Privacy policy

ClearDerm: Online Specialist Acne Clinic | clearderm.ie
Privacy Notice (Effective Date: 15 June 2026)
Treacy's Skin Solutions Limited (CRO No. 660157)

1. Who We Are

Treacy's Skin Solutions Limited (trading as ClearDerm, CRO No. 660157) is the data controller for the personal data you provide to ClearDerm. Registered office: 44 Oaklands, Salthill, Galway, H91 PHR9. Trading address: 7 Odeon House, Eyre Square, Galway, H91 CP5T.

We are committed to protecting your privacy and handling your data transparently. This Notice explains how we collect, use, store, and share your personal data when you use ClearDerm's services.

Questions about this Notice: tara@clearderm.ie.

2. Data We Collect

2.1 Personal Data

       Full name, date of birth, email address, phone number;

       County and country of residence;

       Named GP and GP practice details, and your nominated pharmacy details (for prescription delivery);

       Payment information processed via Stripe (ClearDerm does not store card details);

       Login credentials for the Pabau patient portal;

       IP address and device data collected via our website.

2.2 Special Category Health Data (GDPR Article 9)

The following constitutes special category data and is subject to additional safeguards:

       Medical history, current medications, allergies, surgical and hospitalisation history;

       Acne severity, duration, and previous treatments, including your responses to intake, assessment, and renewal questionnaires (such as the Tretinoin Prescription Service questionnaire) and any pregnancy or breastfeeding declarations;

       Skin type, hormonal and reproductive health information, contraception use;

       PHQ-9 mental health assessment scores;

       Blood test results (LFTs, fasting lipids, and serum beta-hCG);

       Clinical consultation notes, treatment plans, and prescription records;

       Clinical skin photographs;

       Any other clinical information disclosed during consultations or via the Pabau portal.

3. How We Use Your Data and Our Legal Bases

 

| Purpose | Lawful Basis (Art 6 GDPR) | Art 9 Basis (Health Data) |
| --- | --- | --- |
| Providing medical consultations, asynchronous prescribing assessments (including the Tretinoin Prescription Service), treatment, and prescriptions | Performance of contract (Art 6(1)(b)) | Explicit consent (Art 9(2)(a)) and health care provision (Art 9(2)(h)) |
| Booking management, scheduling, and communications | Performance of contract (Art 6(1)(b)) | N/A |
| Processing payments via Stripe | Performance of contract (Art 6(1)(b)) | N/A |
| Sending GP information letters | Legitimate interests (Art 6(1)(f)) / Legal obligation (Art 6(1)(c)) | Health care provision (Art 9(2)(h)) |
| Maintaining clinical records as required by law | Legal obligation (Art 6(1)(c)) | Health care provision (Art 9(2)(h)) |
| Sending marketing communications | Consent (Art 6(1)(a)) | N/A |
| Fraud prevention and legal compliance | Legitimate interests (Art 6(1)(f)) | N/A |
| Using patient photographs for marketing | Consent (Art 6(1)(a)) | Explicit consent (Art 9(2)(a)) |

4. Our Data Processors

We use the following third-party processors, each engaged under a Data Processing Agreement (DPA) or equivalent contractual safeguard:

| Processor | Purpose | Location / Safeguard |
| --- | --- | --- |
| Pabau (Hambrand Technology Ltd) | Patient portal, scheduling, records, video consultations | UK (EU Adequacy Decision) / Sub-processors: AWS, DigitalOcean - see Section 5 |
| Stripe | Payment processing | USA (EU-US Data Privacy Framework / SCCs) |
| Healthmail | Secure clinical messaging and e-prescriptions | Republic of Ireland |
| Microsoft 365 | Email and document management | EEA |
| Shopify | Website hosting and online booking journey | International transfers under SCCs (Shopify DPA) |
| Eurofins Biomnis | Laboratory blood testing and results (via secure CDxConnect portal) | Republic of Ireland |
| Mailchimp (Intuit Inc.) | Marketing email communications | USA (EU-US Data Privacy Framework / SCCs); non-clinical marketing data only |

5. International Data Transfers

5.1 Pabau (Hambrand Technology Ltd) is incorporated in the United Kingdom. The UK currently benefits from a European Commission adequacy decision. Transfers to Pabau are therefore treated as equivalent to EEA transfers.

5.2 Pabau's approved sub-processors include Amazon Web Services (AWS) and DigitalOcean. Pabau states that appropriate safeguards including Standard Contractual Clauses (SCCs) are in place for all international transfers. For ClearDerm patient data, hosting on AWS is restricted to the London (eu-west-2) region and hosting on DigitalOcean is likewise restricted to London data centres, so patient data does not leave the UK/EEA in the ordinary course of the service. For details of specific regional configurations, contact tara@clearderm.ie. (Pabau Data Processing Agreement, Clause 7.1)

5.3 Stripe may process payment data outside the EEA. Stripe participates in the EU-US Data Privacy Framework and uses SCCs where applicable. Mailchimp (Intuit Inc.), our marketing email platform, processes marketing list data (name, email address, and consent records only - never clinical data) in the United States under the EU-US Data Privacy Framework. Shopify, our website platform, may transfer website data internationally under Standard Contractual Clauses contained in its Data Processing Agreement.

5.4 Where we transfer your data outside the EEA, appropriate safeguards are in place in accordance with GDPR Chapter V. You may obtain a copy of the relevant safeguards by contacting tara@clearderm.ie.

6. How Long We Keep Your Data

| Data Type | Retention Period |
| --- | --- |
| Clinical records (consultation notes, prescriptions, blood results) | Minimum 8 years from last patient contact (Irish Medical Council guidance) |
| Financial records | 6 years (Irish Revenue requirement) |
| Marketing consent records | Until consent is withdrawn, then 1 year |
| Photography consent records | Life of marketing use + 3 years |
| Website analytics data (Google Analytics 4) | 14 months |

7. Your Rights

Under GDPR, you have the following rights regarding your personal data:

       Right of Access: Request a copy of the data we hold about you.

       Right to Rectification: Request correction of inaccurate or incomplete data.

       Right to Erasure: Request deletion in certain circumstances. Note that we are legally required to retain certain clinical and financial records and cannot delete them on request.

       Right to Restriction: Request that we restrict processing in certain circumstances.

       Right to Data Portability: Receive your data in a structured, commonly used format where processing is based on consent or contract and carried out by automated means.

       Right to Object: Object to processing based on legitimate interests or for direct marketing.

       Right to Withdraw Consent: Withdraw consent at any time. Withdrawal of clinical consent will be treated as a request to cease treatment.

To exercise any right, contact tara@clearderm.ie. We will respond within one month.

8. Consultation AI Summarisation

ClearDerm uses Pabau’s integrated clinical management platform, which includes an optional AI-assisted consultation summarisation feature (Pabau Scribe). ClearDerm does not currently use this feature: consultations are not recorded or transcribed by AI. If ClearDerm activates this feature in the future, consultation audio would be processed by Pabau’s sub-processor AssemblyAI in the United States under the UK Addendum to the EU Standard Contractual Clauses, retained no longer than needed to complete transcription, and never used for AI model training. This Notice will be updated, and your explicit consent sought, before the feature is used in your care.

9. Marketing Communications

9.1 If you have given marketing consent, we will send you a monthly newsletter and welcome email sequence via Mailchimp. You can unsubscribe at any time via the unsubscribe link in any marketing email or by contacting hello@clearderm.ie.

9.2 Withdrawal of marketing consent does not affect clinical communications (appointment confirmations, treatment plans, blood test instructions).

10. Cookies

ClearDerm uses cookies on clearderm.ie. For full details see our Cookie Policy at clearderm.ie/cookie-policy.

11. Changes to This Notice

We may update this Notice from time to time. Material changes will be notified by email. The effective date at the top shows when this Notice was last updated.

12. Contact and Complaints

Contact: tara@clearderm.ie

Complaints may be submitted to the Irish Data Protection Commission (DPC): www.dataprotection.ie | Lo Call: 0761 104 800.

We would appreciate the opportunity to address your concerns before you contact the DPC. Please email tara@clearderm.ie in the first instance.