Beautay — Privacy Policy
Contents
- 1) Scope
- 2) Controller and processor roles
- 3) Personal data we process
- 4) How we use personal data
- 5) Lawful bases
- 6) Suppliers, integrations and disclosures
- 7) International transfers
- 8) Retention
- 9) Security
- 10) Rights requests
- 11) Cookies, analytics and similar technologies
- 12) Children
- 13) Changes
- 14) Complaints
1) Scope
This Privacy Policy explains how Bodewell Holdings Ltd (“Beautay”, “we”, “us”) handles personal data when:
- you visit beautay.co.uk or communicate with us;
- you create or use a Beautay account as a business customer, owner, staff member or authorised user;
- you use the Beautay Platform, including account, billing, support, security and administrative features; or
- you are an End-Client using a booking page, customer account, form, payment flow, gift-card flow or other page powered by Beautay for one of our customers.
This Privacy Policy describes Beautay’s own privacy practices. A Beautay customer should provide its own privacy notice to its End-Clients explaining how that business uses their data.
2) Controller and processor roles
2.1 Where Beautay is a controller
We are a controller for personal data we decide to use for our own business purposes, including:
- business account and authorised-user administration;
- subscriptions, billing, payment status, invoicing and account management;
- support, sales and service communications;
- security, authentication, fraud prevention, abuse prevention, audit logging and service integrity;
- product analytics, diagnostics, monitoring and service improvement; and
- legal, accounting, tax and dispute-management purposes.
2.2 Where Beautay is a processor
Where a business customer uses Beautay to manage End-Client information, that customer is normally the controller and Beautay is its processor. In that role, we process End-Client data only to provide, secure, support and improve the Platform in accordance with our agreement with the customer and applicable law.
Beautay may provide tools that help a customer publish a privacy policy, collect acknowledgements, manage preferences, export records, delete or anonymise records, and maintain audit trails. Those tools do not make Beautay responsible for the customer’s own legal notices, lawful bases, consents, retention periods, marketing permissions, professional obligations, or the accuracy of the content the customer publishes.
End-Clients should normally contact the relevant aesthetic business directly about how that business uses their data or to exercise data protection rights in relation to that business’s records.
3) Personal data we process
3.1 Business customers and authorised users
Depending on how you interact with Beautay, we may process:
- Identity and contact data: name, email address, phone number, business name, role, staff details and business contact details.
- Account and authentication data: login credentials, email verification, multi-factor authentication, session data, device/browser information, IP address and security events.
- Billing data: plan, subscription, invoices, payment status, connected payment account status and limited payment references. Card and bank details are generally handled by payment providers.
- Support and communications data: messages, enquiries, troubleshooting information and service notices.
- Usage, analytics and diagnostics data: product usage, settings, technical logs, performance data, errors and security telemetry.
3.2 End-Client data processed for customers
The categories of End-Client data depend on how the customer configures Beautay and what the End-Client provides. They may include:
- Identity and contact data: name, email address, phone number, date of birth and account details.
- Booking and customer-management data: appointments, services, staff/location preferences, cancellations, reschedules, waitlists, packages, gift cards, loyalty, promotions and referrals.
- Payment-related data: payment status, receipts, refund records, checkout identifiers and payment-provider references.
- Communications and preferences: service reminders, confirmations, marketing preferences, opt-ins, opt-outs and communication logs.
- Forms, records and files: form responses, signatures, consultation or treatment notes, uploaded documents, images or other files, if the customer chooses to collect them.
- Legal and audit records: privacy/terms acknowledgements, document version hashes, IP address, user agent and related evidence records.
Some customer-configured forms, notes, files or treatment records may include special category data, such as health-related information. The customer is responsible for deciding what to collect and for having an appropriate lawful basis and special category condition.
4) How we use personal data
4.1 As controller
We use personal data to:
- create, administer and secure Beautay accounts;
- provide access to the Platform and manage subscriptions, billing and support;
- send service, security, billing and administrative communications;
- monitor, troubleshoot, maintain and improve the Platform;
- detect, prevent and respond to misuse, fraud, unauthorised access and security incidents; and
- manage legal claims, enforce our terms and comply with legal obligations.
4.2 As processor
We process customer-controlled End-Client data to provide the Platform features the customer uses, such as bookings, customer accounts, forms, communications, payments, records, files, integrations, reporting, exports, deletion/anonymisation tools and audit logs. The customer controls the purposes of that processing and the data it chooses to collect, upload, publish or send.
5) Lawful bases
Where Beautay acts as controller, we rely on lawful bases such as:
- Contract: to provide the Platform, administer accounts and manage subscriptions.
- Legitimate interests: to operate, secure, support and improve Beautay; prevent fraud and abuse; and protect our rights and users.
- Legal obligation: to comply with accounting, tax, regulatory, security and legal requirements.
- Consent: where we ask for consent for a specific optional activity.
Where Beautay acts as processor, the customer is responsible for identifying and documenting its lawful basis and, where applicable, any special category condition.
6) Suppliers, integrations and disclosures
6.1 Service providers and subprocessors
We use third-party service providers to host, secure, monitor and operate the Platform, store data, deliver email/SMS, process payments, support analytics and diagnostics, run background jobs, and provide optional integrations. Where a provider processes Customer Personal Data on our behalf, it is treated as a subprocessor.
We use established providers to support delivery of the Platform, but this Privacy Policy does not provide separate assurances about each provider beyond the roles described here and on our subprocessor page. Our current subprocessor list is available at: /subprocessors.
6.2 Payment providers and connected services
Payments and connected payment accounts are handled by third-party payment providers. Those providers may act as independent controllers for some payment, fraud, compliance and regulatory processing. Beautay receives limited payment-related data needed to operate the Platform.
If a customer or staff member connects optional third-party services, such as calendar or video meeting integrations, relevant appointment, account or technical data may be shared with those providers as needed to provide the integration.
6.3 Legal, safety and business disclosures
We may disclose personal data where reasonably necessary to comply with law, respond to lawful requests, enforce our agreements, protect rights or safety, investigate misuse or security incidents, or in connection with a business transaction affecting Beautay.
7) International transfers
Some providers may process personal data outside the UK. Where applicable data protection law requires transfer safeguards, we rely on appropriate safeguards available for the relevant transfer, such as contractual terms or other recognised mechanisms. This Privacy Policy does not include vendor-specific regional or assurance statements beyond the information we have chosen to publish.
8) Retention
- Beautay account and business records: retained for the customer relationship and afterwards as reasonably needed for legal, accounting, tax, security, support and dispute purposes.
- End-Client data: retained according to the customer’s instructions, configuration and use of the Platform, subject to backup cycles, technical constraints and legal obligations.
- Deletion and anonymisation: some tools may anonymise identity fields while preserving records needed for audit, booking, clinical, financial, fraud-prevention or legal purposes.
- Backups and logs: data may remain in backups, logs or security records for a limited period until overwritten or no longer needed.
9) Security
We use technical and organisational measures designed to protect personal data, including access controls, authentication controls, encryption in transit, encryption for certain sensitive records, logging, monitoring, rate limiting, backups, and operational security practices.
No platform can guarantee absolute security. Customers are responsible for configuring their accounts appropriately, controlling staff access, using strong credentials, reviewing their own published content, and ensuring they collect and use End-Client data lawfully.
10) Rights requests
10.1 Business customers and authorised users
You may have rights under UK data protection law, including rights of access, correction, deletion, restriction, objection and portability where applicable. To exercise rights in relation to personal data Beautay controls, contact [email protected].
10.2 End-Clients of Beautay customers
The aesthetic business you booked with or interacted with is normally the controller of your End-Client data. Please contact that business first. Where appropriate, Beautay will assist the customer as processor, but we may not be able to respond directly to a request about customer-controlled records without the customer’s involvement.
11) Cookies, analytics and similar technologies
We use cookies and similar technologies that are necessary to provide the website and Platform, keep users signed in, protect accounts, remember security state, and support customer-facing booking or account flows.
We may also use privacy-conscious analytics, diagnostics and monitoring tools to understand usage, detect errors, maintain security and improve the service. We aim to avoid sending sensitive personal data, authentication tokens, health information, form responses or payment details to analytics and monitoring tools.
12) Children
Beautay is provided to business customers. Customers are responsible for setting and communicating any age, consent, safeguarding or treatment eligibility rules for their own services. If you believe a child has provided personal data through Beautay, contact the relevant business and/or us.
13) Changes to this Privacy Policy
We may update this Privacy Policy from time to time. The “Version” and “Last updated” date at the top show when it was last changed. If changes are material, we may provide additional notice.
14) Complaints
If you have concerns, please contact us first at [email protected]. You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO).
ICO contact details: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.