Aura Booking Limited (Company No. SC888835) is the data controller for personal data processed through the AURA platform. Our registered office is at Unit W5 Rosemount Business Park, 141 Charles Street, Glasgow, G21 2QA.
We are registered with the Information Commissioner's Office (ICO) as a data controller. You can verify our registration at ico.org.uk.
Our data protection contact is: support@aurabooking.co.uk
| Data | Why we collect it |
|---|---|
| Name, email address, phone number | Account creation, login, communications |
| Business name, address, specialty | Public booking page and platform records |
| Profile photo (if uploaded) | Personalised booking page |
| Treatment menu, pricing, descriptions | Client-facing booking functionality |
| Working hours, blocked periods | Diary and booking availability |
| Stripe Connect account ID | Payment processing and payout routing |
| Onboarding progress, account status | Platform operations and support |
| IP address, login timestamps | Security and fraud prevention |
| Data | Why we collect it |
|---|---|
| Name, email address, phone number | Booking confirmation, reminders, communications |
| Date of birth (if requested by practitioner) | Age verification for certain treatments |
| Appointment details (treatment, date, time) | Booking management and diary |
| Consent form responses and e-signature | Clinical record; legal requirement for many treatments |
| Stripe session ID, payment status, deposit amount | Transaction records and reconciliation (see Section 3) |
| IP address (at time of booking and consent) | Fraud prevention; legal evidence of consent |
| Notes added by practitioner | Clinical record management by practitioner |
We may collect standard web server logs (IP address, browser type, pages viewed, referrer URL) for security and performance purposes. We do not use advertising tracking pixels or third-party analytics that profile individual visitors.
Stripe's privacy policy is available at stripe.com/gb/privacy.
| Processing activity | Lawful basis |
|---|---|
| Practitioner account creation and management | Contract performance (Art. 6(1)(b)) |
| Processing bookings and deposits | Contract performance (Art. 6(1)(b)) |
| Sending booking confirmations and reminders | Contract performance (Art. 6(1)(b)) |
| Collecting and storing consent form data | Legal obligation / legitimate interests (Art. 6(1)(c)/(f)); Special category data under Art. 9(2)(h) where health information is involved |
| Fraud prevention and security logging | Legitimate interests (Art. 6(1)(f)) |
| Communicating platform updates to practitioners | Legitimate interests (Art. 6(1)(f)) or consent |
| Compliance with legal obligations | Legal obligation (Art. 6(1)(c)) |
We do not sell personal data. We share data only where necessary to deliver the platform's services:
| Recipient | Purpose | Location |
|---|---|---|
| Stripe, Inc. | Payment processing, Stripe Connect payouts | USA (see Section 6) |
| Supabase, Inc. | Database and authentication hosting | UK (London region) |
| Resend, Inc. | Transactional and notification emails | USA (see Section 6) |
| Netlify, Inc. | Platform hosting and content delivery | USA / global CDN (see Section 6) |
| Practitioners | Client booking details, consent forms, client records — visible to the practitioner the client books with | UK |
We may also disclose data to law enforcement or regulatory authorities where required by law.
Some of our service providers are based in the United States. Where we transfer personal data outside the UK, we ensure appropriate safeguards are in place:
You can request copies of the relevant transfer mechanisms by contacting us at support@aurabooking.co.uk.
| Data type | Retention period |
|---|---|
| Practitioner account data | Duration of account + 7 years after closure (tax and legal obligations) |
| Client booking records and payment metadata | 7 years from appointment date (financial record obligations) |
| Consent form data | Minimum 8 years from last treatment (clinical record best practice); longer if required by professional body standards |
| Security logs (IP addresses, login records) | 90 days |
| Marketing communications (opt-in) | Until withdrawal of consent |
Where a client or practitioner requests erasure of their data under the "right to be forgotten" (see Section 8), we will delete personal data that is not required to be retained under a legal obligation. Retained data will be held securely and not used for any other purpose.
Under UK GDPR, you have the following rights in respect of your personal data:
To exercise any of these rights, contact us at support@aurabooking.co.uk. We will respond within 30 days. We may ask you to verify your identity before processing a request.
Clients: If your request relates to data held by a practitioner in their capacity as data controller (e.g., clinical notes, consent forms), you should contact the practitioner directly in the first instance.
AURA uses cookies and similar technologies. Please see our Cookie Policy for full details, including the types of cookies we use and how to manage your preferences.
AURA is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If you believe we hold data relating to a child, please contact us immediately.
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. For significant changes, we will notify registered practitioners by email.
For any privacy-related query or to exercise your rights:
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):