

Privacy Policy

Introduction

This Privacy Policy explains how Hambrand Technology Limited, trading as Pabau, collects, uses, stores, and protects personal information when you visit our website, use our clinic management software, or otherwise engage with us.

We are committed to complying with applicable data protection laws, including the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (GDPR) where applicable, and relevant United States privacy laws, including the California Consumer Privacy Act (CCPA). This Privacy Policy applies to customers and users in the United Kingdom, the European Union, and the United States.

Personal Information We Collect

We collect personal information when you:

  • Visit our website or use our software
  • Communicate with us by email, phone, or other channels
  • Create, manage, or administer an account

The categories of personal information we may collect include:

  • Contact details such as name, address, email address, and phone number
  • Account, billing, and payment information
  • Technical information such as IP address, browser type, device information, and cookies
  • Communications, support requests, and correspondence
Where we act as a data processor, patient data is processed strictly in accordance with the instructions of our clinic customers.

SMS and Text Messaging

When a mobile phone number is provided, SMS messages may be sent in connection with service operation, including appointment confirmations, reminders, and system notifications.

  • Mobile numbers are not sold, rented, or shared for marketing purposes
  • SMS opt-in data and consent records are not shared with third parties
  • SMS communications are limited to service-related purposes
You may opt out of SMS messages at any time by replying STOP. A final confirmation message may be sent. Standard message and data rates may apply. For questions regarding SMS communications, contact [email protected].

How We Use Personal Information

Personal information is used to:

  • Provide, operate, and maintain our services
  • Manage user accounts and authentication
  • Process billing and payments
  • Communicate regarding service functionality and support
  • Improve system performance, security, and reliability
  • Meet legal and regulatory obligations
  • Protect our legal rights and interests
Marketing communications are sent only where permitted by law. Opt-out options are provided in all marketing messages.

Legal Bases for Processing

For individuals in the UK and EU, we rely on the following legal bases:

  • Performance of a contract
  • Consent, where required
  • Legitimate interests, including service improvement and security
  • Compliance with legal obligations
For individuals in the United States, personal data is processed in accordance with applicable federal and state privacy laws, including the CCPA where applicable.

Information Sharing and Disclosure

We do not sell personal information. Personal information may be shared only where necessary:

  • With service providers and subprocessors supporting hosting, communications, infrastructure, and payments
  • To comply with legal obligations or lawful requests
  • In connection with corporate transactions, subject to applicable safeguards
  • To protect our rights, users, or others
All third parties are required to process personal data only in accordance with our instructions and applicable data protection laws.

Data Hosting and Data Residency

UK Customers
For customers based in the United Kingdom:

  • Personal data and patient data are stored and processed exclusively within the UK
  • Databases, uploaded files, and backups are hosted in UK-based data centres (London)
  • Data is not transferred, stored, or processed outside the UK

Non-UK Customers
For customers outside the UK, data is hosted in appropriate regional data centres in accordance with operational and regulatory requirements.

Subprocessors

We use the following subprocessors to provide our services:

  • DigitalOcean and Amazon Web Services (AWS): Used for application hosting, infrastructure services, and file storage. For UK customers, services are regionally restricted to London.
  • SendGrid: Used for transactional and operational email delivery.
  • Twilio: Used for SMS messaging related to service operation.

All subprocessors are subject to data processing agreements and appropriate confidentiality and security obligations.

International Data Transfers

For UK customers, personal data and patient data are not transferred outside the United Kingdom. For customers outside the UK, where personal data is transferred outside the UK or European Economic Area, appropriate safeguards are implemented, including Standard Contractual Clauses or equivalent mechanisms.

Your Rights

Depending on your location, you may have the right to:

  • Access personal data
  • Correct inaccurate data
  • Request deletion of data
  • Restrict or object to processing
  • Request data portability
  • Withdraw consent where applicable
  • Opt out of the sale of personal information, where applicable under US law
Requests may be made by contacting [email protected].

Cookies and Tracking Technologies

We use cookies and similar technologies to operate and improve our website and services. Further details are available in our Cookie Policy.

Security

We implement appropriate technical and organisational measures to protect personal data, including encryption, access controls, and regular security reviews. While no system can be guaranteed fully secure, we take reasonable steps to protect personal information.

Data Retention

Personal data is retained only for as long as necessary to fulfil the purposes for which it was collected or to meet legal requirements. Data is securely deleted or anonymised when no longer required.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Any changes will be published on our website and take effect from the date of posting.

Contact Us

For questions or concerns regarding this Privacy Policy or our data practices, contact:
Hambrand Technology Limited
27 St Cuthbert’s
Bedford, MK40
United Kingdom
Email: [email protected]
For US enquiries, please contact us via the same email address.

Last updated: 18 December 2025