Privacy Policy

Overview and Scope

Last updated: 5th January 2026

The Ink Removal Lab is committed to protecting the privacy of clients, staff and other individuals whose personal and health information we collect in connection with our tattoo removal services. This Policy describes how we collect, hold, use, disclose and protect personal and health information, and the rights individuals have under New South Wales and Commonwealth law.

This Policy is intended to ensure compliance with:

  • The Health Records and Information Privacy Act 2002 (NSW) (HRIP Act) and the NSW Health Privacy Principles (HPPs) for health information;

  • The Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) where those laws apply to our operations;

  • NSW guidance on retention and storage of health information and privacy manuals issued by NSW agencies; and

  • NSW radiation and device regulation and guidance applicable to laser / energy-based cosmetic procedures (including the Protection from Harmful Radiation Regulation 2025 and SafeWork NSW guidance).

If any conflict arises between this Policy and a statutory requirement, the statutory requirement will prevail.

The kinds of information we collect

We collect information necessary to deliver safe, lawful and effective tattoo removal services, including:

Identity & contact details

  • Full name, date of birth, residential address, email, phone numbers, emergency contact.

Health and medical information (sensitive)

  • Medical history, medications, allergies, skin type, treatment assessments, consent forms, pre- and post-treatment notes, clinical photos to assess area(s) for treatment.

Treatment & appointment records

  • Dates of services, procedures performed, practitioner notes, complications, follow-ups.

Payment & billing

  • Billing name and address, third-party payment processor tokens (we do not store full card numbers), invoices and receipts.

Technical and website data

  • IP addresses, website cookies and analytics when you interact with our website (see our Cookies section).

Why we collect this information and legal bases

We collect and use personal and health information for purposes including:

  • assessing suitability and risk for laser tattoo removal and providing medical/clinical care;

  • booking, billing and managing appointments;

  • complying with regulatory, public-health and reporting obligations (including device/radiation safety rules);

  • responding to enquiries, complaints and legal requests;

  • training, quality improvement, and safety monitoring; and

  • marketing communications where you have given valid consent.

Under the HRIP Act and the Privacy Act we rely on a combination of legal bases: consent, contractual necessity (to provide services), compliance with legal obligations, and legitimate interests (for clinic operations and safety). For health information, the HRIP Act’s Health Privacy Principles set special rules for how health information may be used and disclosed.

How we collect information

We collect information:

  • directly from you (forms, intake interviews, phone, email, website booking forms);

  • during consultations and treatments (clinical assessment, photos);

  • from third parties where necessary and lawful (referring practitioners, specialists, allied health providers, insurers); and

  • automatically where you use our website (cookies and analytics).

We do not routinely collect health information from third parties without your consent unless otherwise authorised or required by law.

Use and disclosure

We do not sell personal information.

We may disclose personal or health information to:

  • our clinical staff and contracted practitioners to provide care;

  • trusted service providers who perform functions for us (payment processors, appointment-booking platforms, hosted clinical record systems, IT/cloud providers and secure backup providers); these parties are contractually required to keep data secure and use it only for the services they supply;

  • other health professionals where necessary for continuity of care (with consent except in emergency circumstances);

  • regulators, police or courts when required by law; and

  • insurers, legal advisers or auditors where necessary to defend or manage legal claims.

Where we engage cloud or offshore service providers, we take steps to ensure cross-border disclosures comply with the Privacy Act and applicable NSW rules (including contractual protections and risk assessments). You will be told (on request) the countries to which information may be sent and the safeguards we use.

Photographs, Clinical Imaging and Marketing

We take clinical photographs to assess tattoos, document progress and for clinical records. Photos used for marketing, social media or public display will only be used with your explicit written consent (opt-in), and you can withdraw that consent at any time. Clinical images used for training or quality purposes will be de-identified where practicable.

Retention and Secure Disposal of Records

We retain health records in accordance with NSW rules: health service providers must retain patient health information for at least 7 years from the date of last service for adults, and for records collected when the patient was under 18 years, until the patient turns 25 years (whichever is longer). We securely destroy or anonymise records once the retention period ends. (See IPC NSW guidance for details.)

If you request earlier destruction this will be considered but may be refused where we are required by law to retain records (for example for legal, clinical or insurance reasons).

Data Security

We implement organisational, physical and technical safeguards to protect information from unauthorised access, disclosure, misuse, alteration or loss. Measures include: secure access controls, role-based permissions, encrypted backups, secure Wi-Fi, up-to-date software and patching, staff confidentiality obligations and regular security reviews.

Despite reasonable measures, no system is 100% secure — in the unlikely event of a data breach we will act in accordance with the Notifiable Data Breaches (NDB) scheme where applicable.

Data Breach Response and Notifications

If an eligible data breach occurs (one likely to cause serious harm to affected individuals), and the Privacy Act applies to our organisation, we will comply with the OAIC’s Notifiable Data Breaches scheme and notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as required. We also have internal incident response steps to contain, investigate and remediate breaches.

(If you become aware of a suspected privacy breach involving us, please notify us immediately at the contact details below.)

Your rights - Access, Correction, Complaints

You have rights to:

  • access personal and health information we hold about you (subject to limited exceptions);

  • request correction of inaccurate or incomplete information;

  • request restriction of certain processing or lodge objections (to the extent permitted by law);

  • withdraw consent to marketing communications; and

  • make a privacy complaint to us.

To exercise these rights, contact us. We will respond promptly and in any case within timeframes required by law.

Children and persons under 18

We do not provide laser treatments to persons under 18 without a parent or legal guardian’s informed, written consent. Clinical eligibility and consent requirements are followed in line with national guidance (e.g. ARPANSA guidance on lasers and light-based devices).

Special Categories and Sensitive Information

Health and medical details are sensitive personal information and are handled with additional care under the HRIP Act and APPs. We only collect and use such information where necessary for clinical treatment, consented purposes, or other lawful exceptions.

Cookies and website analytics

Our website uses cookies and analytics to operate booking features, remember preferences and measure site usage. You can manage cookie settings through your browser; disabling cookies may affect some site functions.

Staff, Contractors and Job Applicants

We collect personal information from staff and job applicants for recruitment, employment management, credential checks and statutory obligations (e.g. working with children checks where relevant). Staff handling of client data is subject to strict confidentiality and training requirements.

Regulatory Compliance and Device Safety

We operate under NSW and Commonwealth requirements for laser and radiation safety, including licensing, equipment maintenance, operation by appropriately trained persons, and any radiation management plans required under NSW regulation. Where relevant, we will collect and hold information required by those regulatory frameworks (for example incident records or device maintenance logs).

Changes to this Policy

We may update this Policy from time to time to reflect changes in law, technology and our operations. The “Last updated” date at the top will show when this Policy was last changed.
