Privacy Policy
Last updated: 14 March, 2026
Little Black Book respects your privacy and is committed to protecting your personal data. This privacy policy explains how we collect, use, store and protect your personal data when you use our website and platform, and describes your privacy rights under the law.
1. Important information and who we are
1.1 Purpose of this privacy policy
This privacy policy describes how Little Black Book collects and processes your personal data when you use our website at mylittleblackbook.app, create an account as a customer, practitioner or prescriber, make bookings, or use our platform in any way.
Our website is not intended for children. We do not knowingly collect data relating to anyone under 18.
Please read this privacy policy together with our Terms & Conditions and End-user License Agreement . This policy supplements those documents and does not override them.
1.2 Controller
Little Black Book App Ltd (SC655855) is the controller and responsible for your personal data (referred to as "Little Black Book", "we", "us" or "our").
1.3 Contact details
If you have questions about this privacy policy or wish to exercise your legal rights:
- Legal entity: Little Black Book App Ltd – SC655855
- Email: info@mylittleblackbook.app
- Website: https://mylittleblackbook.app
You have the right to complain to the Information Commissioner’s Office (ICO) at ico.org.uk. We would appreciate the chance to address your concerns first, so please contact us before approaching the ICO.
1.4 Changes and your duty to inform us
We keep this privacy policy under review. It is important that the personal data we hold is accurate. Please inform us if your personal data changes during your relationship with us.
1.5 Third-party links
Our website may include links to third-party websites (e.g. practitioner sites, Instagram, Stripe). We do not control those sites and are not responsible for their privacy practices. We encourage you to read the privacy policy of any site you visit.
2. The data we collect about you
Personal data means any information that can identify you. It does not include anonymised data. We may collect, use, store and transfer the following categories of personal data:
- Identity Data: First name, last name, username, title, date of birth, gender.
- Contact Data: Email address, telephone number, billing address, delivery address.
- Financial Data: Bank account and payment card details – these are processed by Stripe. We do not store full card numbers.
- Transaction Data: Details of payments, bookings, services purchased, Stripe references.
- Technical Data: IP address, login data, browser type, time zone, device type, operating system.
- Profile Data: Username, password (hashed), bookings, favourites, reviews, preferences, feedback. For practitioners: business details, services, photos, location, specialisations.
- Usage Data: How you use our website: pages visited, searches, booking flows, clicks.
- Marketing and Communications Data: Preferences for marketing, consent for email/SMS reminders, opt-in choices.
We may also collect aggregated or anonymised data (e.g. statistics). If we combine such data with personal data so that you can be identified, we treat it as personal data.
Special category data: Practitioners may collect health-related information (e.g. medical conditions, skin conditions) via intake forms before treatments. You consent to this when completing the form. We and our practitioners process such data only as necessary for the service.
If you fail to provide data: Where we need data by law or under our contract with you and you do not provide it, we may not be able to provide the service (e.g. complete a booking). We will tell you if this is the case.
3. How we collect your personal data
We collect data through:
3.1 Direct interactions
You give us Identity, Contact, Profile and Marketing data when you:
- Create an account (customer, practitioner or prescriber)
- Make a booking or subscribe to Prescribes
- Complete intake forms before appointments
- Request marketing, leave a review, or contact us
3.2 Automated technologies
As you use our website we automatically collect Technical and Usage data via cookies, server logs and similar technologies.
3.3 Third parties
We receive: Technical data from analytics providers; Contact, Financial and Transaction data from Stripe (our payment provider); Identity and Contact data from practitioners (when they add client details for bookings).
4. How we use your personal data
We only use your personal data when the law allows. Most commonly:
- To perform our contract with you (e.g. process bookings, manage accounts)
- Where necessary for our legitimate interests (e.g. improve the platform, prevent fraud) and your rights do not override those interests
- To comply with a legal obligation
- Where you have given consent (e.g. marketing). You may withdraw consent at any time.
| Purpose | Data types | Lawful basis |
|---|---|---|
| Register you as a customer, practitioner or prescriber | Identity, Contact | Performance of contract |
| Process and deliver bookings; manage payments (Stripe); recover money owed | Identity, Contact, Financial, Transaction, Marketing | Performance of contract; Legitimate interests (debt recovery) |
| Manage our relationship: notify changes to terms or privacy; ask for reviews | Identity, Contact, Profile, Marketing | Performance of contract; Legal obligation; Legitimate interests (records, improve services) |
| Send appointment reminders (email/SMS) | Identity, Contact | Performance of contract; Consent (where applicable) |
| Administer and protect our business and website; troubleshoot; host data | Identity, Contact, Technical | Legitimate interests (running business, IT, security, fraud prevention); Legal obligation |
| Use analytics to improve website, services and user experience | Technical, Usage | Legitimate interests (improve platform, grow business) |
| Make recommendations (e.g. practitioners, services) and send marketing | Identity, Contact, Technical, Usage, Profile, Marketing | Legitimate interests (develop services); Consent (marketing) |
| Process special category data (health info) from intake forms | Special category (health) | Explicit consent |
4.1 Marketing
We may use your Identity, Contact, Technical, Usage and Profile data to decide what may interest you. You will receive marketing from us if you have an account and have not opted out. We will get your express consent before sharing your data with third parties for their marketing.
You can opt out at any time via your account settings, by following opt-out links in messages, or by contacting us.
4.2 Cookies
You can set your browser to refuse cookies. Some parts of the site may not work properly if you do.
4.3 Change of purpose
We will only use your data for the purposes we collected it, unless we reasonably need it for another compatible purpose. If we need to use it for an unrelated purpose, we will notify you and explain the legal basis.
5. Disclosures of your personal data
We may share your personal data with:
- Practitioners – so they can fulfil bookings and manage clients
- Stripe – for payment processing
- Hosting, IT and analytics providers – to run our platform
- Professional advisers (lawyers, accountants) – when required
- HM Revenue & Customs, regulators, authorities – when legally required
- Third parties to whom we sell, transfer or merge parts of our business – the new owners may use your data as set out in this policy
We require third parties to respect the security of your data and process it only for specified purposes. We do not sell your personal data.
6. International transfers
Some of our service providers are based outside the UK. When we transfer your data outside the UK we ensure a similar degree of protection by using:
- Countries deemed to provide adequate protection
- Standard contractual clauses or other approved transfer mechanisms
Contact us if you want details of the safeguards we use.
7. Data security
We have appropriate security measures to prevent your data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. We limit access to those with a business need. They process your data only on our instructions and are subject to confidentiality.
We have procedures to deal with suspected data breaches and will notify you and regulators where legally required.
8. Data retention
We retain your data only for as long as reasonably necessary to fulfil the purposes we collected it for, including legal, regulatory, tax or accounting requirements. We may retain it longer if there is a complaint or prospect of litigation.
By law we must keep basic information about customers and vendors (Contact, Identity, Financial, Transaction) for six years after they cease being customers for tax purposes.
In some cases we anonymise your data for research or statistics, in which case we may use it indefinitely.
9. Your legal rights
Under data protection law you have the right to:
- Request access – Receive a copy of your personal data (data subject access request)
- Request correction – Have inaccurate data corrected
- Request erasure – Ask us to delete your data where there is no good reason to continue processing
- Object to processing – Where we rely on legitimate interests or process for direct marketing
- Request restriction – Ask us to suspend processing in certain scenarios
- Request transfer – Receive your data in a structured, machine-readable format
- Withdraw consent – At any time where we rely on consent. This does not affect the lawfulness of processing before withdrawal.
To exercise any of these rights, contact us at info@mylittleblackbook.app.
You will not usually pay a fee. We may charge a reasonable fee if your request is unfounded, repetitive or excessive. We may need to verify your identity before responding.
We aim to respond within one month. We will let you know if we need longer.
10. Glossary
Lawful basis
- Legitimate Interest: Our interest in running our business and giving you the best service. We balance our interests against any impact on you. Contact us for details.
- Performance of Contract: Processing necessary to perform our contract with you or to take steps before entering into it.
- Legal Obligation: Processing necessary to comply with a legal obligation we are subject to.
- Consent: You have given clear consent for us to process your data for a specific purpose.
Your legal rights (summary)
See section 9 above for full descriptions of your rights under UK data protection law.
