1. Introduction
This Privacy Policy explains how Med Plasty Technologies ("Med Plasty", "we", "us", or "our") collects, uses, discloses, and safeguards personal data in connection with our website and our business-to-business AI-powered aesthetic treatment simulation platform (collectively, the "Services"). We are committed to protecting personal data and handling it in accordance with applicable data-protection laws, including the EU and UK General Data Protection Regulation (GDPR) where applicable. By using the Services, you acknowledge the practices described in this Policy.
2. Who we are and our role
Med Plasty provides software that licensed aesthetic clinics operate during patient consultations to generate illustrative before/after visualizations. With respect to clinic account data and our website visitors, Med Plasty acts as a data controller. With respect to patient photographs and lead information that a clinic uploads, the clinic is the data controller and Med Plasty acts as a data processor, processing that data solely on the clinic's documented instructions to deliver the Services.
3. Personal data we collect
We collect the following categories of personal data:
- Account & identity data — name, business email address, hashed password, clinic name, and role for clinic staff who hold accounts.
- Patient images — facial photographs uploaded by a clinic for the purpose of generating a simulation. These may constitute special-category (biometric/health-related) data and are processed on behalf of, and under the responsibility of, the uploading clinic.
- Lead & consultation data — patient or prospect contact details and treatment interests entered into the simulator by clinic staff.
- Usage & technical data — IP address, device and browser type, pages viewed, timestamps, and diagnostic logs used to operate, secure, and improve the Services.
- Communications — information you provide when you contact us, request a demo, or submit a support enquiry.
- Cookie data — see Section 6 (Cookies and similar technologies).
4. How we use personal data
We use personal data to: provide, operate, and maintain the Services; authenticate users and secure accounts; generate and return simulation results; manage subscriptions, quotas, and billing; respond to enquiries and provide support; monitor, prevent, and investigate fraud, abuse, and security incidents; comply with legal obligations; and analyze and improve the Services. We do not sell personal data, and we do not use uploaded patient images to train third-party AI models.
5. Legal bases for processing
Where the GDPR or similar laws apply, we rely on the following legal bases: performance of a contract (to provide the Services to a clinic); legitimate interests (to secure, maintain, and improve the Services, where not overridden by your rights); consent (for optional analytics and marketing cookies, and where otherwise required); and compliance with legal obligations. Where we act as a processor for patient data, the clinic is responsible for establishing the lawful basis (including any required explicit consent) for that processing.
6. Cookies and similar technologies
We use strictly necessary cookies that are required for the Services to function (for example, authentication, security, and saving your preferences) and, only with your consent, optional analytics and marketing cookies. You may grant, refuse, or withdraw consent for optional cookies at any time using the Cookie settings link in our footer. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.
7. How we share personal data
We disclose personal data only as described here:
- Service providers / sub-processors — including cloud hosting, database, and AI image-generation providers that process data on our behalf under appropriate contractual safeguards, solely to deliver the Services.
- The relevant clinic — patient and lead data is made available to the clinic that captured it.
- Legal & safety — where required by law, regulation, legal process, or to protect the rights, property, or safety of Med Plasty, our users, or others.
- Business transfers — in connection with a merger, acquisition, financing, or sale of assets, subject to this Policy.
We do not sell personal data or share it for cross-context behavioral advertising.
8. International data transfers
Personal data may be processed in countries other than your own. Where we transfer personal data across borders, we implement appropriate safeguards required by applicable law, such as the European Commission's Standard Contractual Clauses or an equivalent recognized transfer mechanism.
9. Data retention
We retain personal data only for as long as necessary to fulfil the purposes described in this Policy, to provide the Services, and to comply with our legal, accounting, or reporting obligations. Account data is retained for the life of the account; patient images and lead data are retained according to the controlling clinic's instructions and account settings. When no longer required, data is securely deleted or irreversibly anonymized.
10. Security
We maintain technical and organizational measures designed to protect personal data, including encryption in transit, access controls, password hashing, tenant isolation between clinics, and signed, time-limited access to processing functions. No system can be guaranteed to be completely secure; you are responsible for keeping your account credentials confidential.
11. Your rights
Subject to applicable law, you may have the right to access, correct, update, or delete your personal data; to restrict or object to certain processing; to data portability; and to withdraw consent where processing is based on consent. To exercise these rights: patients should contact the clinic that captured their data (the controller); clinic users and website visitors may contact us using the details in Section 14. You also have the right to lodge a complaint with your local data-protection authority.
12. Children's privacy
The Services are intended for use by licensed professionals and are not directed to children. We do not knowingly collect personal data directly from children. Any processing of a minor's photograph is the responsibility of the controlling clinic, which must obtain all consents required by applicable law.
13. Changes to this Policy
We may update this Policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons. The "Last updated" date above indicates when this Policy was last revised, and material changes will be communicated by appropriate means.
14. Contact us
If you have questions about this Policy or wish to exercise your rights, please contact us through our contact page.