Privacy Policy

GraftScan3D Ltd ("we", "us", "our") is committed to protecting your privacy and handling personal data in a transparent and secure manner. This Privacy Policy explains how we collect, use, store, and protect personal information when you use our website, services, or imaging systems.

1. Who We Are

GraftScan3D Ltd
THemistokli Dervi, 48,
306-1066, Lefkosia, Cyprus

Email: [email protected]
Operating under the Cyprus IP Box regime.

We act as the Data Controller for personal data processed through our website and for commercial enquiries. Clinics using our imaging systems may act as Data Controllers for patient data they upload or process.

2. What Data We Collect

2.1 Data You Provide Directly

• Name
• Email address
• Phone number (optional)
• Clinic or business name
• Enquiry details
• Partnership or demo request information

2.2 Technical Data

• IP address
• Browser and device information
• Site usage analytics (Cookies – see Section 9)

2.3 Imaging Data (Clinics Only)

For clinics that use our scalp or body scanning solutions:

• 3D imaging files
• Patient assessment metadata

3. How We Use Your Data

We process personal data for the following purposes:

• Responding to enquiries and demo requests
• Managing clinic partnerships or sales communication
• Providing technical support
• Operating and improving our imaging systems
• Maintaining website security
• Fulfilling legal and regulatory obligations

We never sell or rent personal data to third parties.

4. Legal Basis for Processing (GDPR)

We rely on one or more of the following lawful bases:

• Consent – when you submit a contact form or request information
• Contractual necessity – to provide services to clinics or partners
• Legitimate interest – business administration, security, and product improvement
• Legal obligation – where required under applicable laws

5. How We Store & Protect Data

We use secure, encrypted infrastructure to store and process data, including:

• Encrypted cloud hosting within the EU
• Access-controlled systems
• Firewalls and intrusion prevention
• Encrypted backups
• Strict internal security policies

We retain data only for as long as necessary for the purposes described in this policy.

6. Sharing of Data

We may share data with:

• Trusted service providers (hosting, analytics, support tools)
• Legal or regulatory authorities where required
• Clinics or partners where you have given explicit consent

We do not share data with third parties for marketing. All third-party partners are required to follow GDPR-aligned practices.

7. International Transfers

Where data is transferred outside the European Economic Area (EEA), we use:

• Standard Contractual Clauses (SCCs)
• Adequacy decisions, or
• Equivalent GDPR-approved safeguards

8. Your Rights Under GDPR

You have the right to:

• Access your data
• Correct inaccurate information
• Request deletion ("Right to be forgotten")
• Restrict processing
• Object to processing
• Request data portability
• Withdraw consent at any time (where applicable)

To exercise your rights, contact: [email protected]

9. Cookies & Analytics

We use cookies for:

• Website functionality
• Performance monitoring
• Usage analytics

You can manage or disable cookies directly through your browser settings.

10. Retention Periods

We retain:

• Contact/enquiry data: up to 24 months
• Clinic partnership records: as contractually required
• Imaging data: only as long as the clinic maintains an active account or contract

11. Changes to This Policy

We may update this Privacy Policy periodically. Any changes will be posted on this page with an updated revision date.