Privacy Policy – The Thryve Clinic

Last updated: 4th November 2025

Introduction

The Thryve Clinic (“we”, “us”, “our”) is committed to protecting your privacy and handling your personal data in line with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This page explains what personal data we collect, why we collect it, how we protect it and your rights. By using our website or booking an appointment you agree to this policy.

1. Data controller & contact details

Controller: The Thryve Clinic
Email: hello@thethryveclinic · Phone: 07927963484
For data protection queries or to exercise your rights, please email: hello@thethryveclinic.com.

2. What data we collect

A. Personal & contact data: name, DOB, email, phone, postal address (Concierge bookings).

B. Sensitive medical data (special category): medical history, medications, allergies, pregnancy status, treatment records, photos for clinical documentation.

C. Transactional data: appointment history, payment records (processed via secure third-party payment processors).

D. Technical data: IP, device/browser info, cookies (for analytics).

3. Legal bases for processing

We rely on the following UK GDPR legal bases:

  • Performance of a contract — to provide treatments and appointments.
  • Legal obligation — medical/financial record keeping.
  • Consent — for marketing or photography used for promotional purposes (consent is explicit and withdrawable).
  • Legitimate interests — clinic administration, fraud prevention and safety, balanced against individual rights.

Medical data is processed under Article 9 exemptions for healthcare provision and with appropriate safeguards.

4. How we use your data

  • To manage bookings, consultations and treatments.
  • To create and maintain clinical records for safe treatment.
  • To communicate appointment reminders, aftercare and medical follow-up.
  • To process payments and meet legal/financial obligations.
  • To provide aggregated, anonymised analytics to improve services (not identifying you).
  • Only with explicit consent: marketing communications and use of photographic images for promotional purposes.

5. Photography and clinical images (consent & use)

Clinical photographs are treated as personal data under UK law. We will only take or use images with explicit, written consent. You can refuse and this will not affect clinical care. Images taken for clinical purposes (documentation, safety) may be retained in records; marketing use requires separate consent. Guidance: photographs are personal data under GDPR.

6. Data sharing & third parties

We share data only with necessary and trusted processors:

  • Clinic management/booking software (e.g., Aesthetic Nurse Software)
  • Payment processors and banks
  • Healthcare providers (only when clinically necessary)
  • Legal or regulatory authorities if required

Processors operate under contract and must meet UK GDPR security standards.

7. Data retention

We retain patient and clinical records in line with NHS/national guidance and ICO principles — only for as long as necessary for clinical, legal and business reasons. Typical retention periods:

  • Clinical / treatment records: 7 years (or 8 years where recommended for adults; follow NHS guidance).
  • Financial records: 6 years (statutory).
  • Marketing data: until consent withdrawn.

Retention must respect the storage limitation principle. See NHS Records Retention Schedule and ICO guidance.

8. How we protect your data

We use reasonable technical and organisational measures: encrypted systems, secure cloud storage, staff training, limited access, secure disposal of paper records, and regular backups. Access to sensitive medical data is restricted to clinical staff with a need to know.

9. Your rights

You have the right to:

  • access your data (Subject Access Request)
  • rectification, erasure (in limited circumstances)
  • restriction or objection to processing
  • withdraw consent for marketing/photography at any time
  • data portability where applicable

To exercise any right, contact hello@thethryveclinic.com. You can also complain to the ICO.

10. Cookies and tracking

We use basic analytics cookies to improve the site. A separate Cookie Policy is available on request and via the website cookie banner.

11. International transfers

We do not transfer your personal data outside the UK except when using third-party processors that provide adequate safeguards; you will be informed if international transfer becomes necessary.

12. Changes to this policy

We will publish changes here with an updated “last updated” date.