Legal · POPIA Compliant
Privacy Policy
Dr Scott Barker Aesthetics is committed to protecting the personal information of every patient and visitor. This policy sets out how personal information is collected, used, stored and protected, in full compliance with the Protection of Personal Information Act 4 of 2013 (POPIA).
Effective date: 1 March 2026 · Last reviewed: 21 March 2026
Section 1
Responsible Party
The responsible party for the purposes of POPIA is:
All enquiries relating to this policy, including requests to access, correct or delete personal information, may be directed to the above contact details.
Section 2
Definitions
The following definitions apply throughout this policy:
- Personal Information — any information that identifies or can identify a natural person, including name, contact details, identity number, health and medical information, financial information, and any correspondence relating to a person.
- Special Personal Information — personal information concerning health or medical history, biometric information, or information concerning the physical or mental health of a data subject, as contemplated in section 26 of POPIA.
- Processing — any operation performed on personal information, including collection, receipt, recording, storage, updating, distribution, erasure or destruction.
- Data Subject — the natural person to whom the personal information relates.
- POPIA — the Protection of Personal Information Act 4 of 2013, as amended.
- Information Regulator — the statutory body established under Chapter 5 of POPIA.
Section 3
Personal Information Collected
The following categories of personal information are collected in the ordinary course of providing aesthetic medical services and operating this website:
Identity and contact information
- Full name and surname
- Email address
- Mobile telephone number
- Residential or postal address (where required for records)
Health and medical information (Special Personal Information)
- Medical history relevant to treatment safety
- Current medications and known allergies
- Previous aesthetic treatments and outcomes
- Skin assessment results, including AI-assisted skin scan results
- Photographs taken for treatment planning and outcome comparison
- Treatment records, including procedure details, products used and post-treatment notes
Booking and communication information
- Preferred appointment dates and times
- WhatsApp or email correspondence
- Chatbot interactions on this website
- Feedback or reviews submitted voluntarily
Website and technical information
- IP address and browser type
- Pages visited and time spent on the website
- Referring URLs and search terms
- Google Analytics data (anonymised)
Health and medical information is classified as Special Personal Information under POPIA and is afforded the highest level of protection. Such information is collected only with the explicit consent of the patient and is used solely for the purposes of providing safe and appropriate aesthetic medical treatment.
Section 4
Lawful Basis for Processing
Personal information is processed on one or more of the following lawful bases as contemplated in POPIA:
- Consent — explicit consent is obtained prior to collecting health and medical information and prior to taking photographs for clinical purposes.
- Contract — processing is necessary for the performance of a contract for the provision of aesthetic medical services to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into such a contract.
- Legal obligation — processing is necessary for compliance with obligations under the National Health Act 61 of 2003, the Health Professions Act 56 of 1974, the Allied Health Professions Act 63 of 1982, and any applicable regulations issued thereunder, including the obligation to maintain accurate patient records.
- Legitimate interest — processing is necessary for the purposes of the legitimate interests of Dr Scott Barker Aesthetics, including appointment management, follow-up communications, and improving the quality of services, provided that such interests are not overridden by the interests, rights or freedoms of the data subject.
Section 5
Purpose of Processing
Personal information is collected and used only for the following purposes:
- Booking, confirming and managing patient appointments
- Assessing suitability for and safely administering aesthetic medical treatments
- Maintaining accurate patient treatment records as required by applicable health legislation
- Sending post-treatment follow-up communications and care instructions
- Sending appointment reminders and relevant communications about bookings
- Providing AI-assisted skin analysis results where the skin scan feature is used
- Responding to queries and communications from patients and prospective patients
- Analysing website usage to improve user experience and service delivery
- Complying with legal and regulatory obligations
Personal information is not used for any purpose that is incompatible with the purposes set out above, and is not used for unsolicited direct marketing without separate and specific consent.
Section 6
Sharing of Personal Information
Personal information is not sold, rented or traded to any third party.
Personal information is shared only in the following limited circumstances:
- Service providers — third-party service providers who process personal information on behalf of Dr Scott Barker Aesthetics in order to provide technical infrastructure and communication services, including Brevo (email delivery), n8n (workflow automation hosted on Hetzner VPS), and Google Analytics. These providers are contractually bound to process personal information only as instructed and to maintain appropriate security measures.
- Referral practitioners — where a patient is referred to another medical practitioner for a purpose related to the patient's treatment, relevant medical information is shared only with the patient's consent.
- Legal obligation — where disclosure is required by law, court order, or order of the Information Regulator, or where disclosure is necessary to protect the rights or safety of any person.
All third-party service providers who process personal information on behalf of Dr Scott Barker Aesthetics are required to maintain appropriate technical and organisational safeguards consistent with the requirements of POPIA.
Section 7
Retention of Personal Information
Personal information is retained only for as long as is necessary to fulfil the purposes for which it was collected, or as required by applicable law.
- Patient medical records — retained for a minimum of six years from the date of the last treatment, in accordance with the requirements of the National Health Act and the rules of the Health Professions Council of South Africa.
- Appointment and communication records — retained for a period of two years from the date of the last interaction.
- Website analytics data — retained in anonymised form in accordance with Google Analytics data retention settings, not exceeding 26 months.
- Skin scan results and photographs — retained only for the duration necessary for the purpose of the assessment and any associated treatment, and deleted upon request unless retention is required for medical record purposes.
Upon expiry of the applicable retention period, personal information is securely deleted or anonymised.
Section 8
Security of Personal Information
Appropriate technical and organisational measures are implemented to protect personal information against loss, damage, unauthorised access, disclosure, interference or destruction. These measures include:
- HTTPS encryption across all pages of the website
- Secure server infrastructure hosted within compliant data centres
- Access controls limiting personal information to authorised persons only
- Regular review of security practices and procedures
- The reCAPTCHA service on the skin scan feature to prevent automated abuse
In the event of a security compromise that is reasonably likely to affect the personal information of data subjects, the Information Regulator and affected data subjects will be notified as required by section 22 of POPIA.
Section 9
Rights of Data Subjects
Under POPIA, every data subject has the following rights in respect of their personal information:
- Right of access — the right to request confirmation of whether personal information is held, and to request a copy of that information.
- Right to correction or deletion — the right to request that personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or unlawfully obtained be corrected or deleted, subject to any legal obligation to retain such information.
- Right to object to processing — the right to object, on reasonable grounds, to the processing of personal information where such processing is based on legitimate interests.
- Right to object to direct marketing — the right to object at any time to the use of personal information for the purposes of direct marketing by means of unsolicited electronic communications.
- Right to withdraw consent — where processing is based on consent, the right to withdraw that consent at any time, without affecting the lawfulness of processing carried out prior to withdrawal.
- Right to lodge a complaint — the right to lodge a complaint with the Information Regulator if there are reasonable grounds to believe that personal information has been processed in violation of POPIA.
To exercise any of the above rights, contact Dr Scott Barker Aesthetics using the details in Section 1. A response will be provided within a reasonable time and in accordance with the requirements of POPIA.
Section 10
Cookies and Website Tracking
This website uses Google Analytics to collect anonymised data about how visitors use the site. Google Analytics uses cookies — small text files placed on a visitor's device — to collect information such as pages visited, time spent on the site and the source of the visit. This data is used solely to understand and improve the performance of the website.
Google Analytics data is processed by Google LLC in accordance with Google's Privacy Policy. IP addresses are anonymised before being recorded. No personally identifiable information is transmitted to Google Analytics.
This website also uses reCAPTCHA (provided by Google LLC) on the skin scan feature to protect against automated abuse. reCAPTCHA collects hardware and software information for anti-spam purposes. This data is processed in accordance with Google's Privacy Policy.
Visitors who do not wish to be tracked by Google Analytics may install the Google Analytics Opt-out Browser Add-on.
Section 11
Children's Personal Information
This website and the services offered by Dr Scott Barker Aesthetics are not directed at persons under the age of 18 years. Personal information of persons under the age of 18 is not knowingly collected through this website without the verifiable consent of a parent or legal guardian. Where it comes to the attention of Dr Scott Barker Aesthetics that personal information of a minor has been collected without appropriate consent, such information will be deleted promptly.
Section 12
Cross-Border Transfer of Personal Information
Personal information may be transferred to or processed in countries outside of South Africa only where:
- the recipient country has adopted laws substantially similar to the conditions for the lawful processing of personal information as set out in POPIA; or
- the data subject has consented to the transfer; or
- the transfer is necessary for the performance of a contract between the data subject and the responsible party; or
- the transfer is for the benefit of the data subject and it is not reasonably practicable to obtain the consent of the data subject.
Third-party service providers used (including Brevo, Google, and Hetzner) may process data in their respective jurisdictions. Each of these providers maintains data protection standards consistent with applicable law.
Section 13
Complaints to the Information Regulator
Any data subject who believes that their personal information has been processed in a manner inconsistent with POPIA has the right to lodge a complaint with the Information Regulator of South Africa:
It is recommended that concerns be raised with Dr Scott Barker Aesthetics in the first instance before approaching the Information Regulator, to allow for prompt resolution.
Section 14
Amendments to This Policy
This policy is reviewed periodically and may be amended to reflect changes in applicable law, regulatory guidance, or practice. The effective date at the top of this page will be updated whenever material changes are made. Continued use of this website or the services of Dr Scott Barker Aesthetics following the publication of an amended policy constitutes acceptance of the amended terms.
For significant changes affecting the processing of Special Personal Information, affected data subjects will be notified directly where reasonably practicable.
Section 15
Contact and Queries
For any questions, concerns or requests relating to this policy or to the processing of personal information, contact Dr Scott Barker Aesthetics directly: