Privacy Policy

Last updated: March 29, 2025

1. Introduction

Canova Medical (“we”, “us”, “our”) is committed to protecting and respecting your privacy. This policy explains how we collect, use, store, and protect your personal data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

For the purpose of data protection law, the data controller is Canova Medical Limited, registered at 36A Alderley Road, Wilmslow, Cheshire SK9 1JX.

2. Information We Collect About You

We may collect and process the following data about you:

  • Identity Data: Includes first name, last name, title, date of birth.
  • Contact Data: Includes billing address, delivery address, email address, and telephone numbers.
  • Medical Data (Special Category Data): Includes information about your health, medical history, treatment details, photographs related to your treatment, and other sensitive information necessary for providing medical and cosmetic services. We treat this data with the highest level of confidentiality and security.
  • Financial Data: Includes bank account and payment card details (processed securely via third-party payment providers).
  • Transaction Data: Includes details about payments to and from you and other details of products and services you have purchased from us.
  • Technical Data: Includes internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website.
  • Usage Data: Includes information about how you use our website, products, and services (e.g., pages visited, time spent on site).
  • Marketing and Communications Data: Includes your preferences in receiving marketing from us and our third parties and your communication preferences.

We collect this information directly from you (e.g., when you book an appointment, fill in forms, correspond with us), automatically via our website (Technical and Usage Data, often via cookies), and sometimes from third parties (e.g., referring clinicians, with your consent).

3. How We Use Your Personal Data and Lawful Basis for Processing

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

  • To provide our medical and cosmetic services to you: Processing Identity, Contact, Medical, and Transaction Data is necessary for the performance of a contract with you and for our legitimate interests in providing healthcare. Processing Special Category Medical Data requires your explicit consent or is necessary for the purposes of preventative or occupational medicine, medical diagnosis, the provision of health or social care or treatment.
  • To manage payments, fees and charges: Processing Identity, Contact, Financial, and Transaction Data is necessary for the performance of a contract and for our legitimate interests (to recover debts).
  • To manage our relationship with you: This includes notifying you about changes to our terms or privacy policy and responding to enquiries. Lawful basis: Performance of a contract, Legal obligation, Legitimate interests (to keep records updated, study service usage).
  • To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data): Lawful basis: Legitimate interests (for running our business, provision of administration and IT services, network security), Legal obligation.
  • To use data analytics to improve our website, services, marketing, customer relationships and experiences: Lawful basis: Legitimate interests (to define types of customers, keep website updated, develop business, inform marketing strategy). We will obtain your consent for non-essential cookies used for this purpose.
  • To make suggestions and recommendations to you about services that may be of interest to you: Lawful basis: Legitimate interests (to develop our services and grow our business) or Consent (where required by law, e.g., for email marketing to new prospects).
  • To comply with legal or regulatory obligations: Processing may be necessary to comply with applicable laws (e.g., maintaining medical records according to healthcare regulations).

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. We will get your explicit consent before using Special Category Medical Data for any purpose other than providing healthcare or as required by law.

4. Data Sharing and Disclosures

We treat your information with strict confidentiality. We may have to share your personal data with the parties set out below for the purposes outlined in section 3:

  • Service providers acting as processors who provide IT, system administration, payment processing, and marketing services.
  • Professional advisers including lawyers, bankers, auditors, and insurers who provide consultancy, banking, legal, insurance, and accounting services.
  • HM Revenue & Customs, regulators (like the Care Quality Commission – CQC), and other authorities acting as processors or joint controllers based in the United Kingdom who require reporting of processing activities in certain circumstances.
  • Other medical professionals (e.g., your GP, specialists) but only where necessary for your treatment and typically with your explicit consent, or if required for your vital interests or by law.
  • Third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions. We do not sell your personal data to third parties.

5. Data Security

We have put in place appropriate technical and organisational security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have procedures to deal with any suspected personal data breach and will notify you and any applicable regulator (like the ICO) of a breach where we are legally required to do so.

6. Data Retention

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. Medical records are subject to specific retention periods required by law and professional guidelines.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure, the purposes for which we process your data and whether we can achieve those purposes through other means, and the applicable legal requirements.

7. Your Data Protection Rights

Under data protection law, you have rights including:

  • Your right of access – You have the right to ask us for copies of your personal information.
  • Your right to rectification – You have the right to ask us to rectify personal information you think is inaccurate or incomplete.
  • Your right to erasure – You have the right to ask us to erase your personal information in certain circumstances (‘right to be forgotten’). Please note medical records may be subject to legal retention requirements.
  • Your right to restriction of processing – You have the right to ask us to restrict the processing of your personal information in certain circumstances.
  • Your right to object to processing – You have the right to object to the processing of your personal information in certain circumstances (e.g., processing based on legitimate interests, direct marketing).
  • Your right to data portability – You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.
  • Rights related to automated decision making including profiling – We do not currently conduct automated decision-making or profiling.

You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you. Please contact us using the details below if you wish to make a request.

8. Cookies

Our website uses cookies to distinguish you from other users. This helps us to provide you with a good experience when you browse our website and also allows us to improve our site. For detailed information on the cookies we use and the purposes for which we use them, please see our separate Cookie Policy.

9. Third-Party Links

This website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy policy of every website you visit.

10. Changes to This Privacy Policy

We keep our privacy policy under regular review. Any changes we make will be posted on this page and, where appropriate, notified to you by e-mail. Please check back frequently to see any updates or changes.

11. How to Complain

If you have any concerns about our use of your personal information, you can make a complaint to us using the contact details below.

You also have the right to complain to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues, if you are unhappy with how we have used your data.

The ICO’s address:
Information Commissioner’s Office
Wycliffe House, Water Lane
Wilmslow, Cheshire
SK9 5AF

Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk

Contact Details for Data Protection Matters

If you have any questions about this privacy policy or our privacy practices, or wish to exercise any of your rights, please contact us:

FAO: Data Protection Lead
Phone:
Email: info@canovamedical.com (Please mention “Data Protection” in the subject line)