Adoreal General Privacy Notice

For Patients, HCPs/Clinic Staff, Website Visitors

Welcome to the Adoreal Privacy Notice.

Introduction
This privacy notice is intended for:

  • users of Adoreal’s services;
  • visitors to Adoreal’s websites;
  • users of Adoreal’s systems and applications; 
  • members of the general public who are interested in contacting or are being contacted by Adoreal; and
  • any individual who has received this notice.

Adoreal understands that privacy is important to you. We are committed to treating your personal data with care and integrity.

Our privacy notice tells you what personal data we collect and how we collect it, including any data you may provide through this website when you visit the site or inquire about a product or service or take part in an event. It explains what we use your personal data for and how we protect your personal data and keep it safe. This privacy notice explains our general practices. However, where local laws or regulations require that we process information differently, or refrain from such processing, we will always comply with the applicable local law. This website is not intended for children and we do not knowingly collect data relating to children.

Adoreal values your privacy. Adoreal is made up of different legal companies related to us by common control or ownership (the “Adoreal Group”). This privacy notice is issued on behalf of the Adoreal Group so when we mention “Adoreal”, “we”, “us” or “our”, this is who we are referring to. Adoreal Limited (incorporated in the Republic of Ireland under number 72345090 D, whose registered office is at South Circular Road, Dublin 8, Ireland) is the controller and responsible for this website.

It is important that you read this privacy notice together with any other privacy notice or fair processing notice we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This privacy notice supplements other notices and privacy policies and is not intended to override them.

We have appointed a data protection officer (DPO) who is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice, including any requests to exercise your legal rights, please contact the DPO using the details set out below.

Contact details ([email protected])

If you have any questions about this privacy notice or our privacy practices, please contact our DPO in the following ways:
Full name of legal entity: Adoreal Limited
Email address: [email protected]

You have the right to make a complaint at any time to the data protection regulator in the country where you usually live or work, or where the alleged data protection infringement has taken place.  We would, however, appreciate the chance to deal with your concerns before you approach the applicable data protection regulator so please contact us in the first instance.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

Personal data means any information or piece of information which could identify you either directly (e.g. your name) or indirectly (e.g. a unique ID number).

In this privacy notice, we explain:

  • Who is the controller of your personal data?
  • Contact information and your privacy point of contact
  • What personal data do we collect about you?
  • How do we collect your personal data?
  • How do we use your personal data?
  • Why are we allowed to collect and use your personal data?
  • How do we protect your personal data?
  • What are your rights regarding your personal data?
  • With whom do we share your personal data?
  • In what instances do we transfer your personal data outside of your home country?
  • Additional information if you are in the European Economic Area (EEA)
  • Information about children
  • Cookies, Website and Application Data; Use for Analytics and Marketing
  • Third Party Marketing
  • Opting out
  • Change of Purpose
  • How we update this Privacy Notice?
  • Our responsibility regarding websites that we do not own or control

Who is the controller of your personal data?

Adoreal Limited (incorporated in the Republic of Ireland under number 72345090 D, whose registered office is at South Circular Road, Dublin 8, Ireland) (“Adoreal”) together with the local Adoreal company which has a relationship with you, are the controllers of your personal data.

Contact information and your privacy point of contact

If you want to exercise your rights, have any questions about this privacy notice, need more information or would like to raise a concern, each local privacy point of contact’s details can be found by contacting [email protected].

What personal data do we collect about you?

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data). The personal data we collect, and process, may include:

  • Identity data – your name, surname (including prefix or title), alias, gender, age or date of birth, social security number, as well as your preferred language. Similar information about children may also be collected in very limited circumstances, see ‘Information about children’ for more information; 
  • Contact data – information that enables us to contact you, e.g. your personal or business email, mailing address, telephone numbers and profile on a social media platform; 
  • Special Categories of personal data – information about your health, medical treatment;
  • Technical data and network activity information – information about your device and your usage of our websites, apps and systems, including your IP address, device ID, hardware model and version, mobile network information, operating system, platform and other online identifiers, type of browser, browser plug-in types and versions, browsing history, search history, access time, pages viewed, URLs clicked on, forms submitted, time zone setting/physical location and other technology on the devices that you use to access our website;
  • Financial information – your credit card, PayPal account or bank details, including account name, account number and sort code if payments are made by you to Adoreal;
  • Usage data – data related to your use of our services offered (including feedback), your purchase history and preferences, your interactions with us, your preferred method of communications with us, and services you may use relating to your selection of aesthetic/cosmetic/plastic surgery practitioners and institutions/clinics;
  • Health information – your health status, health conditions you are experiencing and health information inferred from information that you have provided to us, including an aesthetic assessment where you would be asked questions related to any previous procedures/treatment that you have had, and your potential maximum expenditure. We will also collect feedback from you on your feelings towards your consultation, treatment and post-surgical experience so that we can maintain and improve our service and reduce barriers in communication between you and your healthcare provider;
  • Marketing and Communications Data – includes your preferences in receiving marketing from us and your communication preferences; and
  • Audio visual – photos, videos and voice recordings of you, if you submit those to us.

We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.

You can choose not to give us personal data when we ask you for it. If you decide not to give us your personal data, it may restrict our relationship with you. For example, we may not be able to provide you with the services that you have requested.

How do we collect your personal data?

Directly from you when you:

  • Create an account and profile on one of our websites, or apps - As you interact with our website, we will automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies. We may also receive Technical Data about you if you visit other websites employing our cookies. Please see our Cookie Notice;
  • A clinic creates an account for you as a patient with Adoreal – therefore the clinic that you have contacted may proceed to then create your Adoreal account with Adoreal on your behalf; 
  • Register with us to use Adoreal’s authentication services (currently OTP via mobile phone and email); 
  • Use our websites, apps and systems to inquire about our services;
  • Share or use your social media profile to contact Adoreal; 
  • Sign up with us to receive promotional material;
  • Get in touch for support or to provide feedback;
  • Attend future online events that Adoreal may organise, such as a webcast;
  • Respond to any self-assessment surveys that you may choose to participate in; and
  • Share adverse events or medical information enquiries with us.

From other sources:

  • When you talk about us online, like when you mention an Adoreal product in a Tweet or other social media. If you connect your social media account to our websites, or apps, you will share certain personal data from your social media account with us. This may include your name, email address, photo, list of social media contacts, and any other information you make accessible to us when you connect your social media account to our websites, or apps; and
  • We will receive personal data about you from various third parties, for example, analytics providers such as Google based outside the UK.

How do we use your personal data?

When the law allows us to, we use your personal data for the purposes we have described below in this privacy notice, or for purposes which are reasonably compatible to the ones described:

  1. Purposes -
     a. We will receive personal data about you from various third parties, for example, analytics providers such as Google based outside the UK.
     b. To perform the contract (for services to you if you are a patient/consumer, or the employment contract if you are an employee of Adoreal) that we are about to enter into or have entered into with you, or where it is necessary for our legitimate interests (see below), or those of a third party and your interests and fundamental rights do not override those interests. If you are a patient, Adoreal aims to use your personal data in order to reduce barriers in communication with your healthcare professional/institution/clinic;
     c. Where we need to comply with a legal obligation (see below); or
     d. To manage and improve Adoreal’s processes and our business operations.
  2. Practically - this means that we will use your personal data to:
     a. Provide our products and services to you;
     b. Provide online services to you if you are a patient/consumer –
     c. Provide employment opportunities if you are not a patient, but you are interested in applying to be an employee of Adoreal;
     e. Identify you and authenticate your access rights to our websites, systems and apps;
     f. To respond to your queries and provide you with information when you request it or when we believe our services may be of interest to you. If we intend to share electronic marketing with you, we will ask for your consent where required and you can opt out at any time;
     g. Invite you to provide feedback, participate in research, surveys or attend events;
     h. Personalise your experience when interacting with Adoreal;
     i. Respond to you if you report adverse events to us – adverse events from your treatment should be reported to the healthcare professional/institution/clinic who treated you, so that medical assessment can be made; and
     j. Perform analytics, market research and segmentation to understand your preferences, improve our products and services and our communications to you.
     k. Manage our network and information systems security;
     l. Manage our workforce effectively;
     m. Respond to reports you make of a possible side effect associated with your treatment by asking you to return to the healthcare professional/institution/clinic that treated you;
     n. Keep records related to our relationship with healthcare professionals;
     o. Perform data analyses, auditing and research to help us deliver and improve our Adoreal digital platforms, content and services;
     p. Monitor and analyse trends, usage and activities in connection with our services to understand which parts of our services are of the most interest and to improve them accordingly; and
     q. Prepare and perform management reporting and analysis, including analytics and metrics.

Generally, we do not rely on consent as a legal basis for processing your personal data although we will get your consent before:

(1) anonymising your personal data with a view to performing analytics on anonymised/aggregated data from which you will not be identifiable; and

(2) sending you direct marketing communications via email. Please note that Adoreal’s contact with patients is governed by Adoreal’s terms and conditions with the patient. Even after any termination of a contract between Adoreal and a healthcare professional/institution/clinic, Adoreal may retain patient contact details. Adoreal may continue appropriate specific marketing activities towards such patients in respect of that patient’s previous contact with Adoreal, pursuant to the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as may be updated from time to time).

You have the right to withdraw consent to these activities at any time by contacting us at [email protected]

“Legitimate interest” means the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.

“Performance of a contract” means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.

“Comply with a legal obligation” means processing your personal data where it is necessary for compliance with a legal obligation that we are subject to.

To achieve other purposes.

We will use your personal data:

  • To follow applicable laws and regulations;
  • To respond to requests from competent public authorities;
  • To tell you about changes to our terms, conditions and policies;
  • To exercise or defend Adoreal against potential, threatened or actual litigation;
  • To investigate and take action against illegal or harmful behaviour of users;
  • To protect Adoreal, your vital interests, or those of another person;
  • To gain insights and feedback on our services in order to correct or improve them, by analysing information from external sources such as Google, Facebook and Twitter (and others);
  • To deliver services to you via your smart device and our mobile apps; and
  • When we sell, assign or transfer all or part of our business.

We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate. Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.

| Purpose/Activity | Type of data | Lawful basis for processing including basis of legitimate interest |
|---|---|---|
| To register you as a new customer | (a) Identity; (b) Contact | Performance of a contract with you |
| To manage our relationship with you which will include: (a) Notifying you about changes to our terms or privacy policy; (b) Asking you to leave a review or take a survey | (a) Identity; (b) Contact; (c) Marketing and Communications | (a) Performance of a contract with you; (b) Necessary to comply with a legal obligation; (c) Necessary for our legitimate interests (to keep our records updated and to study how customers use our products/services) |
| To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) | (a) Identity; (b) Contact; (c) Technical | (a) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise); (b) Necessary to comply with a legal obligation |
| To use data analytics to improve our website, products/services, marketing, customer relationships and experiences | (a) Technical; (b) Usage | Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy) |
| To make suggestions and recommendations to you about services that may be of interest to you | (a) Identity; (b) Contact; (c) Technical; (d) Usage; (e) Marketing and Communications | Necessary for our legitimate interests (to develop our products/services and grow our business) and/or Your consent to receiving direct Marketing and Communications |

Why are we allowed to collect and use your personal data?

We can collect and use your personal data when one of the following applies:

  1. To take steps before entering into a contract or perform a contract;
  2. To follow the law, for example:
     a. Record-keeping regulatory monitoring and reporting obligations, including those related to adverse events, product complaints and product safety; and
     b. Complying with anti-corruption and transparency obligations;
     c. You have specifically given us your permission when such permission is obligatory (the law calls it “consent”). You can withdraw your consent at any time. We will normally need your consent in the following circumstances:
        i. Placing cookies on your device to find out how you use our websites so we can personalise what you see by tailoring content and notifications to the things you are interested in;
        ii. Certain situations where you share sensitive personal data about yourself, such as your health, although GDPR does allow us to process your sensitive personal data if it is under a contract with your treating healthcare professional/institution/clinic in order to assist with the provision of medical treatment to you;
        iii. Before we send you certain electronic marketing communications; and
        iv. In any other situation where personal data processing relies upon your consent.
  3. We need to use your personal data for legitimate business purposes, for example, to enable us to run our business successfully. These include:
     a. Sending direct marketing materials to you where you have already contacted us about your interest in exploring treatments in aesthetic/cosmetic/plastic surgery (you will always have the right to opt out of marketing and promotional communications);
     b. Conducting audits and internal investigations and complying with internal policies on anti-bribery and conflict of interest;
     c. Managing our IT and communications systems and networks;
     d. Planning and improving our business activities;
     e. Conducting training and gathering feedback for ensuring quality control;
     f. Protecting our rights, privacy, safety or property, and/or that of our affiliates, you or others;
     g. To provide the functionality of the services we provide you, which includes arranging access to your registered account, and providing you with related customer service;
     h. Verifying your eligibility to access certain services and data that may be provided only to licensed healthcare professionals or otherwise conducting background checks to ensure we are not precluded from offering services to you;
     i. Analysing or predicting your preferences to identify aggregated trends to develop, improve or modify our services and business activities;
     j. Responding to and handling your queries or requests;
     k. Sending administrative information to you, such as changes to our terms, conditions and policies;
     l. Completing your transactions and providing you with related customer service; and
     m. Reaching out to you to provide information about our services or request input on surveys relating to our services;
     n. For the establishment, exercise or defence of legal claims or proceedings;
     o. To protect your vital interests or those of others; and
     p. Because it is necessary for reasons of substantial public interest, on the basis of applicable laws.

How do we protect your personal data?

We want to make sure your personal data is not shared with or used by those not allowed to see it. We use a variety of security measures and technologies to help protect your personal data.

We carefully choose service providers to work with, and check they have security measures and technologies in place to protect your personal data. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality. We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

However, there are no guarantees that a data transmission or storage system is 100% secure. If you have reason to believe that your interaction with us is no longer secure, please immediately notify us using the details at the ‘Contact information and your privacy point of contact’ section.

What are your rights regarding your personal data?

You have rights we need to make you aware of. The rights available to you depend on our reason for processing your personal data and the local law in your jurisdiction, and there are exceptions to some rights. Depending on this you may have the right to:

1. Withdraw your consent to us processing your personal data at any time for direct marketing purposes or where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent; please contact [email protected] for further details. This withdrawal request will need to be handled by the Adoreal data protection officer, to assess what personal data (if any) can be deleted, and if so, for what specific use. Please note that personal data that forms a part of medical records cannot be deleted as a matter of public policy;

2. Ask Adoreal about the processing of your personal data including to be provided with copies of your personal data (through a "data subject access request");

3. Ask us to correct information you think is inaccurate or incomplete, although we may need to verify the accuracy of the new data you provide to us;

4. Ask us to delete your personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request;

5. Ask us to restrict the processing of your information.  This enables you to ask us to suspend the processing of your personal data in the following scenarios:
a. If you want us to establish the data's accuracy;
b. Where our use of the data is unlawful but you do not want us to erase it;
c. Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or
d. You have objected to our use of your data, but we need to verify whether we have overriding legitimate grounds to use it.

6. Object to our processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms; 

7. Ask that we transfer information you have given us from one organisation to another, or to give it to you. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you; and

8. Complain to your local data protection authority.

You can find out how to get in touch with us to ask us to do any of the above by looking at the ‘Contact information and your privacy point of contact’ section.

For your protection, and to protect the privacy of others, we may need to verify your identity before completing what you have asked us to do and to ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

Where we have relied upon your permission to use your personal data, and you later withdraw that permission, we may not be able to complete some of the activities described in ‘How do we use your personal data’. 

How long do we keep your personal data?

In some jurisdictions, we are legally required to keep your personal data for certain periods. How long depends on the specific legal requirements of the jurisdiction you are in when you share your information with us.

We will always keep your personal data for the period required by law and where we need to do so in connection with legal action or an investigation involving Adoreal. Otherwise, we will keep your personal data for as long as we have a relationship with you, in order to respond to or process a question or request from you. Adoreal’s contact with patients is governed by Adoreal’s terms and conditions with the patient. Even after any termination of a contract between Adoreal and a healthcare professional/institution/clinic, Adoreal may retain patient contact details and Adoreal may continue appropriate specific marketing activities towards such patients in respect of that patient’s previous contact with Adoreal, pursuant to the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as may be updated from time to time).

We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

Insofar as the processing of personal data is based on your consent, we will delete this data if you withdraw your consent, subject to the technical ability to do so and so far as such a deletion would not require disproportionate effort on our part. This deletion request will need to be handled by the Adoreal data protection officer, to assess what personal data (if any) can be deleted, and if so, for what specific use. Please note that personal data that forms a part of medical records cannot be deleted as a matter of public policy.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data, and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting, or other requirements.

With whom do we share your personal data?

We share your personal data on a need to know basis, and to the extent necessary to follow laws and regulations, and in the context of managing our relationship with you.

We share your personal data only with teams in our Adoreal companies and affiliates who need to see it to do their jobs. We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

We will also share your personal data with other entities, for example:

  • Marketing agencies working with Adoreal to improve its patient/consumer offering;
  • Technology suppliers and system administration services providers who work with us to develop and improve our websites, digital forums and apps;
  • Media services providers who work with us;
  • Any entity who may acquire us or part of our business or brands. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice;
  • Suppliers of healthcare professionals/institutions/clinics that are managing adverse event reports;
  • Local or foreign regulators, courts, governments, tax authorities and law enforcement authorities who require reporting of processing activities in certain circumstances; and
  • Professional advisors, such as insurers, bankers, auditors, accountants and lawyers.

In what instances do we transfer your personal data outside of your home country?

We work all over the world. Therefore, where your applicable law allows it, we may need to transfer and use your personal data outside of the country where we collect it from you. We implement appropriate measures to protect your personal data when we transfer your personal data outside of your home country such as data transfer agreements that incorporate standard data protection clauses. The data privacy laws in the countries we transfer it to may not be the same as the laws in your home country. Law enforcement agencies, regulatory agencies, security authorities or courts in the countries we transfer your personal data to may have the right to see your personal data.  If applicable law does not allow transfer of specific personal data outside a country, we will comply with that applicable law.

Additional information if you are based in the European Economic Area (EEA)

The European Commission recognises that some countries outside the EEA have similar data protection standards. If we transfer your personal data to a country outside the EEA that does not have similar data protection standards, we do so based on standard contract clauses adopted by the European Commission, to ensure the respective recipient protects your Personal Data adequately in accordance with this privacy notice. These enable us to make international transfers of personal data within our group of companies and meet the data protection laws of the European Union and the General Data Protection Regulation (GDPR).

Information about Children

Whilst our services are not ordinarily directed to children, occasionally we may receive your child’s data, for example, if you provide that personal data to us because you are looking for a treatment for them that involves aesthetic/cosmetic/plastic surgery. We will only ever receive this with your consent. Please see ‘What personal data we collect about you’ for more information.

Cookies, Website and Application Data; Use for Analytics and Marketing

Our websites may use cookies and similar technologies. You can choose to accept or decline cookies. If you choose to decline cookies, not all elements of our websites, apps and services may function as intended, so your experience may be affected.

To the extent that your local laws consider the information collected by cookies and other technologies as personal data, we will treat that information to the standards set out in this privacy notice.

We strive to provide you with choices regarding certain personal data uses, particularly around marketing communications from us and/or the relevant company in the Adoreal Group.  You will receive marketing communications from us or the relevant company in the Adoreal Group if you have requested information from us or the relevant company in the Adoreal Group and you have not opted out of receiving that marketing.

We collect information about your computer browser type and operating system, websites you visited before and after visiting our websites, standard server log information, Internet Protocol (IP) addresses, location data, mobile phone service provider, and mobile phone operating system. We use this information to understand how our visitors use our websites and mobile applications so that we can improve them, the services we offer, and our advertising. We may also share this information with other companies within the Adoreal group and with other third parties. Some of our websites use Google Analytics, a web analytics service provided by Google, Inc. (“Google”). Google Analytics uses cookies to analyse use patterns and may collect information about your use of the website, including your IP address. More information on Google Analytics can be found here. If you would like to opt-out of having your data used by Google Analytics, you can opt out here.

We also use remarketing services offered by our advertising partners to personalise advertisements for visitors to sites of their advertising networks (i.e. websites other than Adoreal’s). On these pages, you may be shown advertisements that refer to your interactions with Adoreal previously. To turn off personalisation for advertisements served by Google click here. To turn off personalisation for advertisements served by Facebook click here. Many companies that display interest-based advertising are members of the Network Advertising Initiative ("NAI"), the Digital Advertising Alliance ("DAA") or the European Interactive Digital Advertising Alliance (“EDAA”). To opt-out of interest-based advertising by members of these initiatives, you can visit their websites at https://optout.networkadvertising.org, https://optout.aboutads.info and https://www.youronlinechoices.com.

We may use the data you share with us to make decisions about your interests and preferences so we can make the marketing materials we send you more relevant. We may also combine the information we hold about you with data about your interests or demographics that third parties have collected from you online and offline, to make your experience more personalised and further tailor our marketing materials. You have certain rights in relation to this – please see 'What are your rights regarding your personal data?' above for further information.

We use Facebook custom audience tools. This allows us to provide personalised advertising to you when you use Facebook’s platforms by matching the email address we hold for you with the email address Facebook holds for you, to show you the most relevant Adoreal advertisements. We only do this where you have given us consent. Sometimes we may also use information about you to build lookalike models. This allows us to generate similar audiences of prospective customers (who may have similar interests or demographics to you) through advertising platforms like Facebook or Google, based on data that the advertising platform holds about other people. Usually this means sharing your email address with our advertising partners. If you wish to opt out of similar audiences in Google, you can do so here.

Third Party Marketing

Adoreal does not share your personal data with any third party for marketing purposes. In the event we wish to do so, we will get your express opt-in consent before we share your personal data with any third party for marketing purposes.

Opting out

You can ask us to stop sending you marketing messages at any time by following the opt-out links on any marketing message sent to you or by contacting us at any time at [email protected].

You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of this website may become inaccessible or not function properly. For more information about the cookies we use, please see our Cookie Notice.

Change of Purpose

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

How do we update this Privacy Notice

From time to time, we will update this Privacy Notice. Any changes become effective when we post the revised Privacy Notice on the Adoreal website. This Privacy Notice was last updated as of the “Last Updated” date shown above. If updating changes are significant, we will provide a more prominent notice to let you know what the changes are.

Our responsibility regarding websites that we do not own or control.

Our websites and applications may contain links to third party websites, plug-ins or mobile applications we do not own or control. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. Our Privacy Notice does not cover them. Please read the privacy notices on those websites and mobile applications if you would like to find out how they collect, use and share your personal data. 

Welcome to the Adoreal Privacy Notice.

Last Updated:  July 29th, 2024

Introduction

This privacy notice is intended for:

1. Users of Adoreal’s services;

2. Visitors to Adoreal’s websites;

3. Users of Adoreal’s systems and applications;

4. Members of the general public who are interested in contacting us or who may be contacted by Adoreal; and

5. Any individual who has received this notice.

Adoreal understands that privacy is important to you. We are committed to treating your personal data with care and integrity.

Our privacy notice tells you what personal data we collect and how we collect it, including any data you may provide through this website when you visit the site or inquire about a product or service or take part in an event. It explains what we use your personal data for and how we protect your personal data and keep it safe. It also informs you how long we keep your data, who we share your data with or how we otherwise process it. This privacy notice explains our general practices. However, where local laws or regulations require that we process information differently, or refrain from such processing, we will always comply with the applicable local law. This website is not intended for children, however we may collect data relating to children subject to their parent’s or guardian’s consent.

Adoreal values your privacy. Adoreal is made up of different legal companies related to us by common control or ownership (the “Adoreal Group”). This privacy notice is issued on behalf of the Adoreal Group so when we mention “Adoreal”, “we”, “us” or “our”, this is who we are referring to. Adoreal Limited (incorporated in the Republic of Ireland under number 72345090 D, whose registered office is at South Circular Road, Dublin 8, Ireland) is the controller and responsible for this website.

The terms “you”, “your” or “user” refer to you as the person interacting with Adoreal via this website or in any other capacity including as a professional adviser, employee or contractor, investor, vendor or any other entity interacting with us on behalf of another person.

It is important that you read this privacy notice together with any other privacy notice or fair processing notice we may provide to you on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This privacy notice supplements other notices and privacy policies and is not intended to override them.

We have appointed a data protection officer (DPO) who is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice, including any requests to exercise your legal rights, please contact the DPO using the details set out below.

DPO Details:

DPO Centre Limited

50 Liverpool Street,

London EC2M 7PY, UK

Contact email: [email protected]

Telephone number: +44 (0) 203 797 1289

If you have any other enquiries please contact us on [email protected].

You have the right to make a complaint at any time to the data protection regulator in the country where you usually live or work, or where the alleged data protection infringement has taken place.  We would, however, appreciate the chance to deal with your concerns before you approach the applicable data protection regulator so please contact us in the first instance.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us by contacting us on [email protected].

Personal data means any information or piece of information which could identify you either directly (e.g. your name) or indirectly (e.g. a unique ID number).

In this privacy notice, we explain:

Who is the controller of your personal data?

Contact information and your privacy point of contact

What personal data do we collect about you?

How do we collect your personal data?

How do we use your personal data?

Why are we allowed to collect and use your personal data?

How do we protect your personal data?

What are your rights regarding your personal data?

With whom do we share your personal data?

In what instances do we transfer your personal data outside of your home country?

Additional information if you are in the European Economic Area (EEA)

Information about children

Marketing

Withdrawal of Consent/ Opting out of Marketing

Change of Purpose

How we update this Privacy Notice?

Our responsibility regarding websites that we do not own or control

Who is the controller of your personal data?

Adoreal is the controller of personal data provided by you in relation to the set up and registration for an Adoreal account (“Operational Data”).

You are the controller of any data, such as communication messages, files, images or other content that you add to your Adoreal account or that is added by a third party to your account or that we otherwise process in accordance with your or the third party’s instructions (“Customer Data”). Adoreal is a data processor in regard to Customer Data.

Contact information and your privacy point of contact

If you want to exercise your rights, have any questions about this privacy notice, need more information or would like to raise a concern or make a complaint, you can do so by contacting [email protected].

What personal data do we collect about you?

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data). The personal data we collect and process may include:

Identity data – your name, surname (including prefix or title), alias, gender, age or date of birth, social security number, as well as your preferred language. Similar information about children may also be collected in very limited circumstances, see ‘Information about children’ for more information;

Contact data – information that enables us to contact you, e.g. your personal or business email, mailing address, telephone and mobile numbers and profile on a social media platform;

Booking Data – information provided for the booking of an appointment with a chosen clinic e.g. name, surname, date/time, health/ medical data;

Special Categories of personal data – information about your health, medical treatment, equality and diversity, ethnicity;

Background Check Data – information to verify the accuracy of an individual’s personal and professional history including criminal convictions and records, credit history, education;

Recruitment Data - information gathered during the hiring process, including demographic information, education and employment history, CVs, interview notes, gender;

Employee Data - information collected for employment purposes including name, surname, gender, date of birth, contact details, dependents and next of kin information, marital status, emergency contact information, financial information, professional memberships and licenses, appraisals and disciplinary details;

Technical data and Network Activity Information – information about your device and your usage of our websites, apps and systems, including your IP address, device ID, hardware model and version, mobile network information, operating system, platform and other online identifiers, type of browser, browser plug-in types and versions, browsing history, search history, access time, pages viewed, URLs clicked on, forms submitted, time zone setting/physical location and other technology on the devices that you use to access our website;

Financial Information – your credit card, PayPal account or bank details, including account name, account number and sort code if payments are made by you to Adoreal;

Usage Data – data related to your use of our services offered (including feedback), your purchase history and preferences, your interactions with us, your preferred method of communications with us, and services you may use relating to your selection of aesthetic/cosmetic/plastic surgery practitioners and institutions/clinics, your use of the 3D enhanced imaging and simulation creator including details of healthcare professional and clinic selected, surgery type information, cost;

Health Information – your health status, current and historical health conditions and health information inferred from information that you have provided to us, including an aesthetic assessment where you would be asked questions related to any previous procedures/treatment that you have had, and your potential maximum expenditure, any medication that you are prescribed.

Feedback and Opinion Data - we will collect feedback from you regarding your feelings towards your consultation, treatment and post-surgical experience so that we can maintain and improve our service and reduce barriers in communication between you and your healthcare provider;

Marketing and Communications Data - includes your preferences for receiving marketing materials from us and your communication preferences such as via email; and

Audio Visual Data – photos, videos and voice recordings of you, if you choose to submit those to us.  These may include any 3D enhanced images or simulations that you may create using the Crisalix 3D image creator provided to you within your Adoreal account. The 3D enhanced images or simulations are created using ARKit, TrueDepth API, Camera APIs, Photo APIs, or other software for depth of facial mapping information.

Audiovisual Recording Data – audiovisual recordings of meetings held on Teams, Zoom, Google Meet that we may hold with you, including collection of information from Microsoft Outlook Calendar or Google Calendar about the meeting held. The recordings of the meetings are created using an AI tool called Fathom, which is also used to transcribe and take notes of matters discussed at the meeting we may have with you.  The transcript is shared with you.

We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. ‘Aggregated Data’ could be derived from your personal data but is not considered personal data as this data will not directly or indirectly reveal your identity or contain any of your personal data. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.

You can choose not to give us personal data when we ask for it. If you decide not to give us your personal data, it may restrict our relationship with you. For example, we may not be able to provide you with the services that you have requested.

How do we collect your personal data?

When you visit our websites or use our services, we collect your personal data.

Directly from you when you:

Visit or use some parts of our websites and/or services we might ask you to provide personal data to us. We also collect some information about you automatically when you visit our websites or use our services, like your IP address, device type, and browser details.

Use your Adoreal account that a clinic created for you as one of their patients, or you use your own Adoreal account to update your personal details, photos and images, use it to communicate with the clinic or healthcare professional about your treatment, provide feedback or take part in surveys, use the 3D enhanced imaging or simulation to create images, or make any bookings and payments through the account, when you contact us with any queries, complaints or for IT support;

Register with us to use Adoreal’s authentication services (currently OTP via mobile phone and email);

Create an account and profile on one of our websites, or apps - as you interact with our website, we will automatically also collect Technical Data about your equipment, browsing actions and patterns subject to us obtaining your consent where this is required, for example for marketing or tracking cookies. We collect this personal data by using cookies, server logs and other similar technologies. We may also receive Technical Data about you if you visit other websites employing our cookies. Please also see our Cookie Notice for additional information.

We may also receive personal data including Technical Data about you if you visit our websites, apps and systems to inquire about our services:

• Book an appointment for example by using our booking widget, or through your Adoreal account;

• Share or use your social media profile to contact Adoreal;

• Sign up with Adoreal to receive promotional marketing materials and direct marketing communications;

• Get in touch for support or to provide feedback to Adoreal;

• Attend any online events that Adoreal may organise, such as a webcast;

• Respond to any self-assessment surveys that you choose to participate in; and

• Share any adverse events or medical information enquiries in your Adoreal account.

From other sources:

The majority of information that we collect, we collect directly from you. However, sometimes we may collect personal data about you from other sources, such as publicly available materials or trusted third parties like the healthcare clinics that use our product, and from marketing and research partners. We use this information to supplement the personal data we already hold about you, in order to better inform, personalise and improve our services. Where a clinic creates an Adoreal account for you as a patient, the clinic that you have contacted for treatment provides personal data about you to Adoreal to create your Adoreal account;

When you talk about us online, for example when you mention an Adoreal product in a Tweet or on other social media, we may collect your personal data from the third-party, such as social media handles and other personal data you make available. If you connect your social media account to our websites, or apps, certain personal data from your social media account will be shared with us. This may include, amongst other personal data, your name, email address, photos, list of social media contacts, and any other accessible information;

How do we use your personal data?

We use your personal data for the purposes we have described below in this privacy notice, or for purposes which are reasonably compatible to the ones described.

Legal Bases

“Consent” means that the individual has given clear permission for their personal data to be processed for a specific purpose. Consent must be a freely given, specific, informed and unambiguous indication of the individual's wishes by which he or she, by clear affirmative action, shows agreement to the processing of personal data relating to him or her.

“Legitimate interest” means the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.

“Performance of a contract” means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.

“Comply with a legal obligation” means processing your personal data where it is necessary for compliance with a legal obligation that we are subject to.

“Vital Interest” means processing your personal data in a life or death circumstance, where the processing is vital to the individual’s survival and where they need emergency medical care and are incapable of giving consent.

Practical application  

We have set out below, in a table format, a description of the ways we may use your personal data, for what purposes, and the applicable legal bases we rely on to do so.

We have also identified what our legitimate interests are where appropriate. Note that we may process your personal data on more than one lawful basis depending on the specific purpose for which we are processing your data.

| Purpose | Personal Data Type | Lawful Basis for Processing |
|---|---|---|
| To register you as a new customer | Identity Data, Contact Data | Performance of Contract |
| To manage our relationship with you. This can include: (a) administration of your account where you are a patient/consumer; (b) notifying you about updates to our terms, policies and products. | Identity Data, Contact Data | Legitimate Interest |
| Provide our product and services to you as a patient/consumer, including the use of the 3D enhanced imaging and simulation service using AI. Provide online services to you as a patient/consumer such as online booking of appointments and treatments with third-party clinics/healthcare professionals and institutions, including via the booking widget, making payments for treatments. | Identity Data, Contact Data, Financial Data, Booking Data, Technical Data and Network Activity information | Performance of Contract, Consent |
| To respond to your enquiries and provide you with information when you request it or when we believe our services may be of interest to you. | Identity Data, Contact Data | Legitimate Interest |
| Invite you to provide feedback, participate in research, surveys or attend events. | Identity Data, Contact Data, Feedback and Opinion Data, Marketing and Communications Data | Consent, Legitimate Interest |
| Identify you and authenticate your access rights to our websites, systems and apps. | Identity Data, Contact Data, Technical Data and Network Activity information | Legitimate Interest, Performance of Contract |
| To deliver services to you via your smart device and our mobile apps. | Identity Data, Technical Data and Network Activity information | Performance of Contract |
| To provide marketing communications, events and advertising and to ask you to participate in a feedback panel or take a survey. | Identity Data, Contact Data, Feedback and Opinion Data, Marketing and Communications Data | Consent, Legitimate Interest |
| To personalise and measure the effectiveness of and improve our marketing and advertising by identifying your interests and to determine how you engaged with our marketing and advertising. | Identity Data, Contact Data, Feedback and Opinion Data, Marketing and Communications Data | Consent, Legitimate Interest |
| To send direct marketing communications to you via email. | Identity Data, Contact Data, Marketing and Communications Data | Consent, Legitimate Interest |
| Perform analytics, market research and segmentation to understand your preferences, improve our products and services and our communications to you. | Identity Data, Usage Data, Technical Data and Network Activity information, Marketing and Communications Data | Legitimate Interest |
| Monitor and analyse trends, usage and activities in connection with our services to understand which parts of our services are of the most interest and to improve them accordingly. | Identity Data, Usage Data, Technical Data and Network Activity information | Legitimate Interest |
| To gain insights and feedback on our services in order to correct or improve them, by analysing information from external sources such as Google, Facebook and Twitter (and others). | Identity Data, Contact Data, Feedback and Opinion Data, Marketing and Communications Data | Legitimate Interest |
| Prepare and perform management reporting and analysis, including analytics and metrics, for example for pricing, reoccurrence of services, how busy a doctor is, if someone booked a consultation and then converted into a service. | Usage Data, Technical Data and Network Activity information | Legitimate Interest |
| Management of our workforce. | Identity Data, Contact Data, Financial Information, Employee Data, Recruitment Data | Performance of Contract, Legal Obligation, Legitimate Interest |
| Manage recruitment and selection of prospective employees and contractors. | Identity Data, Contact Data, Special Category Data, Recruitment Data, Background Check Data | Consent, Legitimate Interest, Legal Obligation, Performance of Contract |
| Respond to you if you report adverse events to us – adverse events from your treatment should be reported to the healthcare professional/institution/clinic who treated you, so that medical assessment can be made. | Identity Data, Contact Data, Special Categories of Data, Health Information, Audio Visual Data | Performance of Contract |
| Perform data analyses, auditing and research to help us deliver and improve our Adoreal digital platforms, content and services. | Usage Data, Technical Data and Network Activity information | Legitimate Interest |
| Respond to reports you make on your account, of a possible side effect associated with your treatment, communicating with you to advise you to return to the healthcare professional/institution/clinic that treated you. | Identity Data, Contact Data, Special Categories of Data, Health Information, Audio Visual Data | Performance of Contract |
| To investigate and take action against illegal or harmful behaviour of users. | Identity Data, Contact Data, Usage Data, Technical Data and Network Activity information | Legitimate Interest, Legal Obligation |
| Keep records related to our relationship with healthcare professionals. | Identity Data, Contact Data, Special Categories of Data, Audio Visual Data, Health Data | Legal Obligation, Legitimate Interest |
| Manage our network and information systems security. | Usage Data, Technical Data and Network Activity information | Legitimate Interest |
| To comply with our legal obligations, such as: complying with our obligations under tax laws and companies legislation, such as the Irish Companies Act 2014 (as amended); complying with requests to provide data to law enforcement agencies in relation to an investigation and to respond to requests from other competent public authorities. | Identity Data, Contact Data, Special Categories of Data, Health Information, Usage Data, Technical Data and Network Activity information, Financial Data | Legal Obligation |
| To exercise or defend against potential, threatened or actual litigation. | Identity Data, Contact Data, Special Categories of Data, Health Information, Usage Data, Technical Data and Network Activity information, Financial Data, Marketing and Communications Data, Audio Visual Data | Legal Obligation |
| To protect your vital interests, or those of another person. | Identity Data, Contact Data, Special Categories of Data, Health Information, Audio Visual Data | Vital Interests |
| To use an AI tool to create audiovisual recordings of meetings, including minutes, tasks and notes following an online meeting held via Teams, Zoom, Google Meet (Microsoft Outlook Calendar or Google Calendar). | Audiovisual Recording Data, Contact Data | Consent |

Generally, we do not rely on consent as a legal basis for processing your personal data except as set out above, where we are obliged to obtain your consent prior to undertaking specific activities, including our use of an AI tool for audiovisual recordings and transcripts, your use of the 3D imaging service, marketing activities and the carrying out of any background checks, where we will seek to obtain your explicit consent prior to processing your data.

Where you have provided your consent to receive direct marketing communications from Adoreal via email, we draw your attention to the fact that Adoreal may continue to send appropriate specific marketing communications to you even if you are no longer a consumer or no longer hold an account with Adoreal, provided that you have not withdrawn your consent to receive such marketing communications or you have previously purchased an Adoreal product. Such marketing communications may be provided to you pursuant to the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) (as may be updated from time to time).

You have the right to withdraw consent to these marketing activities at any time by contacting us at [email protected].

How do we protect your personal data?

The security of your data is important to us. We implement technical and organisational measures designed to ensure a level of security for the personal data which is appropriate to the risks to you, our consumers and customers that may result from the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the personal data.

Adoreal carefully chooses the third-party service providers we work with and carries out necessary due diligence to ensure that they have appropriate security, technical and organisational measures and technologies in place to protect your personal data. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and are subject to a duty of confidentiality. We have robust procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so. All data is encrypted in transit and at rest.

A disciplinary policy is enforced to prevent unauthorized access.

However, there are no guarantees that a data transmission or storage system is 100% secure. If you have reason to believe that your interaction with us is no longer secure, please immediately notify us using the details at the ‘Contact information and your privacy point of contact’ section above.

What are your rights regarding your personal data?

You have rights relating to your personal data. Depending on the applicable data privacy law, you may have the right to direct Adoreal to take certain actions related to your personal data. You may have the right to request confirmation as to whether Adoreal is processing your personal data. Depending on this you may have the right to:

1. Withdraw your consent for processing of your personal data at any time for direct marketing purposes or where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

2. Request information relating to the categories of personal data involved, purposes of processing, recipients of your data, retention periods/criteria, and your rights as a Data Subject.

3. Ask Adoreal to access any of your personal data that Adoreal is processing and to be provided with copies of your personal data.

4. Ask Adoreal to correct information you think is inaccurate or incomplete, although we may need to verify the accuracy of the new data you provide to us.

5. Ask Adoreal to delete your personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note however, that we may not always be able to comply with your request of erasure due to specific legal exceptions which will be notified to you, if applicable, at the time of your request.

6. Ask Adoreal to restrict the processing of your information.  This enables you to ask us to suspend the processing of your personal data in the following scenarios:

   a.    If you want us to establish the data's accuracy;

   b.    Where our use of the data is unlawful, but you do not want us to erase it;

   c.    Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or

   d.    You have objected to our use of your data, but we need to verify whether we have overriding legitimate grounds to use it.

7. Object to Adoreal processing of your personal data where we are relying on legitimate interest as the lawful basis for processing. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes, that includes profiling that is related to direct marketing and upon receipt of this objection Adoreal will stop processing your personal data for this purpose.

8. Ask that Adoreal transfer your personal data that you have given to us to another organisation, or to give it to you.  We will provide the personal data to you, or a third party you have chosen, in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you; and

9. Right to complain to your local Data Protection Authority or Supervisory Authority.

To exercise any of these rights described above, please email [email protected] with a description of your request.

For your protection, and to protect the privacy of others, we may need to verify your identity before completing what you have asked us to do and to ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

We will respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

Where we have relied upon your consent to use your personal data, and you later withdraw that consent, we may not be able to complete some of the activities described in ‘How do we use your personal data’.

How long do we keep your personal data?

In some jurisdictions, we are legally required to keep your personal data for certain periods. How long depends on the specific applicable laws within a specific jurisdiction.

We will retain your personal data only for as long as is necessary for the purposes set out in this Privacy Policy in line with our Retention Policy and Schedule. To determine the appropriate retention period for personal data, we consider various criteria including the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements. Where it is necessary to retain personal data to comply with our legal obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies or otherwise establish, defend or exercise legal claims, then we will do so.

Once specific retention timelines have passed and we have no further specific reason to retain that personal data, the relevant personal data will be erased or adapted so that it no longer is personal data.

In some circumstances, you can ask us to delete your data. See ‘What are your rights regarding your personal data?’ section above for information on your data protection rights. You also have the right to object to our processing of personal data for direct marketing purposes (though where you do so, we will retain sufficient information to make sure we don’t send you direct marketing messages in the future).

With whom do we share your personal data?

There will be times when we need to share your personal data with third parties. We may share your personal data within the Adoreal Group of companies and any third-party service providers that we may use to provide supporting services to us. We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.  We ensure that we have contractual agreements in place with our third-party service providers.

We may disclose your personal data to:

   a. Other Adoreal Group companies;

   b. Third party service providers providing support services, such as technology suppliers and system administration services providers that assist with the development and improvement of our websites, digital forums and apps etc, such as Amazon Web Services, Microsoft, Google, Slack, Figma, GoDaddy, JetBrains, GitHub, Chameleon, Vumetric, DataDog, Miro, Webflow, Lokalise, Tramco Cloud, Crisalix and Hypersonix, Fathom AI, Facebook, LinkedIn;

   c. Marketing agencies working with us to market or promote our product and services to you where you have consented to receive marketing communications and materials from us;

   d. Media services providers;

   e. Any entity making enquiries in connection with an actual or proposed purchase, merger or acquisition of any part of our business or brands. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice;

   f. Suppliers of healthcare professionals/institutions/clinics that are managing adverse event reports;

   g. Local or foreign regulators, courts, government agencies, tax authorities and law enforcement authorities and other third parties where we think it’s necessary to comply with applicable laws or regulations, or to exercise, establish or defend our legal rights and where we have an obligation to report certain processing activities. Where possible and appropriate, we will notify you of this type of disclosure;

   h. Professional advisors, such as insurers, bankers, auditors, accountants and lawyers; and

   i. Other entities or individuals where we have your consent to share your personal data.

In what instances do we transfer your personal data outside of your home country?

Adoreal adheres to all relevant Data Privacy Regulations in the jurisdictions in which we operate. We are a global company and therefore when we share your personal data, it may be transferred to, and processed in, countries other than the country you live in, for example to the United States or Costa Rica. These countries may have laws different to the one you are resident in. Where we disclose personal data to a third-party in another country, we put safeguards in place to ensure your personal data remains secure and protected.

We implement appropriate measures to protect your personal data when we transfer your personal data outside of your home country, such as execution of data transfer agreements with service providers that incorporate the EU Standard Contractual Clauses or UK Addendum to the EU Standard Contractual Clauses.

Law enforcement agencies, regulatory agencies, security authorities or courts in the countries we transfer your personal data to may have the right to see your personal data.  If applicable law does not allow transfer of specific personal data outside a country, we will comply with that applicable law.

If you have any questions about where and how your personal data may be transferred, please contact us on [email protected].

Additional information if you are based in the European Economic Area (EEA) or UK

For individuals in the European Economic Area (EEA), or in the United Kingdom (UK), this means that your data may be transferred outside of the EEA/UK, for example to the United States. The European Commission recognises that some countries outside the EEA/European Union or United Kingdom have similar data protection standards. If we transfer your personal data to a country outside the EEA/European Union or United Kingdom (UK) that does not have similar data protection standards, or to a third party, we will ensure that we have approved transfer mechanisms in place to protect your personal data. For example, we do so based on EU Standard Contractual Clauses adopted by the European Commission or the UK Addendum to the European Standard Contractual Clauses, to ensure the respective recipient protects your Personal Data adequately. These enable us to make international transfers of personal data within our group of companies and meet the data protection laws of the European Union and the General Data Protection Regulation (GDPR). We will also comply with other requirements, such as completing appropriate transfer risk assessments as required.

Information about Children

Whilst our services are not directed at children, occasionally we may receive a child’s data, for example, if you, as the child’s parent or legal guardian provide that personal data to us because you are looking for a treatment for them that involves aesthetic/cosmetic/plastic surgery. We will only ever collect children’s personal data with the parent’s or legal guardian’s consent. Please see ‘What personal data we collect about you’ for more information.

Marketing

You will only receive marketing communications from us or any other company in the Adoreal Group if you have either provided consent to receive marketing communication or you are one of our clients that has purchased our product and has not opted out of receiving such marketing communications.

We may use the data you share with us to make decisions about your interests and preferences so we can make the marketing materials we send you more relevant. We may also combine the information we hold about you with data about your interests or demographics that we have obtained from third parties, to make your experience more personalised and further tailor our marketing materials. You have certain rights in relation to this – please see 'What are your rights regarding your personal data?' above for further information.

Sometimes we may also use information about you to build lookalike models. This allows us to generate similar audiences of prospective customers (who may have similar interests or demographics to you) through advertising platforms like Facebook or Google, based on data that the advertising platform holds about other people. Usually this means sharing your email address with our advertising partners. If you wish to opt out of similar audiences and you do not want us to use your personal data in this way please contact us on [email protected].

We use Facebook custom audience tools. This allows us to provide personalised advertising to you when you use Facebook’s platforms by matching the email address we hold for you with the email address Facebook holds for you, to show you the most relevant Adoreal advertisements. We only do this where you have given us your consent.

We use remarketing services offered by our advertising partners, such as, Google and Facebook to personalise advertisements for visitors to sites of their advertising networks (i.e. websites other than Adoreal’s). On these pages, you may be shown advertisements that refer to your interactions with Adoreal.

Many companies that display interest-based advertising are members of the Network Advertising Initiative ("NAI"), the Digital Advertising Alliance ("DAA") or the European Interactive Digital Advertising Alliance (“EDAA”). To opt-out of interest-based advertising by members of these initiatives, you can visit their websites at https://optout.networkadvertising.org, https://optout.aboutads.info and https://www.youronlinechoices.com.

Withdrawal of Consent/ Opting out of Marketing

You can withdraw your consent to receive marketing communication or opt-out of receiving any marketing communication from us at any time, by either following the opt-out links in any marketing communication sent to you or by contacting us at any time at [email protected].

Change of Purpose

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another purpose and that purpose is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

How do we update this Privacy Notice

From time to time, we will update this Privacy Notice. Any changes become effective when we post the revised Privacy Notice on the Adoreal website. This Privacy Notice was last updated as of the “Last Updated” date shown at the top of the Privacy Notice. If updating changes are significant, we will provide a more prominent notice to let you know what the changes are.

Our responsibility regarding websites that we do not own or control.

Our websites and applications may contain links to third party websites, plug-ins or mobile applications we do not own or control. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. Our Privacy Notice does not cover them. Please read the privacy notices on those websites and mobile applications if you would like to find out how they collect, use and share your personal data.


We have appointed a data protection officer (DPO) who is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice, including any requests to exercise your legal rights, please contact the DPO using the details set out below.

Contact details ([email protected])

If you have any questions about this privacy notice or our privacy practices, please contact our DPO in the following ways:
Full name of legal entity: Adoreal Limited
Email address: [email protected]

You have the right to make a complaint at any time to the data protection regulator in the country where you usually live or work, or where the alleged data protection infringement has taken place.  We would, however, appreciate the chance to deal with your concerns before you approach the applicable data protection regulator so please contact us in the first instance.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

Personal data means any information or piece of information which could identify you either directly (e.g. your name) or indirectly (e.g. a unique ID number).

In this privacy notice, we explain:

  • Who is the controller of your personal data?
  • Contact information and your privacy point of contact
  • What personal data do we collect about you?
  • How do we collect your personal data?
  • How do we use your personal data?
  • Why are we allowed to collect and use your personal data?
  • How do we protect your personal data?
  • What are your rights regarding your personal data?
  • With whom do we share your personal data?
  • In what instances do we transfer your personal data outside of your home country?
  • Additional information if you are in the European Economic Area (EEA)
  • Information about children
  • Cookies, Website and Application Data; Use for Analytics and Marketing
  • Third Party Marketing
  • Opting out
  • Change of Purpose
  • How we update this Privacy Notice?
  • Our responsibility regarding websites that we do not own or control

Who is the controller of your personal data?

Adoreal Limited (incorporated in the Republic of Ireland under number 72345090 D, whose registered office is at South Circular Road, Dublin 8, Ireland) (“Adoreal”) together with the local Adoreal company which has a relationship with you, are the controllers of your personal data.

Contact information and your privacy point of contact

If you want to exercise your rights, have any questions about this privacy notice, need more information or would like to raise a concern, each local privacy point of contact’s details can be found by contacting [email protected].

What personal data do we collect about you?

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data). The personal data we collect, and process, may include:

  • Identity data – your name, surname (including prefix or title), alias, gender, age or date of birth, social security number, as well as your preferred language. Similar information about children may also be collected in very limited circumstances, see ‘Information about children’ for more information; 
  • Contact data – information that enables us to contact you, e.g. your personal or business email, mailing address, telephone numbers and profile on a social media platform; 
  • Special Categories of personal data – information about your health, medical treatment;
  • Technical data and network activity information – information about your device and your usage of our websites, apps and systems, including your IP address, device ID, hardware model and version, mobile network information, operating system, platform and other online identifiers, type of browser, browser plug-in types and versions, browsing history, search history, access time, pages viewed, URLs clicked on, forms submitted, time zone setting/physical location and other technology on the devices that you use to access our website;
  • Financial information – your credit card, PayPal account or bank details, including account name, account number and sort code if payments are made by you to Adoreal;
  • Usage data – data related to your use of our services offered (including feedback), your purchase history and preferences, your interactions with us, your preferred method of communications with us, and services you may use relating to your selection of aesthetic/cosmetic/plastic surgery practitioners and institutions/clinics;
  • Health information – your health status, health conditions you are experiencing and health information inferred from information that you have provided to us, including an aesthetic assessment where you would be asked questions related to any previous procedures/treatment that you have had, and your potential maximum expenditure. We will also collect feedback from you on your feelings towards your consultation, treatment and post-surgical experience so that we can maintain and improve our service and reduce barriers in communication between you and your healthcare provider;
  • Marketing and Communications Data - includes your preferences in receiving marketing from us and your communication preferences; and
  • Audio visual – photos, videos and voice recordings of you, if you submit those to us.

We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.

You can choose not to give us personal data when we ask you for it. If you decide not to give us your personal data, it may restrict our relationship with you. For example, we may not be able to provide you with the services that you have requested.

How do we collect your personal data?

Directly from you when you:

  • Create an account and profile on one of our websites, or apps - As you interact with our website, we will automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies. We may also receive Technical Data about you if you visit other websites employing our cookies. Please see our Cookie Notice;
  • A clinic creates an account for you as a patient with Adoreal – therefore the clinic that you have contacted may proceed to then create your Adoreal account with Adoreal on your behalf; 
  • Register with us to use Adoreal’s authentication services (currently OTP via mobile phone and email); 
  • Use our websites, apps and systems to inquire about our services;
  • Share or use your social media profile to contact Adoreal; 
  • Sign up with us to receive promotional material;
  • Get in touch for support or to provide feedback;
  • Attend future online events that Adoreal may organise, such as a webcast;
  • Respond to any self-assessment surveys that you may choose to participate in; and
  • Share adverse events or medical information enquiries with us.

From other sources:

  • When you talk about us online, like when you mention an Adoreal product in a Tweet or other social media. If you connect your social media account to our websites, or apps, you will share certain personal data from your social media account with us. This may include your name, email address, photo, list of social media contacts, and any other information you make accessible to us when you connect your social media account to our websites, or apps; and
  • We will receive personal data about you from various third parties, for example, analytics providers such as Google based outside the UK.

How do we use your personal data?

When the law allows us to, we use your personal data for the purposes we have described below in this privacy notice, or for purposes which are reasonably compatible to the ones described:

  1. Purposes -
     a. We will receive personal data about you from various third parties, for example, analytics providers such as Google based outside the UK.
     b. To perform the contract (for services to you if you are a patient/consumer, or the employment contract if you are an employee of Adoreal) that we are about to enter into or have entered into with you, or where it is necessary for our legitimate interests (see below), or those of a third party and your interests and fundamental rights do not override those interests. If you are a patient, Adoreal aims to use your personal data in order to reduce barriers in communication with your healthcare professional/institution/clinic;
     c. Where we need to comply with a legal obligation (see below); or
     d. To manage and improve Adoreal’s processes and our business operations.
  2. Practically - this means that we will use your personal data to:
     a. Provide our products and services to you;
     b. Provide online services to you if you are a patient/consumer –
     c. Provide employment opportunities if you are not a patient, but you are interested in applying to be an employee of Adoreal;
     e. Identify you and authenticate your access rights to our websites, systems and apps;
     f. To respond to your queries and provide you with information when you request it or when we believe our services may be of interest to you. If we intend to share electronic marketing with you, we will ask for your consent where required and you can opt out at any time;
     g. Invite you to provide feedback, participate in research, surveys or attend events;
     h. Personalise your experience when interacting with Adoreal;
     i. Respond to you if you report adverse events to us – adverse events from your treatment should be reported to the healthcare professional/institution/clinic who treated you, so that medical assessment can be made; and
     j. Perform analytics, market research and segmentation to understand your preferences, improve our products and services and our communications to you.
     k. Manage our network and information systems security;
     l. Manage our workforce effectively;
     m. Respond to reports you make of a possible side effect associated with your treatment by asking you to return to the healthcare professional/institution/clinic that treated you;
     n. Keep records related to our relationship with healthcare professionals;
     o. Perform data analyses, auditing and research to help us deliver and improve our Adoreal digital platforms, content and services;
     p. Monitor and analyse trends, usage and activities in connection with our services to understand which parts of our services are of the most interest and to improve them accordingly; and
     q. Prepare and perform management reporting and analysis, including analytics and metrics.

Generally, we do not rely on consent as a legal basis for processing your personal data although we will get your consent before:

(1) anonymising your personal data with a view to performing analytics on anonymised/aggregated data from which you will not be identifiable; and

(2) sending direct marketing communications to you via email. Please note that Adoreal’s contact with patients is governed by Adoreal’s terms and conditions with the patient. Even after any termination of a contract between Adoreal and a healthcare professional/institution/clinic, Adoreal may retain patient contact details. Adoreal may continue appropriate specific marketing activities towards such patients in respect of that patient’s previous contact with Adoreal, pursuant to the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as may be updated from time to time).

You have the right to withdraw consent to these activities at any time by contacting us at [email protected]

“Legitimate interest” means the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.

“Performance of a contract” means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.

“Comply with a legal obligation” means processing your personal data where it is necessary for compliance with a legal obligation that we are subject to.

To achieve other purposes.

We will use your personal data:

  • To follow applicable laws and regulations;
  • To respond to requests from competent public authorities;
  • To tell you about changes to our terms, conditions and policies;
  • To exercise or defend Adoreal against potential, threatened or actual litigation;
  • To investigate and take action against illegal or harmful behaviour of users;
  • To protect Adoreal, your vital interests, or those of another person;
  • To gain insights and feedback on our services in order to correct or improve them, by analysing information from external sources such as Google, Facebook and Twitter (and others);
  • To deliver services to you via your smart device and our mobile apps; and
  • When we sell, assign or transfer all or part of our business.

We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate. Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.

| Purpose/Activity | Type of data | Lawful basis for processing including basis of legitimate interest |
| --- | --- | --- |
| To register you as a new customer | (a) Identity; (b) Contact | Performance of a contract with you |
| To manage our relationship with you which will include: (a) Notifying you about changes to our terms or privacy policy; (b) Asking you to leave a review or take a survey | (a) Identity; (b) Contact; (c) Marketing and Communications | (a) Performance of a contract with you; (b) Necessary to comply with a legal obligation; (c) Necessary for our legitimate interests (to keep our records updated and to study how customers use our products/services) |
| To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) | (a) Identity; (b) Contact; (c) Technical | (a) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise); (b) Necessary to comply with a legal obligation |
| To use data analytics to improve our website, products/services, marketing, customer relationships and experiences | (a) Technical; (b) Usage | Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy) |
| To make suggestions and recommendations to you about services that may be of interest to you | (a) Identity; (b) Contact; (c) Technical; (d) Usage; (e) Marketing and Communications | Necessary for our legitimate interests (to develop our products/services and grow our business) and/or Your consent to receiving direct Marketing and Communications |

Why are we allowed to collect and use your personal data?

We can collect and use your personal data when one of the following applies:

  • 1. To take steps before entering into a contract or perform a contract; 
  • 2. To follow the law, for example:
  • a. Record-keeping regulatory monitoring and reporting obligations, including those related to adverse events, product complaints and product safety; and
  • b. Complying with anti-corruption and transparency obligations;
  • c. You have specifically given us your permission when such permission is obligatory (the law calls it “consent”). You can withdraw your consent at any time. We will normally need your consent in the following circumstances:
  • i. Placing cookies on your device to find out how you use our websites so we can personalise what you see by tailoring content and notifications to the things you are interested in;
  • ii. Certain situations where you share sensitive personal data about yourself, such as your health, although GDPR does allow us to process your sensitive personal data if it is under a contract with your treating healthcare professional/institution/clinic in order to assist with the provision of medical treatment to you;
  • iii. Before we send you certain electronic marketing communications; and
  • iv. In any other situation where personal data processing relies upon your consent.
  • 3. We need to use your personal data for legitimate business purposes, for example, to enable us to run our business successfully. These include:
  • a. Sending direct marketing materials to you where you have already contacted us about your interest in exploring treatments in aesthetic/cosmetic/plastic surgery (you will always have the right to opt out of marketing and promotional communications);
  • b. Conducting audits and internal investigations and complying with internal policies on anti-bribery and conflict of interest;
  • c. Managing our IT and communications systems and networks;
  • d. Planning and improving our business activities;
  • e. Conducting training and gathering feedback for ensuring quality control;
  • f. Protecting our rights, privacy, safety or property, and/or that of our affiliates, you or others;
  • g. To provide the functionality of the services we provide you, which includes arranging access to your registered account, and providing you with related customer service;
  • h. Verifying your eligibility to access certain services and data that may be provided only to licensed healthcare professionals or otherwise conducting background checks to ensure we are not precluded from offering services to you;
  • i. Analysing or predicting your preferences to identify aggregated trends to develop, improve or modify our services and business activities;
  • j. Responding to and handling your queries or requests;
  • k. Sending administrative information to you, such as changes to our terms, conditions and policies;
  • l. Completing your transactions and providing you with related customer service;
  • m. Reaching out to you to provide information about our services or request input on surveys relating to our services;
  • n. For the establishment, exercise or defence of legal claims or proceedings;
  • o. To protect your vital interests or those of others; and
  • p. Because it is necessary for reasons of substantial public interest, on the basis of applicable laws.

How do we protect your personal data?

We want to make sure your personal data is not shared with or used by those not allowed to see it. We use a variety of security measures and technologies to help protect your personal data.

We carefully choose service providers to work with, and check they have security measures and technologies in place to protect your personal data. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality. We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

However, there are no guarantees that a data transmission or storage system is 100% secure. If you have reason to believe that your interaction with us is no longer secure, please immediately notify us using the details at the ‘Contact information and your privacy point of contact’ section.

What are your rights regarding your personal data?

You have rights we need to make you aware of. The rights available to you depend on our reason for processing your personal data and the local law in your jurisdiction, and there are exceptions to some rights. Depending on this you may have the right to:

1. Withdraw your consent to us processing your personal data at any time for direct marketing purposes or where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent; please contact [email protected] for further details. This withdrawal request will need to be handled by the Adoreal data protection officer, to assess what personal data (if any) can be deleted, and if so, for what specific use. Please note that personal data that forms a part of medical records cannot be deleted as a matter of public policy;

2. Ask Adoreal about the processing of your personal data including to be provided with copies of your personal data (through a "data subject access request");

3. Ask us to correct information you think is inaccurate or incomplete, although we may need to verify the accuracy of the new data you provide to us;

4. Ask us to delete your personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request;

5. Ask us to restrict the processing of your information. This enables you to ask us to suspend the processing of your personal data in the following scenarios:
a.    If you want us to establish the data's accuracy;
b.    Where our use of the data is unlawful but you do not want us to erase it;
c.    Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or
d.    You have objected to our use of your data, but we need to verify whether we have overriding legitimate grounds to use it.

6. Object to our processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms; 

7. Ask that we transfer information you have given us from one organisation to another, or to give it to you. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you; and

8. Complain to your local data protection authority.

You can find out how to get in touch with us to ask us to do any of the above by looking at the ‘Contact information and your privacy point of contact’ section.

For your protection, and to protect the privacy of others, we may need to verify your identity before completing what you have asked us to do and to ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

Where we have relied upon your permission to use your personal data, and you later withdraw that permission, we may not be able to complete some of the activities described in ‘How do we use your personal data’. 

How long do we keep your personal data?

In some jurisdictions, we are legally required to keep your personal data for certain periods. How long depends on the specific legal requirements of the jurisdiction you are in when you share your information with us.

We will always keep your personal data for the period required by law and where we need to do so in connection with legal action or an investigation involving Adoreal. Otherwise, we will keep your personal data for as long as we have a relationship with you, in order to respond to or process a question or request from you. Adoreal’s contact with patients is governed by Adoreal’s terms and conditions with the patient. Even after any termination of a contract between Adoreal and a healthcare professional/institution/clinic, Adoreal may retain patient contact details and Adoreal may continue appropriate specific marketing activities towards such patients in respect of that patient’s previous contact with Adoreal, pursuant to the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as may be updated from time to time).

We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

Insofar as the processing of personal data is based on your consent, we will delete this data if you withdraw your consent, subject to the technical ability to do so and so far as such a deletion would not require disproportionate effort on our part. This deletion request will need to be handled by the Adoreal data protection officer, to assess what personal data (if any) can be deleted, and if so, for what specific use. Please note that personal data that forms a part of medical records cannot be deleted as a matter of public policy.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data, and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting, or other requirements.

With whom do we share your personal data?

We share your personal data on a need to know basis, and to the extent necessary to follow laws and regulations, and in the context of managing our relationship with you.

We share your personal data only with teams in our Adoreal companies and affiliates who need to see it to do their jobs. We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

We will also share your personal data with other entities, for example:

  • Marketing agencies working with Adoreal to improve its patient/consumer offering;
  • Technology suppliers and system administration services providers who work with us to develop and improve our websites, digital forums and apps;
  • Media services providers who work with us;
  • Any entity who may acquire us or part of our business or brands. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice;
  • Suppliers of healthcare professionals/institutions/clinics that are managing adverse event reports;
  • Local or foreign regulators, courts, governments, tax authorities and law enforcement authorities who require reporting of processing activities in certain circumstances; and
  • Professional advisors, such as insurers, bankers, auditors, accountants and lawyers.

In what instances do we transfer your personal data outside of your home country?

We work all over the world. Therefore, where your applicable law allows it, we may need to transfer and use your personal data outside of the country where we collect it from you. We implement appropriate measures to protect your personal data when we transfer your personal data outside of your home country such as data transfer agreements that incorporate standard data protection clauses. The data privacy laws in the countries we transfer it to may not be the same as the laws in your home country. Law enforcement agencies, regulatory agencies, security authorities or courts in the countries we transfer your personal data to may have the right to see your personal data.  If applicable law does not allow transfer of specific personal data outside a country, we will comply with that applicable law.

Additional information if you are based in the European Economic Area (EEA)

The European Commission recognises that some countries outside the EEA have similar data protection standards. If we transfer your personal data to a country outside the EEA that does not have similar data protection standards, we do so based on standard contract clauses adopted by the European Commission, to ensure the respective recipient protects your Personal Data adequately in accordance with this privacy notice. These enable us to make international transfers of personal data within our group of companies and meet the data protection laws of the European Union and the General Data Protection Regulation (GDPR).

Information about Children

Whilst our services are not ordinarily directed to children, occasionally we may receive your child’s data, for example, if you provide that personal data to us because you are looking for a treatment for them that involves aesthetic/cosmetic/plastic surgery. We will only ever receive this with your consent. Please see ‘What personal data we collect about you’ for more information.

Cookies, Website and Application Data; Use for Analytics and Marketing

Our websites may use cookies and similar technologies. You can choose to accept or decline cookies. If you choose to decline cookies, not all elements of our websites, apps and services may function as intended, so your experience may be affected.

To the extent that your local laws consider the information collected by cookies and other technologies as personal data, we will treat that information to the standards set out in this privacy notice.

We strive to provide you with choices regarding certain personal data uses, particularly around marketing communications from us and/or the relevant company in the Adoreal Group.  You will receive marketing communications from us or the relevant company in the Adoreal Group if you have requested information from us or the relevant company in the Adoreal Group and you have not opted out of receiving that marketing.

We collect information about your computer browser type and operating system, websites you visited before and after visiting our websites, standard server log information, Internet Protocol (IP) addresses, location data, mobile phone service provider, and mobile phone operating system. We use this information to understand how our visitors use our websites and mobile applications so that we can improve them, the services we offer, and our advertising. We may also share this information with other companies within the Adoreal group and with other third parties. Some of our websites use Google Analytics, a web analytics service provided by Google, Inc. (“Google”). Google Analytics uses cookies to analyse use patterns and may collect information about your use of the website, including your IP address. More information on Google Analytics can be found here. If you would like to opt-out of having your data used by Google Analytics, you can opt out here.

We also use remarketing services offered by our advertising partners to personalise advertisements for visitors to sites of their advertising networks (i.e. websites other than Adoreal’s). On these pages, you may be shown advertisements that refer to your interactions with Adoreal previously. To turn off personalisation for advertisements served by Google click here. To turn off personalisation for advertisements served by Facebook click here. Many companies that display interest-based advertising are members of the Network Advertising Initiative ("NAI"), the Digital Advertising Alliance ("DAA") or the European Interactive Digital Advertising Alliance (“EDAA”). To opt-out of interest-based advertising by members of these initiatives, you can visit their websites at https://optout.networkadvertising.org, https://optout.aboutads.info and https://www.youronlinechoices.com.

We may use the data you share with us to make decisions about your interests and preferences so we can make the marketing materials we send you more relevant. We may also combine the information we hold about you with data about your interests or demographics that third parties have collected from you online and offline, to make your experience more personalised and further tailor our marketing materials. You have certain rights in relation to this – please see 'What are your rights regarding your personal data?' above for further information.

We use Facebook custom audience tools. This allows us to provide personalised advertising to you when you use Facebook’s platforms by matching the email address we hold for you with the email address Facebook holds for you, to show you the most relevant Adoreal advertisements. We only do this where you have given us consent. Sometimes we may also use information about you to build lookalike models. This allows us to generate similar audiences of prospective customers (who may have similar interests or demographics to you) through advertising platforms like Facebook or Google, based on data that the advertising platform holds about other people. Usually this means sharing your email address with our advertising partners. If you wish to opt out of similar audiences in Google, you can do so here.

Third Party Marketing

Adoreal does not share your personal data with any third party for marketing purposes. In the event we wish to do so, we will get your express opt-in consent before we share your personal data with any third party for marketing purposes.

Opting out

You can ask us to stop sending you marketing messages at any time by following the opt-out links on any marketing message sent to you or by contacting us at any time at [email protected].

You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of this website may become inaccessible or not function properly. For more information about the cookies we use, please see our Cookie Notice.

Change of Purpose

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

How do we update this Privacy Notice

From time to time, we will update this Privacy Notice. Any changes become effective when we post the revised Privacy Notice on the Adoreal website. This Privacy Notice was last updated as of the “Last Updated” date shown above. If updating changes are significant, we will provide a more prominent notice to let you know what the changes are.

Our responsibility regarding websites that we do not own or control.

Our websites and applications may contain links to third party websites, plug-ins or mobile applications we do not own or control. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. Our Privacy Notice does not cover them. Please read the privacy notices on those websites and mobile applications if you would like to find out how they collect, use and share your personal data.