Privacy Policy

MySkinPlans Ltd (MySkinPlans) is the data controller for personal information collected when you purchase or use a personalised skincare plan through a clinic-branded MySkinPlans page.

Contact: hello@myskinplans.com.

Depending on how you use the service, we may collect:

• Identity and contact details — name, email address, and optional phone number.
• Questionnaire answers — skin type, concerns, current routine, budget, lifestyle, and related information you provide voluntarily.
• Optional photos — if you choose to upload images to help your practitioner, with your explicit consent at the point of upload.
• Payment information — processed by our payment provider; we do not store full card numbers on our servers.
• Communications — emails you send us and support correspondence.
• Technical data — IP address, browser type, device information, and analytics events where permitted.

• Prepare and deliver your personalised skincare plan.
• Enable a qualified practitioner at your clinic to review and approve your plan.
• Process payments, issue receipts, and handle refunds.
• Send transactional emails (plan delivery, account access, refund confirmations).
• Send optional lifecycle emails where you have given marketing consent.
• Improve the service, prevent fraud, and meet legal obligations.

We rely on the following lawful bases:

• Contract — processing necessary to deliver the plan you purchased.
• Legitimate interests — service improvement, security, and limited analytics on transactional communications.
• Consent — optional photo uploads, marketing emails, and non-essential cookies or tracking where applicable.
• Legal obligation — record-keeping for tax, fraud prevention, and regulatory compliance.

We use trusted processors who handle data only on our instructions and under appropriate contracts:

• Cloud hosting and database (Supabase).
• Payment processing (PayPal or equivalent provider).
• Transactional email (Resend).
• Analytics (PostHog, where enabled).
• Error monitoring (Sentry, where enabled).
• AI and embedding providers used to prepare draft plan content, before practitioner review.

We do not sell your personal data. We may disclose information if required by law or to protect our rights, users, or the public.

• Account and plan records — kept for as long as needed to provide the service and meet legal obligations.
• Optional photos — automatically deleted after 60 days unless a shorter period is stated at upload.
• Payment and refund records — retained as required for accounting and dispute resolution.
• Marketing suppression — if you unsubscribe, we retain a minimal record so we do not contact you again.

You may request deletion of your data via your customer portal or by emailing us. Some records must be kept for legal or accounting reasons even after deletion is requested.

Under UK data protection law you have the right to:

• Access the personal data we hold about you.
• Request correction of inaccurate data.
• Request erasure in certain circumstances.
• Object to or restrict processing in certain circumstances.
• Data portability where processing is based on consent or contract.
• Withdraw consent at any time where processing is consent-based.
• Lodge a complaint with the Information Commissioner's Office (ICO).

To exercise these rights, email hello@myskinplans.com or use the data tools in your customer portal where available.

We use essential cookies to keep you signed in and to operate the service. Where enabled, we use privacy-conscious analytics to understand how pages are used. Non-essential tracking on marketing emails is limited to customers who have opted in.

Some processors may store or process data outside the UK. Where this occurs, we ensure appropriate safeguards are in place (such as standard contractual clauses or UK extension agreements) consistent with UK GDPR requirements.

We may update this privacy policy from time to time. The “Last updated” date at the top of this page will change when we do. Significant changes will be communicated where appropriate.