
Privacy Policy

Effective date: 2026-01-01

GleamConnect – Privacy Policy

Last updated: 10 February 2026

Controller: Nina Marketing Ltd (Company No. 765056)

8 Moylaragh Lane, Balbriggan, Dublin, K32 T044, Ireland

Privacy contact: privacy@gleamconnect.com


This Privacy Policy explains how we collect, use, disclose, and protect personal data when you use the GleamConnect websites, web applications, and mobile/tablet applications (the “Services”).

Where a Clinic uses GleamConnect to process patient/client information, the Clinic is typically the data controller for that information and we act as processor on the Clinic’s behalf. See Section 3 (Roles).

1. Who We Are

The Services are operated by Nina Marketing Ltd (Company No. 765056), registered office: 8 Moylaragh Lane, Balbriggan, Dublin, K32 T044, Ireland (“GleamConnect”, “we”, “us”).
Privacy contact: privacy@gleamconnect.com.

2. Key Concepts

“Personal Data” means information relating to an identified or identifiable person.

“Special Category Data” includes health data and other sensitive categories under GDPR Article 9.

“Controller” determines the purposes and means of processing personal data.

“Processor” processes personal data on behalf of a controller.

3. Roles: Controller vs Processor

3.1 When We Are a Controller

We act as a controller for:
• marketing site visitors and lead enquiries;
• platform administration (account creation for clinic owners/admins), authentication and security;
• billing/subscription management and fraud prevention;
• service communications and support; and
• internal platform analytics and performance monitoring (minimal, internal only).

3.2 When We Are a Processor

We act as a processor for Clinic Data processed through the Services, including patient/client records, bookings, staff notes, intake forms and attachments, where such data is submitted by the Clinic or its Staff users.
In these cases, the Clinic is the controller and is responsible for selecting lawful bases, providing notices, and obtaining consent where required.

4. Personal Data We Collect

4.1 Data You Provide

Account data: name, email, phone, role, clinic association.

Clinic operational data: bookings, services, staff schedules, client communications.

Address data: clinic address; client address if collected by clinic.

Support data: messages, tickets, and troubleshooting information.

4.2 Special Category Data (Health Data)

Clinics may choose to store health-related information (such as medical history, contraindications, intake responses). This may constitute Special Category Data. GleamConnect processes such data as a processor on behalf of the Clinic, subject to the DPA.

4.3 Automatically Collected Data

Device and log data: IP address, device identifiers, app version, timestamps, authentication events.

Security data: failed logins, suspicious activity indicators, audit trails.

Performance diagnostics: crash reports and error logs.

We use minimal internal analytics and diagnostics to maintain and improve service reliability. We do not use third-party behavioural tracking or marketing profiling by default (see Section 8).

5. How We Use Personal Data (Purposes)

Provide and administer the Services (account creation, authentication, core features).

Process Clinic Data on behalf of Clinics (as processor).

Maintain security, prevent fraud and abuse, and protect platform integrity.

Provide support and communicate service-related information.

Manage billing, subscriptions, invoices, and tax compliance.

Improve reliability and performance through internal analytics and diagnostics.

Comply with legal obligations and enforce our agreements.

6. Legal Bases (When We Are Controller)

Where we act as controller, we rely on one or more lawful bases under GDPR Article 6:
• Contract: to provide the Services requested by you or your Clinic.
• Legitimate interests: for security, fraud prevention, service improvement, and support (balanced against your rights).
• Legal obligation: for accounting, tax, and compliance requirements.
• Consent: for non-essential cookies or where required by law.

Where Clinics process Special Category Data, Clinics must rely on appropriate Article 9 conditions (e.g., explicit consent or other applicable condition) and remain responsible as controllers.

7. Sharing and Disclosure

7.1 Within a Clinic

Clinic users and Staff may access Clinic Data according to role-based permissions set by the Clinic. Clinics are responsible for configuring access appropriately.

7.2 Service Providers (Sub-processors)

We use third-party providers to operate the Services. They process data under contractual obligations and only on our instructions.
Our current sub-processors include:

| Sub-processor | Purpose |
| --- | --- |
| Amazon Web Services (AWS) | Hosting, compute, storage, networking, logging |
| MongoDB | Database services (managed hosting or software services as configured) |
| Stripe | Payment processing and billing |
| Resend | Transactional email delivery |
| Vercel | Web hosting and deployment (official website and/or web apps) |
| Firebase | Notifications/messaging (push notifications and related services, when enabled) |

7.3 Legal and Safety Disclosures

We may disclose information where required by law, to respond to lawful requests, or to protect rights, safety, and security, including investigating suspected fraud or abuse.

8. Cookies and Tracking

We use cookies and similar technologies primarily for strictly necessary purposes (authentication, security, session management). Non-essential cookies are only used with consent. See our Cookie Policy for details.

9. International Transfers

Where personal data is transferred outside the EEA, we implement appropriate safeguards such as Standard Contractual Clauses and supplementary measures where required.

10. Data Retention

| Data category | Typical retention | Reason |
| --- | --- | --- |
| Account and admin data | Active account + reasonable period after closure | Contract, security, support |
| Clinic Data (patient/client records, bookings, intake forms) | As configured by Clinic; minimum 5 years where Clinic requires | Clinic legal/regulatory and safety needs |
| Billing and invoicing | As required by tax/accounting laws | Legal obligation |
| Security logs and audit trails | Limited to operational necessity (typically months to 2 years) | Security and abuse prevention |
| Backups | Rolling backup retention per operational policy | Disaster recovery |

Clinics are responsible for deciding retention periods for Clinic Data and ensuring compliance with storage limitation requirements. Where Clinics indicate a minimum retention period (e.g., at least 5 years for patient safety and legal reasons), we will support such retention subject to contractual terms and lawful requirements.

11. Security

We implement technical and organisational measures to protect personal data, including encryption in transit (TLS), access controls, least privilege, audit logging, secure secrets management, and incident response procedures. No system is perfectly secure; you should also take appropriate steps to protect your accounts and devices.

12. Your Rights

Depending on your relationship with the Services and applicable law, you may have rights to:
• access, rectification, erasure;
• restriction and objection;
• data portability; and
• withdraw consent (where processing is based on consent).

If you are a patient/client of a Clinic, requests relating to Clinic Data should generally be directed to the Clinic as controller. We will assist Clinics as required by our DPA.

13. Children

The Services are not directed to children for independent use. Clinics are responsible for obtaining appropriate consents where they provide services to minors and for managing related records in accordance with law and professional requirements.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will post the updated version and, where changes are material, take reasonable steps to notify Clinic customers through service communications.

15. Contact and Complaints

For privacy questions, contact: privacy@gleamconnect.com.
You may also complain to the Irish Data Protection Commission (DPC). If you are located elsewhere in the EEA, you may complain to your local supervisory authority.