
Privacy Policy

Last updated: 27 May 2026

This privacy policy explains how Riva 10 Aesthetics collects, uses, stores and protects your personal information. We take your privacy seriously and are committed to handling your data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Who we are

Riva 10 Aesthetics is a sole-trader business owned and operated by Tina Auld Williamson, providing aesthetic and skin treatments. Treatments are delivered at Serenity Spa, Meikle Mosside Farm Cottage, Fenwick, Kilmarnock KA3 6AY.

For the purposes of UK GDPR, Tina Auld Williamson is the data controller of your personal information.

Data Controller

Tina Auld Williamson, trading as Riva 10 Aesthetics
Email: tinastudio10@outlook.com
ICO Registration: application in progress

Our registered business address is held privately and is available on written request via the email above.

2. What information we collect

We collect the following categories of personal data:

Identification & contact data

  • Full name
  • Email address
  • Phone number
  • Date of birth (where required for age verification)

Health & medical data (special category data)

  • Allergies, medical conditions and medications
  • Pregnancy or breastfeeding status (where relevant to treatment)
  • Previous aesthetic treatments and outcomes
  • Skin assessment notes and treatment plans

Visual data

  • Before-and-after treatment photographs (stored only with your explicit written consent)

Payment data

  • Booking deposit transactions (processed by our payment provider — we do not store full card numbers)

Booking and communication data

  • Appointment history and treatment records
  • Email and message correspondence with us
  • Aftercare communication

3. Why we collect your data (legal basis)

We process your personal data under the following lawful bases set out in UK GDPR:

  • Contract (Article 6(1)(b)) — to provide the treatments and services you book with us, including booking confirmations, payment processing and aftercare.
  • Legitimate interests (Article 6(1)(f)) — to maintain accurate treatment records, communicate with you about your care, and protect both you and our practice.
  • Legal obligation (Article 6(1)(c)) — to retain clinical records as required by industry, insurance and regulatory requirements.
  • Explicit consent (Article 9(2)(a)) — for processing health and medical data, and for any use of treatment photographs.
  • Vital interests (Article 9(2)(c)) — in rare emergency situations where your life or health is at risk.

4. Who we share your data with

We do not sell your data. We share it only with the following carefully selected service providers necessary to run our practice:

Cal.eu (booking platform)

Operated by Cal.com, Inc. — handles appointment scheduling, booking confirmations and reminder emails. Data is stored on European servers under Cal's EU data residency. Cal.com privacy policy.

Stripe (payment processor)

Processes your £30 booking deposit and any subsequent treatment payments. We never see or store full card numbers. Stripe is PCI-DSS compliant. Stripe privacy policy.

Microsoft Outlook (email)

Our email correspondence is hosted by Microsoft. Microsoft privacy statement.

Other recipients

Where required by law, we may share data with regulatory bodies, insurers, law enforcement or healthcare professionals involved in your treatment.

5. How long we keep your data

We retain your data for the following periods:

  • Clinical and treatment records — minimum of 8 years from your last appointment, in line with UK clinical record retention guidance.
  • Records for clients under 18 — until the client's 25th birthday or 8 years after the last appointment, whichever is longer.
  • Booking and contact data — for as long as you remain an active client, plus 8 years thereafter.
  • Treatment photographs — only with your explicit written consent, and you may withdraw consent and request deletion at any time.
  • Financial records — 6 years, in line with HMRC requirements.

After these periods, your data is securely deleted or anonymised.

6. How we protect your data

  • All digital records are stored on password-protected devices with encryption enabled.
  • Treatment photographs are kept on a single dedicated work device and never shared on personal accounts.
  • We never share photographs publicly without explicit, signed consent — and you may withdraw consent at any time.
  • Our service providers (Cal.eu, Stripe) all use industry-standard encryption and security measures.
  • Access to your records is restricted to Tina Auld Williamson only.

7. Your rights

Under UK GDPR you have the following rights regarding your personal data:

  • Right of access — request a copy of the data we hold about you.
  • Right to rectification — correct any inaccurate or incomplete data.
  • Right to erasure ("right to be forgotten") — request deletion of your data, subject to our legal retention obligations.
  • Right to restrict processing — limit how we use your data.
  • Right to data portability — receive your data in a portable format.
  • Right to object — object to processing based on legitimate interests.
  • Right to withdraw consent — withdraw any consent you've given, at any time, without affecting prior lawful processing.

To exercise any of these rights, contact us at tinastudio10@outlook.com. We aim to respond within 30 days.

8. Cookies and tracking

Our website uses a small number of cookies to function:

  • Cal.eu embed cookies — set when the booking calendar loads, to manage your session if you start a booking.
  • Stripe cookies — set if you proceed to payment, used for fraud prevention.

We do not use marketing or advertising cookies, nor any analytics or tracking pixels at this time. If this changes, we will update this policy and provide an appropriate consent banner.

9. Complaints

If you have a concern about how we handle your data, please contact us first at tinastudio10@outlook.com and we will do our best to resolve it.

You also have the right to complain to the Information Commissioner's Office (ICO), the UK's independent supervisory authority for data protection:

Information Commissioner's Office

Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
Helpline: 0303 123 1113
Website: ico.org.uk

10. Changes to this policy

We may update this privacy policy from time to time to reflect changes in our practices or legal requirements. The latest version will always appear on this page, with the "Last updated" date at the top.

If you have any questions about this privacy policy or how we handle your data, please contact tinastudio10@outlook.com.


© 2026 Riva 10 Aesthetics. All rights reserved.