Privacy Policy

Last updated: December 2024

Introduction

bombylwxou B.V. ("we", "our", "us") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website, use our services, or interact with us. We are the Data Controller for the purposes of the General Data Protection Regulation (GDPR) and other applicable data protection laws.

This policy applies to all personal data we process about you in connection with our cosmetic clinic services, website, and related communications. By using our services, you agree to the collection and use of information in accordance with this policy.

Data Collection

The data we collect includes personal information that you provide directly to us, information we collect automatically when you use our services, and information we may receive from third parties. We collect this information to provide you with the best possible cosmetic clinic services and to comply with our legal obligations.

Information You Provide to Us:

  • Personal identification information (name, email address, phone number, date of birth)
  • Contact information and postal address
  • Medical history and health information relevant to cosmetic treatments
  • Treatment preferences and aesthetic goals
  • Payment information and billing details
  • Communication preferences and consent records
  • Photos and images for treatment documentation and progress tracking
  • Feedback, reviews, and correspondence with our clinic

Information We Collect Automatically:

  • Website usage data, including pages visited and time spent
  • Device information (IP address, browser type, operating system)
  • Cookies and similar tracking technologies (see our Cookie Policy)
  • Location data when you visit our clinic or use location-based services
  • Appointment and treatment history

How We Use Your Information

We use your information to provide our cosmetic clinic services, improve our offerings, and comply with legal requirements. Our use of your data always rests on a lawful basis under GDPR, including consent, contractual necessity, legitimate interests, or legal obligations.

We use your information for:

  • Providing cosmetic treatments and related healthcare services
  • Scheduling and managing appointments
  • Processing payments and managing billing
  • Maintaining medical records and treatment history
  • Communicating about your treatments, appointments, and aftercare
  • Sending service updates, promotional materials, and newsletters (with consent)
  • Improving our services and developing new treatments
  • Complying with legal and regulatory requirements
  • Protecting the safety and security of our patients and staff
  • Conducting research and analysis to enhance our services

Legal Basis for Processing

Under GDPR, we process your personal data based on the following legal grounds:

  • Consent: When you have given explicit consent for specific processing activities
  • Contract: To perform our contractual obligations in providing cosmetic services
  • Legal Obligation: To comply with healthcare regulations and legal requirements
  • Vital Interests: To protect your health and safety during treatments
  • Legitimate Interests: For business operations, service improvement, and fraud prevention

Data Sharing and Disclosure

We do not sell, trade, or rent your personal information to third parties. We may share your information only in the following circumstances:

  • With healthcare professionals involved in your treatment
  • With service providers who assist us in operating our clinic (under strict confidentiality agreements)
  • When required by law, regulation, or court order
  • To protect our rights, property, or safety, or that of our patients or staff
  • With your explicit consent for specific purposes
  • In case of business transfer, merger, or acquisition (with appropriate safeguards)

Data Retention

We retain your personal data for as long as necessary to fulfil the purposes for which it was collected, comply with legal obligations, and protect our legitimate interests. Our retention periods are based on the nature of the data and legal requirements:

  • Medical records and treatment data: 15 years after last treatment (healthcare regulations)
  • Financial records: 7 years (tax and accounting requirements)
  • Marketing communications: Until you withdraw consent or after 3 years of inactivity
  • Website analytics: 26 months maximum
  • CCTV recordings: 30 days unless required for legal proceedings

After the retention period expires, we securely delete or anonymise your personal data in accordance with our data destruction procedures.

Your Rights

Under GDPR and applicable data protection laws, you have the following rights regarding your personal data:

  • Right of Access: Request copies of your personal data
  • Right to Rectification: Correct inaccurate or incomplete data
  • Right to Erasure: Request deletion of your data in certain circumstances
  • Right to Restrict Processing: Limit how we use your data
  • Right to Data Portability: Receive your data in a structured, machine-readable format
  • Right to Object: Object to processing based on legitimate interests or for marketing
  • Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent
  • Right to Complain: Lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens)

To exercise these rights, please contact us using the information provided in the Contact section below. We will respond to your request within one month.

Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. Our security measures include:

  • Encryption of data in transit and at rest
  • Access controls and authentication systems
  • Regular security assessments and updates
  • Staff training on data protection and confidentiality
  • Secure disposal of physical and electronic records
  • Incident response procedures for data breaches

While we strive to protect your personal data, no method of transmission or storage is completely secure. We cannot guarantee absolute security but commit to promptly addressing any security incidents.

International Data Transfers

Your personal data is primarily processed within the European Economic Area (EEA). If we transfer data outside the EEA, we ensure appropriate safeguards are in place, such as:

  • European Commission adequacy decisions
  • Standard Contractual Clauses approved by the European Commission
  • Binding Corporate Rules for multinational organisations
  • Certification schemes and codes of conduct

Cookies and Tracking Technologies

Our website uses cookies and similar tracking technologies to enhance your browsing experience and analyse website performance. For detailed information about our use of cookies, please refer to our Cookie Policy.

Children's Privacy

Our services are not intended for individuals under 16 years of age. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16 without parental consent, we will take steps to delete such information promptly.

For patients between 16 and 18 years of age, we may require parental consent for certain treatments in accordance with applicable laws and medical ethics.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or legal requirements. We will notify you of any material changes by posting the updated policy on our website and, where appropriate, by email or other communication methods.

The "Last updated" date at the top of this policy indicates when it was last revised. We encourage you to review this policy periodically to stay informed about how we protect your information.

Contact Information

If you have any questions about this Privacy Policy, wish to exercise your rights, or need to contact us regarding your personal data, please reach out using the following contact information:

bombylwxou B.V.

Beukenlaan 136

4875 TR Breda

North Brabant, Netherlands

Privacy Email: privacy@bombylwxou.life

General Contact: contact@bombylwxou.life

Phone: +31 301139794

We are committed to addressing your privacy concerns and will respond to your inquiries within a reasonable timeframe, typically within 30 days as required by GDPR.