Book a Consultation

Kirbha Clinic

Privacy Policy

04/06/2026

Introduction and Controller Details

This Privacy Notice sets out how Kirbha Clinic (“the Clinic”, “we”, “us”, or “our”) collects, uses, and protects your personal data. We respect your privacy and are committed to protecting your personal data in strict accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018), and common law duties of confidentiality in healthcare.

We are the Data Controller responsible for your personal data.

Controller Contact Details:

  • Full Legal Entity: Kirbha Clinic
  • ICO Registration Number: 
  • Email Address: info@kirbhaclinic.com

Categories of Personal Data Collected

Personal data means any information about an individual from which that person can be identified. Due to the clinical nature of our services, we process Special Category Data (health information), which requires a higher level of protection. We collect, use, store, and transfer the following categories of data:

Data Category

Description

Identity Data

First name, maiden name, last name, marital status, title, date of birth, and gender.

Contact Data

Billing address, residential address, email address, and telephone numbers.

Health & Clinical Data (Special Category)

Medical history, current medications, allergies, physical or mental health conditions, GP details, treatment plans, surgical notes, and clinical photographs (before/during/after).

Financial Data

Bank account and payment card details (processed securely via our payment gateway).

Transaction Data

Details about payments to and from you, and records of treatments or products you have purchased.

Technical Data

Internet protocol (IP) address, browser type and version, time zone setting, browser plug-in types, operating system, and platform technologies used to access our website.

Profile Data

Your username/password (if using a patient portal), appointment history, your interests, preferences, feedback, and survey responses.

Marketing & Communications Data

Your preferences in receiving marketing from us and your communication preferences.

Methods of Data Collection

We use different methods to collect data from and about you, including:

  • Direct Interactions: You may give us your Identity, Contact, Health, and Financial Data by filling in medical questionnaires, consent forms, or corresponding with us by post, phone, email, or in person during consultations.
  • Automated Technologies: As you interact with our website, we automatically collect Technical Data about your equipment and browsing actions using cookies and server logs.
  • Third Parties or Publicly Available Sources: We may receive personal data about you from various third parties, such as analytics providers (e.g., Google), payment providers (e.g., Stripe, Square), and referring medical professionals (with your explicit consent).

Cookie Policy and Tracking Technologies

Our website uses cookies, web beacons, pixels, and similar tracking technologies to distinguish you from other users of our website. This helps us provide you with a secure, efficient, and tailored experience when you browse our website and allows us to improve our site and clinical services.

What is a Cookie?

A cookie is a small file of letters and numbers that we securely store on your browser or the hard drive of your computer or mobile device if you agree. Cookies contain information that is transferred to your device’s hard drive.

Categories of Cookies We Use

We use the following types of cookies, which are governed by specific lawful bases under the UK GDPR and PECR:

Cookie Category

Purpose

Legal Requirement for Use

Strictly Necessary Cookies

These are cookies required for the fundamental operation of our website. They include, for example, cookies that enable you to securely log into patient portals, use online booking systems, or make use of e-billing services.

No Consent Required. (Exempt under PECR). These cannot be switched off in our systems.

Analytical / Performance Cookies

These allow us to recognise and count the number of visitors and to see how visitors move around our website when they are using it. This helps us improve the way our website works, for example, by ensuring that users are finding what they are looking for easily (e.g., Google Analytics).

Explicit Consent Required. We will only place these on your device if you opt-in via our cookie banner.

Functionality Cookies

These are used to recognise you when you return to our website. This enables us to personalise our content for you, greet you by name, and remember your preferences (e.g., your choice of language or region).

Explicit Consent Required. We will only place these on your device if you opt-in via our cookie banner.

Targeting / Marketing Cookies

These cookies record your visit to our website, the pages you have visited, and the links you have followed. We (and our selected third-party partners, such as Meta or Google) may use this information to make our website and the advertising displayed on it more relevant to your interests.

Explicit Consent Required. We will only place these on your device if you opt-in via our cookie banner.

Third-Party Cookies

Please note that third parties (including, for example, advertising networks, external booking software providers, and providers of external services like web traffic analysis services) may also use cookies over which we have no control. These cookies are likely to be analytical/performance cookies or targeting cookies. We strongly advise you to review the privacy and cookie policies of these third-party providers.

How to Manage Your Cookie Consent

When you first visit our website, you will be presented with a cookie banner requesting your consent to deploy non-essential cookies. 

  • Active Opt-In: Non-essential cookies (Analytical, Functionality, and Targeting) are strictly disabled by default. They will only be activated if you explicitly click “Accept” or actively manage your preferences to allow them. 
  • Withdrawing Consent: You can change your cookie preferences or withdraw your consent at any time by clicking the [“Cookie Settings” / “Manage Cookies”] link located in the footer of our website.
  • Browser Settings: You can also block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including strictly necessary cookies), you may not be able to access our online booking portal or other secure areas of our site.

Purposes and Lawful Basis for Processing

We will only use your personal data when the law allows us to. Under the UK GDPR, we must establish a lawful basis for processing standard personal data (Article 6) and an additional condition for processing Special Category Data (Article 9).

Standard Personal Data (Article 6 UK GDPR)

Purpose/Activity

Data Category

Lawful Basis for Processing

Registering you as a new patient

Identity, Contact

Performance of a contract with you.

Processing payments & collecting fees

Identity, Contact, Financial, Transaction

Performance of a contract; Necessary for our legitimate interests (to recover debts due to us).

Managing our relationship (notifying changes to terms, asking for reviews)

Identity, Contact, Profile, Marketing

Performance of a contract; Necessary to comply with a legal obligation; Legitimate interests (to keep our records updated).

Administering and protecting our business & website (troubleshooting, data analysis, system maintenance)

Identity, Contact, Technical

Necessary for legitimate interests (running our business, provision of IT services, network security).

Delivering relevant website content & advertisements

Identity, Contact, Profile, Usage, Technical

Necessary for legitimate interests (to study how patients use our services, to grow our business).

Special Category (Health) Data (Article 9 UK GDPR)

Purpose/Activity

Data Category

Lawful Basis (Article 6) & Condition (Article 9)

Medical assessment, performing aesthetics/minor surgery, and providing aftercare

Health & Clinical

Art 6(1)(b): Contract.



Art 9(2)(h): Provision of health or social care or treatment, subject to professional confidentiality.

Maintaining mandatory medical records

Health & Clinical

Art 6(1)(c): Legal obligation.



Art 9(2)(h): Provision of health care / management of health systems.

Publishing clinical photographs (website, social media, marketing)

Health & Clinical

Art 6(1)(a): Consent.



Art 9(2)(a): Explicit consent. (Note: This is strictly opt-in via a separate Media Consent Form).

Defending medical malpractice or legal claims

Health & Clinical

Art 6(1)(f): Legitimate interests.



Art 9(2)(f): Establishment, exercise, or defence of legal claims.

Disclosures of Your Personal Data

We strictly protect patient confidentiality. However, we may share your personal data with the parties set out below for the purposes outlined in Section 4:

  • Healthcare Professionals: Your General Practitioner (GP) or referring specialists, only where medically necessary and typically with your prior consent, unless in the case of a medical emergency.
  • IT and System Administration Providers: Companies providing secure cloud-based practice management .
  • Professional Advisers: Lawyers, bankers, auditors, and insurers who provide consultancy, banking, legal, insurance, and accounting services to the Clinic.
  • Regulatory Authorities: The Information Commissioner’s Office (ICO), HM Revenue & Customs (HMRC), the Care Quality Commission (CQC) [if applicable], or other authorities who require reporting of processing activities in certain circumstances.
  • Third-Party Payment Processors: To facilitate secure transaction processing.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our documented instructions.

International Data Transfers

Whenever we transfer your personal data outside the UK (for example, if our practice management software hosts data on servers in the United States or the EEA), we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

  • We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the UK Government.
  • Where we use certain service providers, we may use specific contracts approved for use in the UK (such as the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses) which give personal data the same protection it has in the UK.

Data Security

We have implemented stringent, appropriate security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorised way, altered, or disclosed.

  • Technical Measures: All electronic patient records are stored on encrypted, secure servers. Website traffic is secured via SSL/TLS encryption. Passwords and two-factor authentication (2FA) are mandated for all staff accessing clinical systems.
  • Organisational Measures: Access to your personal data is limited strictly to those employees, agents, contractors, and other third parties who have a clinical or business need to know. They will only process your personal data on our instructions, and they are subject to strict contractual duties of confidentiality.
  • Breach Protocols: We have put in place procedures to deal with any suspected personal data breach and will notify you and the ICO of a breach where we are legally required to do so within 72 hours.

Data Retention Periods

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting, or reporting requirements.

Because we provide medical and minor surgical interventions, our retention policies are dictated by healthcare regulations (such as the Records Management Code of Practice) rather than standard commercial guidelines: 

  • Adult Patient Medical Records: Retained for a minimum of 8 years after your last treatment or consultation. 
  • Child Patient Medical Records: If you were under 18 at the time of treatment, records are retained until your 25th birthday (or 26th if you were 17 at the conclusion of treatment). 
  • Financial and Tax Records: Retained for 6 years from the end of the financial year in which the transaction occurred, to comply with HMRC requirements.
  • Consent Withdrawn (Marketing): If you withdraw consent for marketing or social media photography, the specific images/data will be removed from active use immediately, though administrative records of the consent withdrawal itself will be retained to ensure your preferences are respected.

Your Legal Rights

Under the UK GDPR, you possess specific rights in relation to your personal data:

  • Right of Access (Subject Access Request): You may request a copy of the personal data we hold about you to check that we are lawfully processing it.
  • Right to Rectification: You may request correction of any incomplete or inaccurate data we hold about you, though we may need to verify the accuracy of the new data. Note: Clinical opinions documented by a practitioner cannot typically be amended, but an addendum can be added to your file.
  • Right to Erasure (“Right to be Forgotten”): You may ask us to delete personal data where there is no good reason for us continuing to process it. Please note: This right is generally superseded by our legal obligation to retain medical records for the statutory periods outlined in Section 8.
  • Right to Object to Processing: You may object where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object. You also have an absolute right to object to direct marketing.
  • Right to Restriction of Processing: You may ask us to suspend the processing of your personal data (e.g., if you want us to establish its accuracy or the reason for processing it).
  • Right to Data Portability: We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format.
  • Right to Withdraw Consent: Where we are relying on consent to process your personal data (e.g., for marketing or publishing photographs), you may withdraw it at any time. This will not affect the lawfulness of any processing carried out before you withdraw your consent.

Exercising Your Rights

To exercise any of the rights set out above, please contact our DPO via the details in Section 1. You will not have to pay a fee to access your personal data. However, we may charge a reasonable administration fee if your request is clearly unfounded, repetitive, or excessive. We try to respond to all legitimate requests within one month.

Complaints

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues.

ICO Contact Details:

  • Website: www.ico.org.uk
  • Telephone: 0303 123 1113
  • Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.

Newsletter Signup

Newsletter Signup

Let's keep in touch

  • This field is for validation purposes and should be left unchanged.

Let's Talk

Get in touch

Phone

07476396825

WhatsApp

07476396825

info@kirbhaclinic.co.uk

Locations