Legal Document

Privacy Policy & Data Protection Notice

Effective Date: 14 May 2026  ·  Last Reviewed: 14 May 2026  ·  Version: 1.0
Applies to: J Artistry Body & Wellness Clinic — Coventry, England

This Privacy Policy explains how J Artistry Body & Wellness Clinic (“we”, “us”, “our”) collects, uses, stores, and protects your personal data. It has been prepared in compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the Data (Use and Access) Act 2025, and all applicable UK data protection legislation. Please read this notice carefully.

1. Who We Are

Data Controller Identity

The data controller responsible for your personal data is:

  • Trading Name: J Artistry Body & Wellness Clinic
  • Founder & Practitioner: Joanna Karto
  • Address: Arches Estate, Spon End, Coventry, CV1 3JQ, United Kingdom
  • Email: info@jartistryclinic.com
  • Telephone: +44 7591 092255

We provide private clinical body and wellness services including body transformation treatments, recovery therapy, personal care and cosmetics, IV vitamin therapy, preventative health screening, and occupational wellness programmes.

As a healthcare and wellness service provider, we process health-related information, which is classified as Special Category personal data under Article 9 of the UK GDPR. This type of data receives the highest level of legal protection and we treat it with the utmost care and confidentiality.

2. What Personal Data We Collect

Categories of Personal Data

We collect and process the following categories of personal data:

2.1 Identity & Contact Data

  • Full name, date of birth, and gender
  • Postal address, email address, and telephone number
  • Emergency contact details (where relevant to treatment)

2.2 Health & Clinical Data (Special Category)

Because we provide clinical wellness and body treatments, we collect and process health-related information, including:

  • Medical history, existing health conditions, and relevant surgical history
  • Current medications, supplements, and known allergies
  • Pre- and post-operative recovery status
  • Postpartum status and birth method (where relevant to recovery treatment)
  • Body measurements, skin condition assessments, and biometric indicators
  • Biomarker and blood test results (for health screening clients)
  • Clinical notes from consultations and treatment sessions
  • Photographs taken for clinical progress assessment (where consent is given)
  • IV therapy administration records including dosage and formula details

2.3 Booking & Transaction Data

  • Appointment bookings, treatment history, and cancellation records
  • Payment information (processed via third-party payment processors; we do not store full card details)
  • Acuity Scheduling account data (our online booking platform)

2.4 Communications Data

  • Enquiries, messages, and correspondence sent to us by email, phone, WhatsApp, or social media
  • Feedback, reviews, and complaints

2.5 Technical & Website Data

  • IP address, browser type, and device information when you visit our website
  • Cookie data (see Section 9)
  • Website usage patterns (via analytics tools)

3. How We Collect Your Data

Sources of Personal Data

We collect personal data directly from you in the following ways:

  • When you book an appointment via our online booking system (Acuity Scheduling) or by telephone
  • During your initial clinical consultation and at subsequent appointments
  • When you complete health intake or consent forms
  • When you contact us by email, telephone, WhatsApp, or social media
  • When you use our website (technical data only)
  • When you submit a corporate wellness enquiry or referral

We do not purchase personal data from third parties or obtain it from public sources without your knowledge.

4. Legal Basis for Processing

Why We Are Lawfully Permitted to Process Your Data

We are required by UK GDPR to identify a lawful basis for each type of data processing we carry out. For health and special category data, we must also meet an additional condition under Article 9.

Purpose | Lawful Basis (Article 6) | Special Category Condition (Article 9)
--- | --- | ---
Delivering clinical treatments and consultations | Performance of a contract | Provision of health or social care (Art. 9(2)(h))
Maintaining clinical records and treatment history | Legal obligation + Legitimate interests | Provision of health or social care (Art. 9(2)(h))
Processing bookings and payments | Performance of a contract | N/A (non-health data only)
Communicating appointment reminders and follow-ups | Performance of a contract + Legitimate interests | Provision of health or social care (Art. 9(2)(h))
Sending marketing communications (where opted in) | Consent | Explicit consent (Art. 9(2)(a))
Responding to enquiries and complaints | Legitimate interests | N/A (non-health data typically)
Complying with legal obligations (e.g. tax, HMRC) | Legal obligation | N/A
Health and safety compliance | Legal obligation + Vital interests | Vital interests (Art. 9(2)(c))

Important note on consent: The ICO guidance on health and social care data (April 2024) confirms that consent is rarely the most appropriate legal basis for processing health information in the context of direct care. We primarily rely on the “provision of health or social care” condition under Article 9(2)(h) for clinical data processing. Consent remains our lawful basis for optional marketing communications only.

5. How We Use Your Personal Data

Purposes of Processing

We use your personal data for the following purposes:

  • To provide and deliver the clinical treatments and wellness services you have booked
  • To conduct pre-treatment health consultations and assess your suitability for specific treatments
  • To create, maintain, and update your individual clinical records
  • To monitor your treatment progress and tailor treatment plans accordingly
  • To communicate with you regarding appointments, cancellations, and treatment follow-up
  • To process payments and manage your account
  • To comply with our legal and regulatory obligations
  • To respond to your enquiries, complaints, and feedback
  • To send you relevant health, wellness, and promotional information, where you have opted in
  • To ensure the health, safety, and security of clients and staff on our premises
  • To carry out internal administration, business planning, and service improvement

We will never sell, rent, or trade your personal data to any third party for their marketing purposes.

6. Who We Share Your Data With

Data Sharing & Third-Party Disclosure

We may share your personal data with the following categories of recipients, strictly on a need-to-know basis:

  • Laboratory and diagnostic services: For processing blood tests, biomarker panels, or DNA samples as part of health screening services. These providers are bound by strict clinical confidentiality and data protection obligations.
  • Technology service providers: Including our online booking platform (Acuity Scheduling), payment processors, and website hosting services. These providers act as data processors under formal data processing agreements.
  • Professional advisors: Including our accountants, insurers, and legal advisors, only where strictly necessary and subject to professional confidentiality obligations.
  • Regulatory and statutory bodies: Including HMRC, the Information Commissioner’s Office (ICO), and law enforcement agencies, where we are legally required to disclose information.
  • Referring practitioners or surgeons: Only with your explicit prior consent, for example where we provide post-operative recovery therapy following a procedure carried out by another practitioner.
  • Emergency services: In the event of a medical emergency during or following your treatment, where disclosure is necessary to protect your vital interests.

We do not transfer your personal data outside of the United Kingdom or European Economic Area without appropriate safeguards in place. Where any of our service providers are based outside the UK, we ensure that adequate data transfer mechanisms (such as Standard Contractual Clauses or UK adequacy decisions) are in place.

7. How Long We Keep Your Data

Data Retention Periods

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, and to comply with our legal obligations. Our standard retention periods are:

Data Type | Retention Period | Reason
--- | --- | ---
Clinical records and health data | 8 years from last treatment (or until age 25 for clients under 18 at time of treatment, whichever is later) | NHS/clinical records guidance; potential professional liability period
Booking and transaction records | 6 years | HMRC requirements; Limitation Act 1980
Health screening and biomarker results | 8 years | Clinical records guidance
Consent forms | 8 years | Legal liability and professional accountability
Marketing consent records | Until consent is withdrawn or 3 years from last interaction | ICO guidance on consent records
CCTV footage (if applicable to premises) | 31 days | ICO code of practice
Website analytics data | Up to 26 months | Google Analytics standard retention

At the end of the applicable retention period, personal data is securely deleted or anonymised in accordance with our internal data disposal procedure.

8. Your Data Protection Rights

Rights Under UK GDPR

Under UK data protection law, you have the following rights in relation to your personal data:

  • Right of Access (Subject Access Request): You have the right to request a copy of the personal data we hold about you. We will respond within one calendar month of receiving your request.
  • Right to Rectification: You have the right to request that we correct any inaccurate or incomplete personal data we hold about you.
  • Right to Erasure (‘Right to be Forgotten’): You may request that we delete your personal data in certain circumstances. Note that this right may be limited where we have a legal obligation to retain records (e.g. clinical records during the mandatory retention period).
  • Right to Restriction of Processing: You have the right to ask us to pause or limit our use of your data in certain circumstances, for example while we investigate a dispute about its accuracy.
  • Right to Data Portability: Where processing is based on your consent or on a contract, you may request that we provide your personal data in a structured, machine-readable format so you can transfer it to another provider.
  • Right to Object: You have the right to object to our processing of your personal data where we rely on legitimate interests as our legal basis, or where data is processed for direct marketing purposes.
  • Right to Withdraw Consent: Where processing is based on your consent (e.g. marketing), you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.
  • Rights in Automated Decision-Making: You have the right not to be subject to decisions made solely by automated means that significantly affect you. We do not use automated decision-making in our clinical practice.

To exercise any of these rights, please contact us using the details in Section 11. We will respond within one calendar month. Where requests are complex or numerous, we may extend this period by a further two months and will notify you accordingly. We will not charge a fee for handling your rights request unless it is manifestly unfounded or excessive.

9. Cookies & Website Tracking

Our Use of Cookies

Our website uses cookies — small text files placed on your device — to improve your browsing experience and help us understand how visitors use our site.

We use the following types of cookies:

  • Strictly necessary cookies: Essential for the website to function. These cannot be disabled.
  • Analytics cookies: We may use Google Analytics or similar tools to collect anonymised data about how our website is used. You may opt out of analytics tracking via your browser settings or by using the Google Analytics Opt-out Browser Add-on.
  • Functional cookies: These remember your preferences and improve functionality.

By continuing to use our website, you consent to our use of cookies in accordance with this policy. You can manage or disable cookies at any time through your browser settings. Note that disabling certain cookies may affect your ability to use all features of the website.

Our website may use pixels or tracking technologies provided by our booking platform (Acuity Scheduling) or social media platforms (such as Instagram). Please refer to the privacy policies of those platforms for further information.

10. Data Security

How We Protect Your Information

We take the security of your personal data extremely seriously and have implemented appropriate technical and organisational measures to protect it against unauthorised access, disclosure, alteration, or destruction. These measures include:

  • Restricted access to clinical records on a strict need-to-know basis
  • Password-protected and encrypted digital storage systems
  • Secure disposal of paper records containing personal information
  • Use of reputable, GDPR-compliant third-party platforms for booking and payment processing
  • Regular review of our data protection practices

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach, in accordance with our obligations under UK GDPR Article 33. Where there is a high risk to your rights, we will also notify you directly without undue delay.

11. Contact Us & Complaints

How to Reach Us

If you have any questions about this Privacy Policy, wish to exercise your data protection rights, or wish to raise a concern about how we handle your personal data, please contact us:

J Artistry Body & Wellness Clinic
Arches Estate, Spon End, Coventry, CV1 3JQ
Email: info@jartistryclinic.com
Phone: +44 7591 092255

Right to Complain to the ICO

If you are not satisfied with our response, or believe that we are processing your personal data unlawfully, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection matters:

  • Website: www.ico.org.uk
  • Helpline: 0303 123 1113
  • Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF

We would, however, appreciate the opportunity to address your concern before you approach the ICO, and ask that you contact us in the first instance.

12. Changes to This Privacy Policy

Policy Updates

We review this Privacy Policy regularly and will update it to reflect any changes in our data processing practices, legal requirements, or regulatory guidance. When we make material changes to this policy, we will update the “Last Reviewed” date at the top of this page and, where appropriate, notify you directly.

We encourage you to review this policy periodically. Your continued use of our services after any changes constitutes your acknowledgement of the updated policy.

This policy was last reviewed in accordance with the ICO’s updated guidance on Transparency in Health and Social Care (April 2024) and the provisions of the Data (Use and Access) Act 2025.