CoLaz Aesthetics Clinic

Legal

Privacy Policy

Last updated: 26 May 2026


In short

CoLaz takes your privacy seriously. We collect personal data only when you choose to share it (booking a consultation, signing up for the newsletter, messaging us on WhatsApp), we use it only to deliver the service you asked for, and we keep it only as long as we need to. You can ask to see, correct or delete your data at any time. If you are not happy with how we handle it, you can complain to the Information Commissioner's Office (ICO).

1. Who we are

CoLaz Aesthetics Clinic (also trading as CoLaz Advance Beauty Specialist) is a UK aesthetic clinic group with seven locations in Derby, Wembley, London Paddington, Slough, Reading, Southall and Hounslow. Each clinic is independently owned and operated as a franchise of the CoLaz brand.

For the purposes of UK data protection law, the data controller for enquiries made through this website is:

  • COLAZ FRANCHISING LTD (trading as CoLaz Aesthetics Clinic)
  • Registered office: 84 High Street, Slough, England SL1 1EL
  • UK Companies House number: 08550943
  • Contact: [email protected]

When you book a treatment or attend a consultation at a specific CoLaz clinic, that clinic becomes a joint data controller for the treatment records held about you. Your treatment records are held by the clinic that delivered the treatment, not by the brand.

2. What information we collect

We only collect information you choose to give us, plus a small amount of technical data your browser sends automatically.

From you, when you fill in a form or message us

  • Your name and contact details (email, mobile number).
  • The clinic you have chosen.
  • The treatment or concern you are asking about.
  • Anything else you choose to tell us in the message field.
  • WhatsApp messages you send us, including any photos you attach.
  • Newsletter sign-up email address (if you choose to subscribe).
  • Franchise enquiry details (if you complete the franchise form).

In clinic, before and during your treatment

  • Your medical history relevant to the treatment.
  • Consent forms you sign.
  • Skin assessments, patch test results and treatment notes.
  • Before-and-after photographs, but only with your specific written consent.
  • Payment details, processed by our payment provider (we do not store full card numbers).

Automatically, when you use this website

  • Your IP address, browser type and operating system.
  • The pages you visit, the time spent on each page and the page you came from.
  • Cookie identifiers (see the Cookies section below).

3. How we use your information and our lawful basis

UK GDPR requires us to tell you the lawful basis on which we use each category of data. Here is ours:

| What we do | Lawful basis |
| --- | --- |
| Reply to your consultation enquiry and book your appointment. | Performance of a contract (or steps before entering one). |
| Deliver your treatment, including taking and storing clinical notes. | Performance of a contract, plus our public interest duty to keep accurate medical records. |
| Send you the newsletter you signed up for. | Your consent. You can withdraw it any time using the unsubscribe link. |
| Send you appointment reminders and aftercare instructions. | Legitimate interests (keeping you safe and informed about your treatment). |
| Improve the website using anonymised analytics. | Legitimate interests. We use Google Analytics 4 with IP-anonymisation. |
| Use before-and-after photos in marketing. | Your explicit, separate written consent. You can revoke it any time. |
| Keep your records to comply with medical-records retention rules. | Legal obligation. |

We do not sell your data, ever. We do not use your data for automated decision-making or profiling.

4. Who we share your information with

We share your data only with the people and services we need to in order to run the clinic. Each one is bound by a written data-processing agreement.

  • Your chosen clinic team. The clinic you pick is the team that receives your enquiry, books your appointment and delivers your treatment.
  • Resoclinx. Each CoLaz clinic uses the Resoclinx platform to manage appointments and treatment records, including WhatsApp messages you send to a clinic number. Resoclinx processes your data on the clinic's behalf under a UK-GDPR-compliant agreement.
  • Zoho Mail. Email enquiries are sent and stored in our Zoho mailbox. Zoho is a UK-GDPR-compliant provider.
  • Cloudflare. This website is hosted on Cloudflare. Cloudflare processes a small amount of technical data (IP address, browser type) to deliver the site and protect it from attacks.
  • Google Analytics 4. We use GA4 with IP-anonymisation to understand which pages help people most. You can opt out using the cookie controls on this site.
  • Payment provider. Card payments are processed by our payment gateway directly; we never see or store your full card number.
  • Regulators and authorities. If we are legally required to disclose data (for example, under a court order or to the police), we will.

We do not transfer your data outside the UK or European Economic Area except where a processor (such as Cloudflare) is headquartered in the US. Where we do, we rely on the UK International Data Transfer Agreement or equivalent safeguards.

5. How long we keep your information

  • Consultation enquiries that did not lead to a booking: up to 2 years from your last contact with us, then deleted.
  • Treatment records (clinical): kept by the treating clinic for the period required by the regulator and our insurer. Typically 8 years from the date of your last treatment for adults; longer for minors (until their 25th birthday or 8 years after last treatment, whichever is later).
  • Photographs used in marketing: kept until you ask us to remove them.
  • Newsletter subscriptions: kept until you unsubscribe.
  • Website analytics: anonymised and retained for 26 months in GA4.
  • Financial and tax records: 6 years, as required by HMRC.

6. Your rights

Under UK GDPR you have the right to:

  • Be told what data we hold about you.
  • Get a copy of that data (a "subject access request").
  • Have inaccurate data corrected.
  • Have your data erased, where the law allows.
  • Restrict how we use your data.
  • Object to us using your data (especially for direct marketing).
  • Receive your data in a portable, machine-readable format.
  • Withdraw consent any time, where we relied on consent in the first place.

To exercise any of these rights, email [email protected]. We will reply within one calendar month. We may need to verify your identity before we release any data.

7. Cookies

Cookies are small text files saved on your device by the websites you visit. CoLaz uses three kinds:

  • Strictly necessary: required to make the site work (for example, remembering your clinic choice on the WhatsApp selector). These are always on.
  • Analytics: Google Analytics 4 with IP-anonymisation, so we can see which pages are useful. You can turn these off in your browser settings or via a privacy add-on.
  • Marketing: we do not currently use marketing or advertising cookies. If we add any in future, we will ask for your consent first.

Most browsers let you block all cookies, block third-party cookies only, or delete cookies after each session. Blocking cookies will not stop you using the site, but some convenience features may not work.

8. How we protect your information

The website is served over HTTPS. Form submissions and WhatsApp messages are encrypted in transit. Clinical records are held in Resoclinx with role-based access controls so only the staff who need them can see them. Despite our best efforts, no internet transmission is ever completely secure and you accept that risk by using the site.

If we discover a data breach that is likely to risk your rights or freedoms, we will tell you and the ICO within 72 hours.

9. Children

CoLaz treatments are for adults aged 18 and over. We do not knowingly collect data from anyone under 18. If you are a parent or guardian and believe your child has shared data with us, please email us and we will delete it.

10. Changes to this policy

We update this policy when our practices change or when the law requires it. The "Last updated" date at the top tells you when the current version took effect. We will draw your attention to material changes (for example, a new third-party processor or a new lawful basis).

11. How to complain

If you are unhappy with how we handle your data, please email us first at [email protected] and give us the chance to fix it. If you are still unhappy, you can complain to the UK regulator:

  • Information Commissioner's Office
  • Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
  • Helpline: 0303 123 1113
  • Online: ico.org.uk/make-a-complaint

12. Contact

For any data protection question, email [email protected] or write to us at the registered office above.


This policy is governed by the laws of England and Wales.