Privacy Policy
Quick summary
SkinSafe is compliance software for special-procedures studios (tattoo, piercing, semi-permanent make-up, electrolysis, acupuncture) across England, Wales and Scotland.
This policy explains what we do with your data if you are a studio owner, a practitioner, or a website visitor.
It does not cover client health, screening and consent data. When a studio uses SkinSafe to screen and obtain consent from its clients, the studio is the data controller of that information and we only process it on the studio's instructions. Each studio gives its own clients a separate privacy notice for that.
Questions? privacy@skinsafe.pro
1. Who we are
Salubrious Ltd, a company registered in England and Wales, company number 04051176, registered office C/O Ascot Drummond, Devonshire House, Manor Way, Borehamwood, Hertfordshire, WD6 1QQ, trading as SkinSafe.
- ICO registration number: ZA262968
- Privacy contact: privacy@skinsafe.pro
- Post: Data Protection Lead, Salubrious Ltd, C/O Ascot Drummond, Devonshire House, Manor Way, Borehamwood, Hertfordshire, WD6 1QQ
This policy is governed by the law of England and Wales and complies with the UK GDPR, the Data Protection Act 2018 and the Data (Use and Access) Act 2025.
2. Our two roles — please read this
SkinSafe handles data in two different capacities, and your rights differ depending on which applies.
When we are the processor (the studio is the controller). Client health information, screening answers and consent records belong to the studio that treats the client. The studio decides why and how that data is used; we only act on the studio's documented instructions under a Data Processing Agreement. If you are a client, exercise your rights with the studio, not with us. If you are a practitioner, the professional records that form part of your studio's regulatory compliance also sit here.
When we are the controller (this policy). For the data we need to run the SkinSafe service itself — your account, your log-in and identity, billing, how you use the platform, and our communications with you — we decide why and how it is processed, so we are the controller. The rest of this policy is about that data.
If you are a practitioner — the simple version. Data about you as an account holder (your log-in, identity verification, security, support requests): we are the controller — ask us. Data about your professional credentials held as part of your studio's compliance records (your registration, insurance, the consent packs you create): your studio is the controller — ask your studio. If you are unsure which applies, email us and we will tell you.
3. The data we collect as controller
Account and identity: name, email address, phone number, password (stored only as a secure hash — we never see it), role and permissions.
Studio/business details: studio name, trading name, business address, your relationship to the studio.
Professional information you give us for your own account: registration or licence number, qualifications, insurance details. (Where these also form part of your studio's regulatory records, see section 2.)
Billing: subscription plan, billing contact, payment records. Your card details are handled directly by our payment provider — we do not store them.
Usage and technical data: log-ins, device and browser information, IP address, and audit-trail events (who did what, and when) needed for security and compliance.
Support: the content of messages, emails and calls when you contact us.
Marketing preferences: your choices about optional communications.
4. Why we use it, and our legal basis
| What we do | Legal basis (UK GDPR) |
|---|---|
| Provide the service, manage your account, take payment | Contract (Art 6(1)(b)) |
| Keep the platform secure, prevent fraud, improve the product, defend legal claims | Legitimate interests (Art 6(1)(f)) — backed by a recorded Legitimate Interests Assessment |
| Meet tax, accounting and other statutory duties | Legal obligation (Art 6(1)(c)) |
| Send optional marketing | Consent (Art 6(1)(a)) — withdrawable at any time |
We do not process special-category (e.g. health) data about you as controller. Special-category client data is handled only in our processor role under section 2.
5. Who we share your data with
- Sub-processors who help us run the service — infrastructure and database hosting, licence-document OCR, business-address lookup, and (where applicable) payment processing and email/SMS delivery — each under a written contract that limits them to our documented instructions. The current list, with the country each operates in, is at skinsafe.pro/subprocessors; we update it before adding a new one.
- Professional or regulatory bodies where we are required to verify or report.
- Authorities (e.g. police, courts) where there is a valid legal basis; we tell you unless the law prevents us.
- A buyer or successor if the business is restructured or sold, under confidentiality.
We never sell your data, use it for third-party advertising, or use it to train AI models. Our OCR provider processes licence documents under contractual terms that prohibit training on your data.
6. Where your data is processed (international transfers)
We keep personal data within the UK and the European Economic Area (EEA).
- Storage at rest is in Europe — our infrastructure is hosted with Hetzner (Germany) and our database with Supabase, configured to an EU region.
- Licence-document OCR is processed through our OCR provider's European data-residency endpoint, so that processing also stays in Europe and is not retained.
- The one limited exception is business-address validation: when a studio enters its premises address during onboarding, we use Google's address service to check it. This involves business address data only — never client or health data. Where a studio is a sole trader working from a home address, that address may also be personal data; any resulting transfer is covered by Google's data-processing terms and the UK Addendum to the EU Standard Contractual Clauses.
A current list of sub-processors and the country each operates in is at skinsafe.pro/subprocessors.
7. How long we keep it
| Data | Retention |
|---|---|
| Account data | For as long as you have an account, then 2 years |
| Billing and tax records | 6 years (HMRC requirement) |
| Marketing consent | Until you withdraw it |
| Security and audit logs | 7 years |
Retention of client health and consent records is set by the studio (the controller) and explained in the studio's client notice, not here.
8. How we protect your data
- Encryption in transit (TLS 1.3) and at rest.
- Role-based access — people see only what their job requires.
- Multi-factor authentication on practitioner and admin accounts.
- Access logging and regular access reviews.
- Staff confidentiality agreements and data-protection training.
9. Your rights
You can ask us to:
- give you a copy of your data (access);
- correct inaccurate data (rectification);
- delete data (erasure), where it applies;
- restrict or object to processing;
- provide your data in a portable format;
- withdraw consent (for anything based on consent).
How to ask: email privacy@skinsafe.pro.
Our response time: within one month. We may extend by up to two further months for complex or numerous requests, and will tell you if we do. We may pause that period while we confirm your identity or ask you to clarify the request. Requests are free unless they are manifestly unfounded or excessive.
10. Automated decision-making
We do not make decisions about you by solely automated means that produce legal or similarly significant effects. Where AI assists (for example, helping structure information), a person remains responsible for any decision.
11. Cookies
We use essential cookies only. See our Cookie Policy for details.
12. Complaints
If you are unhappy with how we handle your data:
- Email privacy@skinsafe.pro — we acknowledge and aim to respond within one month.
- You can complain to the Information Commissioner's Office (ICO) at any time, whether or not you contact us first:
  - ico.org.uk/make-a-complaint · 0303 123 1113
  - Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
13. Changes to this policy
We update this policy when the law or our service changes. We notify you of material changes by email and through the platform, and keep a version history below.
Version history
- v3.0 (2026-06-12): rebuilt around the controller/processor split; corrected legal entity; updated for the Data (Use and Access) Act 2025.
14. Contact
Salubrious Ltd, trading as SkinSafe · privacy@skinsafe.pro · C/O Ascot Drummond, Devonshire House, Manor Way, Borehamwood, Hertfordshire, WD6 1QQ
Written in plain English in line with ICO guidance. If anything is unclear, email us and we will explain.