Privacy Policy
Last updated: 1 February 2026
Introduction
Dr SNA Clinic respects your privacy and is committed to protecting your personal information. This Privacy Policy explains how we collect, use, store, share and protect your personal data when you visit our website, contact us, book an appointment, attend a consultation, receive treatment, or otherwise interact with us.
This policy is intended to comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR).
Because we provide healthcare and aesthetic medical services, some of the information we process may include health information and other special category personal data. We treat this information with particular care and in accordance with our legal and professional obligations of confidentiality.
Who We Are
Dr SNA Clinic is a private healthcare and aesthetic medicine clinic operated by Dr Syed Nadeem Abbas, a GMC-registered consultant surgeon.
Clinic name: Dr SNA Clinic
Address: 48 Wimpole Street, Marylebone, London, W1G 8SF
General enquiries: info@drsnaclinic.com
Privacy and data protection contact: privacy@drsnaclinic.com
Phone: +44 (0)20 3846 7111
We are registered with the Care Quality Commission (CQC) and are registered as a data controller with the Information Commissioner's Office (ICO).
For the purposes of data protection law, Dr SNA Clinic is the data controller for the personal data described in this policy, unless we tell you otherwise.
Personal Data We Collect
We may collect and process the following categories of personal data:
Identity and contact information
- Full name
- Date of birth
- Postal address
- Email address
- Telephone number
- Emergency contact details, where relevant
Appointment and communication information
- Enquiries submitted through our website, WhatsApp, email, phone, social media or booking systems
- Appointment details and history
- Consultation notes and records
- Correspondence with you
- Call, message or email records where relevant to your care or enquiry
Health and medical information
- Medical history and current health conditions
- Current medications and known allergies
- Relevant lifestyle information
- Treatment suitability assessments
- Clinical findings, treatment plans and consent forms
- Treatment notes and follow-up records
- Adverse reaction or complication records
- Referral letters or specialist reports, where applicable
Medical photography and images
- Before and after photographs
- Treatment-area photographs
- Images used for clinical records, assessment, treatment planning, monitoring and documentation
We will only use identifiable clinical images for marketing, website, social media or promotional purposes where you have given separate explicit written consent. You may withdraw this consent at any time.
Payment and transaction information
- Payment status and invoice records
- Treatment purchased
- Partial card or transaction references, where provided by payment processors
We do not store full card details. Card payments are processed by regulated third-party payment providers.
Website and technical information
- IP address
- Browser type and version
- Device information
- Pages visited and time of visit
- Referring website
- Cookie identifiers and consent preferences
Please see our Cookie Policy for full details.
Marketing information
- Marketing preferences and consent records
- Advertising interaction data, where applicable and consented to
How We Collect Your Personal Data
We may collect personal data when you:
- Visit our website
- Submit an enquiry or contact form
- Book a consultation or treatment (online, by phone, by email or via WhatsApp)
- Attend the clinic in person
- Complete medical history, consent or assessment forms
- Make a payment
- Subscribe to marketing communications
- Interact with our advertisements or social media pages
- Provide feedback, reviews or testimonials
We may also receive information from third parties where relevant and lawful, such as referring healthcare professionals, laboratories, pharmacies, payment providers, booking platforms, insurers or regulatory and legal advisers.
Why We Use Your Personal Data
We use your personal data for the following purposes:
- To respond to your enquiries and communications
- To book, manage and confirm appointments
- To assess your suitability for treatment
- To provide clinical consultations, treatment and follow-up care
- To maintain accurate clinical and administrative records
- To obtain and record informed consent
- To communicate with you about your care, appointments and treatment
- To process payments and issue invoices or receipts
- To manage refunds, complaints, clinical incidents or disputes
- To comply with our legal, professional, regulatory and safeguarding obligations
- To improve our services and website
- To send marketing communications where permitted by law and your preferences
- To measure the performance of our advertising, where you have consented to relevant tracking cookies
- To protect our legal rights and defend or bring legal claims where necessary
Lawful Bases for Processing
We only process personal data where we have a valid lawful basis under UK GDPR Article 6.
Contract
Where processing is necessary to provide a service you have requested, such as booking a consultation, providing treatment, managing your appointment, or processing payment.
Legal obligation
Where we must process your information to comply with legal, tax, accounting, healthcare, safeguarding, regulatory or professional obligations.
Legitimate interests
Where processing is necessary for our legitimate business or clinical interests, provided your rights and interests do not override them. This may include responding to general enquiries, improving our services, managing clinic security, handling complaints, and preventing fraud.
Consent
Where we rely on your consent, for example for certain marketing communications, non-essential cookies, or the use of identifiable clinical photographs for marketing purposes. You can withdraw consent at any time. Withdrawal will not affect the lawfulness of any processing carried out before consent was withdrawn.
Special Category Data (Health Information)
Health information is special category personal data and receives extra protection under UK GDPR Article 9 and the Data Protection Act 2018.
Where we process your health data, we must have both a lawful basis under Article 6 and a separate condition under Article 9. Depending on the circumstances, we rely on conditions including:
- Processing necessary for the purposes of medical diagnosis, the provision of healthcare treatment, or the management of healthcare systems and services, carried out by or under the responsibility of a healthcare professional subject to a duty of confidentiality (Article 9(2)(h) and Schedule 3, DPA 2018)
- Your explicit consent, where appropriate (Article 9(2)(a)), for example where health data is used in identifiable marketing materials
- Establishing, exercising or defending legal claims (Article 9(2)(f))
Where we use identifiable clinical photographs, testimonials, or before-and-after images for marketing, website, social media or advertising purposes, we will only do so with your separate explicit written consent.
Marketing Communications
We may send you marketing communications where you have given consent or where the law otherwise permits us to do so. Marketing may include information about treatments, clinic updates, promotions, events or educational content.
You can opt out of marketing at any time by:
- Clicking the unsubscribe link in any marketing email
- Contacting us at privacy@drsnaclinic.com
- Replying to any marketing message with a request to unsubscribe
We will never sell your personal data to third parties.
Cookies, Analytics and Advertising Tracking
Our website uses cookies and similar technologies. Strictly necessary cookies are used to make the website function. Analytics, marketing and other non-essential cookies will only be placed on your device where you have given prior, informed consent via our cookie consent banner.
Non-essential cookies are not set by default. You can accept, reject or manage your cookie preferences at any time by clicking 'Manage Cookie Preferences' in the footer of our website.
Please see our Cookie Policy for a full list of cookies used, their purpose, duration and third-party providers.
Sharing Your Personal Data
We do not sell your personal data. We may share it only where necessary and lawful, including with:
- Clinicians and healthcare professionals directly involved in your care
- Administrative staff involved in booking, billing and patient support
- Laboratories, pharmacies, imaging providers or other clinical service providers, where relevant to your care
- Healthcare professionals to whom we refer you or from whom we receive referrals, where applicable
- Payment providers and regulated finance providers, where relevant to your transaction
- CRM, booking, email marketing, IT, website hosting and cloud service providers acting as data processors under written agreements
- Professional advisers, including accountants, insurers, lawyers and indemnity providers
- Regulators, professional bodies, safeguarding authorities, courts or law enforcement, where required by law
- Advertising and analytics providers, where you have consented to the relevant tracking cookies
Payment processors: We use Stripe and/or other regulated payment providers to process payments securely. These providers may process payment data as our processor or as an independent controller for certain purposes, such as fraud prevention, security, regulatory compliance and payment processing, in accordance with their own privacy terms and applicable law.
Advertising platforms: Where you have consented to marketing cookies, data may be shared with Meta Platforms (Facebook and Instagram) and Google LLC for advertising measurement and campaign optimisation. This is subject to your cookie consent choices and may be withdrawn at any time.
International Transfers
Some of our service providers, including Meta Platforms and Google LLC, are based outside the United Kingdom. Where personal data is transferred outside the UK, we take steps to ensure appropriate protection is in place, such as:
- UK adequacy regulations, where applicable
- The UK International Data Transfer Agreement (IDTA)
- The UK Addendum to the EU Standard Contractual Clauses
- Other lawful transfer mechanisms approved by the ICO
For further information about the safeguards in place for any specific transfer, please contact us at privacy@drsnaclinic.com.
How We Protect Your Data
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration or destruction. These measures include:
- Access controls and role-based authentication
- Encrypted storage and secure transmission (HTTPS/TLS)
- Staff confidentiality obligations and training
- Secure disposal of physical and digital records
- Supplier due diligence
- Incident detection and management processes
No transmission over the internet or electronic storage system is completely secure. We take reasonable and proportionate steps to manage these risks. In the event of a personal data breach that is likely to result in risk to your rights and freedoms, we will notify the ICO within 72 hours and will notify you without undue delay where the risk is high.
How Long We Keep Your Data
We keep personal data only for as long as necessary for the purpose for which it was collected, taking into account legal, regulatory, professional, clinical, insurance and accounting requirements.
Clinical records (adults)
Generally retained for at least 8 years from the date of your last treatment or consultation, or longer where required for clinical, legal, regulatory, insurance, safeguarding, complaint-handling or dispute-resolution purposes.
Clinical records (children and young people)
Where records relate to children or young people, they will generally be retained until at least the patient's 25th birthday, or longer where legally or clinically required.
Financial and accounting records
Generally at least 6 years, in accordance with HMRC requirements.
Enquiry records
Typically up to 12 months from the date of enquiry, unless you become a patient or the information is required for legal, regulatory or other legitimate business purposes.
Marketing data
Until you unsubscribe, withdraw consent, or we determine the data is no longer needed.
Cookie consent records
Retained to demonstrate compliance for a reasonable period.
Retention periods may be extended where required by ongoing complaints, disputes, safeguarding matters, regulatory investigations or potential legal claims.
Your Data Protection Rights
Subject to applicable conditions and exemptions under UK data protection law, you have the following rights:
Right of access
Request a copy of the personal data we hold about you.
Right to rectification
Request correction of inaccurate or incomplete personal data.
Right to erasure
Request deletion of your personal data, subject to legal and clinical record-keeping obligations.
Right to restrict processing
Request that we limit how we use your data in certain circumstances.
Right to data portability
Where processing is based on consent or contract and carried out by automated means, request your data in a portable format.
Right to object
Object to processing based on legitimate interests, or to direct marketing at any time.
Rights relating to automated decision-making
We do not use automated decision-making or profiling in relation to your clinical care or access to our services.
Right to withdraw consent
Where we rely on consent, you can withdraw it at any time without affecting prior processing.
Some rights may be limited where we are required to retain information for clinical, legal, regulatory or professional reasons, or where exemptions under the Data Protection Act 2018 apply.
To exercise your rights, please contact: privacy@drsnaclinic.com
Children and Young People
Our clinical services are generally intended for adults aged 18 and over. We do not knowingly provide treatment to those under 18 unless specifically agreed and clinically appropriate, with appropriate consent from a parent or guardian where required.
If we become aware that we have collected personal data from a child where this is not appropriate, we will take reasonable steps to delete it or to obtain appropriate consent where required.
Medical Confidentiality
We treat all patient information as strictly confidential. We will only disclose identifiable clinical information in the following circumstances:
- Where necessary for your direct care and treatment
- Where you have given explicit permission
- Where required or permitted by law or regulation
- Where required by a court, regulatory body or law enforcement authority
- Where there is an overriding public interest or safeguarding concern, in accordance with applicable professional and legal guidance
Our approach to confidentiality is consistent with the duties set out in GMC guidance on confidentiality and the common law duty of confidence.
Complaints
If you have concerns about how we handle your personal data, please contact us in the first instance at privacy@drsnaclinic.com. We will aim to acknowledge your concern promptly and respond substantively as soon as reasonably practicable.
If you remain dissatisfied, you have the right to complain to the Information Commissioner's Office:
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Website: ico.org.uk
Helpline: 0303 123 1113
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, services, legal obligations or regulatory guidance. When we make material changes, we will update the date at the top of this page. Where required, we will notify you directly or seek fresh consent.
We recommend reviewing this policy periodically. The current version will always be available on our website.