
Data Security Policy

In order to comply with data protection law, these policies and procedures have been reviewed and updated so that they comply with the UK GDPR and the Data Protection Act 2018, ensuring that we uphold the highest standards of privacy and data protection:

  • Privacy Notice

  • Data Protection Policy and Procedures

  • Records Management Policy

  • Data Security Policy

  • Subject Access Request Procedure

  • Data Breach Reporting Procedures

What is this privacy notice for?

This policy describes how we will collect and use personal data about you. We take your privacy seriously. This notice confirms that Heavenly Beautie ensures that all data is collected, stored, and processed in accordance with current data protection legislation, which includes:

  • The General Data Protection Regulation (UK GDPR), the Law Enforcement Directive (LED), and any applicable national implementing laws, as amended from time to time.

  • The Data Protection Act 2018 (DPA) to the extent that it relates to the processing of personal data and privacy.

This policy applies to all data, regardless of whether it is in paper or electronic format.

We process information about:

  • “Prospects” - potential customers or referrers;

  • “Customers” - who have bought goods or services from us;

  • “Suppliers”, “Associates” - suppliers or potential suppliers of goods or services to us;

  • “Affiliates” - who have signed up to our Affiliate scheme (if we have one).

The Data Controller

Heavenly Beautie processes personal information relating to staff and, therefore, is a data controller.

The GDPR Lead for Heavenly Beautie is Hannah Bonser:

Personal data: Data from which a person can be identified, including data that, when combined with other readily available information, leads to a person being identified.

Sensitive personal data:

Data such as:

  • Racial or ethnic origin

  • Political opinions

  • Religious beliefs, or beliefs of a similar nature

  • Where a person is a member of a trade union

  • Physical and mental health

  • Sexual orientation

  • Whether a person has committed, or is alleged to have committed, an offence

  • Criminal convictions

Processing: Obtaining, recording or holding data.

Data subject: The person whose personal data is held or processed.

Data controller: A person or organisation that determines the purposes for which, and the manner in which, personal data is processed.

Data processor: A person, other than an employee of the data controller, who processes the data on behalf of the data controller.


Our legal bases for collecting data

There are a number of different reasons a company may collect and process personal data under data protection law. The reasons can be:

Consent
If you have given clear consent for us to process your personal data. When we collect your data we will ensure that we only collect the data which is necessary for our services, and only for the specific reasons you have consented to. For example, when you send us a contact form message and tick a box to subscribe to our blog notifications.

Contract
When we need to process important data in order to carry out services set out in a contract between us and an individual or business. For example, if we need to contact you about a service for which you already have a contract with us.

Legitimate interest
In specific circumstances, we may use your data to pursue our legitimate interests, where this would be reasonably expected as part of running a business and does not impact your rights, interests or freedoms. The option to opt out of subscriptions and remove your data will always be presented.


What type of data do we process?

Here at Heavenly Beautie, we take your privacy seriously and will only use your personal information to administer your account and to provide the products and services you have requested from us.

We process data relating to our website visitors, customers, prospects, affiliates, and suppliers to assist in the operations of Heavenly Beautie including executive business support and consultancy for our clients. The data we may process includes:

  • Identity Data includes photographs of you, first name, maiden name, last name, username or similar identifier, marital status, title, date of birth and gender.

  • Contact Data includes billing address, delivery address, email address and telephone numbers.

  • Customer/Affiliate/Supplier Specific Data includes the information not included in other categories which we will collect from those who work with us, including those who apply to work with us such as recruitment information and employment records.

  • Financial Data includes bank account and payment card details.

  • Transaction Data includes details about payments to and from you and other details of products and services you have purchased from us.

  • Demographic Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website, and other information relevant to customer surveys and/or offers.

  • Usage Data includes information about how you use our website and services.

  • Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.

We will only retain the data we collect for as long as is necessary to satisfy the purpose for which it has been collected.

We will not share information about customers with third parties without consent unless the law allows us to.

Any data subject wishing to see a copy of the information about them that Heavenly Beautie holds should contact the data controller.

What Information Do We Process, And Why?

a. Prospect
Most of the information we process comes from you. We process it so we can reply to you, and when you contact us again we know what you asked before, what you were sent, and what you told us.

Typically, we are collecting name, contact details, how we came across you, and background information from you or published by you on social media or freely accessible on the internet, on why you might be interested in our products or services or be a relevant contact for our business.

If you sign up to a newsletter list, you will be sent what you asked for. We normally operate ‘double opt-in’ lists and you will need to reconfirm your subscription before anything is sent. You can unsubscribe at any time by clicking the unsubscribe button on any email.

You are not automatically subscribed to any other lists, but may be invited to join an appropriate one.

If we email you individually using our own email system, or respond to an email sent to us at any of our business email addresses, a copy of that email will also be stored.

If you make an enquiry via our website, we will keep details of that enquiry and response for our data retention period of 7 years.

We do not routinely keep special category data. To the extent we hold this, it was supplied or made publicly available by you.

b. Customer
Once you buy something from us, we will collect information from you at the point of sale.

This will include the information we collect from Prospects (above). We collect your email address, phone number, and postal address so we can provide what we have contracted to, invoice you and keep proper records of our business relationship.

We process your data to support the delivery of goods and services you have bought. We keep records of the goods/services provided to you, and the information you give us, so we can support you when needed and advise you of any additional services you may need.

Financial and credit card details
We do not receive or store your credit card details.

If you pay us by BACS or direct transfer, we know only what the bank tells us, which is usually the name of the person who paid us, the amount and the reference number.
We do not routinely keep credit scores nor use credit reference agencies.


c. Supplier and Associates
We collect information on potential and actual suppliers and associates. This is mostly provided by you, but we do add to it the same kind of data we use for Prospects (see above).

If you become a supplier or associate, we keep a copy of the contract between us and your bank details so we can pay you. We also keep a record of invoices/payments for accounting purposes.

We keep a record of the work you undertook for us/our clients along with any comments, reviews or suggestions about that work including complaints (if any) and their resolution.
This information is all needed to manage our customer relationships and our supply chain.

d. Affiliate
If we set up an affiliate scheme, affiliate data will be held in accordance with this policy. We will ask you for information when you apply, and that information will be kept to administer the affiliate scheme.

e. Website Visitors

For website users, we require this information to understand your needs and provide you with a better service, and in particular for the following reasons:

  • Internal record keeping.

  • We may use the information to improve our products and services.

  • We may periodically send promotional emails about new products, special offers or other information which we think you may find interesting using the email address which you have provided or we have obtained from your company website or other publicly available sources.

  • From time to time, we may also use the information you have provided, or which is publicly available, to contact you for market research purposes. We may contact you by email, phone, or mail. We may use the information to customise the website according to your interests.


How do we protect the data we hold and where is it stored?

We take the security of all the data we hold very seriously. We have a framework of policies, procedures, and training in place covering data protection, confidentiality, and security, and we regularly review the appropriateness of the measures we have in place to keep the data we hold secure.

Like most small businesses, we use mainstream packages for everything from our customer records, to email, to accounting.

This means that some of your data may be held in the EEA, and some may be held in services in the USA (with suitable data privacy shields) or elsewhere. We have picked mainstream suppliers with appropriate security standards.

Some of the security measures currently in place include:

  • Where possible, all personal data is transmitted via our secure online cloud storage.

  • All data is stored online within secure datacentres (within the UK wherever possible).

  • Appropriate anti-virus software is kept up to date on all PCs, laptops and mobile devices.

  • All data is backed up regularly on secure servers.

Use of cookies on this website

This website uses cookies to improve the user's experience while visiting the website. Where applicable, this website uses a cookie control system allowing the user, on their first visit to the website, to allow or disallow the use of cookies on their computer/device. This complies with recent legislative requirements for websites to obtain explicit consent from users before leaving behind or reading files such as cookies on a user’s computer/device.

Cookies are small files saved to the user’s computer’s hard drive that track, save and store information about the user’s interactions with and usage of the website. This allows the website, through its server, to provide the user with a tailored experience within this website.

Users are advised that if they wish to deny the use and saving of cookies from this website onto their computer’s hard drive they should take necessary steps within their web browser’s security settings to block all cookies from this website and its external serving vendors.

This website uses tracking software to monitor its visitors to better understand how they use it. This software is provided by Google Analytics which uses cookies to track visitor usage. The software will save a cookie to your computer’s hard drive in order to track and monitor your engagement and usage of the website, but will not store, save or collect personal information. You can read Google’s privacy policy for further information.

Other cookies may be stored on your computer’s hard drive by external vendors when this website uses referral programs, sponsored links or adverts. Such cookies are used for conversion and referral tracking and typically expire after 30 days, though some may take longer. No personal information is stored, saved or collected.

Email newsletter, marketing information and blog subscriptions

This website operates an email newsletter program, used to inform subscribers about products and services supplied by this website. Users can subscribe through an online automated process should they wish to do so but do so at their own discretion. Some subscriptions may be manually processed through prior written agreement with the user.

Subscriptions are taken in compliance with UK Spam Laws detailed in the Privacy and Electronic Communications Regulations 2003. All personal details relating to subscriptions are held securely and in accordance with the UK GDPR.

Email marketing campaigns published by this website or its owners may contain tracking facilities within the actual email. Subscriber activity is tracked and stored in a database for future analysis and evaluation. Such tracked activity may include: the opening of emails, forwarding of emails, the clicking of links within the email content, and the times, dates, and frequency of activity (this is not a comprehensive list).

This information is used to refine future email campaigns and supply the user with more relevant content based on their activity.

In compliance with UK Spam Laws and the Privacy and Electronic Communications Regulations 2003, subscribers are given the opportunity to update their communication preferences or unsubscribe at any time through an automated system. This process is detailed in the footer of each email campaign. If an automated unsubscription system is unavailable, clear instructions on how to unsubscribe will be detailed instead.

External links on this website

Although this website only looks to include quality, safe and relevant external links, users are advised to adopt a policy of caution before clicking any external web links mentioned throughout this website. (External links are clickable text, banner or image links to other websites.)

The owners of this website cannot guarantee or verify the contents of any externally linked website despite their best efforts. Users should therefore note they click on external links at their own risk and this website and its owners cannot be held liable for any damages or implications caused by visiting any external links mentioned.

Adverts and Sponsored Links

This website may contain sponsored links and adverts. These will typically be served through our advertising partners, who may have detailed privacy policies relating directly to the adverts they serve.

Clicking on any such adverts will send you to the advertiser’s website through a referral program which may use cookies and will track the number of referrals sent from this website. This may include the use of cookies which may, in turn, be saved on your computer’s hard drive. Users should therefore note that they click on sponsored external links at their own risk, and this website and its owners cannot be held liable for any damages or implications caused by visiting any external links mentioned.

Social media platforms

Communication, engagement, and actions taken through external social media platforms that this website and its owners participate on are subject to the terms and conditions, as well as the privacy policies, held with each social media platform respectively.

Users are advised to use social media platforms wisely and to communicate/engage upon them with due care and caution in regard to their own privacy and personal details. Neither this website nor its owners will ever ask for personal or sensitive information through social media platforms, and we encourage users wishing to discuss sensitive details to contact us through primary communication channels such as telephone or email.

This website may use social sharing buttons which help share web content directly from web pages to the social media platform in question. Users are advised that they use such social sharing buttons at their own discretion, and should note that the social media platform may track and save your request to share a web page through your social media platform account.

Shortened Links in Social Media

This website and its owners, through their social media platform accounts, may share web links to relevant web pages. By default, some social media platforms shorten lengthy URLs (web addresses) (this is an example: 

Users are advised to take caution and use good judgement before clicking any shortened URLs published on social media platforms by this website and its owners. Despite the best efforts to ensure only genuine URLs are published, many social media platforms are prone to spam and hacking, and therefore this website and its owners cannot be held liable for any damages or implications caused by visiting any shortened links.

Who do we share data with?

We do not sell or exchange your personal data with organisations that may want to sell you something or use your data for research or other purposes.

In order to carry out our services, Heavenly Beautie must share personal data with some external companies, e.g. software providers, government bodies, banks, auditors, virtual assistants, web designers, IT support, sales and marketing support, accountants, etc. Heavenly Beautie has carried out due diligence to ensure that all of our suppliers comply with the UK GDPR and DPA. Access to data we share is only available to those who need it, and only for the purposes that we agreed when collecting that information.

Your information/advice is held in the strictest confidence. We adhere to strict confidentiality clauses.

How long will we keep data about you?

Heavenly Beautie will only keep personal information for as long as it is needed to provide a service to you. If we no longer provide that service to you or your employer, we will delete the data securely.

If data has become inaccurate or out of date, it will be corrected or disposed of securely. To dispose of records, we will shred or incinerate paper-based records and overwrite electronic files.

We may retain some forms of data after our contract with you has ended in order to comply with the law, after which time it will be disposed of securely.

How do you find out what data is held about you and correct it if it isn't accurate?

Under the UK GDPR data subjects have a right to request access to information Heavenly Beautie holds about them. This is known as a subject access request.

Subject access requests must be submitted in writing, either by letter or email. Requests should include:

  • The data subject's name

  • A correspondence address

  • A contact number and email address

  • Details about the information requested

Data relating to a subject access request will be provided within 30 days and will be free of charge.

To make a subject access request please contact the data controller.

If you find that data held about you is inaccurate or incomplete, please contact the data controller to arrange for this to be rectified.

How do you withdraw consent?

All data subjects have the right to withdraw consent. If you would like to withdraw consent, please email the information below to us, confirming what you would like to withdraw consent for.

Telephone Number:

What would you like to withdraw consent for?

You also have the right to be forgotten or to restrict processing

This means you can ask for us to delete your data completely. As long as we are not required to keep this data by law, it will be deleted from our records.

The only record we will retain is your notice to withdraw consent. This will ensure that if your details are provided again, we are aware not to process them.

You can request to block or restrict the processing of your personal data. You must make a request verbally or in writing to the data controller. Restriction of personal data will usually be for one of the following reasons:

  • an individual contests the accuracy of the personal data, in which case Heavenly Beautie will restrict the processing until we have verified the accuracy of the personal data.

  • an individual has objected to the processing (where it was necessary for the performance of a public interest task or for the purposes of legitimate interests), and Heavenly Beautie is considering whether our business's legitimate grounds override those of the individual.

  • processing is unlawful and the individual opposes erasure and requests restriction instead.

  • Heavenly Beautie no longer needs the personal data, but the individual requires the data to be retained to allow them to establish, exercise, or defend a legal claim.

Your right to make a complaint

If you have a complaint about the way we are handling your information or how we have responded to a request for information or removal, you can take this up in the first instance by emailing us at the email address set out above. If we cannot find a resolution, data subjects have the right to lodge a complaint with the Information Commissioner’s Office.

Monitoring this document

This privacy notice will be reviewed annually by the Data Controller.

Resources and further information

  • Data Protection Policy 2018

  • Privacy and Electronic Communications Regulations 2003

  • Twitter Privacy Policy

  • Facebook Privacy Policy

  • LinkedIn Privacy Policy

Document control

Approved by: Hannah Bonser

Date: 19.08.22

Next review due: 20.08.23

Document Version: Heavenly Beautie/GDPR/01
