Privacy policy


The Centre for Aesthetics and Innovative Cosmetology Ltd is a provider of non-medical services. This privacy policy explains how we use any personal information we collect about you when you use our website and when we interact with you.

The protection of your privacy and personal information is extremely important to us, and any information that you have provided to us will be collected and used in accordance with the General Data Protection Regulation, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2003. We will not share your data with any third party except for administrative purposes relating to the services we provide and where we may be required to do so by law.

Holding information

For our records we record and keep only the essential information relating to each guest and the service or products they receive. This includes full name, phone number (landline and/or mobile) and email addresses, which are kept within our secure online booking app Timely.

We only ever use this information to enable us to have contact regarding any appointments made with us on our premises, over the phone or online and to personalise your repeat visits to our salon. This will be name, date of patch test and result as well as information regarding medical suitability for the treatment recorded in consultation forms. For the services we supply in our salon, this is the only information we require, and we will endeavour to keep the information only for an appropriate timeframe. All information is kept following data protection and privacy laws, which all staff have been trained on.

Providing information

If requested we will provide our employees or guests with the information we hold about them free of charge, and they will have the right to correct any information that is wrong. We will endeavour to provide this information as soon as possible and well within the legal one-month time period of receiving the request. Information will never be passed on to third parties without clear written permission from all parties involved.

Right to be forgotten

We will honour the right of anyone who asks us to delete the data that we collect about them, unless there is a good reason not to.

We will utilise the email addresses to notify guests of any appointment change or cancellation, as well as to provide appointment confirmations at the time of booking and a reminder 48 hours before. We will also send out a “how was our service?” email 24 hours after the appointment to provide the opportunity to give us feedback on your experiences with us. None of these require a response. We will also never pass information to any outside third party for marketing purposes. Contact will be kept to an absolute necessity level only.

Data breaches

A data breach is the loss, or unauthorised alteration or sharing, of any personal data we hold about individuals. This can be deliberate or accidental. We shall keep a record of any data breaches and report serious breaches to the ICO without undue delay and within 72 hours of becoming aware of them.

Sub-processors and Timely

A sub-processor is an external service or provider that is enlisted by Timely to deliver our service to you. As part of that service delivery, we may be required to share personal information we have collected about you with these providers.

How do we protect your information?

Timely take the privacy and security of your personal data very seriously and have strict processes in place to ensure this information is shared securely and only when necessary.

Personal information: Timely employ Secure Sockets Layer (SSL) technology on the collection, storage and processing of all data. All accounts are accessed via secure login with one-way hashing of all passwords. Timely do not access or share any data unless required to by law or, with your permission, to help resolve system problems.

Payments: All supplied sensitive/credit information is transmitted via Secure Sockets Layer (SSL) technology and then encrypted into the payment gateway provider's database, only to be accessible by those authorised with special access rights to such systems. They are required to keep the information confidential. Timely do not store this information themselves, instead keeping this data with their payment providers, who have the highest level of PCI compliance.

Timely also requires that any third-party services or sub-processors that they use as part of delivering this service to you, meet the requirements and obligations under GDPR, as well as those requirements of the local authority (NZ).

Timely have established Data Processing Agreements (DPAs) with all of their providers, to ensure your personal information is collected, stored and processed in a legal/lawful manner.

iZettle payment engine

We use the iZettle payment engine to process all due payments for our salon.

iZettle transaction information

We may access information generated in connection with transactions accounted for through the use of the services by logging into our iZettle Account. We will also be able to access downloadable reports. The way in which we provide the transaction information will allow storage and reproduction of the information unchanged, for example by printing copies. Your privacy and the protection of your data are very important to us. We acknowledge that we have received, read in full and agree with the terms of iZettle’s Privacy Policy incorporated into these General Terms and Conditions by reference, which contains inter alia our acceptance to the collection, use, retention and disclosure of personal information and which explains how and for what purposes we collect, use, retain, disclose and safeguard the information we provide to iZettle.

iZettle are responsible for protecting the security of personal information in their possession. They have implemented administrative, technical and organizational procedures to protect personal information that is stored in their servers from unauthorized access and accidental loss, modification or disclosure. However, they cannot guarantee that unauthorized third parties will never be able to defeat those measures or use such information for improper purposes. We acknowledge that you provide your personal information at your own risk.

We confirm and agree that we will protect and, save where required by law, not disclose, register or otherwise process any information that we may receive about our customers or other third parties while using the Services of iZettle. We must notify iZettle through the website or by contacting their customer services team at without undue delay if we become aware of or suspect any unauthorized access to or disclosure of such information.

We may not disclose or distribute any information about our customers or other third parties or use such information for marketing or other purposes unless we receive the express consent of such customer or third party. We are solely responsible for compliance with any applicable privacy laws and regulations of our specific jurisdiction.

Last updated: 4th February 2019
