Legal Information

Key policies, contracts, and compliance details for AesthetIQ Insight.

Last updated: 6 November 2025

Data Processing Addendum

This Data Processing Addendum (the “DPA”) forms part of the agreement between AesthetIQ Insight Ltd (“Processor”) and the customer (“Controller”) for the provision of the AesthetIQ Insight service. It ensures compliance with Article 28 UK GDPR and the Data Protection Act 2018 for any personal data the customer uploads to the service.

1. Definitions

Terms used but not defined in this DPA have the meaning given in the main Terms of Service. References to UK GDPR include the Data Protection Act 2018 and any successor legislation.

2. Subject matter and duration

The Processor processes Controller Data only to deliver the AesthetIQ Insight products and related support. Processing begins when the Controller uploads or creates data within the Service and ends when the data is deleted in accordance with the Controller’s instructions or the agreement’s termination clauses.

3. Nature and purpose of processing

  • Storage, structuring, and presentation of appointments, customers, services, and related data.
  • Analytics and reporting features chosen by the Controller.
  • Customer communications initiated by the Controller (e.g., booking confirmations).
  • Backups, troubleshooting, and security monitoring necessary to provide the Service.

4. Types of personal data and data subjects

  • Personal data submitted by the Controller, typically covering the Controller’s clients, staff, or service providers (names, contact details, appointment history, preferences).
  • The Controller determines all categories of data uploaded and ensures it is collected lawfully.

5. Controller instructions

The Processor processes Controller Data solely on documented instructions from the Controller, including those provided through the Service interface. If an instruction infringes UK law, the Processor will inform the Controller unless legal restrictions apply.

6. Confidentiality

The Processor ensures that each person authorised to process Controller Data is subject to a duty of confidentiality and processes the data only in accordance with this DPA.

7. Security

The Processor implements the technical and organisational measures described in the Security & Responsible Disclosure policy and continually reviews/updates those measures. These include encryption in transit, access controls, regular patching, logging, and backups.

8. Subprocessors

The Controller authorises the Processor to engage subprocessors listed in the Service documentation (see the current list at /legal/subprocessors). The Processor remains responsible for each subprocessor and ensures written agreements impose data protection obligations equivalent to this DPA. The Processor will notify the Controller of intended changes, allowing the Controller to object on reasonable grounds.

9. International transfers

The Processor ensures any transfers of Controller Data outside the UK/EEA are subject to valid safeguards (such as the UK Addendum to EU Standard Contractual Clauses). Details are available on request.

10. Assistance to the Controller

Taking into account the nature of processing, the Processor assists the Controller, insofar as possible, with fulfilling obligations to respond to data subject requests and to ensure compliance with Articles 32 to 36 UK GDPR (security of processing, breach notification, DPIAs).

11. Data breach notification

After becoming aware of a personal data breach affecting Controller Data, the Processor notifies the Controller without undue delay, providing sufficient information to meet the Controller’s obligations (including reporting to the ICO or data subjects, where required).

12. Deletion or return of data

Upon termination of the agreement, the Controller may export Controller Data via the Service. The Processor will delete or anonymise remaining copies within 30 days unless UK law requires retention.

13. Audits

The Processor makes available information necessary to demonstrate compliance with this DPA and allows for audits by the Controller or an independent auditor on reasonable notice, subject to appropriate confidentiality commitments and carried out without unreasonable disruption.

14. Contact

Questions about this DPA or requests for executed copies can be sent to AesthetIQInsight@gmail.com.

15. Parties

For the Processor:
AesthetIQ Insight Ltd
26 Midland Road, St. Philips, Bristol, England, BS2 0JY
Company number: 16769981
ICO registration: Z0000000

For the Controller: details provided within the signed order form or online subscription.

© 2025 AesthetIQ Insight. All rights reserved.