Data Processing Agreement, Version 1.0
Effective date: 25 March 2026 · Governing law: England and Wales
This agreement is incorporated into the Clinic Insight Terms of Service.
This Data Processing Agreement ("DPA") is entered into between Clinic Insight (the "Data Processor") and the registered clinic or practitioner (the "Data Controller") who creates an account on the Clinic Insight platform. It forms part of the overall agreement between the parties and applies wherever Clinic Insight processes personal data on behalf of the Data Controller.
1. Definitions
In this DPA the following terms have the meanings set out below:
- "Applicable Data Protection Law" means the UK GDPR (as defined in section 3(10) of the Data Protection Act 2018 as supplemented by section 205(4)), the Data Protection Act 2018, and any other applicable UK data protection legislation as amended from time to time.
- "Data Controller" means the clinic or practitioner who registers for and uses Clinic Insight and determines the purposes and means of processing personal data through the platform.
- "Data Processor" means Clinic Insight, which processes personal data on behalf of the Data Controller.
- "Personal Data" has the meaning given in the UK GDPR and includes all client, patient, and staff data entered into the platform.
- "Special Category Data" means personal data revealing health information, including medical history, treatment records, clinical notes, photographs, and any other health-related data entered into the platform.
- "Processing" has the meaning given in the UK GDPR.
- "Sub-processor" means any third party engaged by the Data Processor to process Personal Data in connection with the platform.
2. Roles and Responsibilities
The parties acknowledge that for the purposes of Applicable Data Protection Law:
- The Data Controller is responsible for determining the lawful basis for processing, obtaining necessary consents from data subjects (clients/patients), responding to data subject rights requests, and complying with all Data Controller obligations under Applicable Data Protection Law.
- The Data Processor (Clinic Insight) processes Personal Data only on behalf of and under the instructions of the Data Controller, as documented in this DPA and the platform's Terms of Service.
3. Nature and Purpose of Processing
| Element | Details |
| --- | --- |
| Subject matter | Operation of an aesthetic clinic management platform |
| Duration | For the duration of the Data Controller's active account, plus any retention period required by law |
| Nature of processing | Storage, retrieval, display, analysis, AI-assisted review, PDF generation, and deletion of personal and special category data |
| Purpose | Client management, clinical record keeping, treatment planning, consent management, appointment scheduling, and practice analytics |
| Types of Personal Data | Names, contact details, dates of birth, photographs, medical history, treatment records, clinical notes, consent signatures, and session data |
| Categories of data subjects | Clients and patients of the Data Controller; clinic staff and practitioners |
4. Data Processor Obligations
The Data Processor agrees to:
- Process Personal Data only on documented instructions from the Data Controller, unless required to do so by applicable law.
- Ensure that all personnel authorised to process Personal Data are bound by appropriate confidentiality obligations.
- Implement and maintain appropriate technical and organisational security measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.
- Not engage any Sub-processor without prior general authorisation from the Data Controller (a current list of Sub-processors is set out in section 7) and impose equivalent data protection obligations on each Sub-processor.
- Assist the Data Controller, insofar as reasonably possible, to respond to requests from data subjects exercising their rights under Applicable Data Protection Law.
- Assist the Data Controller in ensuring compliance with its obligations relating to security, breach notification, data protection impact assessments, and prior consultation.
- At the Data Controller's election, delete or return all Personal Data upon termination of the agreement, and delete existing copies unless storage is required by applicable law.
- Make available to the Data Controller all information necessary to demonstrate compliance with this DPA and permit audits (including inspections) conducted by the Data Controller or an auditor appointed by the Data Controller, subject to reasonable notice and confidentiality obligations.
- Notify the Data Controller without undue delay (and in any event within 72 hours where feasible) upon becoming aware of a Personal Data breach affecting the Data Controller's data.
5. Data Controller Obligations
The Data Controller agrees to:
- Ensure there is a lawful basis for all Personal Data entered into the platform, including obtaining valid consent from clients where required.
- Provide clients with appropriate privacy notices explaining how their data will be processed, including that a software platform processes data on the clinic's behalf.
- Ensure that any Special Category Data (health data) entered into the platform is processed in compliance with Article 9 UK GDPR.
- Maintain appropriate records of processing activities as required by Article 30 UK GDPR.
- Not instruct the Data Processor to process Personal Data in a way that would violate Applicable Data Protection Law.
- Comply with all applicable medical record-keeping obligations, including UK guidance on 7-year minimum retention for adult records.
6. Security Measures
The Data Processor implements and maintains the following technical and organisational measures:
- Encryption: Data is encrypted in transit using TLS 1.2 or higher. Databases are encrypted at rest.
- Access control: Multi-clinic data isolation ensures each clinic can only access its own data. Role-based access controls limit data access to authorised users.
- Authentication: Password hashing using industry-standard algorithms. Session-based authentication with secure session management.
- Data segregation: Complete logical separation of data between clinics (multi-tenancy isolation).
- Backups: Regular automated database backups with point-in-time recovery capability.
- Audit logging: Key data actions (consent signing, data export, deletion) are logged with user and timestamp information.
- Vulnerability management: Regular security reviews and dependency updates.
7. Sub-processors
The Data Controller grants general authorisation for the Data Processor to engage the following Sub-processors. The Data Processor will notify the Data Controller of any intended changes (additions or replacements) and give the Data Controller an opportunity to object:
| Sub-processor | Purpose | Location | Safeguards |
| --- | --- | --- | --- |
| Replit Inc. | Cloud hosting and infrastructure | USA | Standard Contractual Clauses (SCCs); SOC 2 compliance |
| OpenAI, LLC | AI-assisted clinical safety assessment, treatment planning support, and medication/allergy risk review. Data sent to OpenAI: pseudonymised clinical data only (age, Fitzpatrick skin type, skin concerns, medical conditions, current medications, allergies, lifestyle factors such as smoking, exercise and sun exposure, and treatment history). This constitutes Special Category Data (health data) under Article 9 UK GDPR, processed without direct identifiers. Data never sent to OpenAI: client names, dates of birth, contact details (email, phone, address), photographs, or any other directly identifying information. | USA | OpenAI Data Processing Agreement; SCCs (UK Addendum); data not used for model training under OpenAI API terms |
| Neon / PostgreSQL hosting | Database storage | EU / USA | Encryption at rest and in transit; access controls |
8. International Transfers
Where Personal Data is transferred outside the UK to a country not covered by UK adequacy regulations, the Data Processor will ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved for use under UK law (the UK International Data Transfer Agreement or UK Addendum to EU SCCs), or other lawful transfer mechanisms.
9. Data Retention and Deletion
- Personal Data is retained for the duration of the active account plus any legally required retention period.
- UK guidance recommends a minimum of 7 years for adult medical records. Data Controllers are responsible for ensuring their retention periods comply with applicable law.
- Upon termination, the Data Controller may request a full data export in CSV format. Following export (or after a 30-day notice period), data will be securely deleted.
- Backups containing Personal Data are deleted on a rolling schedule in accordance with the backup retention policy.
10. Data Subject Rights
The Data Processor provides tools within the platform to assist the Data Controller in fulfilling data subject rights requests, including:
- Right of access: Client data export in CSV format available from the client profile.
- Right to erasure: Client deletion functionality with confirmation workflow available from the client profile.
- Right to rectification: Full client profile editing is available to authorised clinic users.
The Data Controller remains responsible for receiving, assessing, and responding to data subject rights requests within the statutory timeframes.
11. Personal Data Breaches
The Data Processor will notify the Data Controller without undue delay upon becoming aware of a Personal Data breach. Notification will include, where available, a description of the nature of the breach, the categories and approximate number of data subjects and records affected, likely consequences, and measures taken or proposed to address the breach.
The Data Controller is responsible for notifying the ICO (Information Commissioner's Office) where required under Article 33 UK GDPR, within 72 hours of becoming aware of the breach.
12. Term and Termination
This DPA remains in force for the duration of the Data Controller's use of the Clinic Insight platform. It automatically terminates when the Data Controller's account is closed. Obligations relating to the security and confidentiality of Personal Data processed prior to termination survive termination of this DPA.
13. Governing Law and Jurisdiction
This DPA is governed by the laws of England and Wales. Any disputes arising from this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.
14. Contact
For any data protection queries, to exercise data subject rights, or to report a suspected breach, please contact:
- Data Protection contact: Clinic Insight — via the support contact provided within the platform
- ICO (supervisory authority): ico.org.uk · 0303 123 1113
Legal notice: This DPA has been prepared for general compliance purposes and reflects standard UK GDPR data processing obligations. It is recommended that clinics seek independent legal advice to confirm this DPA meets their specific regulatory requirements. Clinic Insight does not provide legal advice.