Legal & Privacy

Privacy Policy

This policy explains how Santi London (“we”, “our”, “us”) collects, uses, stores and shares your personal data when you visit our website, contact us, or receive services in-clinic.

Effective date:

1) Who we are

Santi London is a wellness, aesthetics and medical clinic based in South Kensington.

Clinic address

33 Thurloe Street, South Kensington, London SW7 2LQ, United Kingdom

For privacy laws, we are the data controller of your personal data.

2) Data we collect

  • Identity data: name, title, date of birth, gender.
  • Contact data: email, phone number, postal address, WhatsApp contact.
  • Booking & service data: treatments booked, appointment history, communications.
  • Health (special category) data: medical history, allergies, medications, treatment notes, photographs used for assessment (with consent).
  • Technical data: IP address, device and browser type, pages visited, cookies and similar technologies.
  • Payment data: transaction details from payment processors (we do not store full card numbers).
  • Marketing preferences: your subscriptions and consent choices.
  • Media: images you upload or that we capture in-clinic with your consent for clinical records.

We collect data directly from you, from devices you use on our site, and—where applicable—from referrers you authorise.

3) How we use your data

  • To provide treatments and manage appointments.
  • To assess clinical suitability and maintain accurate records.
  • To send essential communications (confirmations, reminders, updates).
  • To respond to enquiries and provide customer support.
  • To improve our website, services and training.
  • To conduct marketing with your consent or where permitted by law.
  • To comply with legal, regulatory and insurance obligations.

4) Lawful bases

  • Contract: to deliver services you request.
  • Legal obligation: to meet healthcare, tax or regulatory duties.
  • Legitimate interests: to operate and secure our services, improve quality, and communicate necessary information.
  • Consent: for marketing, use of certain cookies, and some processing of special category (health) data and images. You can withdraw consent at any time.

5) How long we keep data

  • Medical/aesthetic records: generally retained for a minimum of 10 years in line with healthcare guidance.
  • Marketing data: kept until you unsubscribe or withdraw consent.
  • Cookies/analytics: per our Cookie Policy and tool settings.
  • Other records: no longer than necessary for the purpose collected.

6) Sharing your data

We only share data where necessary, for example with:

  • Authorised clinicians, therapists and administrative staff.
  • Trusted service providers (e.g. booking, email/SMS, cloud hosting, secure file storage, analytics).
  • Payment processors for transactions (we do not store full card details).
  • Regulators, insurers or legal authorities when required by law.

We do not sell your personal data.

7) International transfers

Your data may be processed outside the UK/EEA by some providers (e.g. secure cloud, communications, AI-assisted tools). Where this occurs, we use appropriate safeguards such as Standard Contractual Clauses or other lawful transfer mechanisms.

8) How we protect data

  • Encryption in transit and at rest where feasible.
  • Access controls based on role and necessity.
  • Staff training and confidentiality agreements.
  • Regular updates, backups and security monitoring.
  • Incident response and breach notification procedures.

9) Your rights

You have the following rights under UK GDPR (subject to conditions and exemptions):

  • Access – request a copy of your personal data and information about how it’s used.
  • Rectification – correct inaccurate or incomplete data.
  • Erasure (“right to be forgotten”) – request deletion where data is no longer needed or consent is withdrawn (subject to legal retention duties).
  • Restriction – request we limit processing in certain circumstances.
  • Portability – receive your data in a structured, machine-readable format (e.g. CSV/JSON) and transmit it to another controller.
  • Object – to processing based on legitimate interests and to direct marketing at any time.
  • Withdraw consent – where processing relies on consent; withdrawal does not affect prior lawful processing.
  • Automated decisions – where used, you can request human review and to express your point of view.

To exercise any right, email privacy@santilondon.com. We may request proof of identity. We aim to respond within one month of receiving a valid request (extensions may apply for complex cases).

You can also lodge a complaint with the UK Information Commissioner’s Office (ICO): ico.org.uk.

We use cookies and similar technologies to operate our site, remember preferences, and analyse performance. You can manage cookies via your browser or our on-site controls where available.

See our Cookie Policy for details on types, purposes and retention.

11) Marketing

We only send marketing communications with your consent or where permitted by law. You can unsubscribe at any time using the link in our emails or by contacting us.

Operational messages (e.g. booking confirmations, updates) are not marketing and will still be sent as needed to deliver our services.

12) Changes to this policy

We may update this policy to reflect changes in our practices or legal requirements. We will post the updated version here with a new effective date.

Last updated:

13) Contact us

If you have questions, requests, or complaints about this policy or your data, contact:

Santi London Data Controller
33 Thurloe Street, South Kensington, London SW7 2LQ, United Kingdom
Tel: +44 (0)20 7584 7000
Email: privacy@santilondon.com

© Santi London · Terms · Cookie Policy