Privacy Policy
Last updated: 31 May 2026
1. Who we are
This website is operated by Dr. Bernhard Louw, trading as Bernhard Louw Aesthetics. Dr. Louw is a medical doctor and the data controller responsible for your personal data.
Contact: bernhard@bernhardlouw-aesthetics.com
Website: www.drberns.ie
[LEGAL REVIEW REQUIRED] Confirm registered business address and, if applicable, company registration number or sole trader details.
2. What data we collect and why
2.1 Contact form
When you submit a consultation enquiry via our contact form, we collect your name, email address and optionally your phone number and message. We use this to respond to your enquiry and to arrange a consultation.
Legal basis: Legitimate interests (Article 6(1)(f) GDPR), responding to prospective patient enquiries; and, where the enquiry relates to your health, explicit consent (Article 9(2)(a) GDPR).
2.2 Online appointment booking (Phorest)
Appointment bookings are handled by Phorest Salon Software, an Irish company. When you book through Phorest, your data (name, contact details, appointment information) is processed by Phorest under their own Privacy Policy. We receive booking confirmation and appointment details as part of our clinical management.
Legal basis: Performance of a contract (Article 6(1)(b) GDPR), fulfilling your appointment request.
Phorest Privacy Policy: www.phorest.com/privacy-policy
2.3 Analytics (Google Analytics 4)
With your consent, we use Google Analytics 4 (via Google Tag Manager) to understand how visitors use this website: pages visited, time spent, device type, and approximate geographic location. This data is aggregated and anonymised; it does not identify you personally.
Legal basis: Consent (Article 6(1)(a) GDPR). You may withdraw consent at any time via our Cookie Settings link.
Google's Privacy Policy: policies.google.com/privacy
2.4 Health data
Medical aesthetic treatments involve processing special category health data (Article 9 GDPR). Any health information you provide, whether through our contact form, during consultation, or during treatment, is processed strictly for the purpose of providing your care. We never use health data for marketing.
Legal basis: Explicit consent (Article 9(2)(a)) and, where applicable, necessity for the provision of health care (Article 9(2)(h)).
[LEGAL REVIEW REQUIRED] Confirm whether a formal Article 9 policy is required under Irish health data regulations and whether a Data Protection Impact Assessment (DPIA) is needed for special category data processing.
3. How long we keep your data
Consultation enquiry data (contact form submissions) is retained for 12 months from the date of enquiry, or longer if a treatment relationship is established.
Patient records (where a consultation or treatment occurs) are retained in accordance with Irish Medical Council guidelines, typically 8 years for adult patients and until age 25 for patients who were minors at the time of treatment.
[LEGAL REVIEW REQUIRED] Confirm exact retention periods with your solicitor and/or medical defence organisation, and verify compliance with Irish Medical Council guidance on patient record retention.
4. Who we share data with
We do not sell your personal data. We share data only with:
- Phorest: for appointment booking and clinic management
- Google LLC: for website analytics (with your consent)
- Netlify: our website hosting provider, who processes contact form submissions on our behalf
- Medical defence organisations or insurers: where required by law or in relation to a clinical matter
[LEGAL REVIEW REQUIRED] Confirm whether formal Data Processing Agreements (DPAs) are in place with each processor, particularly Netlify and Phorest.
5. International transfers
Google Analytics data is processed by Google LLC in the United States. Google participates in the EU–US Data Privacy Framework. Netlify also processes data in the United States under standard contractual clauses.
[LEGAL REVIEW REQUIRED] Verify current transfer mechanisms are adequate following any post-Schrems II developments and confirm Netlify's DPA status.
6. Your rights under GDPR
As an EU/EEA data subject, you have the right to:
- Access: request a copy of your personal data
- Rectification: correct inaccurate data
- Erasure: request deletion of your data (where no legal obligation to retain applies)
- Restriction: ask us to limit processing in certain circumstances
- Data portability: receive your data in a structured, machine-readable format
- Objection: object to processing based on legitimate interests
- Withdraw consent: at any time, where processing is based on consent
To exercise any of these rights, email bernhard@bernhardlouw-aesthetics.com. We will respond within 30 days.
You also have the right to lodge a complaint with the Data Protection Commission (DPC), Ireland's supervisory authority: dataprotection.ie
7. Security
We take reasonable technical and organisational measures to protect your personal data, including encrypted HTTPS transmission, restricted access to contact form data, and use of reputable third-party processors. No transmission over the internet is completely secure; we cannot guarantee absolute security.
8. Changes to this policy
We may update this Privacy Policy from time to time. The "last updated" date at the top of this page will reflect any changes. We encourage you to review this page periodically.
9. Contact
For any privacy-related questions, contact Dr. Bernhard Louw at:
bernhard@bernhardlouw-aesthetics.com