Privacy Policy | wax-and-massage

Effective date: March 19th 2018

1. Who We Are

This Privacy Policy explains how Georgios Kyriakou, trading as Wax & Massage (“we”, “us”, “our”), collects, uses, and protects your personal data.

Data Controller: Georgios Kyriakou t/a Wax & Massage
ICO Registration Number: ZB993690
Data Protection Lead (DPL): Georgios (George) Kyriakou
Contact: george@waxandmassage.co.uk
Website: https://www.waxandmassage.co.uk

We are committed to complying with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and all other applicable data protection laws.

2. Personal Data We Collect

We collect and process the following information in order to provide our services:

Booking & Communication

First Name
Last Name
Email Address
Contact Number

Consent & Treatment Records

When you visit for treatment, we ask you to complete a consent form, which may include:

Date of Birth
Age
Address
Phone Number
Email Address
GP Details
Allergy information
Relevant medical or health information (e.g. conditions, medication, product use to assess for potential contraindications)

3. How We Use Your Personal Data

We use your data for the following purposes:

To manage bookings and appointments
To respond to enquiries
To provide treatments and related services
To maintain treatment records as required by law and industry standards
To send reminders, updates, or necessary information about your appointment or treatment
To comply with legal obligations

We do not sell your data or share it with third parties for marketing.

4. Lawful Basis for Processing

We rely on the following lawful bases under the UK GDPR:

Contractual necessity: to deliver the services you have booked.
Consent: where you provide explicit consent for processing special category health data.
Legal obligation: to maintain records in line with tax, insurance, or regulatory requirements.
Legitimate interests: to manage bookings, respond to queries, and operate securely.

5. How We Store and Protect Your Data

All personal data is encrypted at rest using the AES-256-CBC standard.
Data in transit is protected using SSL/TLS encryption.
Access to records is restricted and monitored.
Physical consent forms (if collected) are securely stored and destroyed according to retention policy.

6. Data Retention

We retain records for 6 years from your last appointment or point of contact. If you continue using our services, your records will be held indefinitely until 6 years have passed since your last booking or communication.

After this period, your records are securely destroyed.

7. Sharing of Personal Data

We only share your personal data where necessary to provide our services. This may include:

Email and SMS providers for appointment confirmations or reminders
Payment processors to handle secure transactions
Website hosting and IT infrastructure providers

We do not share your data with any other third parties unless required by law.

8. Your Rights

Under the UK GDPR, you have the following rights:

The right to access the personal data we hold about you
The right to rectification of inaccurate data
The right to erasure (“to be forgotten”) where applicable
The right to restrict processing
The right to data portability
The right to object to processing
The right to withdraw consent (where processing is based on consent)
The right to lodge a complaint with the Information Commissioner’s Office (ICO) at https://ico.org.uk

9. Cookies & Website Usage

Our website may use cookies and similar technologies to ensure functionality and improve user experience. For more information, please refer to our Cookie Policy.

10. Updates to This Policy

We may update this Privacy Policy from time to time. Any changes will be posted on our website with a revised effective date.

11. Contact

If you have any questions about this Privacy Policy or how your data is processed, please contact:

George Kyriakou

Email: george@waxandmassage.co.uk

Website: https://www.waxandmassage.co.uk

Last updated 19th September 2025