An AI receptionist can be fully ASA and UK GDPR compliant for an aesthetic clinic when it is built correctly. It must never promote prescription-only treatment medicines to the public, must handle patient enquiries as special-category health data with a data processing agreement and UK-hosted storage, must identify itself as an AI, and must only send reactivation messages to consented contacts under PECR. A done-for-you build bakes these in; a generic voice bot usually does not.
Aesthetics is one of the most tightly advertised sectors in the UK, and it is getting tighter with cosmetic-procedure licensing rolling out across England in 2026. So before you put any AI in front of clients, it has to be built for the rules. Here is what compliance actually requires.
ASA and MHRA: the prescription-only medicine rule
Botulinum toxin is a prescription-only medicine, and it is against UK advertising rules to promote a prescription-only medicine to the public - the ASA now treats even indirect references as breaches, and serious cases can be referred to the MHRA. A compliant AI therefore never names or promotes the medicine and never quotes treatment-medicine prices to callers. It books a consultation and gives balanced information only. This protects the clinic, which is legally responsible for how it advertises.
UK GDPR: patient data done properly
An enquiry about a treatment is special-category health data, which carries a higher bar. A compliant AI receptionist runs a verbal consent notice at the start of each call, stores recordings and transcripts in UK data centres under encryption, operates under a data processing agreement with the clinic as controller, and supports configurable retention and right-to-erasure. The ICO's 2026 guidance also treats AI analysis of call recordings as a separate processing activity that must be disclosed, so the privacy notice needs to cover it.
Working on something like this? Let’s talk it through.
Transparency: it must say it is an AI
UK transparency expectations, and the EU AI Act where an EU resident is involved, mean the AI should identify itself as an automated assistant at the start of the interaction. Done well, this builds trust rather than undermining it.
PECR: reactivation consent
Rebooking lapsed clients is powerful, but marketing messages may go only to people who consented to be contacted. A compliant reactivation segments the list and messages consented contacts only.
Why a done-for-you build matters here
Most of these controls are not on by default in a generic voice platform - they are things a clinic would have to configure and document itself. A done-for-you service such as Softomate's AI receptionist for aesthetic clinics ships ASA-safe scripting, a data processing agreement, UK-hosted storage, AI disclosure and PECR-safe reactivation as standard, so the clinic is safer than its current setup rather than exposed by it. For the underlying rules on recording, see our guide to GDPR and PECR for AI call recording.
Frequently asked questions
Can an AI receptionist mention Botox at all?
It should not promote it. There are narrow circumstances where a medicine may be referenced in limited contexts, but on public-facing calls and messages the safe approach is to book a consultation and avoid promoting the medicine or its price entirely.
Who is responsible if the AI breaches ASA rules?
The clinic is responsible for its advertising, which is exactly why the scripting must be built ASA-safe from the start rather than left to a generic bot.
Is patient call data safe with an AI receptionist?
It is when the provider uses UK-hosted storage, encryption, a data processing agreement and clear retention - all of which should be confirmed before go-live.
Want an AI front desk that is compliant by design? Book a free missed-revenue audit.
We protect the real names of all clients featured in examples and case studies. Every testimonial is from a real client.