Compliance · 24 May 2026 · 5 min read

Why we treat your client data as Article 9 medical data by default

UK GDPR draws a hard line between ordinary personal data and special-category health data. Aesthetics clinics live on the wrong side of that line and most software doesn’t admit it.

UK GDPR draws a hard line between ordinary personal data, which you may process on any of the Article 6 lawful bases, and the special categories listed in Article 9: data concerning health, racial or ethnic origin, religious or philosophical beliefs, biometric data used to identify someone, sex life or sexual orientation, and a handful of others. Processing Article 9 data is prohibited unless one of the Article 9(2) conditions applies, and explicit consent is the one this post relies on. In practice it also brings tighter retention, stricter access controls, and a mandatory DPIA where the processing is likely to be high risk.

The line matters a lot for aesthetics clinics. The moment you ask a client about pregnancy, prior facial treatments, autoimmune conditions, blood-thinning medication, allergies or skin reactions, which you must do to treat them safely, you are handling data concerning health, and therefore Article 9 data. The ICO has been explicit about this in its guidance to the aesthetics sector.

Most salon-software products started as booking tools for hair and nails. They handle name, phone, email and appointment history: ordinary personal data. When the same product is used by an aesthetics clinic for medical-history forms, the data category shifts, but the software was never built with Article 9 in mind, so the controls are wrong. Forms aren't version-pinned. Audit logs are minimal. Erasure is half-hearted.

We built Covered Beauty in the opposite direction. The default assumption is that every client form you collect might be Article 9, and the system handles it accordingly:

  • Explicit consent at the point of collection. The client ticks a separate box, unbundled from the booking terms, authorising the salon to store medical information specifically for the purpose of safe treatment.
  • Version pinning. Every medical form is stored against the version of the questions that were asked, with a timestamp. A regulator examining a five-year-old appointment can see exactly what was asked at the time, even if the form has changed since.
  • Append-only audit log for every privileged action: access, export, edit, erasure. Each entry records actor, timestamp and before/after state, and entries cannot be edited or deleted.
  • Tighter retention. Where ordinary client data follows our standard retention policy, medical forms can be set to a shorter ceiling and are excluded from general exports unless explicitly requested.
  • Real erasure. When a client exercises their Article 17 right to erasure, we anonymise the personal details (name, email, phone) immediately, keep the financial records HMRC requires for six years, and write the erasure to the audit log.
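Three of the mechanisms in that list (version pinning, an append-only log, and erasure that keeps the financial record) are easy to state and easy to get subtly wrong, so here is an added example that is not Covered Beauty's code: a self-contained sqlite3 model of them. Every table, column and function name in it is an assumption made for illustration, the sample client and forms are constructed, and the choice to delete a client's medical answers at erasure is this example's, not a statement about the product.

```python
# Added example, not Covered Beauty's code: a minimal sqlite3 model of three of the
# controls listed above (form version pinning, an append-only audit log enforced by the
# database, and an Article 17 erasure that anonymises the client row, keeps the invoice
# and logs the erasure). All table, column and function names are assumptions.
import sqlite3
from datetime import datetime, timezone

SCHEMA = """
CREATE TABLE form_version (id INTEGER PRIMARY KEY, questions_json TEXT NOT NULL, published_at TEXT NOT NULL);
CREATE TABLE client (id INTEGER PRIMARY KEY, name TEXT, email TEXT, phone TEXT, erased_at TEXT);
CREATE TABLE medical_form (id INTEGER PRIMARY KEY, client_id INTEGER NOT NULL REFERENCES client(id),
    form_version_id INTEGER NOT NULL REFERENCES form_version(id),  -- pinned at submission time
    answers_json TEXT NOT NULL, explicit_consent_at TEXT NOT NULL, submitted_at TEXT NOT NULL);
CREATE TABLE invoice (id INTEGER PRIMARY KEY, client_id INTEGER NOT NULL REFERENCES client(id),
    amount_pence INTEGER NOT NULL, issued_at TEXT NOT NULL);
CREATE TABLE audit_log (id INTEGER PRIMARY KEY, actor TEXT NOT NULL, event TEXT NOT NULL,
    target TEXT NOT NULL, before_state TEXT, after_state TEXT, at TEXT NOT NULL);
-- Append-only: the database itself rejects any UPDATE or DELETE on the log.
CREATE TRIGGER audit_no_update BEFORE UPDATE ON audit_log BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
CREATE TRIGGER audit_no_delete BEFORE DELETE ON audit_log BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
"""

def now() -> str:
    return datetime.now(timezone.utc).isoformat()

def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")
    db.executescript(SCHEMA)
    return db

def log(db, actor, event, target, before=None, after=None):
    db.execute("INSERT INTO audit_log(actor, event, target, before_state, after_state, at)"
               " VALUES (?, ?, ?, ?, ?, ?)", (actor, event, target, before, after, now()))

def submit_medical_form(db, actor, client_id, answers_json, explicit_consent):
    """Store answers pinned to the form version that was current at submission time."""
    if not explicit_consent:
        raise ValueError("explicit consent is required before storing medical answers")
    version_id = db.execute("SELECT id FROM form_version ORDER BY published_at DESC, id DESC LIMIT 1").fetchone()[0]
    ts = now()
    cur = db.execute("INSERT INTO medical_form(client_id, form_version_id, answers_json, explicit_consent_at,"
                     " submitted_at) VALUES (?, ?, ?, ?, ?)", (client_id, version_id, answers_json, ts, ts))
    log(db, actor, "medical_form.create", f"medical_form:{cur.lastrowid}", after=f"form_version={version_id}")
    return cur.lastrowid, version_id

def erase_client(db, actor, client_id):
    """Article 17: anonymise identifiers now, keep invoices, log the erasure. The log records
    WHICH fields were cleared, never their values, or it would keep a copy of the erased data."""
    before = db.execute("SELECT name, email, phone FROM client WHERE id = ? AND erased_at IS NULL",
                        (client_id,)).fetchone()
    if before is None:
        raise LookupError(f"client {client_id} not found or already erased")
    cleared = [field for field, value in zip(("name", "email", "phone"), before) if value is not None]
    db.execute("UPDATE client SET name = '[erased]', email = NULL, phone = NULL, erased_at = ? WHERE id = ?",
               (now(), client_id))
    # Assumption made by this example: the client's medical answers go with the client.
    # The form_version rows (the questions) stay, because they hold no client data.
    db.execute("DELETE FROM medical_form WHERE client_id = ?", (client_id,))
    log(db, actor, "client.erase", f"client:{client_id}",
        before="cleared:" + ",".join(cleared), after="anonymised; invoices retained")
    db.commit()
    return cleared

def append_only_enforced(db) -> bool:
    """True when both an UPDATE and a DELETE against audit_log are rejected by the triggers."""
    rejected = 0
    for stmt in ("UPDATE audit_log SET actor = 'tampered'", "DELETE FROM audit_log"):
        try:
            db.execute(stmt)
        except sqlite3.DatabaseError:
            rejected += 1
    return rejected == 2

def demo():
    """Constructed walk-through: one client, two form versions, then an erasure request."""
    db = open_db()
    db.execute("INSERT INTO form_version(questions_json, published_at) VALUES (?, ?)",
               ('["pregnant?", "blood thinners?"]', "2025-01-01T00:00:00+00:00"))
    db.execute("INSERT INTO client(name, email, phone) VALUES (?, ?, ?)",
               ("Alex Example", "alex@example.com", "07700 900000"))  # constructed sample client
    db.execute("INSERT INTO invoice(client_id, amount_pence, issued_at) VALUES (1, 12000, ?)", (now(),))
    first_form, v1 = submit_medical_form(db, "staff:jo", 1, '{"pregnant": false, "blood_thinners": true}', True)
    # A question is added later; the earlier form must stay pinned to the version it answered.
    db.execute("INSERT INTO form_version(questions_json, published_at) VALUES (?, ?)",
               ('["pregnant?", "blood thinners?", "allergies?"]', "2026-01-01T00:00:00+00:00"))
    _, v2 = submit_medical_form(db, "staff:jo", 1, '{"pregnant": false, "blood_thinners": true, "allergies": "none"}', True)
    pinned = db.execute("SELECT form_version_id FROM medical_form WHERE id = ?", (first_form,)).fetchone()[0]
    cleared = erase_client(db, "staff:jo", 1)
    return {
        "pinned_unchanged": pinned == v1 and v2 != v1,
        "append_only": append_only_enforced(db),
        "client_row": db.execute("SELECT name, email, phone FROM client WHERE id = 1").fetchone(),
        "forms_left": db.execute("SELECT COUNT(*) FROM medical_form WHERE client_id = 1").fetchone()[0],
        "invoices_kept": db.execute("SELECT COUNT(*) FROM invoice WHERE client_id = 1").fetchone()[0],
        "erasures_logged": db.execute("SELECT COUNT(*) FROM audit_log WHERE event = 'client.erase'").fetchone()[0],
        "cleared": cleared,
    }
```

Calling `demo()` runs the whole flow in memory and returns the checks as a dict. Two design points are worth drawing out. The log's immutability is enforced by triggers in the database rather than by application code, so a bug or a compromised service account cannot quietly rewrite history; in Postgres the same is achieved with a trigger or by revoking UPDATE and DELETE on the log table from the application role. And the erasure entry names the fields that were cleared rather than recording their old values: a before/after log that captured the values would itself be a copy of the data the client asked you to erase, and any log entry that captures medical answers is Article 9 data and needs the same access controls and retention ceiling as the form it came from.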

We’re also ICO-registered and our subprocessors (Supabase, Vercel, Stripe, Resend) are themselves SOC 2 Type II and/or ISO/IEC 27001 certified, all running in EU regions. The detail is on our security page and our DPA.

None of this is exotic for medical software. It is exotic for booking software. We think that gap was a mistake, and we've closed it.

— The team at Covered Beauty
