Beautay — Privacy Policy
1) Scope
This Privacy Policy explains how Bodewell Holdings Ltd (“Beautay”, “we”, “us”) handles personal data when:
- you visit beautay.co.uk or interact with our marketing or support; and
- you (as an aesthetics business or authorised staff member) use the Beautay Platform; and
- End-Clients use a booking page / mini-website powered by Beautay.
2) Data protection roles (controller vs processor)
2.1 When we are a controller
We act as a controller for personal data we process to run our business and provide the Platform to our customers, such as:
- Customer admin user accounts (names, emails, login/security data)
- Account setup and billing information
- Support communications
- Security logs and abuse prevention data
- Website analytics/cookies (where used)
2.2 When we are a processor
When an aesthetics business (“Customer”) uses Beautay to manage their End-Clients (their customers/patients), the Customer is usually the controller of that End-Client data. We act as the Customer’s processor, processing that data to provide the Platform features (bookings, forms, reminders, customer records, notes, etc.).
End-Clients should normally contact the relevant aesthetics business directly for questions about how their data is used.
3) Personal data we collect
3.1 Platform customers and authorised users (B2B)
When you create and use a Beautay account, we may collect:
- Identity & contact: name, email address, phone number, business/practice details you enter
- Account & security: email verification status, authentication/session data, IP address, device/browser info, audit logs
- Billing: plan, invoices, payment status (payment card details are typically handled by our payment provider)
- Support: messages and information you share with support (e.g., troubleshooting details)
- Usage data: feature usage, settings, configuration and performance metrics (to operate and improve the service)
3.2 End-Clients (processed on behalf of our Customers)
Depending on how a Customer configures Beautay, the Platform may process End-Client data such as:
- Account details: full name, email, phone number, email verification status
- Bookings: appointments, cancellations, reschedules, waitlists
- Payments: payment references, receipts, refunds, gift cards, loyalty and promo codes (payment details handled by payment provider)
- Messaging preferences: opt-in/opt-out status for reminders and marketing (as configured by the Customer)
- Forms and notes: questionnaire responses, consultation/SOAP notes, treatment records, products used and mapping features (if enabled)
- Files/media: uploads and attachments (if enabled)
Some form responses or notes may include special category data (e.g., health-related information) if the Customer chooses to collect it. We process this only on the Customer’s instructions.
4) How we use personal data
4.1 As controller (our own business and account data)
We use personal data to:
- create and administer Customer accounts and Authorised Users
- provide access to, operate, maintain and secure the Platform
- process subscriptions, billing, and payments
- provide customer support and respond to requests
- monitor performance, prevent abuse/fraud, and protect the Platform and users
- comply with legal obligations (e.g., accounting and tax)
- send important service communications (e.g., security notices, service updates)
4.2 As processor (Customer’s End-Client data)
We process End-Client data only to provide the Platform features the Customer enables, such as managing bookings, sending confirmations/reminders, collecting form responses, storing notes/records, and providing exports and reporting. The Customer controls what they collect and how they use it.
5) Lawful bases
Where we act as controller, we rely on lawful bases such as:
- Contract: to provide the Platform to Customers and manage subscriptions
- Legitimate interests: operating, securing and improving the Platform; preventing abuse and fraud (balanced against your rights)
- Legal obligation: compliance with applicable laws (e.g., accounting/tax requirements)
Where we act as processor for End-Client data, the Customer is responsible for selecting the lawful basis (and any special category condition where applicable).
6) Sharing & suppliers
6.1 Subprocessors and service providers
We use third-party suppliers to provide the Platform (e.g., hosting, databases, authentication, email/SMS delivery, security tooling). Where those suppliers process Customer Personal Data on our behalf, they act as subprocessors.
Our current list of subprocessors is available at: https://beautay.co.uk/subprocessors.
6.2 Payment providers
Payments are processed by third-party payment providers (e.g., Stripe). Payment providers may act as independent controllers for certain payment data. We receive limited payment-related information (such as payment status and references) to operate the Platform.
6.3 Legal and safety
We may disclose personal data if required to do so by law, to respond to lawful requests from public authorities, or to protect our rights, users, and the security of the Platform.
7) International transfers
Some suppliers may process data outside the UK. Where personal data is transferred internationally, we take steps designed to ensure an appropriate level of protection, such as using recognised transfer safeguards where required.
8) Data retention
- Platform account data: retained for the duration of the Customer relationship and afterwards as needed for legal, accounting, and dispute purposes.
- End-Client data: retained according to the Customer’s configuration and instructions. Customers can export and delete data using Platform tools (subject to backups).
- Backups: data may persist in backups for a limited period until overwritten as part of routine backup rotation.
9) Security
We implement technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. Measures may include access controls, encryption in transit, logging, backups, and operational security practices.
No method of transmission or storage is 100% secure. Customers should also take steps to protect their accounts (e.g., strong passwords, restricting staff access).
10) Your rights
10.1 If you are a Platform customer/admin user
You may have rights under UK data protection law, such as access, correction, deletion, restriction, objection, and portability (where applicable). To exercise your rights regarding data we control, contact support@beautay.co.uk.
10.2 If you are an End-Client of a Beautay Customer
The aesthetics business you booked with is usually the controller of your personal data. Please contact that business directly to exercise your rights or ask questions about your data. If they need assistance, we will support them as processor where appropriate.
11) Cookies
We may use cookies and similar technologies on our website and/or the Platform to enable essential functionality and help keep accounts secure. Where we use non-essential cookies (e.g., analytics), we will provide appropriate choices/controls.
12) Children
The Platform is intended for business users. End-Clients should follow the relevant Customer’s eligibility policies. If you believe a child has provided personal data through Beautay, please contact the relevant business and/or us.
13) Changes to this Privacy Policy
We may update this Privacy Policy from time to time. The “Version” and “Last updated” date at the top show when it was last changed. If changes are material, we may provide additional notice.
14) Complaints
If you have concerns, please contact us first at support@beautay.co.uk. You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO).
ICO contact details (for convenience): Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.