Terms of Service

Dupital Clinic Terms of Service (UK) + Data Processing Addendum

Last updated: 7 October 2025


These Terms govern your use of Dupital’s services (the “Services”). By creating an account or using the Services, you agree to these Terms.


1) Who we are

“Dupital”, “we”, “us” means Dupital LTD, 178 New Road Side, Horsforth, Leeds, LS18 4DP, England.

We provide AI-powered simulation tools for clinics and licensed professionals.


2) Business use only; accounts

- You warrant that you act in the course of business and are authorised to bind your organisation.

- Keep credentials confidential; you are responsible for activity under your account.


3) Clinic responsibilities

- Compliance: You are solely responsible for compliance with medical, advertising (including ASA/CAP and MHRA rules on POMs), consumer, privacy, and record-keeping laws.

- Patient consent: Obtain valid, documented consent (including age 18+ confirmation and image processing) before uploading or enabling uploads.

- Transparency: Present a clear patient-facing privacy notice at the point of upload/collection that identifies your clinic as Controller and Dupital as Processor (or link to Dupital’s Patient Privacy Notice) and explains the illustrative nature of simulations.

- No guarantees: Inform patients that outputs are illustrative simulations only, not medical advice or guaranteed outcomes.

- POM gating: Do not use simulations that imply effects of POMs (e.g., botulinum toxin, weight-loss injectables) in public advertising. Restrict such simulations to private consultation flows only.

- On‑image disclaimer: Do not remove/obscure the on‑image notice (e.g., “Illustrative simulation. Actual results will vary.”) in any context.

- Prohibited content: No unlawful, harmful, infringing, non‑consensual, or under‑18 content.


4) Use of Services

- Internal use only; no resale, sublicensing, scraping, or reverse engineering.

- We may apply technical limits and may update, suspend, or discontinue features to manage risk, with reasonable notice when practicable.


5) Payments, simulations, refunds

- Plans may be subscription‑based and/or simulation‑based. Billed via our payment processor. Taxes/VAT may apply.

- When a simulation is “used”: when an output is successfully generated and delivered (regardless of subjective satisfaction). Auto‑retry on failure due to the Service.

- Refunds: No refunds for used simulations; unused simulation refunds at our discretion. Subscription periods are non‑refundable unless required by law.


6) Intellectual property

- The Services, software, and documentation belong to Dupital and its licensors. You retain rights in your marks, content, and patient data. You grant us a limited licence to process your content solely to provide the Services.


7) Medical & AI disclaimers; not a medical device

- Outputs are AI‑generated illustrative simulations; not medical advice, diagnosis, treatment, or a medical device output. You remain solely responsible for clinical judgment, patient communication, informed consent, and outcomes.


8) Privacy & roles

- For patient data: you are Data Controller; Dupital is Data Processor under the DPA.

- For your account, billing, and website data: Dupital is Data Controller (see Dupital Privacy Notice).

- We do not train models on patient images without explicit opt‑in consent from both clinic and patient.


9) Warranties; availability

- Services are provided “as is” and “as available.” We disclaim all warranties to the maximum extent permitted by law.


10) Liability cap

- To the maximum extent permitted by law: neither party is liable for indirect or consequential damages. Dupital’s aggregate liability is capped at fees you paid in the 12 months before the claim.


11) Indemnity

- You will indemnify Dupital against claims arising from your unlawful use, breach of these Terms, failure to obtain valid patient consents, or use of simulations in contravention of ASA/CAP/MHRA rules.


12) Suspension; termination

- We may suspend/terminate for breach, non‑payment, or legal risk. You may cancel anytime; cancellation takes effect at the end of the billing period. On termination, data is handled under the DPA/Privacy Notice.


13) Governing law; venue

- These Terms are governed by the laws of England and Wales. The courts of England and Wales have exclusive jurisdiction.


14) Changes

- We may update these Terms; material changes will be notified. Continued use after the effective date constitutes acceptance.



Data Processing Addendum (DPA) – UK GDPR

This DPA forms part of the Terms and applies where Dupital processes Patient Personal Data on your behalf.


A) Roles

- Controller: Clinic

- Processor: Dupital LTD


B) Subject matter, duration, purpose

- Subject matter: Patient photos, age confirmations, consent records, minimal identifiers, and technical logs necessary to generate and deliver simulations.

- Duration: While your account is active. Patient images are retained for up to 30 days, then deleted (or earlier upon your documented instruction).

- Purpose: Secure intake, AI simulation, delivery, consent logging, deletion, support, and security/abuse prevention.


C) Categories of data & data subjects

- Data subjects: Patients/prospective patients.

- Data: Photos (may reveal special category data), minimal identifiers (as configured by you), consent wording + timestamp, technical logs.


D) Processor obligations

Dupital will:

- Process data only on documented instructions and as necessary to provide the Services;

- Ensure personnel with access are bound by confidentiality;

- Maintain appropriate technical and organisational measures (encryption in transit/at rest, access controls, monitoring);

- Assist you, where feasible, with data subject requests, DPIAs, breach notifications, and consultations with supervisory authorities;

- Delete or return personal data upon termination or your instruction, unless retention is required by law; and

- Provide information reasonably necessary to demonstrate compliance and allow reasonable audits (subject to confidentiality and security).


E) Sub‑processors

- You authorise Dupital to use sub‑processors (e.g., hosting, image handling, AI providers, support, payments). Current list: https://dupital.com/subprocessors. Dupital remains responsible for sub‑processors’ obligations. You may object on reasonable grounds within 10 days of notice of a material change.


F) International transfers

- Where data is transferred outside the UK/EEA, Dupital will implement appropriate safeguards (UK IDTA/Addendum and/or EU SCCs) and supplementary measures as needed.


G) Deletion and retention

- Patient images: deleted within 30 days of upload by default. You may instruct earlier deletion for specific records.

- Logs/backups: may persist briefly for security and continuity, then purged according to our retention schedule.


H) Security incidents

- Dupital will notify you without undue delay and within 72 hours of becoming aware of a personal data breach affecting patient data, providing information to enable you to meet your legal obligations.


I) POM and public advertising (compliance support)

- Dupital may provide technical controls to restrict simulations that imply POM effects from public widgets. You remain responsible for ensuring public marketing does not promote POMs and that simulations are used with appropriate disclaimers and in private consultation contexts where required.