Data Protection

GraftScan3D Ltd - Protecting Your Journey With Us

Last updated: 2025

GraftScan3D Ltd ("we", "us", "our") is committed to protecting all personal and imaging data processed through our website, software, and clinical systems. This Data Protection Policy outlines how we collect, store, secure, and manage data in full compliance with the General Data Protection Regulation (GDPR) and applicable EU/Cyprus laws.

1. Our Commitment to Data Protection

We take data privacy seriously and ensure that all personal and imaging data is:

  • Processed lawfully, fairly, and transparently
  • Collected for specific, legitimate purposes
  • Limited to what is necessary
  • Accurate and securely stored
  • Used only for defined clinical and operational purposes
  • Protected with strong technical and organisational measures

We do not sell or rent personal data to third parties.

2. Scope of This Policy

This policy applies to:

  • Visitors to our website
  • Clinics and medical partners using our scalp or body scanning systems
  • Partners, distributors, and resellers
  • Individuals who contact us or provide personal data through forms or email

Clinic patients remain under the data protection responsibility of the clinic (Data Controller), while GraftScan3D may act as a Data Processor depending on service configuration.

3. Data We Process

3.1 Website & Business Communication Data

We may process:

  • Names
  • Email addresses
  • Clinic details
  • Enquiry messages
  • Technical/browser information
  • IP address (for security & analytics)

3.2 Imaging Data (Clinics Only)

When clinics use our 3D imaging platforms, the system may process:

  • Scalp imaging files
  • Full-body imaging files
  • Graft data, density data, or body measurement metadata
  • Session information

We do not require or store identifying patient information unless explicitly provided by the clinic.

Clinics are responsible for obtaining informed patient consent.

4. Roles Under GDPR

Data Controller

  • For website visitors and enquiries: GraftScan3D Ltd
  • For patient imaging data: The clinic, not GraftScan3D

Data Processor

In cases where imaging data passes through our cloud systems, GraftScan3D may act as a processor on behalf of the clinic under a Data Processing Agreement (DPA).

5. Legal Basis for Processing

We rely on the following lawful bases:

  • Consent – website forms, demo requests, marketing opt-ins
  • Contractual necessity – providing imaging services to clinics
  • Legitimate interests – improving platform performance and security
  • Legal obligations – compliance with regulation

6. Data Security Measures

We apply strict technical and organisational measures to safeguard data, including:

  • Encrypted storage (AES-256)
  • Encrypted data transmission (HTTPS / TLS)
  • Secure EU-based cloud hosting
  • Regular security audits
  • Access control and authentication layers
  • Encrypted backups
  • Logging and monitoring of access events

We ensure that all staff handling data follow strict confidentiality procedures.

7. Data Retention

  • Website enquiries: up to 24 months
  • Clinic account data: as long as the clinic maintains a contract
  • Imaging data: retained based on clinic's chosen data retention policy
  • Logs and analytics: minimal retention as required for security

Data is deleted securely when no longer required.

8. Data Sharing

We only share data with:

  • Trusted service providers (hosting, analytics, support platforms)
  • Legal authorities when required
  • Clinics using the imaging systems (only with consent)

All third parties follow GDPR-aligned protections.

We do not share data with advertisers or unrelated third parties.

9. International Transfers

If data is transferred outside the EU/EEA, we use:

  • Standard Contractual Clauses (SCCs)
  • Adequacy decisions
  • Equivalent GDPR-compliant safeguards

10. Your Rights

Under GDPR, individuals have the right to:

  • Access their data
  • Correct inaccurate information
  • Request deletion (right to be forgotten)
  • Restrict processing
  • Object to processing
  • Withdraw consent
  • Request data portability

Requests can be made at: [email protected]

11. Data Breach Procedure

In the event of a personal data breach, we will:

  • Assess the scope and impact of the breach
  • Notify affected clinics or individuals where required
  • Report to the competent supervisory authority where legally required (GDPR Article 33 sets a 72-hour deadline from becoming aware of the breach)
  • Implement remediation and prevention measures

12. Updates to This Policy

We may update this Data Protection Policy periodically.

Changes will be posted with an updated revision date at the top of this page.

Contact Us

For any data protection concerns:

GraftScan3D Ltd
Themistokli Dervi, 48
306-1066, Lefkosia, Cyprus

Email: [email protected]