Last updated 16 June 2026
Fix My Hair Ltd ("Fix My Hair", "we", "us", "our") is committed to protecting your personal data and respecting your privacy.
This Privacy Policy explains how we collect, use, store, and protect your personal information when you visit fixmyhair.co.uk, submit an enquiry, book a consultation, purchase a product, or use any of our services.
Please read this policy carefully. By using our website or services, you acknowledge that you have read and understood this policy.
Fix My Hair Ltd is the data controller for personal data collected through this website and in connection with our services.
Company name: Fix My Hair Ltd
Company number: 16690689
Registered address: 20 Wenlock Road, London, England, N1 7GU
Email: [email protected]
Website: https://fixmyhair.co.uk
We are registered with the Information Commissioner's Office (ICO) as a data controller under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Fix My Hair Ltd operates as an introducer and marketing entity. We connect patients with CQC-registered clinics and GMC-registered surgeons who perform procedures. We do not ourselves perform surgical or medical procedures.
All surgical procedures facilitated through Fix My Hair are performed by CQC-registered clinics or under CQC-registered practitioners, who hold responsibility for clinical care under their own CQC registration.
We collect the following categories of personal data:
Contact and identity data: Name, email address, telephone number, preferred contact method, location/preferred clinic.
Enquiry and consultation data: Details of your hair loss, hair loss pattern, treatment interests, graft estimates, and responses to our hair assessment quiz or simulator.
Special category health data (Article 9 UK GDPR): Information about your health condition, hair loss history, blood test results (where obtained through our diagnostics service), and medical history relevant to treatment planning.
Financial data: Payment information processed via Stripe (we do not store card details — these are handled by Stripe's PCI-DSS compliant infrastructure). Order information for product purchases.
Technical and usage data: IP address, browser type, device type, pages visited, time spent on pages, referral source, and interaction data collected via Google Analytics 4 (GA4) and Microsoft Clarity (subject to your cookie consent).
Communications data: Records of your communications with us by email, phone, or WhatsApp.
We collect personal data through:
We process your personal data on the following legal bases under Article 6 UK GDPR:
Consent (Article 6(1)(a)): For marketing communications, analytics cookies, and non-essential tracking technologies — where you have given explicit, active consent.
Contract (Article 6(1)(b)): For processing necessary to fulfil a product order, consultation booking, or service agreement with you.
Legitimate interests (Article 6(1)(f)): For responding to enquiries, improving our services, and maintaining records of communications. We have conducted a Legitimate Interests Assessment (LIA) and determined these interests are not overridden by your rights.
Legal obligation (Article 6(1)(c)): Where processing is required by law, including financial record-keeping and fraud prevention.
Special category health data (Article 9 UK GDPR): We process health data (including hair loss information and blood test results) on the basis of:
general consent at the point of data collection; and
(Article 9(2)(h)) — for the purpose of arranging medical consultations and treatment planning with CQC-registered clinics.
We never process special category health data on the basis of legitimate interests alone.
We use your personal data to:
We never sell your personal data to third parties.
We will only send you marketing emails, SMS, or WhatsApp messages if you have explicitly opted in to receive them.
You may withdraw consent for marketing at any time by:
Withdrawing marketing consent does not affect the lawfulness of processing before withdrawal.
We share your personal data only where necessary:
CQC-registered clinics and surgeons: We share relevant consultation and health data with the CQC-registered clinic or GMC-registered surgeon fulfilling your procedure. This sharing is necessary for the provision of your treatment.
Lab partner: Blood test samples and results are processed by our laboratory partner. Your data is shared only as necessary for analysis and reporting.
Pharmacy partner: For medication prescriptions, relevant health and contact data is shared with our registered UK pharmacy partner for prescription fulfilment.
EmailJS: Used to send automated confirmation emails. Data passes through EmailJS's infrastructure under appropriate data processing agreements.
Google (GA4): Website usage data is collected via Google Analytics 4 subject to your cookie consent. Google processes this data in accordance with its Privacy Policy and UK GDPR transfer safeguards.
Microsoft (Clarity): Session recording and heatmap data is collected via Microsoft Clarity subject to your cookie consent.
Stripe: Payment processing for product orders. Stripe is PCI-DSS compliant and processes payment data under its own privacy policy and data processing agreement.
Google (Sheets/Apps Script): Enquiry data submitted through our forms is logged to a secure Google Sheets database for our team's use.
All third-party processors are subject to data processing agreements ensuring UK GDPR compliance.
Some of our service providers (including Google and Microsoft) may transfer data outside the UK. Where this occurs, we ensure appropriate safeguards are in place, including:
We retain your personal data for the following periods:
| Data type | Retention period |
|---|---|
| Consultation enquiries | 7 years from last contact |
| Medical/health records | 8 years from last treatment (NHS standard) |
| Blood test results | 8 years |
| Product purchase records | 7 years (legal/financial requirement) |
| Marketing consent records | Until consent withdrawn + 3 years |
| Cookie consent records | 3 years |
| Website analytics data | 26 months (GA4 default) |
After these periods, data is securely deleted or anonymised.
You have the following rights regarding your personal data:
Right of access: Request a copy of the personal data we hold about you.
Right to rectification: Request correction of inaccurate or incomplete data.
Right to erasure: Request deletion of your data where no longer necessary.
Right to restriction: Request we limit processing of your data.
Right to portability: Receive your data in a structured, machine-readable format.
Right to object: Object to processing based on legitimate interests.
Right to withdraw consent: Withdraw consent at any time where processing is consent-based.
Rights regarding automated decision-making: We do not make solely automated decisions with legal or significant effects.
To exercise any right, contact us at:
Email: [email protected]
Post: Fix My Hair Ltd, 20 Wenlock Road, London, England, N1 7GU
We will respond within one calendar month. We may need to verify your identity before processing your request.
Fix My Hair Ltd has a formal data protection complaints procedure in compliance with the Data (Use and Access) Act 2025, in force from 5 February 2026.
How to raise a complaint:
Step 1 — Contact us directly:
Email: [email protected]
Subject line: "Data Protection Complaint"
Include: your name, contact details, description of the complaint, and what resolution you are seeking.
Step 2 — We will:
Step 3 — If unresolved: If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
ICO website: https://ico.org.uk/make-a-complaint
ICO helpline: 0303 123 1113
ICO address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
All complaints are logged with: date received, nature of complaint, investigation steps taken, outcome, and date resolved. This audit trail is retained for 3 years.
We implement appropriate technical and organisational measures to protect your personal data, including:
In the event of a personal data breach likely to result in risk to individuals, we will notify the ICO within 72 hours and affected individuals without undue delay.
Our services are not directed at individuals under 18 years of age. We do not knowingly collect personal data from anyone under 18. If you believe we have collected data from a minor, please contact us immediately at [email protected].
We may update this Privacy Policy from time to time. The date at the top of this page shows when it was last updated. Material changes will be communicated by email where we hold your contact details.
For any questions about this Privacy Policy or your personal data:
Fix My Hair Ltd
20 Wenlock Road
London
England
N1 7GU
Email: [email protected]
Website: https://fixmyhair.co.uk
Registered with the Information Commissioner's Office (ICO). ICO Registration: ZB996283