Legal Documents
Legal
Privacy Policy
Last updated: June 2026  ·  UK GDPR compliant  ·  Aura Booking Limited · SC888835
Aura Booking Limited takes privacy seriously. This policy explains in plain terms what personal data we collect, why we collect it, who we share it with, and what your rights are. We are the data controller in respect of data processed by AURA on its own behalf. Where practitioners use AURA to manage their own clients, each practitioner is also an independent data controller for their client data.

Contents

  1. Who we are
  2. What data we collect and why
  3. Payment data — what AURA holds vs Stripe
  4. Lawful bases for processing
  5. Who we share data with
  6. International data transfers
  7. Data retention
  8. Your rights
  9. Cookies
  10. Children
  11. Changes to this policy
  12. Contact and complaints

1. Who We Are

Aura Booking Limited (Company No. SC888835) is the data controller for personal data processed through the AURA platform. Our registered office is at Unit W5 Rosemount Business Park, 141 Charles Street, Glasgow, G21 2QA.

We are registered with the Information Commissioner's Office (ICO) as a data controller. You can verify our registration at ico.org.uk.

Our data protection contact is: support@aurabooking.co.uk

2. What Data We Collect and Why

2.1 Practitioners

DataWhy we collect it
Name, email address, phone numberAccount creation, login, communications
Business name, address, specialtyPublic booking page and platform records
Profile photo (if uploaded)Personalised booking page
Treatment menu, pricing, descriptionsClient-facing booking functionality
Working hours, blocked periodsDiary and booking availability
Stripe Connect account IDPayment processing and payout routing
Onboarding progress, account statusPlatform operations and support
IP address, login timestampsSecurity and fraud prevention

2.2 Clients (booking through an AURA-powered page)

DataWhy we collect it
Name, email address, phone numberBooking confirmation, reminders, communications
Date of birth (if requested by practitioner)Age verification for certain treatments
Appointment details (treatment, date, time)Booking management and diary
Consent form responses and e-signatureClinical record; legal requirement for many treatments
Stripe session ID, payment status, deposit amountTransaction records and reconciliation (see Section 3)
IP address (at time of booking and consent)Fraud prevention; legal evidence of consent
Notes added by practitionerClinical record management by practitioner
Important: Client data entered through AURA is visible to and controlled by the practitioner the client books with. That practitioner is an independent data controller for this data. Clients should also review the practitioner's own privacy notice.

2.3 Anonymous visitors (aurabooking.co.uk and app.aurabooking.co.uk)

We may collect standard web server logs (IP address, browser type, pages viewed, referrer URL) for security and performance purposes. We do not use advertising tracking pixels or third-party analytics that profile individual visitors.

3. Payment Data — What AURA Holds vs Stripe

AURA does not store card numbers, CVV codes, or any raw payment card data. All card processing is handled entirely by Stripe, Inc. AURA stores only the following payment metadata: This metadata is necessary for booking reconciliation, dispute handling, and audit trails. It does not enable us or anyone else to charge a card — that capability resides entirely with Stripe.

Stripe's privacy policy is available at stripe.com/gb/privacy.

4. Lawful Bases for Processing

Processing activityLawful basis
Practitioner account creation and managementContract performance (Art. 6(1)(b))
Processing bookings and depositsContract performance (Art. 6(1)(b))
Sending booking confirmations and remindersContract performance (Art. 6(1)(b))
Collecting and storing consent form dataLegal obligation / legitimate interests (Art. 6(1)(c)/(f)); Special category data under Art. 9(2)(h) where health information is involved
Fraud prevention and security loggingLegitimate interests (Art. 6(1)(f))
Communicating platform updates to practitionersLegitimate interests (Art. 6(1)(f)) or consent
Compliance with legal obligationsLegal obligation (Art. 6(1)(c))

5. Who We Share Data With

We do not sell personal data. We share data only where necessary to deliver the platform's services:

RecipientPurposeLocation
Stripe, Inc.Payment processing, Stripe Connect payoutsUSA (see Section 6)
Supabase, Inc.Database and authentication hostingUK (London region)
Resend, Inc.Transactional and notification emailsUSA (see Section 6)
Netlify, Inc.Platform hosting and content deliveryUSA / global CDN (see Section 6)
PractitionersClient booking details, consent forms, client records — visible to the practitioner the client books withUK

We may also disclose data to law enforcement or regulatory authorities where required by law.

6. International Data Transfers

Some of our service providers are based in the United States. Where we transfer personal data outside the UK, we ensure appropriate safeguards are in place:

You can request copies of the relevant transfer mechanisms by contacting us at support@aurabooking.co.uk.

7. Data Retention

Data typeRetention period
Practitioner account dataDuration of account + 7 years after closure (tax and legal obligations)
Client booking records and payment metadata7 years from appointment date (financial record obligations)
Consent form dataMinimum 8 years from last treatment (clinical record best practice); longer if required by professional body standards
Security logs (IP addresses, login records)90 days
Marketing communications (opt-in)Until withdrawal of consent

Where a client or practitioner requests erasure of their data under the "right to be forgotten" (see Section 8), we will delete personal data that is not required to be retained under a legal obligation. Retained data will be held securely and not used for any other purpose.

8. Your Rights

Under UK GDPR, you have the following rights in respect of your personal data:

To exercise any of these rights, contact us at support@aurabooking.co.uk. We will respond within 30 days. We may ask you to verify your identity before processing a request.

Clients: If your request relates to data held by a practitioner in their capacity as data controller (e.g., clinical notes, consent forms), you should contact the practitioner directly in the first instance.

9. Cookies

AURA uses cookies and similar technologies. Please see our Cookie Policy for full details, including the types of cookies we use and how to manage your preferences.

10. Children

AURA is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If you believe we hold data relating to a child, please contact us immediately.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. For significant changes, we will notify registered practitioners by email.

12. Contact and Complaints

For any privacy-related query or to exercise your rights:

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):