Privacy Policy
Dupital Patient Privacy Notice (UK)
Last updated: 7 October 2025
This notice explains how your personal data is processed when you use Dupital-powered photo simulations via a clinic in the UK.
Layered summary (for quick read)
- Purpose: To generate an illustrative, non-predictive simulation for you and your chosen clinic.
- Roles: Your clinic is the Data Controller. Dupital LTD is the Data Processor acting on the clinic’s instructions.
- Legal basis: Your explicit consent for image processing (including any sensitive information) and the clinic’s legitimate interests in handling your enquiry.
- What we process: Your uploaded photo(s), name/contact details you provide, age confirmation, consent records, and minimal technical logs.
- Retention: Images are retained for up to 30 days, then permanently deleted. You may request earlier deletion or withdraw consent at any time.
- Sharing: With necessary sub‑processors to run the service (see https://dupital.com/subprocessors) and where required by law. We do not sell your data.
- Transfers: If data is transferred outside the UK/EEA, approved safeguards are used (UK IDTA/Addendum or EU SCCs, as applicable).
- Your rights: Contact your clinic to access, delete, or withdraw consent. You can also contact Dupital, and we’ll support your clinic in responding. You may complain to the ICO.
- Safety: Images are encrypted in transit and at rest. Access is restricted. No system is 100% secure.
- Children: Service is for 18+ only.
- Important: Simulations are illustrative only. They are not medical advice or guarantees of outcome.
Full notice
1) Who is responsible for your data
- Controller: Your clinic (the provider you submitted your image to). They decide why and how your data is processed.
- Processor: Dupital LTD (“Dupital”), which provides the simulation technology on the clinic’s behalf.
• Dupital LTD, 178 New Road Side, Horsforth, Leeds, LS18 4DP, England
• Contact: hello@dupital.com
2) What we collect and from whom
- Patient-provided data: Your uploaded image(s), name/contact details you submit, age confirmation, and your consent tickbox selections (including the exact wording shown and timestamp).
- Technical data: Minimal device/browser information, simulation IDs, and event timestamps needed to deliver the simulation and maintain an audit trail.
- Special category data: Your image may reveal health/biometric information. The clinic is responsible for having a valid lawful basis; Dupital processes such data only under the clinic’s instructions and your explicit consent.
3) Purposes of processing
- Generate, deliver, and display an illustrative (non-predictive) simulation to you and your clinic.
- Log consent and maintain a compliance/audit trail.
- Secure the service, prevent abuse, and ensure reliability.
- Provide support to the clinic in handling your enquiry.
We do not use your images for model training or marketing unless you provide separate, explicit opt‑in consent (from both you and the clinic, where required).
4) Legal bases (UK GDPR)
- Patients: Explicit consent for processing images and related personal data; the clinic’s legitimate interests to respond to your enquiry and handle consultation steps. Dupital acts only on the clinic’s documented instructions.
- Clinics: Contract and legitimate interests for their account, billing, and platform administration (see Dupital’s Clinic Privacy Notice).
5) Sharing and recipients
- Sub‑processors used to host, process, and secure the service (e.g., hosting, image handling, AI providers, payments for the clinic’s account). Current list: https://dupital.com/subprocessors
- Professional advisors, auditors, or authorities where required by law.
- We do not sell your personal data.
6) International data transfers
- If your data is transferred outside the UK/EEA, Dupital ensures appropriate safeguards are in place (UK IDTA/Addendum and/or EU Standard Contractual Clauses, as applicable), plus supplementary measures where needed.
7) Retention
- Patient images: Retained for up to 30 days to allow the clinic to manage your enquiry, then permanently deleted.
- Earlier deletion/withdrawal: You may withdraw consent or request earlier deletion via your clinic or by contacting Dupital; we will act without undue delay, coordinating with the clinic.
- Consent/audit logs and minimal technical records: Retained only as necessary for compliance, security, and service continuity.
8) Your rights
- You have rights to access, rectification, erasure, restriction, portability, and to withdraw consent at any time. Because your clinic is the Controller, please contact your clinic first. You may also contact Dupital at hello@dupital.com; we will support the clinic in responding.
- You can lodge a complaint with the UK Information Commissioner’s Office (ICO) if you are unhappy with how your data is handled.
9) Children
- The service is for individuals aged 18 or over. Clinics are responsible for verifying age before enabling uploads.
10) Security
- We apply reasonable technical and organisational measures, including encryption in transit and at rest, access controls, monitoring, and regular reviews. No system is completely secure.
11) Automated decision-making
- We do not conduct solely automated decision-making that produces legal or similarly significant effects. Simulations are illustrative only and are not used for clinical decisions without a human professional.
12) Important notices on simulations and POM advertising
- Simulations are illustrative and not a guarantee of results, diagnosis, or medical advice.
- Where a simulation relates to a prescription-only medicine (POM), clinics may only share such simulations privately as part of a consultation, not publicly (in line with UK MHRA/ASA rules).
13) Contact
- Controller (your clinic): See the clinic’s privacy notice or website for contact details.
- Processor (Dupital): hello@dupital.com, Dupital LTD, 178 New Road Side, Horsforth, Leeds, LS18 4DP, England.
14) Changes to this notice
- We may update this notice from time to time. Material changes will be communicated via the clinic or within the service interface.