Privacy Policy

1. Introduction

At The Skin and Laser Clinic, your trust matters as much as your skin health. This Privacy Policy explains how we collect, use and look after the personal information you share with us when you visit theskinandlaserclinic.co.za, contact us, book a treatment or attend the clinic. It is written to align with South Africa's Protection of Personal Information Act, 4 of 2013 (POPIA), and to be transparent about exactly what happens with your information.

2. Who we are

The Skin and Laser Clinic is the Responsible Party in terms of POPIA for the personal information described in this policy.

3. Personal information we collect

We only collect what we genuinely need to care for you well and to run the clinic responsibly. Depending on how you interact with us, this may include:

• Contact details — your name, email address and phone number.
• Medical and skincare history — information relevant to consultations and treatments, including allergies, medications, previous procedures and skin concerns. POPIA treats this as special personal information. Section 32 allows medical professionals to process health information without separate consent where it is necessary for the proper provision of care, which is the basis we rely on for clinical records.
• Appointment, treatment and consultation records — notes, photographs (where you have agreed to them) and aftercare instructions specific to you.
• Payment information — processed securely by our payment partners. We do not store full card numbers on our systems.
• Online identifiers — IP address, device and browser type, referring URL and pages visited, collected through cookies and analytics when you use our website.

4. How we use your information

POPIA, in section 11, requires us to have a lawful basis for every use of your personal information. We rely on the following:

• Performance of a contract / service delivery — to provide consultations, treatments, bookings, follow-up care and aftercare communication.
• Compliance with a legal obligation — to keep records required by the Health Professions Council of South Africa (HPCSA), tax authorities and other applicable regulations.
• Legitimate interest — to keep our website and clinic secure, prevent fraud, understand how the site is used and improve our service.
• Consent — for marketing communications, optional newsletter sign-ups and non-essential cookies once our cookie banner is live. You can withdraw consent at any time.

5. Cookies and tracking technologies

Our website uses cookies and similar technologies for the purposes below. A category-level cookie consent banner is currently in development. Until it is live, you can manage cookies through your browser settings or use the opt-out tools linked in each category.

Strictly necessary

Session, security and CSRF cookies that allow the site to function safely. These are always on and cannot be switched off without breaking core features.

Analytics

We use Google Analytics 4, loaded through Google Tag Manager, to understand how visitors use the site in aggregate (which pages are popular, where visitors come from, how long they stay). You can read Google's privacy policy at policies.google.com/privacy and opt out of Google Analytics at tools.google.com/dlpage/gaoptout.

Advertising

We use Google Ads conversion tracking, and remarketing where applicable, to measure how well our campaigns work. You can manage your ads preferences at adssettings.google.com.

Form security

We use Google reCAPTCHA Enterprise on our forms to protect them from automated abuse. Use of reCAPTCHA is subject to Google's privacy policy and terms of service.

Booking

Our booking widget is provided by Fresha. When you book through it, your information is processed by Fresha as well. You can read their privacy policy at fresha.com/privacy-policy.

6. Sharing with third parties

We do not sell your personal information. We do share it with carefully chosen processors who help us run the clinic and the website. Some of these processors are based outside South Africa, so transfers may take place under section 72 of POPIA, which permits cross-border transfers where the recipient is subject to comparable data-protection safeguards.

• Google LLC (USA) — analytics and advertising. Google maintains adequate data-protection mechanisms for international transfers.
• Fresha (United Kingdom) — booking and appointment management.
• Sanity (Norway / USA) — content management for the website.
• Netlify (USA) — website hosting and edge delivery.
• Medical referrals — only where you have given consent or where we are legally required to share information for your care.

7. Security safeguards

In line with section 19 of POPIA, we take reasonable technical and organisational steps to keep your information safe. These include HTTPS encryption across the website, access controls on clinic and admin systems, ongoing staff training on confidentiality, and choosing third-party processors who maintain recognised security standards. No system is ever 100% secure, but we work to make sure your information is treated with the care it deserves.

8. Retention

In line with section 14 of POPIA, we keep personal information only for as long as we genuinely need it.

• Treatment records — kept for at least six years from the date of your last consultation, in line with HPCSA guidelines. Records relating to minors are kept for longer where required by law.
• Marketing data — kept until you opt out or ask us to remove it.
• Website analytics — Google Analytics 4 is currently set to its default user-and-event retention of 14 months.

9. Your rights under POPIA

POPIA gives you meaningful rights over your information. You have:

• Right of access (s.23) — to ask for a copy of the personal information we hold about you.
• Right of correction (s.24) — to ask us to fix information that is inaccurate or out of date.
• Right to deletion (s.24(1)(d)) — to ask us to delete information, subject to legal retention rules (such as HPCSA recordkeeping).
• Right to object (s.11(3)) — to object to processing that is based on our legitimate interests.
• Right to lodge a complaint (s.99) — with us first, and then with the Information Regulator if you are not satisfied.

To exercise any of these rights, please email our Information Officer using the contact details in section 10.

10. Contact our Information Officer

For any questions about this policy or to exercise your POPIA rights, please contact our Information Officer:

11. How to lodge a complaint with the Information Regulator

If you feel we have not handled your personal information appropriately and we have not been able to resolve it directly, you may lodge a complaint with the Information Regulator of South Africa:

• Postal address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
• Complaints email: complaints.IR@justice.gov.za
• Website: inforegulator.org.za

12. Children's privacy

In line with sections 34 and 35 of POPIA, we do not knowingly collect personal information from anyone under 18 without the consent of a parent or legal guardian. Treatments for minors require a guardian to be involved in the consultation and consent process.

13. Changes to this policy

We may update this policy from time to time as our services, technology or the law change. Material changes will be flagged on the website. The date at the top of this page shows when this policy was last updated.

14. Related policies

Read our Terms & Conditions for the rules that govern your use of this site and our services.