Privacy Policy
Your Privacy Matters
We are committed to protecting your personal data and being fully transparent about how we collect, use, and safeguard it.
Last Updated: 22 June 2026Data Safety
Your data is never sold to third parties.
Medical Data
Health records receive enhanced GDPR protection.
Marketing
Unsubscribe from marketing at any time.
Contents
Section 01
Introduction
Carisma Aesthetics Ltd., trading as Carisma Slimming (“we”, “us”, “our”, or the “Clinic”), is a Malta-based medical slimming clinic registered under company number C 106006. We provide a range of weight management, body contouring, and lifestyle services to patients in Malta and beyond.
This Privacy Policy explains how we collect, use, store, and protect the personal information you provide to us — whether as a patient, website visitor, or marketing subscriber. It applies to all services offered through www.carismaslimming.com and at our clinic premises.
We are committed to handling your personal data with care, in full compliance with the EU General Data Protection Regulation (GDPR), the Data Protection Act (Chapter 586, Laws of Malta), and all other applicable data protection legislation.
Please read this policy carefully. If you have any questions about how we process your data, contact us at info@carismaslimming.com.
Last Updated: 22 June 2026. We may update this policy from time to time — see Section 15 for how we notify you of changes.
Section 02
Data Controller
The data controller responsible for your personal information is:
Carisma Aesthetics Ltd.
Trading as: Carisma Slimming
Company Number: C 106006
Registered Address: 35/16B Hever Court, Triq Moletta, Swieqi, SWQ 3532, Malta
Email: info@carismaslimming.com
For all data protection queries — including access requests, erasure requests, or complaints — please contact us at the email address above. We aim to respond to all data-related requests within 30 calendar days.
Section 03
What Personal Data We Collect
Depending on your relationship with us (patient, website visitor, or marketing subscriber), we may collect the following categories of personal data:
a) Identity & Contact Information
- Full name, date of birth, and gender
- Postal address, email address, and phone number
- Identity document number (where required for patient registration)
- Emergency contact details
b) Health & Medical Data (Special Category — GDPR Art. 9)
Health data is a special category of personal data under GDPR and is afforded the highest level of protection. We collect:
- Medical history, pre-existing conditions, and past surgeries
- Current medications, allergies, and contraindications
- Mental health history relevant to safe treatment delivery
- Blood test results and diagnostic data (where required)
- Pregnancy and reproductive health information (relevant to treatment safety)
c) Treatment & Appointment Records
- Consultation notes and clinical assessments
- Treatment plans, progress notes, and session records
- Slimming Card check-in data and attendance logs
- Dosage records for prescribed medications (e.g. GLP-1 agonists)
d) Photographs & Body Measurements
- Before/after photographs taken for clinical monitoring and progress tracking
- Body measurements (weight, circumference, body composition)
- Photos used for marketing purposes only with your separate, explicit written consent
e) Payment Data
- Billing name, address, and payment reference
- Transaction records for services rendered
- We do not store full card numbers — payments are processed by compliant third-party providers
f) Website & Marketing Data
- Cookie data and IP address (see Section 6 for full details)
- Email open and click data (for subscribers)
- Form submissions (consultation requests, free guide downloads, contact enquiries)
- Device type and browser information for website analytics
Section 04
Legal Bases for Processing
We only process your personal data when we have a lawful basis to do so. The relevant legal bases under GDPR are as follows:
- Article 6(1)(b) — Performance of a contract: Processing your identity, contact, and appointment data is necessary to deliver the services you have contracted with us (e.g. booking consultations, administering your treatment programme).
- Article 9(2)(h) — Healthcare provision: Processing your health and medical data is necessary for the purposes of preventive medicine, medical diagnosis, provision of healthcare or treatment, subject to professional confidentiality obligations.
- Article 6(1)(c) — Legal obligation: We process certain data (e.g. clinical records, financial records) because we are legally required to do so under Maltese law, including medical record-keeping regulations and tax/accounting legislation.
- Article 6(1)(a) — Consent: For marketing communications, use of optional analytics cookies, and use of your photographs in promotional materials, we rely on your explicit consent. You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
Where we rely on consent as a legal basis, withdrawal of that consent will not affect your access to clinical care. We will never make treatment conditional on consent to marketing.
Section 05
How We Use Your Data
We use the personal data we collect for the following purposes:
- Treatment delivery: Planning and administering your personalised slimming programme, including prescribing medication, conducting body contouring sessions, and delivering lifestyle interventions.
- Appointment management: Booking, confirming, reminding, and rescheduling your consultations and treatment sessions.
- Progress tracking: Monitoring your weight, measurements, and clinical outcomes over the course of your programme.
- Billing & payment: Processing fees, issuing invoices, managing prepaid packages, and maintaining financial records.
- Legal & regulatory compliance: Meeting our obligations under Maltese medical record-keeping law, tax legislation, and GDPR.
- Service improvement: Analysing anonymised, aggregated outcomes data to improve our programmes. Individual-level data is never used for this purpose.
- Marketing communications: Sending newsletters, offers, and health content — only where you have given explicit consent and only for as long as you remain subscribed.
We do not use your personal data for automated decision-making or profiling in a way that produces legal or similarly significant effects on you.
Section 07
Data Sharing
We respect your privacy. We do not sell, rent, or trade your personal data to any third party — ever. We share your data only in the following limited circumstances:
- Clinical partners: Laboratories and pharmacies that we work with to fulfil your treatment (e.g. blood testing labs, dispensing pharmacies). These parties receive only the minimum data necessary and are bound by professional confidentiality obligations.
- Cloud & IT service providers: Software platforms used to manage patient records, appointments, and communications (e.g. practice management software, cloud storage). All such providers operate under data processing agreements and GDPR-compliant safeguards.
- Legal & regulatory authorities: Where we are legally required to disclose data to Maltese courts, regulatory bodies, or law enforcement agencies. We will notify you of such disclosure wherever lawfully permitted to do so.
- Marketing platforms: Email and SMS marketing providers — only where you have given explicit marketing consent. You may opt out at any time.
All third-party data processors are subject to written data processing agreements that require them to implement appropriate technical and organisational security measures and to process your data only on our documented instructions.
Section 08
International Data Transfers
We are based in Malta (within the European Economic Area). Some of the cloud services and software platforms we use may store or process data on servers located outside the EEA — for example in the United States or United Kingdom.
Whenever your personal data is transferred outside the EEA, we ensure appropriate safeguards are in place as required by GDPR Article 46, including:
- Standard Contractual Clauses (SCCs): EU Commission-approved contractual terms that bind the recipient to GDPR-equivalent protections.
- Adequacy decisions: Where the European Commission has determined that a third country provides an adequate level of data protection (e.g. United Kingdom).
- Binding Corporate Rules: Where applicable for transfers within multinational corporate groups.
You may request details of the specific safeguards we have in place for any particular transfer by contacting us at info@carismaslimming.com.
Section 09
Data Retention
We keep your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Our retention periods are:
| Data Category | Retention Period |
|---|---|
| Clinical & medical records | Minimum 10 years per Maltese medical record-keeping law |
| Financial & payment records | 7 years per Maltese accounting / tax legislation |
| Marketing data (email/SMS lists) | Until consent withdrawn, plus 30-day grace period |
| Website analytics data (cookies) | 12 months from collection |
| Consent records | Duration of relationship + 6 years (evidence of compliance) |
| CCTV footage (if applicable) | Maximum 30 days unless required for an investigation |
When the applicable retention period expires, data is securely deleted, anonymised, or irreversibly destroyed in accordance with our data disposal policy.
Section 10
Security
We take the security of your personal data seriously and implement appropriate technical and organisational measures to protect it against unauthorised access, accidental loss, destruction, or disclosure. Our security measures include:
- Encryption in transit: All data transmitted between your browser and our website is encrypted using TLS (HTTPS). Communications with cloud services also use encrypted connections.
- Encryption at rest: Personal data stored in our systems is encrypted at rest using industry-standard encryption protocols.
- Access controls: Access to patient records is restricted to authorised clinical and administrative staff on a strict need-to-know basis. All access is logged.
- Staff training: All team members who handle personal data receive data protection training as part of their onboarding and on an ongoing basis.
- Regular security reviews: We periodically review and test our data security arrangements and update them in response to new threats or regulatory guidance.
- Vendor security: Third-party data processors are assessed for security compliance before we engage them, and their obligations are enshrined in data processing agreements.
While we take every reasonable precaution, no system is entirely risk-free. If you suspect any unauthorised access to your personal data, please notify us immediately at info@carismaslimming.com.
Section 11
Your Rights Under GDPR
As a data subject, you have the following rights under the GDPR. You can exercise any of these rights at any time by contacting us at info@carismaslimming.com. We will respond within 30 calendar days.
- Right of Access (Art. 15): You have the right to obtain confirmation of whether we hold personal data about you and to receive a copy of that data, along with information about how it is processed.
- Right to Rectification (Art. 16): You have the right to request correction of inaccurate or incomplete personal data we hold about you.
- Right to Erasure (Art. 17): In certain circumstances — such as when data is no longer necessary, consent is withdrawn, or data has been unlawfully processed — you may request that we delete your personal data.
- Right to Restrict Processing (Art. 18): You may request that we limit how we use your data in certain circumstances (e.g. while a dispute about accuracy is being resolved).
- Right to Data Portability (Art. 20): Where processing is based on consent or contract, you have the right to receive your personal data in a structured, machine-readable format and to transmit it to another controller.
- Right to Object (Art. 21): You have the right to object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we can demonstrate compelling legitimate grounds.
- Right to Withdraw Consent (Art. 7): Where processing is based on your consent, you may withdraw that consent at any time without affecting the lawfulness of prior processing.
Please note that some rights are subject to exemptions — for example, we may be required to retain certain clinical records under Maltese medical law even if you request erasure. We will always explain the applicable exemption clearly.
If you are not satisfied with our response, you have the right to lodge a complaint with the Office of the Information and Data Protection Commissioner (IDPC) — see Section 16.
Section 12
Marketing Communications
We only send marketing communications — including newsletters, promotions, and health tips — to people who have explicitly opted in to receive them. We never add you to marketing lists without your active consent.
You can unsubscribe from all marketing communications at any time by:
- Clicking the "Unsubscribe" link at the bottom of any marketing email
- Replying to any SMS with "STOP"
- Emailing us at info@carismaslimming.com with "Unsubscribe" in the subject line
Unsubscribe requests are processed within 5 business days. Please note that even after opting out of marketing, we may still send you essential service communications (e.g. appointment reminders, clinical safety notices) as these are necessary to deliver your treatment and are not marketing.
We do not share your contact details with any third-party marketing partners without your separate, explicit consent.
Section 13
Children's Data
Our clinical services are primarily designed for adults aged 18 and over. We do not knowingly collect personal data from individuals under the age of 16 without verifiable parental or guardian consent.
Where we agree to provide services to a patient under the age of 18, the following requirements apply:
- Written consent from a parent or legal guardian is required before treatment commences
- The parent or guardian must be present during the initial consultation and consent process
- Age-specific risk disclosures will be provided where a medication is used outside its approved paediatric indications
- We reserve the right to decline treatment of a minor where it is not clinically appropriate
If you believe we have inadvertently collected personal data about a child under 16 without appropriate consent, please contact us immediately at info@carismaslimming.com and we will promptly delete such data.
Section 14
Data Breach
In the event of a personal data breach — an incident involving the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, your personal data — we will take immediate steps to contain and investigate the incident.
Our breach response obligations under GDPR are as follows:
- Supervisory authority notification: Where a breach is likely to result in a risk to individuals' rights and freedoms, we will notify the Office of the Information and Data Protection Commissioner (IDPC) within 72 hours of becoming aware of the breach.
- Individual notification: Where a breach is likely to result in a high risk to your rights and freedoms (e.g. risk of identity theft, discrimination, or physical harm), we will notify you directly without undue delay, explaining the nature of the breach, likely consequences, and the steps we have taken or propose to take.
- Remediation: We will take prompt steps to mitigate the effects of the breach, review the root cause, and implement measures to prevent recurrence.
We maintain an internal breach register as required by GDPR Article 33(5).
Section 15
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, services, or legal requirements.
- The most current version of this policy is always available at carismaslimming.com/privacy-policy
- For material changes — those that significantly affect how we process your data or your rights — we will notify active patients and marketing subscribers by email at least 14 days before the changes take effect
- The "Last Updated" date at the top of this policy reflects when it was last revised
- Your continued use of our services after a policy update constitutes acceptance of the revised terms
If you have any questions about a change we have made, please contact us at info@carismaslimming.com.
Section 16
Contact & Complaints
If you have any questions about this Privacy Policy, want to exercise your GDPR rights, or wish to raise a concern about how we handle your personal data, please contact us:
Data Protection Contact
Carisma Aesthetics Ltd.
35/16B Hever Court, Triq Moletta,
Swieqi, SWQ 3532, Malta
We take all privacy concerns seriously and aim to resolve queries promptly and fairly. If you are not satisfied with our response, you have the right to lodge a complaint directly with the IDPC at any time.
Data Subject Rights
Exercise Your Rights
To access, correct, or delete your personal data — or for any data protection query — email us and we will respond within 30 days.
info@carismaslimming.comOr lodge a complaint with the IDPC at idpc.org.mt