SpotCheck - Privicy Policy
Last updated: 17 June 2026
SpotCheck processes limited personal data from practitioners and their clients to provide GP and dermatology advice, and does so in line with UK GDPR and the Data Protection Act 2018. Practitioners and clinics located outside the United Kingdom must, in addition, comply with Section 14 (International Practitioners and Clinics) before submitting any client data or images.
1. Who we are
SpotCheck is a clinical advice and guidance service for cosmetic and aesthetic practitioners, operated by Aesthetk Ltd (“we”, “us”, “our”). Our clinic address is: Aesthetk Clinic, First Floor, 40 Hutton Road, Shenfield, Brentwood, Essex, CM15 8LB.
We are the data controller for personal data collected through the SpotCheck website (https://spotcheck.uk) and SpotCheck web application, except where stated otherwise. Where a practitioner or clinic submits client data, the practitioner or clinic is the data controller for that client data and we act, in relevant respects, as set out in Sections 10 and 14 below.
2. What this policy covers
This Privacy Policy explains how we collect, use, store and share personal data when you:
- visit or use our website or web application;
- register as a SpotCheck practitioner; or
- submit client information and images for review.
It also explains your data protection rights under UK GDPR and the Data Protection Act 2018, and, for practitioners and clinics based outside the UK, the additional obligations you must satisfy before using SpotCheck (see Section 14).
3. The data we collect
Practitioner data
We may collect:
- identity details (name, title, professional role);
- contact details (email address, phone number, clinic name, postal address);
- login and profile data (username, password, usage preferences);
- payment and billing details where relevant;
- communication records, queries and feedback.
Client / patient data
When you submit a case, we may receive:
- basic identifiers (initials or code, age, gender as required);
- clinical information you provide (relevant medical history, medications, lesion description, treatment history);
- clinical photographs and associated metadata;
- your own notes and questions for our clinicians.
You should minimise identifying information where possible and follow your own professional and regulatory obligations when sharing client data. If you are based outside the UK, you must also follow the requirements in Section 14 before submitting any client data or images.
Technical and usage data
We may collect:
- IP address, browser type and version, device identifiers;
- login dates and times, page views and interactions;
- cookies and similar tracking technologies, subject to your preferences.
4. How we use personal data
We use personal data to:
Provide the SpotCheck service
- create and manage practitioner accounts;
- receive case submissions and provide clinical advice and reports;
- communicate with you about cases, queries and support.
Meet legal, regulatory and insurance obligations
- maintain appropriate clinical records of advice provided;
- cooperate with regulators, insurers or legal bodies where lawfully required;
- ensure information governance and audit trails.
Improve and protect our service
- monitor performance and security of the web application;
- troubleshoot, test and enhance features;
- produce anonymised or aggregated statistics for service evaluation, training and audit.
Marketing and business communication
- send service updates, training opportunities, and related SpotCheck or Aesthetk information to practitioner users, in line with your marketing preferences and applicable electronic marketing rules.
We do not use client images or clinical details for marketing without your explicit consent and, where required, explicit client consent.
5. Legal bases for processing
We process personal data on the following legal bases under UK GDPR:
- performance of a contract (providing SpotCheck services to you as a registered practitioner);
- compliance with legal obligations (e.g. clinical record-keeping, regulatory requirements);
- legitimate interests (service operation, security, quality improvement, professional communications with practitioners);
- explicit consent for certain uses of special category data and for specific marketing activities where required.
Special category health data about clients is processed only where necessary for the provision of the SpotCheck advice service and subject to appropriate safeguards, and usually on the basis of your professional relationship with the client plus any consents you obtain. Where a client is located outside the UK, the practitioner or clinic must independently confirm that an equivalent lawful basis exists under the law applicable to that client (see Section 14).
6. Sharing your data
We may share personal data with:
- clinicians engaged by SpotCheck (e.g. UK-registered GPs and dermatology specialists) who need access to provide advice;
- technical service providers who host or support the SpotCheck platform, email, payment or security services, under strict data processing agreements;
- insurers, legal advisers, regulators or law enforcement where required by law or to establish, exercise or defend legal claims.
We do not sell personal data to third parties.
Where data is transferred outside the UK (including where it is sent to us from outside the UK), we implement appropriate safeguards such as standard contractual clauses or equivalent measures required by law. International practitioners and clinics are separately responsible for the safeguards required under their own local law when exporting client data to the UK, as set out in Section 14.
7. Data security
We take appropriate technical and organisational measures to protect personal data, including:
- secure hosting and access controls for the SpotCheck web application;
- encryption in transit and at rest where appropriate;
- role-based access for clinical and support staff;
- regular monitoring, backup and security updates.
Despite these measures, no system is completely secure; users should also take care to protect login details and ensure their own devices and networks are secure.
8. Data retention
We keep personal data only for as long as necessary for the purposes described in this policy, including:
- clinical advice records and associated client data, retained for periods consistent with relevant clinical record-keeping guidance, insurer requirements and limitation periods;
- practitioner account and billing records, retained for as long as you have an account and for a reasonable period afterwards for audit and tax purposes;
- technical logs, retained for shorter periods needed for security, troubleshooting and analytics.
When data is no longer required, it is securely deleted or anonymised.
9. Your rights
Under UK data protection law you have the right to:
- access a copy of your personal data (subject access);
- request correction of inaccurate or incomplete data;
- request erasure of your data in certain circumstances;
- request restriction of processing;
- object to processing based on legitimate interests or to direct marketing;
- request data portability where applicable;
- withdraw consent where we rely on consent (this will not affect previous lawful processing).
Some rights may be limited where we must retain information for legal, regulatory or clinical safety reasons.
To exercise your rights, please contact us using the details in Section 15. You also have the right to complain to the Information Commissioner’s Office (ICO) if you are unhappy with how we handle your data. If you are located outside the UK, you may also have rights under your own local data protection law and may need to raise concerns with your own supervisory authority in the first instance.
10. Practitioner responsibilities
As a practitioner user you are usually the primary data controller for your clients’ records, including information you share with SpotCheck. You are responsible for:
- obtaining appropriate consent or providing fair processing information to clients before sharing their data;
- ensuring information is accurate, relevant and minimised;
- complying with your own regulator, insurer and local data protection requirements.
Where we act as a processor on your behalf for certain functions, this will be documented in a separate data processing agreement if required. Practitioners and clinics based outside the UK must also comply with Section 14 in full.
11. Cookies and similar technologies
Our website and web application may use cookies and similar technologies to:
- enable core functionality and security;
- remember your preferences;
- collect anonymised usage statistics to improve the service.
Where required, we will request your consent before setting non-essential cookies and provide controls for you to update your preferences.
12. Links to other sites
The SpotCheck website may include links to external websites, training providers or partners. This Privacy Policy does not apply to those sites, and we are not responsible for their content or privacy practices. You should review their privacy policies separately.
13. Changes to this policy
We may update this Privacy Policy from time to time, for example to reflect changes in law, guidance or our services. The latest version will always be available on our website, and the “last updated” date will indicate when it was revised. Continued use of the service after changes are published means you accept the updated policy.
14. International practitioners and clinics
SpotCheck is designed and operated for practitioners established and practising in the United Kingdom. We also accept registrations from practitioners and clinics based outside the UK (“international practitioners”). This section sets out the additional regulatory steps international practitioners must complete, and the basis on which we accept their registration.
14.1 Mandatory pre-submission checklist
Before registering, and before submitting any client data, images or other personal information to SpotCheck, an international practitioner or clinic must independently verify and be able to evidence, on request, that it has:
- a lawful basis under the data protection law applicable in its own country or region to collect, process and export the client’s personal data, including any special category or health data, to a UK-based recipient;
- obtained explicit, informed, and (where the data includes images or health information) specific consent from the client that covers: the capture and transfer of their data outside their home jurisdiction; review of that data by UK-based clinicians and, where used, AI-assisted triage tools; and SpotCheck’s and Aesthetk’s retention of the data in line with this policy;
- confirmed that obtaining cross-border clinical advice or “teleadvice” of this kind, and transmitting client health data abroad for that purpose, is lawful and permitted under its local telemedicine, health information, licensing and professional conduct rules;
- checked that there is no local law, regulation, professional rule or data localisation requirement that prohibits or restricts the export of client health data to a UK processor;
- minimised and, where required by local law, anonymised or pseudonymised client data so that no more information is submitted than is necessary for SpotCheck to provide advice;
- satisfied itself that its own professional indemnity and/or public liability insurance extends to cross-border use of third-party clinical advice services such as SpotCheck; and
- read and accepted SpotCheck’s Terms and Conditions and GDPR Policy in full.
SpotCheck may require a practitioner to confirm completion of this checklist by way of a registration declaration before account access or case submission is enabled. Submitting a case constitutes confirmation that this checklist has been satisfied, whether or not a separate declaration is presented.
14.2 Controller status and responsibility
For all client data, the international practitioner or clinic remains the data controller (or equivalent under its local law) at all times. SpotCheck acts only as a processor of that data for the purpose of providing the requested clinical advice, and does not independently verify a practitioner’s consent records, local legal basis, or regulatory standing. Responsibility for compliance with Section 14.1 rests solely with the submitting practitioner or clinic.
14.3 No warranty; assumption of risk
SpotCheck and Aesthetk Ltd do not represent, warrant or guarantee that the Site, the SpotCheck application, or any clinical advice provided through it is appropriate, lawful, or permitted for use by a practitioner or clinic in any jurisdiction outside the UK. Any international practitioner who chooses to register or submit data does so at its own risk and is solely responsible for confirming the legality of that use in its own jurisdiction in advance.
14.4 Indemnity
By registering as, or operating as, an international practitioner or clinic, you agree to indemnify, defend and hold harmless SpotCheck, Aesthetk Ltd, its officers, employees, contracted clinicians and agents against any and all claims, demands, fines, penalties, regulatory action, third-party claims (including claims by clients or data subjects), losses, damages, costs and reasonable legal expenses arising out of or connected with:
- your failure to satisfy any item in the checklist at Section 14.1;
- your breach of any data protection, health information, telemedicine, licensing or professional conduct law applicable to you; or
- your submission of client data or images without the consents or legal basis required by this policy.
This indemnity is in addition to, and does not limit, any equivalent indemnity given in SpotCheck’s Terms and Conditions.
14.5 Suspension and data handling
We may suspend or terminate an international practitioner’s account, and decline to process a submission, at any time if we reasonably believe the requirements of this Section 14 have not been met, without liability to the practitioner or clinic for doing so.
14.6 Governing law
We may suspend or terminate an international practitioner’s account, and decline to process a submission, at any time if we reasonably believe the requirements of this Section 14 have not been met, without liability to the practitioner or clinic for doing so.
15. Contact us
For questions about this Privacy Policy or how we handle personal data, please contact:
- Aesthetk Clinic / SpotCheck, First Floor, 40 Hutton Road, Shenfield, Brentwood, Essex, CM15 8LB; or
- using the email address or contact form provided on the SpotCheck website or within the SpotCheck application (contact@spotcheck.uk).
Don’t risk it. SpotCheck it.
Product of Aesthetk Ltd. UK’s first GP & Dermatology Advice and Guidance Service for Cosmetic Practitioners.
SpotCheck is a service provided by Aesthetk Ltd (company registration number 15414315), a CQC registered healthcare provider.