Privacy Policy

Your Privacy Matters

We are committed to protecting your personal and health data and being fully transparent about how we collect, use, and safeguard it — in line with the GDPR and Maltese law.

Last Updated: 22 June 2026

Section 01

Introduction

Carisma Aesthetics Ltd. (“Carisma Aesthetics”, “we”, “us”, or “our”) is a medical-aesthetics clinic based in St Julian's, Malta. We provide doctor-led aesthetic treatments and related services. This Privacy Policy explains what personal data we collect about you, why and how we use it, who we share it with, how long we keep it, and the rights you have over it.

We process personal data in accordance with the EU General Data Protection Regulation (Regulation (EU) 2016/679, the “GDPR”), the Maltese Data Protection Act (Chapter 586 of the Laws of Malta) and its subsidiary legislation, and guidance issued by the Information and Data Protection Commissioner (IDPC) of Malta. As a clinic handling health information, we apply heightened standards to your medical and special-category data.

By using our website, booking a consultation, or receiving treatment from us, you acknowledge that you have read and understood this Policy. If you do not agree with it, please do not provide us with your personal data.

Section 02

Who We Are (Data Controller)

The data controller responsible for your personal data is:

Carisma Aesthetics Ltd.
Company Registration Number: C 106006
VAT Number: MT30347620
Registered Address: 114, Triq il-Mizura, Swieqi SWQ 2064, Malta
Clinic Location: St Julian's, Malta
Email: info@carismaaesthetics.com
Phone: +356 27802062

For all privacy-related queries, requests, or complaints, please write to the email address above and mark your message for the attention of the Data Protection contact, who is our designated point of contact for privacy matters.

Section 03

Personal Data We Collect

Depending on how you interact with us, we may collect and process the following categories of personal data:

Identity & contact data

  • Full name, title, date of birth, and gender
  • Postal address, email address, and telephone/mobile number
  • Emergency contact details, where you provide them
  • Identification details where required to verify identity or age

Booking, treatment & financial data

  • Appointment history, treatments received, and consultation notes
  • Consent forms and pre/post-treatment instructions
  • Billing name and address, amounts paid, and payment references (we do not store full card numbers — these are handled by our payment provider)
  • Records of correspondence and enquiries (email, phone, WhatsApp, social media, and contact-form messages)

Health & clinical data (special-category)

  • Medical history, allergies, current medication, and relevant lifestyle information
  • Clinical assessment, suitability screening, and treatment records
  • Before-and-after photographs and video taken for clinical documentation and monitoring
  • Adverse-event, complication, and aftercare records

Technical & website data

  • IP address, device, browser, and operating-system information
  • Pages visited, referring URLs, and interactions on our website
  • Cookie and similar tracking-technology data (see Section 7)
  • Email open and click data, for subscribers to our communications

Where we ask you to provide personal data to meet a legal or contractual requirement (for example, a medical history before treatment), failure to provide it may mean we are unable to treat you safely or at all.

Section 04

Health & Special-Category Data

Some of the data we collect — in particular your medical history, the treatments you receive, and clinical photographs — is “special-category” data under Article 9 of the GDPR. We treat this data with additional care.

We rely on the following conditions to process special-category (health) data:

  • Article 9(2)(h) GDPR — processing necessary for the provision of healthcare and treatment, and the management of healthcare services, by or under the responsibility of a health professional bound by a duty of confidentiality;
  • Article 9(2)(a) GDPR — your explicit consent, for example for the use of clinical photographs beyond direct treatment documentation (such as marketing), which you may withdraw at any time;
  • Article 9(2)(c) GDPR — where necessary to protect your vital interests or those of another person, in a medical emergency where you are unable to consent.

Clinical photographs and videos are taken only with your knowledge. We will always obtain your separate, explicit, written consent before using any image that could identify you for marketing, social media, training, or promotional purposes, and you may refuse or withdraw that consent without affecting your treatment.

Section 06

How We Use Your Data

  • Assessing your suitability for treatment and providing safe, appropriate aesthetic care
  • Managing bookings, consultations, reminders, aftercare, and follow-up
  • Maintaining accurate clinical records and documenting outcomes
  • Processing payments, deposits, refunds, and invoicing
  • Responding to your enquiries, requests, and complaints
  • Sending you service messages (e.g. appointment confirmations and changes)
  • Sending marketing communications where you have consented (see Section 13)
  • Operating, securing, and improving our website and services
  • Meeting our legal, regulatory, accounting, and insurance obligations
  • Establishing, exercising, or defending legal claims

Section 07

Cookies & Website Tracking

Our website uses cookies and similar technologies. Strictly necessary cookies are required for the site to function and do not need consent. Analytics, performance, and marketing cookies (for example from Google or Meta) are only set where you give consent through our cookie banner.

You can withdraw or change your cookie preferences at any time via the cookie settings on our website, and you can block or delete cookies through your browser settings. Disabling some cookies may affect how the website works. For detailed information on the specific cookies we use, please refer to the cookie banner and settings on our website.

Section 08

Sharing & Processors

We do not sell your personal data. We share it only where necessary and with appropriate safeguards, including with:

  • Our clinicians and authorised staff, who are bound by confidentiality, to deliver your care
  • Trusted service providers (data processors) acting on our instructions — for example IT, hosting, booking/CRM, payment processing, email and communications, and analytics providers
  • Professional advisers such as accountants, insurers, and lawyers, where necessary
  • Public authorities, regulators, or courts where we are legally required to disclose data
  • A successor entity in the event of a business sale or reorganisation, subject to this Policy

All processors are bound by written contracts that require them to keep your data secure and to process it only on our documented instructions, as required by Article 28 of the GDPR.

Section 09

International Transfers

We aim to keep your personal data within the European Economic Area (EEA). Some of our service providers may process data outside the EEA. Where this happens, we ensure an adequate level of protection by relying on a European Commission adequacy decision, or on appropriate safeguards such as the European Commission’s Standard Contractual Clauses, together with any additional measures required. You may request a copy of the relevant safeguards using the contact details in Section 17.

Section 10

Data Retention

We keep your personal data only for as long as necessary for the purposes set out in this Policy and to meet our legal obligations.

  • Clinical and medical records are retained for the period required by applicable Maltese healthcare and professional standards, and to allow us to defend potential claims.
  • Financial and accounting records are retained as required by Maltese tax and company law (generally a minimum of 10 years for VAT/accounting purposes).
  • Marketing data is retained until you unsubscribe or withdraw consent, after which we keep a suppression record so we do not contact you again.
  • Website and analytics data is retained for limited periods in line with the relevant cookie or tool settings.

When data is no longer needed, we securely delete or anonymise it. The specific retention periods we apply are available on request.

Section 11

Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, alteration, disclosure, or destruction. These include access controls, staff confidentiality obligations and training, secure storage of clinical records, encryption in transit where appropriate, and the use of reputable, security-conscious service providers. No method of transmission or storage is completely secure, but we work continually to protect your data.

Section 12

Your Rights

Under the GDPR and Maltese data-protection law, you have the right to:

  • Be informed about how we use your data (this Policy)
  • Access a copy of the personal data we hold about you
  • Have inaccurate or incomplete data corrected (rectification)
  • Have your data erased in certain circumstances (the “right to be forgotten”)
  • Restrict our processing of your data in certain circumstances
  • Object to processing based on our legitimate interests, and to direct marketing at any time
  • Data portability — to receive certain data in a structured, machine-readable format
  • Withdraw consent at any time, where we rely on consent (without affecting prior processing)

Some rights are subject to exemptions — for example, we may be required to retain clinical records for legal and safety reasons even if you request erasure. To exercise any right, contact us using the details in Section 17. We will respond without undue delay and in any event within one month of receiving your request, as required by law; where a request is complex or we receive several from you, this period may be extended by up to two further months, in which case we will tell you within the first month and explain why. We do not charge a fee unless your request is manifestly unfounded or excessive.

Section 13

Marketing Communications

We will only send you marketing communications (such as offers, news, and treatment information) where you have given consent, or where otherwise permitted by law. Every marketing email contains an easy way to unsubscribe, and you can opt out at any time by contacting us. Opting out of marketing does not stop essential service messages relating to your appointments or care.

Section 14

Children's Data

Our services and website are intended for adults. We do not knowingly market to or collect data from children. Where a treatment may, by exception, be appropriate for a person under 18, it will only be provided following a clinical assessment and with the consent of a parent or legal guardian, in line with applicable law and professional standards. If you believe a child has provided us with personal data without appropriate consent, please contact us and we will take appropriate steps.

Section 15

Data Breaches

We have procedures to detect, report, and investigate personal-data breaches. Where a breach is likely to result in a risk to your rights and freedoms, we will notify the Information and Data Protection Commissioner (IDPC) without undue delay and, where feasible, no later than 72 hours after becoming aware of it. Where the breach is likely to result in a high risk to you, we will also notify you directly without undue delay.

Section 16

Changes to This Policy

We may update this Policy from time to time to reflect changes in our practices or the law. The “Last Updated” date at the top of this page shows when it was last revised. Where changes are significant, we will take reasonable steps to bring them to your attention. We encourage you to review this page periodically.

Section 17

Contact & Complaints

If you have any questions about this Policy, wish to exercise your rights, or want to make a complaint about how we handle your data, please contact us:


Carisma Aesthetics Ltd.

Email: info@carismaaesthetics.com

Phone: +356 27802062

Privacy contact: write to the email address above, marking your message for the attention of the Data Protection contact

You also have the right to lodge a complaint with the supervisory authority in Malta — the Information and Data Protection Commissioner (IDPC), Floriana, Malta — idpc.org.mt. We would, however, appreciate the chance to address your concerns first.