Privacy Policy

Privacy Policy

Last updated: 23 October 2025

1. Who we are and how to contact us

This Privacy Policy describes how Freezing Fat (“we”, “us”, “our”) collects, uses, shares and protects personal data when you use freezingfat.co.uk, contact us, or book treatments at our clinics.

2. What data we collect

  • Identity & contact data: name, email, phone, postcode, preferred clinic.
  • Booking & communications data: enquiry messages, appointment details, call‑back/WhatsApp interactions.
  • Health information (special category): information you provide in pre‑treatment questionnaires or consultations (e.g., medical conditions, contraindications).
  • Transaction data: payments and related records (processed via PCI‑compliant providers; we do not store full card numbers).
  • Technical data: device, IP address, pages viewed, referral source, cookie/consent preferences (see our Cookie Policy).
  • Marketing preferences: your opt‑ins/opt‑outs and campaign interactions.

3. How we obtain your data

Directly from you (forms, bookings, calls, WhatsApp), automatically via the Site (e.g., analytics with consent), and from service providers where necessary to operate the Site and bookings.

4. Why we use your data (and legal bases)

We process personal data only where we have a legal basis under the UK GDPR / DPA 2018, such as:

  • Contract – to deliver consultations, bookings and customer support.
  • Consent – for marketing by email/SMS/WhatsApp and for any special category health data you provide for treatment suitability (explicit consent).
  • Legitimate interests – to run, secure and improve our Site; to prevent fraud; to tailor communications to existing customers (balanced against your rights).
  • Legal obligation – to keep certain records and comply with regulatory or tax requirements. Your cookie‑based analytics/advertising data is used only with consent (except for strictly necessary cookies). ICO

5. Special category (health) data

If you choose to share health information for treatment suitability, we will process it only with your explicit consent and on a strict need‑to‑know basis. You may withdraw consent at any time, but this won’t affect prior lawful processing and may affect our ability to provide certain treatments.

6. Sharing your data

We share data with trusted processors who help us run the Site and our services, e.g., website/hosting, booking systems, communications (email/SMS/WhatsApp), analytics (if enabled), payment providers, security/CDN, and professional advisers. These providers act on our instructions and are bound by contracts. If required by law, we may also share data with regulators or law enforcement.

7. International transfers

Some providers may process data outside the UK. Where this happens, we use appropriate safeguards (e.g., UK IDTA or UK Addendum to EU SCCs, or adequacy decisions) to protect your rights.

8. Data retention

We keep data only as long as necessary for the purposes above, including to meet legal, accounting, or regulatory requirements. Example periods:

  • Booking & service records: typically up to 6 years from last interaction (longer where law/regulation requires).
  • Marketing preferences: until you opt out or we delete inactive contacts.
  • Health/clinical records: retain in line with industry/insurer guidance. ⚙︎ TODO – confirm your retention schedule

9. Your rights

Depending on where you live, you may have the following rights. For UK users these are set out by the ICO: access, rectification, erasure, restriction, objection, data portability, and rights related to automated decision‑making. We explain how to exercise them below. ICO

How to exercise your rights Email us at ⚙︎ TODO privacy email and tell us what you need. We may need to verify your identity. We will respond within one month (or explain if we need longer for complex requests). You can also make a complaint to the Information Commissioner’s Office (ICO) if you’re not satisfied with our response. ICO

ICO contact (UK): ico.org.uk / 0303 123 1113.

Additional jurisdiction‑specific information

  • United Arab Emirates (UAE PDPL) – Individuals have rights to access, correction, erasure, restriction, objection and data portability. Complaints can be made to the UAE Data Office. U.AE+1
  • India (DPDP Act 2023) – Data Principals have rights to access information, correction and erasure, grievance redressal, and to nominate a representative; consent must be free, specific and informed, with simple withdrawal. meity.gov.in+1

10. Marketing

We’ll only send you marketing where permitted (e.g., with your consent or as a customer under soft‑opt‑in rules). You can opt out at any time using the link in our messages or by contacting us.

11. Cookies and similar technologies

See our Cookie Policy for details and choices. Non‑essential cookies require your consent.

12. Security

We use appropriate technical and organisational measures to protect personal data. No online service is 100% secure, but we regularly review our controls and our suppliers’ protections.

13. Children

Our services are intended for adults. If you are under 18, please do not submit personal data without a parent or guardian.

14. Changes to this Policy

We may update this notice from time to time. We will post any changes here and update the “Last updated” date.

15. Contact us

Contact us using the buttons at the top of the screen.