Privacy Policy
1. Who we are
Documenti is provided by Apavai Ltd, a UK-based company (Company No. 17036797), registered office 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ. We are committed to protecting your privacy and handling personal data responsibly.
This policy explains how we collect and use personal data when you visit our website (documenti.co.uk), request early access, contact us, or use the Documenti clinic management platform (the "Platform"). It is written to comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Depending on the context, we act as a data controller (for our website, marketing, and our relationship with clinic customers) or as a data processor (when we process patient data on behalf of clinics using the Platform). Our processor role is described in our Data Processing Agreement.
2. What data we collect
We collect data in different contexts. It is important to understand your role in data protection:
2.1 Website visitors and early access
When you visit our website or request early access, we may collect:
- Email address and name (if provided on signup or contact forms)
- Correspondence you send us
- Usage data: pages visited, referral source, browser type, and device information
- IP address (anonymised where possible for analytics)
- Cookie data — see section 9
2.2 Clinic customers (our customers)
When you subscribe to Documenti as a clinic, we collect:
- Your name, email address, and account credentials
- Clinic name, location, and contact details
- Billing contact information and subscription details
- Payment records and invoices (card payments are processed by Stripe; we do not store full card numbers)
- Usage data: features used, login times, IP address, and support communications
2.3 Patient data (processed on your behalf)
When your patients' data is entered into Documenti, we process personal data on your behalf. You remain the data controller and we are your data processor. This data may include special category health data under UK GDPR, such as:
- Patient identity and contact details
- Medical history, clinical notes, and treatment records
- Treatment map data (injection points, products, units, session history)
- Digital consent forms, signatures, and audit trails
- Before and after photographs
- Staff notes and clinical documentation you record in the Platform
You are responsible for informing patients and obtaining any consents required before entering their data into Documenti.
3. Lawful basis for processing
We process personal data on the following lawful bases:
- Contract: Processing necessary to provide the Documenti service, manage your subscription, and support your account
- Legitimate interests: Improving our service, securing the Platform, preventing fraud, and understanding website usage (balanced against your rights)
- Consent: Marketing communications and non-essential analytics cookies on our website (you can withdraw consent at any time)
- Legal obligation: Compliance with UK tax, accounting, and regulatory requirements
For patient health data processed on your behalf, you as controller must identify the appropriate lawful basis under UK GDPR (including Article 9 where applicable). We process that data only on your instructions as processor.
4. How we use your data
We use personal data to:
- Provide, maintain, and improve the Documenti Platform and website
- Process subscriptions and manage billing through Stripe
- Respond to early access requests, enquiries, and support requests
- Send service notifications and important account updates
- Monitor security, prevent fraud, and maintain audit logs
- Analyse website usage to improve our marketing site (with consent where required)
- Send marketing communications about Documenti (with your consent)
- Comply with legal and regulatory obligations
5. Who we share your data with
We do not sell personal data. We share data with carefully selected service providers who process data on our behalf, bound by data protection agreements:
5.1 Platform and infrastructure
- Google Cloud Platform (Google LLC): Application hosting, database, file storage, and backups for the Platform in the europe-west1 region (Belgium). Our marketing website is also hosted on Google Cloud Run in the EU. Google Privacy Policy
5.2 Payments
- Stripe (Stripe Payments Europe, Limited): Subscription billing and payment processing. Stripe handles cardholder data; we do not store full card numbers on our servers. Stripe may process payment data in the United States and other countries under appropriate safeguards. Stripe Privacy Policy
5.3 Website and communications
- Mailchimp (Intuit Inc.): Early access signups and marketing email communications. Data may be processed in the United States under Standard Contractual Clauses. Mailchimp Privacy Policy
- Google Analytics (Google LLC): Website analytics when you accept cookies on our marketing site. IP addresses are anonymised. Data may be processed in the United States under appropriate safeguards. Google Privacy Policy
5.4 Legal requirements
We may disclose data when required by law (for example court orders, regulatory requests, or fraud investigations). We will notify you of such requests unless prohibited by law.
6. International data transfers
Patient and clinic data on the Platform is hosted in the EU (europe-west1, Belgium) on Google Cloud Platform. Subscription payments are processed by Stripe, which may process billing data outside the UK and EEA. Some website and marketing service providers may also process data outside the UK and EEA. Where this occurs, we ensure appropriate safeguards are in place, including:
- UK International Data Transfer Agreement and/or UK Addendum to the EU Standard Contractual Clauses
- Standard Contractual Clauses with processors where applicable
- Your explicit consent where required (for example non-essential cookies)
7. Data retention
We retain personal data only as long as necessary:
- Active clinic accounts: Patient and clinic data retained while your subscription is active
- After subscription cancellation: Data available for export for 30 days, then securely deleted unless a legal hold applies
- Payment and billing records: Retained for up to 6 years for UK tax and accounting requirements
- Early access and marketing emails: Retained until you unsubscribe or are onboarded as a customer
- Website analytics: Google Analytics data retained for 14 months
- Support correspondence: Retained for up to 2 years unless a longer period is required by law
You may request deletion of your data at any time, subject to legal retention requirements.
8. Your rights
Under UK GDPR, you have the following rights regarding personal data we control:
- Right of access: Request a copy of your personal data
- Right to rectification: Correct inaccurate data
- Right to erasure: Request deletion (subject to exceptions)
- Right to restrict processing: Limit how we use your data in certain circumstances
- Right to data portability: Receive your data in a portable format
- Right to object: Object to processing based on legitimate interests or for marketing
- Right to withdraw consent: Where we rely on consent, you may withdraw it at any time
Patient data rights requests should generally be directed to the clinic (data controller). We will assist our clinic customers as processor, as described in our Data Processing Agreement.
To exercise your rights, contact us. We will respond within one month.
9. Cookies
Cookies are small text files stored on your device when you visit our website. We use cookies in compliance with UK PECR (Privacy and Electronic Communications Regulations 2003).
Essential cookies
These cookies are necessary for the website and Platform to function. They include session and authentication cookies, security tokens, and cookie consent preferences. They cannot be switched off.
Analytics cookies (optional)
If you choose Accept in our cookie banner on the marketing website, we may load Google Analytics to understand how visitors use documenti.co.uk. Analytics cookies are not required for the Platform to work and are not enabled on clinical workspace pages without your consent.
Marketing cookies
Mailchimp may set cookies when you submit forms on our website to track signups and email engagement.
Payment cookies
When you subscribe or update billing details, Stripe may set cookies or similar technologies to process payments securely and prevent fraud.
Your cookie choices
When you first visit our marketing website, a banner lets you choose Essential only or Accept. You can change your choice by clearing site data in your browser or contacting us. See also our Cookie Policy in the Terms & Conditions.
10. Children's data
Documenti is designed for use by clinics and their staff. Our website and accounts are not intended for children under 18. Patient records may include data about minors treated at clinics; in that case the clinic is responsible for lawful processing and appropriate consents.
11. Data security
We implement technical and organisational measures to protect personal data, including:
- HTTPS/TLS encryption for all data in transit
- Encryption at rest on our cloud infrastructure
- Access controls and authentication for Platform accounts
- Logical separation between clinic tenants on the Platform
- Regular backups and monitoring
- Incident response procedures for suspected data breaches
No system is completely risk-free. You are responsible for keeping your account credentials confidential and managing staff access within your clinic.
12. Changes to this policy
We may update this policy from time to time. Material changes will be communicated via email or a prominent notice on our website. Continued use of the service after changes take effect constitutes acceptance of the updated policy.
13. Contact and complaints
If you have questions about this policy or your data:
- Contact us via our website
- Write to: Apavai Ltd, 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ
If you are unhappy with how we handle your data, you may lodge a complaint with the Information Commissioner's Office (ICO):