentication token that a user uses to connect








FacebookAllow you to control the “Follow us on Facebook” and “Like” buttons
c_userFacebookThis cookie contains the user ID of the currently logged in user.
PresenceFacebookThis is a session cookie.
xsFacebookThe values contained within the xs cookie are:  The first portion is an up to 2 digit number representing the session number.  The second portion is a session secret. The third, optional, portion is a secure flag, which is used if the user has enabled the secure browsing feature.
langAB-MedLanguage cookie



DoubleclickThis cookie is used for re-targeting, optimisation, reporting and attribution of online adverts.  To output click here.
spu_boxWordPressUsed for closing and conversion on the popup

Used to show login buttons for accounts that have been recently accessed on this device.

To disable, click here


Used for chat and service improvements

To disable, click here

last-used-checkout-nameStripeCustomizes content for Checkout Users

checkout-test-session, checkoutdashboard-



Associates a device with a “Remember Me”

Checkout account


Sets a country code as determined by IP



Provides a unique session identifier for


qbClosed.<bot path>Quriobot (response robot) 

Stores whether the user has interacted with the bot (expires when the browser session ends)

qbStartCount.<bot path>Quriobot (response robot)

Stores the number of times the widget was loaded (expires when the browser session ends)

qbLang-<bot path>Quriobot (response robot)

Stores the current bot language (if the language switch is used) (expires when the browser session ends)


Used when an end user subscribes to a newsletter mailing list.







These cookies and tracking pixels enable behavioral advertising and analytics by Facebook.


We endeavour to take all reasonable steps to protect your personal information. All the data collected by us is stored on secure servers. The secure server software encrypts all information you input before it is sent to us.

Your Rights

As an individual whose personal data is processed by Appearance Based Medicine you have these rights

  • The right to be informed, which is what this privacy policy is for.
  • The right to access what data we hold about you.
  • The right to object to direct marketing – either use the unsubscribe option or contact us directly.
  • The right to object to processing carried out on the basis of legitimate interests.
  • The right to erasure (in some circumstances).
  • The right to data portability.
  • The right to have your data rectified if it is inaccurate.
  • The right to have your data restricted or blocked from processing.

If, at any time, you want to verify, update or amend your personal data please email    you would like a copy of the information held on you please write to Chilterns House, 49 – 51 Dean Street, Marlow, Buckinghamshire, England, SL7 3AA.

You also have the right to lodge a complaint about our processing with the UK’s Information Commissioner’s Office (ICO).

Changes to this privacy notice

We keep our privacy notice under regular review. This privacy notice was last updated on 24/04/2020[/et_pb_text][/et_pb_column][/et_pb_row][/et_pb_section]