Privacy Policy

Last updated: May 8, 2026

Compliant with UK GDPR and EU GDPR. Written in plain language in accordance with Article 12 UK/EU GDPR.

UK GDPR · EU GDPR · Art. 13 Compliant · Art. 22 Compliant

Contents

  About This Platform
  1. Overview
  2. Data We Collect
  3. How We Use Your Data
  4. Legal Basis for Processing (UK & EU GDPR)
  5. Automated Processing and AI Analysis
  6. Data Protection by Design
  7. Third-Party Data Processors
  8. International Data Transfers
  9. Data Retention
  10. Data Security
  11. Your Rights
  12. Data Protection Impact Assessment
  13. Cookies and Tracking
  14. Children's Privacy
  15. Changes to This Policy
  16. Contact & Supervisory Authorities

About This Platform

Nitera is a clinic management and consultation documentation platform for licensed aesthetic medicine clinics. It assists qualified clinic staff in preparing structured consultation notes, treatment plan drafts, and client documentation using AI-assisted tooling. Nitera does not provide medical diagnoses, clinical assessments, or treatment decisions of any kind. All AI-generated content is subject to mandatory review and approval by qualified clinic staff before any use. Nitera is not a medical device and does not perform any function intended to diagnose, prevent, monitor, or treat any medical condition.

1. Overview

Nitera ("we", "us", "our") operates a B2B SaaS platform providing AI-powered skin analysis and treatment plan generation tools to aesthetic clinics ("Clinics") in the United Kingdom and European Union.

This Privacy Policy explains how we collect, use, store, and protect personal data processed through our platform. It has been written to comply with the UK General Data Protection Regulation (UK GDPR) and the EU General Data Protection Regulation (EU GDPR 2016/679).

Two distinct privacy relationships exist within Nitera:

Nitera as controller — when we collect and process data about clinic staff who use our platform directly (names, email addresses, login activity). For this data, Nitera is the data controller and this Privacy Policy applies in full.

Nitera as processor — when clinics use our platform to process their clients' personal data (photographs, treatment plans, analysis results). For this data, the clinic is the data controller and Nitera acts as a data processor under their instruction. Clinics are responsible for providing their own privacy notices to their clients and for obtaining appropriate consent before uploading client data to Nitera.

By using Nitera, you agree to the terms of this Privacy Policy.

2. Data We Collect

We collect and process the following categories of data:

Clinic Staff Data (Nitera as controller)

·Name and email address (used for account access)
·Login credentials (stored securely using industry-standard authentication)
·IP addresses collected automatically on platform access — treated as personal data under UK/EU GDPR, used solely for security monitoring and fraud prevention
·Usage activity within the platform (pages visited, actions taken)

Client Data (Nitera as processor — on behalf of Clinics)

·Full name and contact information
·Facial and skin photographs uploaded for AI analysis
·AI-generated skin analysis results and concern assessments
·Treatment plan recommendations
·Plan approval history and audit logs
·Consultation notes and staff edits

Technical Data

·IP addresses and browser information
·Session tokens and authentication data
·Platform usage logs for security and debugging

Payment Data

·Payment processing is handled entirely by our payment provider. Nitera does not store credit card numbers, bank details, or any payment instrument data.

3. How We Use Your Data

We use collected data for the following purposes:

·Service delivery — to provide AI skin analysis, generate treatment plans, and operate the staff portal
·Account management — to authenticate users and manage clinic subscriptions
·AI processing — client photographs are transmitted to our AI analysis provider for skin analysis processing. Photographs are not retained by the AI provider beyond the duration of the analysis request and are not used for model training
·Communications — to send transactional emails (plan approvals, notifications, account alerts)
·Billing — to manage subscriptions and process payments via our payment provider
·Security and compliance — to maintain audit logs, monitor for fraudulent activity, and ensure platform integrity
·Platform improvement — aggregated, anonymised, non-identifiable usage data may be used to improve our services

We do not sell, rent, or share personal data with third parties for marketing purposes. We do not use personal data for automated profiling of individuals beyond the skin analysis function described in Section 7.

5. Automated Processing and AI Analysis

Nitera uses AI-assisted automated processing to analyse client skin photographs and generate treatment plan recommendations. We are committed to full transparency about how this works.

What the automated processing does:

·Analyses skin characteristics, concerns, and their assessed severity from client photographs
·Generates treatment recommendations based on the clinic's own service catalogue and pricing
·Produces a consultation summary and suggested script for the practitioner

What the automated processing does NOT do:

·Make final decisions about client treatment — all output is a draft recommendation only
·Diagnose medical conditions or replace clinical judgment
·Share any output with the client without explicit practitioner review and approval

Human review is always required. Every AI-generated output must be reviewed, edited if necessary, and explicitly approved by a qualified practitioner on the clinic's staff before it is used or communicated to any client. This means the processing does not constitute solely automated decision-making within the meaning of Article 22 UK/EU GDPR — a human is always in the loop.

Right to object: Clinic clients have the right to request that their photographs are not processed through automated AI analysis. In such cases, the clinic should contact us at hello@nitera.ai to discuss alternative workflows.

Important disclaimer: Nitera's AI analysis is not a medical device and does not constitute a medical diagnosis. All clinical judgments remain the sole responsibility of the qualified practitioner reviewing the output.

6. Data Protection by Design

Nitera has been built with data protection principles embedded at every level of the platform architecture, in accordance with Article 25 UK/EU GDPR:

·Data minimisation — we collect only the data strictly necessary for each purpose. No unnecessary data fields are collected or retained
·Purpose limitation — data collected for one purpose is not reused for unrelated purposes
·Storage limitation — data is retained only for the periods specified in Section 9
·Integrity and confidentiality — all data is encrypted at rest and in transit using industry-standard encryption
·Clinic data isolation — row-level security policies ensure each clinic can only access their own data. No cross-clinic data access is possible at the database level
·Audit trail — every change to a treatment plan, every approval and rejection, is permanently logged with timestamps and user identifiers, providing a complete and tamper-evident record

7. Third-Party Data Processors

We share personal data with the following categories of third-party service providers to deliver our services. All providers are engaged under data processing agreements that bind them to process data only on our instructions and to implement appropriate security measures.

Categories of sub-processors:

·Cloud database and secure file storage providers — European Union
·AI vision analysis service providers — United States (Standard Contractual Clauses apply)
·Transactional email delivery providers — United States (Standard Contractual Clauses apply)
·Payment processing providers — United States (Standard Contractual Clauses apply)
·Cloud application hosting and deployment providers — Global (Standard Contractual Clauses apply)
·Workflow automation providers — European Union / United States (Standard Contractual Clauses apply)

AI processing note: Client photographs are transmitted to our AI analysis provider solely for the purpose of generating skin analysis results. The provider does not retain photographs beyond the duration of the API request and does not use them for AI model training.

Full sub-processor list: A complete list of our current sub-processors, including their names and locations, is available upon written request to hello@nitera.ai. We will provide this information within 5 business days.

8. International Data Transfers

Some of our sub-processors are located outside the United Kingdom and European Economic Area, including in the United States.

Where we transfer personal data to countries that have not received an adequacy decision from the UK Secretary of State or the European Commission, we rely on appropriate safeguards to protect your data, including:

·UK International Data Transfer Agreements (IDTAs) — for transfers from the UK
·Standard Contractual Clauses (SCCs) approved by the European Commission — for transfers from the EEA
·Supplementary technical measures — including encryption in transit and at rest, and contractual restrictions on data use

These safeguards ensure your data receives equivalent protection to that afforded under UK/EU GDPR, regardless of where it is processed.

You may request a copy of the relevant transfer safeguards by contacting us at hello@nitera.ai.

9. Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected, in accordance with Article 5(1)(e) UK/EU GDPR:

·Active clinic accounts — client and staff data is retained for the duration of the clinic's active subscription
·Cancelled subscriptions — data is retained for 90 days after cancellation to allow for account recovery, then permanently deleted upon written request or automatically after the retention period
·Audit logs — retained for a minimum of 12 months for compliance and dispute resolution purposes
·Payment transaction records — retained for 7 years as required by applicable financial regulations
·Client photographs — stored in encrypted cloud storage and permanently deleted upon clinic request or account termination
·Security and access logs — retained for 90 days for fraud prevention and security monitoring

Clinics may request deletion of specific client records at any time by contacting hello@nitera.ai. We will action deletion requests within 30 days.

10. Data Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, destruction, or damage, in accordance with Article 32 UK/EU GDPR:

·Encryption in transit — all data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher
·Encryption at rest — all data stored in our database and file storage is encrypted at rest
·Access controls — staff access is strictly limited to their own clinic's data only, enforced at the database level
·Authentication — secure token-based authentication with automatic session expiry
·Audit logging — all plan changes and approvals are permanently logged with timestamps and user identifiers
·Clinic data isolation — it is technically impossible for one clinic to access another clinic's data

Data breach notification: In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, in accordance with Article 33 UK/EU GDPR. Where the breach is likely to result in a high risk, we will also notify affected individuals without undue delay.

To report a suspected security incident, please contact us immediately at hello@nitera.ai with the subject line: URGENT: Security Incident.

11. Your Rights

Under UK/EU GDPR, you have the following rights regarding your personal data. These rights apply to data for which Nitera is the controller (clinic staff data). For client data processed on behalf of clinics, please contact your clinic directly.

·Right of access (Art. 15) — you may request a copy of the personal data we hold about you
·Right to rectification (Art. 16) — you may request correction of inaccurate or incomplete data
·Right to erasure (Art. 17) — you may request deletion of your personal data where there is no legitimate reason for us to continue processing it
·Right to restriction (Art. 18) — you may request that we restrict processing of your data in certain circumstances
·Right to data portability (Art. 20) — you may request your data in a structured, machine-readable format
·Right to object (Art. 21) — you may object to processing based on legitimate interests
·Right to withdraw consent (Art. 7) — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing
·Rights related to automated decision-making (Art. 22) — you have the right to request human review of any AI-generated output — see Section 5

To exercise any of these rights, please contact us at hello@nitera.ai. We will respond within 30 days. We will not charge a fee for reasonable requests. We may need to verify your identity before processing your request.

Right to lodge a complaint: If you are unsatisfied with our response, you have the right to lodge a complaint with your supervisory authority — see Section 16.

12. Data Protection Impact Assessment

Nitera processes special category data (health-related photographs and biometric skin analysis) using automated AI processing. In accordance with Article 35 UK/EU GDPR, we have conducted a Data Protection Impact Assessment (DPIA) for this processing activity.

The DPIA identified the following key risk mitigations in place:

·Explicit consent obtained before any photograph is uploaded
·Human practitioner review required before any AI output is used
·Photographs not retained by AI provider beyond the analysis request
·Data minimisation — only the photograph necessary for analysis is transmitted
·Full audit trail of all processing activities
·Clinic data isolation preventing cross-clinic access

The DPIA is reviewed annually and whenever significant changes are made to the AI processing pipeline.

13. Cookies and Tracking

Nitera uses only strictly necessary cookies required for the platform to function. No tracking, advertising, or analytics cookies are used.

Cookies we use:

·Authentication cookies — to maintain your secure login session
·Security cookies — to prevent cross-site request forgery (CSRF attacks)

What we do not use:

·Google Analytics or any third-party analytics
·Advertising or marketing tracking pixels
·Social media tracking cookies
·Third-party CDN scripts that could transmit your IP address to external parties before consent

Technical verification: We have confirmed through network analysis that no third-party scripts are loaded on nitera.ai before any user interaction. All fonts and assets are self-hosted.

As we use only strictly necessary cookies, no cookie consent banner is required under the UK Privacy and Electronic Communications Regulations (PECR) or the EU ePrivacy Directive. This position is reviewed whenever platform updates are made.

14. Children's Privacy

Nitera is a B2B platform intended exclusively for use by aesthetic clinics and their adult clients. We do not knowingly collect personal data from individuals under the age of 18.

If you believe we have inadvertently collected data relating to a minor, please contact us immediately at hello@nitera.ai and we will delete it without undue delay.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons.

When we make material changes, we will:

·Notify active clinic account holders by email at least 14 days before changes take effect
·Update the "Last Updated" date at the top of this page
·Where required by law, seek fresh consent for new processing activities

Continued use of the platform after changes take effect constitutes acceptance of the updated policy. If you do not agree to the changes, you may close your account by contacting us at hello@nitera.ai.

16. Contact & Supervisory Authorities

Data Controller contact:
Email: hello@nitera.ai
Website: nitera.ai
Response time: We aim to respond to all privacy-related enquiries within 5 business days.

Supervisory Authorities:

If you are located in the United Kingdom and believe your data protection rights have been violated, you may lodge a complaint with the Information Commissioner's Office (ICO):
Website: ico.org.uk
Telephone: 0303 123 1113

If you are located in the European Union, you may contact your national data protection authority. A full list of EU supervisory authorities is available at: edpb.europa.eu/about-edpb/about-edpb/members_en

We would, however, appreciate the opportunity to address your concerns before you approach a supervisory authority — please contact us first at hello@nitera.ai.

Questions about your data?

We are happy to answer any questions about how we handle your data.

Contact hello@nitera.ai