Our Privacy policy

Last updated: 05/04/2026

Version 1.0

1. Who We Are

Cambridge Brow Sanctuary is a specialist beauty and semi-permanent makeup studio based in Cambridge, United Kingdom, offering treatments including microblading, nano brows, ombré/powder brows, lip blush, HD brows, LVL lash lift & tint, anti-wrinkle injections, and laser tattoo removal.

Business name:

Cambridge Brow Sanctuary

Business owner:

Charlotte Hollands

Contact email:

Cambridgebrowsanctuary@gmail.com

Business address:

181 Queen Ediths Way, Cambridge, CB1 8NJ

Website:

www.cambridgebrowsanctuary.co.uk

We are the data controller responsible for your personal data under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

ICO Registration:

We are registered with the Information Commissioner's Office (ICO) as required under the Data Protection Act 2018. Our ICO registration number is: [INSERT ICO REGISTRATION NUMBER].

2. What Data We Collect

2a. Standard Personal Data

We may collect and process the following categories of personal data:

•       Full name

•       Email address

•       Phone number

•       Treatment interest and enquiry details

•       Appointment and consultation details

•       Messages and communication history (via Instagram, WhatsApp, Facebook, SMS, and email)

•       Technical data (including IP address, browser type, device identifiers, and cookies)

•       Payment information (processed securely through third-party payment providers — we do not store card details)

•       Before and after treatment photographs for insurance purposes

•       Before and after treatment photographs (where provided with your explicit consent)

 

2b. Special Category (Health) Data

Because we provide semi-permanent makeup, anti-wrinkle injections, laser tattoo removal, and other aesthetic treatments, we are required to collect certain health-related information to ensure your safety. This is classed as Special Category data under UK GDPR and is subject to additional legal safeguards.

 

This may include:

•       Medical history and current health conditions

•       Medications you are taking

•       Skin conditions, allergies, or sensitivities

•       Contraindications to specific treatments

•       Pregnancy status (where relevant to treatment safety)

 

We will only collect health data that is directly necessary to provide your treatment safely. This data is collected with your explicit consent via a health and consent form completed prior to your appointment. You may withdraw this consent at any time, though doing so may mean we are unable to carry out your treatment safely.

 

3. How We Collect Your Data

We collect personal data through the following means:

•       Enquiry forms on our website (cambridgebrowsanctuary.co.uk)

•       Meta Lead Generation Ads on Facebook and Instagram — when you submit your details in response to one of our advertisements

•       Direct messages or comments on Facebook, Instagram, or WhatsApp

•       Telephone or email contact

•       Booking and appointment forms via Acuity Scheduling (our online booking platform)

•       Health and consent forms completed prior to your treatment

•       Our website, via cookies, Meta Pixel, and analytics tools

•       Email newsletter sign-up forms on our website

 

4. How We Use Your Data

We use your personal data for the following purposes:

•       To respond to your enquiries and questions

•       To assess suitability and book consultations and appointments

•       To send appointment confirmations, reminders, and follow-ups via email, SMS, or WhatsApp — including automated messages sent through our client management system (GoHighLevel)

•       To send automated follow-up messages to enquiries received through our website, Facebook, Instagram, WhatsApp, or SMS, in order to arrange consultations

•       To provide the treatment or service you have requested, including reviewing any relevant health information

•       To provide aftercare support and advice following your treatment

•       To send you marketing communications about our services, offers, and updates (see Section 6)

•       To create Custom Audiences and Lookalike Audiences on Meta (Facebook/Instagram) to improve the targeting of our advertising — this involves securely sharing your contact details with Meta in a protected format

•       To measure and improve the effectiveness of our advertising campaigns using Meta Pixel

•       To analyse website usage and improve our website and services

•       To comply with legal and regulatory obligations

 

5. Legal Basis for Processing

Under UK GDPR, we must have a lawful basis for processing your personal data. We rely on the following bases:

 

•       Consent —

When you submit an enquiry or sign up for marketing communications. You have the right to withdraw consent at any time. For Special Category (health) data, we rely on your explicit consent.

•       Contract —

When processing is necessary to fulfil a booking or deliver a treatment you have requested.

•       Legitimate Interests —

To respond to enquiries, send follow-up messages to potential clients who have engaged with our advertising or website, improve our services, and protect the security of our business. Where we rely on legitimate interests, we have balanced these against your rights and concluded our interests do not override them.

•       Legal Obligation —

Where we are required to retain or process information to comply with a legal or regulatory requirement.

 

For marketing to existing clients and recent enquirers by electronic means (email, SMS, WhatsApp), we rely on the 'soft opt-in' provision under the Privacy and Electronic Communications Regulations (PECR) — see Section 6 for full details.

 

6. Marketing Communications

We may send you marketing messages about our services, promotions, and news by email, SMS, or WhatsApp in the following circumstances:

•       You have given us your explicit consent to receive marketing, or

•       You have previously enquired about or received a service from us, you did not opt out of marketing at the time, and the marketing relates to similar treatments or services (the 'soft opt-in' under PECR)

 

We may use GoHighLevel (our CRM and automation platform) to send automated marketing sequences. These may include follow-up messages after you submit an enquiry through our website or a Facebook/Instagram ad, and post-treatment follow-ups. Each message will make clear who it is from and how to opt out.

 

You can opt out of marketing communications at any time by:

•       Clicking the unsubscribe link in any marketing email

•       Replying STOP to any SMS

•       Contacting us directly at [INSERT EMAIL ADDRESS]

 

Opting out of marketing will not affect your ability to receive service-related messages (such as appointment confirmations and reminders).

 

7. How We Share Your Data

We only share your data with trusted third parties where necessary to operate our business and deliver our services. These parties act as data processors on our behalf and are required to keep your data secure and to use it only for the purposes we specify.

 

Our current third-party processors and platforms include:

 

•       GoHighLevel (CRM and marketing automation) —

Used to manage client enquiries, automate follow-up communications, and send appointment reminders by email, SMS, and WhatsApp. GoHighLevel is a US-based platform — see Section 9 (International Transfers).

•       Acuity Scheduling —

Our online booking platform, used to manage and confirm appointments. Your name, email, phone number, and appointment details are processed by Acuity Scheduling (a Squarespace company, US-based) — see Section 9.

•       Meta Platforms (Facebook and Instagram) —

We use Meta's advertising platform to run Facebook and Instagram Lead Ads. When you submit your details through a Meta Lead Ad, that data is transferred to us via Meta. We may also upload anonymised contact data to Meta to create Custom Audiences for ad targeting. Meta is a US-based company — see Section 9.

•       Payment providers —

We may use third-party payment processors to handle transactions securely. We do not store your full card details.

•       Email and SMS platforms —

Integrated within GoHighLevel or other providers we use to send communications.

•       Website and analytics providers —

We use Squarespace to host our website and Google Analytics (or similar) to understand how visitors use our site.

 

We do not sell, rent, or trade your personal data to any third party.

 

We may disclose your data if required to do so by law or in response to a valid legal request from a public authority.

 

8. Cookies and Tracking Technologies

8a. Cookies

Our website uses cookies — small text files stored on your device — for the following purposes:

•       Strictly necessary cookies —

Required for the website to function. These cannot be disabled.

•       Analytics cookies —

To understand how visitors use our website and help us improve it (e.g. Google Analytics).

•       Marketing and advertising cookies —

To measure the effectiveness of our advertising campaigns and to enable ad retargeting.

 

8b. Meta Pixel

Our website uses the Meta Pixel — a piece of code provided by Meta Platforms — which tracks actions taken on our website (such as viewing a page or submitting an enquiry form) and reports these back to Meta. This allows us to:

•       Measure the effectiveness of our Facebook and Instagram advertising campaigns

•       Show targeted advertising to people who have previously visited our website ('retargeting')

•       Create Lookalike Audiences of people similar to our existing clients

 

The Meta Pixel operates as a cookie and requires your consent before it is activated. You can manage this through our cookie consent banner.

 

8c. Managing Cookies

When you first visit our website, you will be asked to accept or decline non-essential cookies via our cookie consent banner. You can change your preferences at any time through your browser settings or by clearing your cookies. Please note that disabling certain cookies may affect the functionality of our website.

 

For more information on how Meta uses data collected via the Pixel, please see Meta's Data Policy at facebook.com/policy.

 

9. International Data Transfers

Some of the third-party processors we use are based outside the United Kingdom, including in the United States. Under UK GDPR, transferring personal data to countries not covered by a UK adequacy decision requires appropriate safeguards.

 

For transfers to processors in the United States and other non-adequate countries, we rely on the UK International Data Transfer Agreement (UK IDTA) or equivalent Standard Contractual Clauses, and/or ensure that the processors are certified under applicable frameworks. The key processors involved are:

•       GoHighLevel — US-based CRM and automation platform

•       Acuity Scheduling (Squarespace Inc.) — US-based booking platform

•       Meta Platforms — US-based advertising and social media platform

 

We take reasonable steps to ensure these providers maintain appropriate security standards and data protection practices. If you would like more information about the safeguards in place for any specific transfer, please contact us.

 

10. Data Retention

We retain your personal data only for as long as necessary for the purposes described in this policy. Our general retention periods are as follows:

 

•       Client treatment records (standard beauty treatments): 

Retained for 7 years from your last appointment, in line with standard practice for consumer service records.

•       Medical aesthetic records (anti-wrinkle injections, laser treatment): 

Retained for a minimum of 8 years from the date of treatment, in line with clinical record-keeping guidelines.

•       Before and after photographs: 

Retained only for the duration you have consented to, or until consent is withdrawn.

•       Enquiry and marketing data: 

Retained until you opt out or withdraw consent, or for 2 years from your last engagement with us if you have not become a client.

•       Booking records: 

Retained for 7 years for accounting and administrative purposes.

 

When data is no longer required, it is securely deleted or anonymised.

 

11. Data Security

We take appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, alteration, or disclosure. These include:

•       Use of trusted, reputable platforms with built-in security features (GoHighLevel, Acuity Scheduling, Squarespace)

•       Secure, encrypted connections (HTTPS) for all data transmission via our website and booking forms

•       Restricted access to personal data — only Charlotte Hollands and any authorised team members who require it to deliver services

•       Regular review of systems and procedures

 

While we take all reasonable precautions, no method of data transmission or storage can be guaranteed to be 100% secure. If you have concerns about the security of your data, please contact us.

 

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and, where required, notify you directly.

 

12. Your Rights

Under UK GDPR, you have the following rights in relation to your personal data:

 

•       Right of Access —

You can request a copy of the personal data we hold about you (known as a Subject Access Request).

•       Right to Rectification —

You can ask us to correct any inaccurate or incomplete personal data.

•       Right to Erasure —

Also known as the 'right to be forgotten'. You can ask us to delete your personal data, subject to any legal obligation we have to retain it.

•       Right to Restrict Processing —

You can ask us to limit how we use your data in certain circumstances, such as while a dispute about accuracy is resolved.

•       Right to Data Portability —

You can request a copy of your personal data in a structured, commonly used, machine-readable format, to transfer to another provider.

•       Right to Object —

You have the right to object to processing based on legitimate interests or for direct marketing purposes. We will stop processing unless we can demonstrate compelling legitimate grounds.

•       Right to Withdraw Consent —

Where we rely on consent to process your data, you can withdraw that consent at any time. This will not affect the lawfulness of any processing carried out before withdrawal.

•       Rights related to Automated Decision-Making —

You have the right not to be subject to decisions made solely by automated means that have a significant effect on you. Our automated outreach messages do not constitute automated decision-making of this nature, but you may opt out at any time.

 

To exercise any of these rights, please contact us at:

CambridgeBrowSanctuary@gmail.com, 181 Queen Ediths Way, Cambridge, CB1 8NJ

 

We will respond to all valid requests within one calendar month of receipt. Where requests are complex or numerous, we may extend this by a further two months, and we will notify you if this is the case.

 

13. Complaints

If you are unhappy with how we have handled your personal data, please contact us in the first instance so we can try to resolve the matter.

 

If you remain dissatisfied, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection:

 

•       Website: ico.org.uk

•       Telephone: 0303 123 1113

•       Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

 

14. Third-Party Platforms and Their Own Policies

When you interact with Cambridge Brow Sanctuary via third-party platforms, those platforms also collect and process data in accordance with their own privacy policies. We encourage you to review:

 

•       Meta (Facebook and Instagram): facebook.com/policy

•       WhatsApp: whatsapp.com/legal/privacy-policy

•       Google (Analytics): policies.google.com/privacy

•       Acuity Scheduling (Squarespace): squarespace.com/privacy

•       GoHighLevel: gohighlevel.com/privacy-policy

 

We are not responsible for the privacy practices of these third-party platforms and recommend you read their policies directly.

 

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our services, the tools we use, or applicable data protection law. Any changes will be posted on this page with the revised date clearly shown at the top.

 

Where changes are material — for example, where we begin processing a new category of data or use data for a new purpose — we will take reasonable steps to notify you directly (for example by email), where we hold your contact details.

 

We encourage you to review this policy periodically.