Legal Information

1. Who we are

AesthetIQ Insight Ltd (company number 16769981) is the data controller for personal data processed in connection with AesthetIQ Insight. Our registered office is 26 Midland Road, St. Philips, Bristol, England, BS2 0JY. You can contact us at AesthetIQInsight@gmail.com. We are registered with the UK Information Commissioner’s Office (ICO) under number Z0000000.

2. Our role for different data

• For data about website visitors, trial users, subscribers, billing, support, and marketing,AesthetIQ Insight Ltd acts as a controller.
• For customer-uploaded business data (for example, your clients’ details, appointments, and services) that we host and process on your instructions, we act as a processor. Our Data Processing Addendum (Article 28 UK GDPR) forms part of our contract with you. See: Data Processing Addendum.

3. Personal data we collect

We collect and process the following categories of data:

• Account data: name, email address, password hash, profile metadata.
• Subscription data: billing address, plan selection, payment status, transaction references (processed securely by our payment partners).
• Customer business data: client records, appointments, product catalogues, and other operational data uploaded to the Service.
• Usage data: IP address, device/browser information, session logs, and actions within the dashboard for analytics and security.
• Support data: messages or attachments sent to our support channels.

4. Purposes and lawful bases

We rely on the following lawful bases. Where we mention legitimate interests, you can object at any time (see “Your rights”).

• Account creation & billing – Contractual necessity: to register your account, provide the Service, manage subscriptions, and issue invoices. We also retain some records to meet legal obligations (tax and accounting).
• Service delivery & security – Legitimate interests: to operate, secure, and improve a reliable SaaS platform, prevent abuse and fraud, and troubleshoot issues. You can object to processing based on legitimate interests by contacting us (see “Your rights”).
• Product analytics (only after cookie consent) – Legitimate interests: to understand feature usage and improve performance. You may withdraw analytics consent at any time via the cookie settings link in the banner or Settings → Legal & Compliance.
• Direct marketing to existing users – Legitimate interests / PECR soft opt-in: to tell you about features similar to those you already use. Opt out using the unsubscribe link in any email or by contacting us.
• Optional marketing at sign-up – Consent: when you tick a marketing checkbox or otherwise opt in. You can withdraw consent at any time via the unsubscribe link or by contacting us.
• Non-essential cookies (e.g. analytics, marketing pixels) – Consent: collected only after you accept in the cookie banner or settings. Withdraw consent via cookie settings.
• Responding to legal requests – Legal obligation: to comply with court orders, regulators, or applicable law.

5. Retention

We retain personal data only as long as necessary for the purposes described. We weigh factors such as contractual necessity, legal limitation periods, and statutory record-keeping. Where possible, we anonymise data for analytics and service improvement. In general:

• Account data is retained while your subscription is active and for up to 24 months after cancellation for record keeping and to help you reactivate.
• Payment records are kept for at least six years in line with HMRC requirements.
• Operational data you upload can be deleted by you at any time. We may retain backups for up to 30 days before permanent deletion.

6. Vendors and international transfers

We use vetted service providers to run the platform. Key processors include:

• Stripe (payments & billing) – primary processing in the EEA/USA; safeguards include the UK Addendum to the EU Standard Contractual Clauses (SCCs) and Stripe’s technical measures.
• Supabase (database/auth) – regional hosting as configured (UK/EU by default); SCCs or equivalent safeguards where relevant.
• Vercel (hosting/CDN/analytics) – global edge network; SCCs and security measures where relevant.
• Mailjet / Sinch (email delivery) – EU & US infrastructure; SCCs and Sinch security measures.

We keep an up-to-date list of subprocessors and regions at /legal/subprocessors. Where data leaves the UK/EEA, we rely on approved transfer mechanisms (such as the UK Addendum to the EU SCCs) and apply appropriate technical and organisational measures.

We may also disclose data to comply with legal obligations, enforce our agreements, or protect the rights, property, or safety of us, our customers, or others. We do not sell personal data.

7. International transfers

We store data in the UK and European Economic Area where possible. If we transfer personal data outside the UK/EEA, we ensure appropriate safeguards (such as UK data transfer addenda or Standard Contractual Clauses) are in place.

8. Your rights

Under UK GDPR, you have the right to:

• Access the personal data we hold about you.
• Correct inaccurate or incomplete data.
• Request deletion of your data (“right to be forgotten”).
• Restrict or object to certain processing.
• Receive a copy of your data in a portable format.
• Withdraw consent at any time where processing is based on consent.

To exercise your rights (access, rectification, erasure, restriction, portability, objection), email AesthetIQInsight@gmail.com with “Privacy request” in the subject. We respond within one month. If you are unhappy with our response you may complain to the ICO (details below).

Children

The Service is not intended for children under 16 and we do not knowingly collect their data. If you believe a child has provided us with personal data, contact us and we will delete it promptly.

Automated decision-making

We do not make decisions that produce legal or similarly significant effects solely by automated means.

9. Cookies and similar technologies

We use cookies and similar tracking technologies to provide the Service, remember preferences, and analyse usage. We only set non-essential cookies (for example, analytics) after you consent in the banner. You can change your choice any time via the cookie settings link in the banner or Settings → Legal & Compliance. We keep an audit trail of cookie consent decisions. For the latest cookie list (name, purpose, duration, essential vs. non-essential) see our Cookie Policy.

10. Marketing communications

We may send product or marketing emails when you opt in or where we have a lawful legitimate interest. You can opt out at any time by clicking the unsubscribe link in the message or contacting us at the address above.

We only send marketing (a) with your consent, or (b) under the PECR soft opt-in when we collected your details during sign-up/purchase of our own, similar services. Every message identifies us and includes a simple opt-out. You can also opt out by emailing AesthetIQInsight@gmail.com.

11. Data security

We apply appropriate technical and organisational measures, including MFA-protected admin access, encryption in transit and at rest, regular backups, access controls, logging/monitoring, and vendor due diligence. Learn more in our Security & Responsible Disclosure policy.

We assess and log incidents and will notify the ICO and affected individuals when legally required.

12. Complaints

If you have concerns about our data practices, please contact us first so we can resolve the issue. You also have the right to complain to the UK Information Commissioner’s Office:

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom. ico.org.uk/make-a-complaint