Privacy Policy

Last updated: 19 February 2026

Highbrow London is a sole trader business operated by Amanda Millan in Shepperton, Surrey, United Kingdom.

We are committed to protecting your personal data and respecting your privacy in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Who We Are

Highbrow London

3 Station Approach, Shepperton, Surrey, TW17 8AR

hello@highbrowlondon.co.uk

Highbrow London is the data controller responsible for your personal data.

2. What Information We Collect

We may collect and process the following information:

  • Name

  • Contact details (email, telephone number, address)

  • Date of birth

  • Medical history and health information relevant to treatment

  • Appointment history

  • Payment information (processed securely via third-party providers)

  • Website usage data (via cookies and analytics tools)

Health information is collected only where necessary for treatment suitability and safety.

3. How We Use Your Information

We use your data to:

  • Book and manage appointments

  • Assess suitability for treatments

  • Maintain medical records

  • Process payments

  • Comply with legal and regulatory obligations

  • Respond to enquiries

  • Send service-related communications

We will only send marketing communications where you have opted in. You may withdraw consent at any time.

4. Lawful Basis for Processing

We rely on the following lawful bases:

  • Performance of a contract (providing booked treatments)

  • Legal obligation (record keeping and regulatory compliance)

  • Legitimate interests (business administration and service improvement)

  • Explicit consent (processing health data and marketing communications)

5. Payment Processing

Payments are processed securely through Timely and Stripe. Highbrow London does not store or have access to full card details.

6. Data Storage & Retention

Medical and treatment records are retained in accordance with professional and legal requirements applicable in England and Wales.

Data is retained only for as long as necessary to fulfil legal, regulatory, insurance, and clinical obligations.

7. Data Sharing

We may share data with:

  • Payment processors (Stripe)

  • Booking software providers (Timely)

  • Consent form providers, in some cases (Faces Business)

  • Professional advisers or insurers

  • Regulatory or legal authorities where required

We do not sell personal data.

8. Your Rights

Under UK GDPR, you have the right to:

  • Access your personal data

  • Request correction

  • Request erasure (subject to legal obligations)

  • Restrict processing

  • Object to processing

  • Withdraw consent

You may contact us to exercise these rights.

You also have the right to complain to the Information Commissioner’s Office (ICO).

9. Data Security

We take appropriate technical and organisational measures to protect personal data from loss, misuse, or unauthorised access.

10. Updates

This Privacy Policy may be updated periodically. The latest version will always appear on our website.