Informational only — not legal advice. This article explains what Aesthetix CRM's privacy features do and how to use them. It is not legal advice and does not describe your specific legal obligations. For guidance on how data privacy laws apply to your practice, consult your own compliance officer or legal counsel.
Med spas handle some of the most sensitive information there is — patient names, contact details, treatment history, and payment data. Data privacy laws such as the EU/UK General Data Protection Regulation (GDPR) give individuals more control over how their personal data is collected and used, and they expect the businesses holding that data to be transparent about it. This article explains the basic concepts, how Aesthetix CRM supports your privacy practices, and how to capture consent and track your legal basis for processing a lead's or patient's data.
Personal data is any information that can identify an individual. In a med spa, this commonly includes:
Name, email address, and phone number
Location data and IP addresses
Payment details and order history
Appointment and treatment records
Because much of this data can also include protected health information (PHI), it deserves careful handling regardless of which privacy law applies to you.
Data privacy regulations assign different responsibilities depending on whether an entity is a controller or a processor of personal data.
A controller decides to process personal data and determines the basis and methods for doing so. When you use Aesthetix CRM, you are the controller. You control the data you upload, what you do with it, and why — so you are responsible for having a legal basis to process it and for not keeping it longer than necessary.
A processor stores and manages data on behalf of, and under the instructions of, the controller. Aesthetix CRM acts as a processor: we store and manage the data you collect, under your instructions, and do not use your patients' personal data for our own purposes.
You should understand your responsibilities as a controller and keep your own policies and notices up to date so personal data can be handled lawfully.
Personal data may only be collected and processed when there is a recognized legal basis for doing so. Typical legal bases include:
Informed consent — explicit permission from the individual.
Contractual obligation — processing needed to provide the services or products the person signed up for.
Legitimate interest — a business purpose that does not override the individual's rights.
As the controller, you choose the correct legal basis for each set of data you collect and put the appropriate notices and consents in place. Identify which bases apply to your practice before you start collecting data, collect only what you need for that basis, and avoid changing the basis after the fact without a strong reason.
Privacy laws grant individuals (your leads and patients) rights over their personal data, including the right to access, correct, and delete data relating to them. Make sure you understand how to respond to these requests — including for any personal data you hold outside of Aesthetix CRM — and how to forward instructions to us when one of your patients exercises those rights.
Aesthetix CRM includes built-in consent tools across the places where you collect data. Each collection point lets you link your Privacy Policy or Terms of Service and add customizable consent language so patients can give informed permission.
Personal data is typically collected through Forms & Surveys, Order Forms, Calendars, and Webchat embedded on your funnels and websites. Here is how to add consent at each touchpoint:
Forms & Surveys — Use the Custom Checkbox element in the Form Builder and add your own disclosure language based on your business practices and applicable regulations. The patient's selection is captured and stored on their contact record.
Webchat — Add your own disclosure language in the Legal Message description box. To link your Privacy Policy, highlight the Privacy Policy text, click Link, and paste your URL.
Calendars (Bookings) — Customize the consent checkbox text on the booking widget so it matches your specific requirements.
Order Forms — Enable the Terms & Conditions checkbox in the Order Form settings, add your own disclosure language, then highlight the Privacy Policy text, click Link, and paste your URL.
Always display your Privacy Policy at the point where you collect personal data, and make sure you have consent — or another valid legal basis — before processing it.
You can record the legal basis for processing each contact's data using custom fields and tags, which makes it easy to filter, export, or review your data-collection practices later.
Create a custom field (for example, Legal Basis) under Contacts. Add values that match your business needs, such as Consent, Contractual Obligation, and Legitimate Interest.
Create a tag for each legal basis if you want quick filtering — for example, Consent, Contractual Obligation, or Legitimate Interest.
Apply the tag and set the field on each contact manually, or automatically through an automation: for example, when a patient submits a form, assign the corresponding tag and update the Legal Basis custom field.
Because the value is stored on the contact record, you can filter your database by legal basis at any time — useful when reviewing your data practices or responding to a data subject request.
Aesthetix CRM maintains security safeguards designed to keep the personal data you store with us protected, including:
Regular testing of our products for bugs and vulnerabilities.
Backup, data recovery, and data integrity processes to reduce the risk of data loss or corruption.
Standard Contractual Clauses within our data processing agreement to support lawful transfers of personal data where required.
Processes to detect data breaches and notify affected customers promptly.
Processes to handle data subject access and erasure requests, and to inform you when one of your patients makes such a request to us.
For our current privacy and data processing terms, see your Aesthetix CRM agreement and Privacy Policy, or reach out through the support portal with questions about your specific needs.
Is Aesthetix CRM a data controller or a data processor?
For the patient and lead data you collect, Aesthetix CRM acts as a processor. You are the controller — you decide what data to collect, why, and how it is used.
Does Aesthetix CRM provide legal advice on GDPR or privacy compliance?
No. Aesthetix CRM provides tools to help you collect and manage data and consent, but your compliance officer or legal counsel is the right resource for advice on your specific obligations.
Where can my patients give consent?
You can collect consent through Forms & Surveys, Webchat, Calendars (booking widgets), and Order Forms — each supports custom disclosure language and a link to your Privacy Policy.
How do I record a contact's legal basis for processing?
Create a Legal Basis custom field and matching tags under Contacts, then apply them manually or via automation. The value is stored on the contact record so you can filter, export, and review it.
What if I don't have explicit consent for a contact?
Consent is only one legal basis. If another basis applies — such as contractual obligation or legitimate interest — record that basis using the custom field and tag so your data practices are documented.