Last updated: March 2026

Privacy Policy

This Privacy Policy describes how Estetika Professional ("we", "us", "our") collects, uses, and protects your personal data when you use our mobile application and website.

1. Data Controller

The data controller responsible for your personal data is Estetika Professional, a company registered in Belgium. [LEGAL REVIEW NEEDED: Insert full company name, registration number, and registered address.]

Data Protection Officer contact: privacy@estetikaprofessional.com

2. Data We Collect

2.1 Account Data (Practitioners)

  • Full name, email address, phone number
  • Business name, specialty (e.g., PMU artist, lash technician, esthetician)
  • Business address, VAT number (if applicable)
  • Profile photo, professional certifications
  • Payment and billing information (processed by Stripe)

2.2 Client Data (Entered by Practitioners)

  • Client name, email, phone number, date of birth
  • Treatment history and appointment records
  • Signed digital consent forms with timestamps
  • Portfolio photographs (before-and-after images)

2.3 Medical & Health Data

  • Allergies and skin sensitivities
  • Current medications
  • Skin conditions and relevant medical history
  • Pregnancy or nursing status
  • Previous treatment reactions

This data constitutes special category data under GDPR Article 9. It is processed only on the basis of the client's explicit consent (Art. 9(2)(a)), captured through the digital consent form described in section 4.

2.4 Technical Data

  • Device type, operating system, app version
  • IP address (anonymized for analytics)
  • Usage patterns and feature interaction data
  • Crash reports and performance metrics

4. Special Categories of Data

Medical history and health-related data entered into Estetika Professional constitutes "special category data" under GDPR Article 9. This data is processed solely on the basis of explicit consent (Art. 9(2)(a)) provided by the client through our digital consent form system. The practitioner (our user) acts as a joint controller for this data within the context of their client relationship.

[LEGAL REVIEW NEEDED: Confirm joint controller vs. processor relationship for practitioner-entered client medical data.]

5. How We Use Your Data

  • Providing and maintaining the Estetika Professional application
  • Processing subscriptions and payments
  • Storing and organizing client records for practitioners
  • Generating and securely storing digital consent forms
  • Sending transactional emails (confirmations, receipts, reminders)
  • Improving app functionality through anonymized usage analytics
  • Providing customer support
  • Complying with legal obligations

6. Data Processors & Third Parties

We use the following third-party processors. Each is bound by a Data Processing Agreement (DPA) concluded under Art. 28 GDPR, and the location shown is where that processor stores our data:

  Processor                     Purpose                                  Data Location
  Supabase (US, EU servers)     Database, authentication, file storage   EU (Frankfurt)
  Stripe (US, EU)               Payment processing                       EU
  Resend (US)                   Transactional email delivery             US (SCCs in place)
  Plausible Analytics (EU)      Privacy-friendly website analytics       EU

7. Data Retention

  • Account data: Retained for the duration of your subscription plus 30 days after account deletion.
  • Client records & consent forms: Retained as long as the practitioner's account is active. Practitioners can delete individual client records at any time.
  • Medical history: Same retention as client records. Subject to any applicable Belgian healthcare record retention requirements. [LEGAL REVIEW NEEDED: Verify Belgian retention requirements for aesthetic treatment records.]
  • Payment records: Retained for 7 years as required by Belgian tax law.
  • Analytics data: Anonymized and retained indefinitely (no personal data).

8. Your Rights Under GDPR

Under the General Data Protection Regulation, you have the following rights:

  • Right of access (Art. 15): Request a copy of all personal data we hold about you.
  • Right to rectification (Art. 16): Request correction of inaccurate personal data.
  • Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten").
  • Right to restrict processing (Art. 18): Request that we limit how we use your data.
  • Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
  • Right to object (Art. 21): Object to processing based on legitimate interest or for direct marketing.
  • Right to withdraw consent: Withdraw consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at privacy@estetikaprofessional.com. We will respond within one month of receiving your request, as required by Art. 12(3) GDPR. Where a request is particularly complex, or we receive many requests, this period may be extended by up to two further months; in that case we will inform you of the extension and the reasons for it within the first month.

You also have the right to lodge a complaint with the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit / Autorité de protection des données): www.dataprotectionauthority.be

9. International Data Transfers

Your data is primarily stored on EU-based servers. Where data transfer to third countries is necessary (e.g., certain sub-processors based in the US), we ensure adequate protection through EU Standard Contractual Clauses (SCCs) or adequacy decisions as per GDPR Chapter V. We do not transfer special category (health) data outside the EU.

10. Data Security

  • AES-256 encryption for data at rest
  • TLS 1.3 encryption for data in transit
  • Row Level Security (RLS) on all database tables
  • Regular security audits and penetration testing
  • Secure authentication with bcrypt password hashing
  • Automated backups with point-in-time recovery

11. Children's Privacy

Estetika Professional is designed for professional beauty practitioners and is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. Where a practitioner records client data about a minor (for example, because a treatment requires parental consent), the practitioner is responsible for obtaining the appropriate consent from a parent or guardian before entering that data.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via email or in-app notification at least 30 days before they take effect. Continued use of the service after changes constitutes acceptance of the updated policy.

13. Contact Us

For any privacy-related questions or to exercise your data rights: