PRIVACY POLICY — PHP Aesthetic-Wellness Last updated: 21 June 2026
1. Who we are
PHP Aesthetic-Wellness is committed to protecting your personal data and respecting your privacy. This policy explains how we collect, use, store and protect your personal information when you visit our website or use our services.
The data controller is PHP Health First Limited, trading as PHP Aesthetic-Wellness (company registered in England & Wales, company number 07008563).
- Registered office: Lodge Park, Lodge Lane, Langham, Colchester, Essex, CO4 5NE
- Clinic address: 22 Harley Street, Suite 8, London W1G 9PL
- ICO registration number: ZA767961
Contact for data/privacy questions: contact@phpaesthetic.com · +44 (0) 7917 785 695 · 22 Harley Street, Suite 8, London W1G 9PL.
As a single, independent clinic we are not required to appoint a statutory Data Protection Officer under UK GDPR. The person responsible for data protection at the clinic is Dr Philippe Hamida-Pisal, who can be contacted at contact@phpaesthetic.com.
2. The legal framework
We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
3. The information we collect
Website visitors: name, email, phone and message content when you use our contact or enquiry forms; and technical data such as IP address, browser type and cookie data (see Cookies below).
Patients and clients (special-category data): as a healthcare provider we collect and process health information, which is special-category data requiring extra protection. This may include:
- Contact and identity details (name, date of birth, address, contact details);
- Medical and family history, medications, allergies and lifestyle information;
- Consultation notes, treatment records, clinical photographs and 3D imaging;
- For the Healthy Ageing programme: biomarker / blood test results, body composition and functional measurements, and related health data.
- Consent records; and payment information.
4. How we use your information, and our lawful basis
Under UK GDPR we must have a lawful basis for processing. For general personal data we rely on legitimate interests, contract, consent, or legal obligation as appropriate. For special-category (health) data we additionally rely on the conditions in Article 9 UK GDPR — typically:
- Article 9(2)(h) — provision of health or social care / treatment, by or under the responsibility of a health professional; and/or
- Explicit consent where appropriate (for example, use of clinical images in marketing or case studies).
We use your information to: provide and manage your care and treatment; communicate with you and respond to enquiries; manage appointments and payments; meet our clinical, legal and regulatory obligations (including CQC requirements); and, only with your separate explicit consent, for marketing or case studies.
Healthy Ageing & Longevity programme. Where you take part in this programme, we additionally process: blood and biomarker results received from our laboratory (TDL); body-composition and functional measurements; and, where clinically relevant, hormonal results and any once-in-a-lifetime genetic-risk markers (such as Lp(a)). A central feature of the programme is longitudinal tracking — we retain and compare your results over time to monitor change. Any prescribing arising from the programme is clinician-led and recorded in your clinical notes. Participation is always voluntary and fully informed, and is processed under Article 9(2)(h) (provision of healthcare) with your explicit consent where appropriate.
5. Clinical photography and 3D imaging
We may take clinical photographs and 3D facial images to document and plan your treatment and track results over time. These are part of your clinical record. Consent for clinical imaging — and any withdrawal of it — is recorded in your patient notes (written and verbal). We will only use any image for marketing, teaching or case studies with your separate, explicit, written consent, which you may withdraw at any time.
6. Who we share your data with
We do not sell your data. We may share it with trusted parties who help us provide care, under appropriate agreements, including:
- Laboratories that process tests on our behalf (for example, TDL – The Doctors Laboratory);
- Our practice-management / booking system providers (for example, Pabau);
- Other healthcare professionals, such as your GP or another clinic, where appropriate for your care;
Consent before sharing. Before sharing your information with your GP or another clinic, we ask you to confirm your agreement in writing (by email or WhatsApp message). We do not act on verbal consent alone for sharing your information with third parties. [Your adviser can confirm the lawful basis for direct-care sharing; documented consent is recorded as a matter of clinic policy.]
- Regulators, or where we are required to share by law;
- Payment processing is handled securely by WorldPay. Our website is hosted by OVH (on WordPress). We also use email and SMS/messaging services to communicate with you.
Our processors store data within the UK; we do not transfer your personal data outside the UK.
7. How long we keep your data
We keep personal data only as long as necessary. Medical records are retained in line with professional and legal guidance. We retain records for as long as is necessary to provide your care and to meet our legal and professional obligations. Paper records are retained for a minimum of 7 years. Electronic records held in Pabau are retained for a minimum of 10 years; for patients in the Healthy Ageing & Longevity programme, records may be kept longer, as ongoing comparison of results over time is essential to that programme.
8. How we protect your data
We use appropriate technical and organisational measures to keep your data secure, including access controls, secure storage and staff confidentiality obligations. Our clinical records are held in the Pabau practice-management system, which requires two-step password authentication to access. Email communications are sent securely and access is protected; access to our SMS/messaging service is controlled by a code that is changed monthly. Paper documents are securely shredded when no longer needed. All staff sign a confidentiality agreement, as do any external visitors who may come into contact with patient information.
9. Your rights
You have the right to: be informed; access your data; have inaccurate data corrected; request erasure (subject to our legal duty to retain medical records); restrict or object to processing; and data portability. To exercise any right, contact us using the details above. You also have the right to complain to the Information Commissioner’s Office (ICO) at ico.org.uk.
10. Cookies
Our website uses cookies.
11. Changes to this policy
We may update this policy from time to time. The current version is dated below. Last updated: [21/06/2026]
12. Contact Us
PHP Aesthetic-Wellness 22 Harley Street, Suite 8 London W1G 9PL contact@phpaesthetic.com +44 (0) 7917 785 695 www.phpaesthetic.com