GleamConnect Privacy Policy

Effective date: 18 April 2026
Version: privacy-2026-04-18
Privacy policy covering how Gleam Connect Ltd handles personal data across its websites, apps, APIs, and support flows.

Provider: Gleam Connect Ltd
Company number: [insert after incorporation]
Registered office: [insert registered office]
Country of incorporation: Ireland
Primary contacts: legal@gleamconnect.com | privacy@gleamconnect.com | support@gleamconnect.com
Last updated: 18 April 2026
Status: Draft legal pack for implementation and external solicitor review before production launch

This privacy policy explains how GleamConnect handles personal data across the official website, clinic portal, clinic tablet application, user website, user mobile application, APIs, support channels, archive controls, and related services.

This policy is drafted with reference to Regulation (EU) 2016/679 (the GDPR), the Data Protection Act 2018, and related Irish and EU privacy rules.

1. Who we are

Gleam Connect Ltd operates the GleamConnect platform. For questions about privacy, rights requests, or complaints, contact privacy@gleamconnect.com.

2. Roles: when we are controller and when we are processor

2.1 We act as controller for:

  • official website enquiries and lead forms;
  • clinic account creation and onboarding;
  • subscription billing and finance administration;
  • account security, fraud detection, abuse prevention, and service integrity;
  • product telemetry, technical logs, and security monitoring;
  • support communications;
  • archive access governance, legal hold records, and evidence bundle workflows;
  • recruitment or business communications if applicable.

2.2 We act as processor for clinics in relation to:

  • patient profiles and contact details entered by clinics;
  • appointment, booking, and schedule data;
  • intake forms, consent records, and attached files;
  • treatment administration data and clinic-entered notes;
  • clinic-defined communications sent through the services;
  • certain AI-assisted processing performed solely on the clinic’s documented instructions.

Where we act as processor, the relevant clinic is the controller and is responsible for identifying the lawful basis, issuing notices, and obtaining any consent required by law.

3. Categories of personal data

Depending on the service and role, we may process:

3.1 Identification and account data

Names, usernames, login credentials, password hashes, contact details, staff role assignments, clinic profile details, and account settings.

3.2 Booking and operational data

Appointment times, services selected, staff assignment, location, booking history, attendance status, service preferences, internal administrative notes, and communications metadata.

3.3 Patient and intake data

Data supplied by or for the clinic about a patient or user, including intake responses, declared allergies, contraindications, prior treatment details, uploaded files, e-signatures, and consent checkpoints. Some of this data may amount to special category data, including health-related data.

3.4 Billing and payment data

Subscription billing details, invoices, tax information, partial payment metadata, transaction identifiers, fraud review signals, and processor references. GleamConnect does not intentionally store full raw payment card numbers when card processing is handled by certified payment partners.

3.5 Device, usage, and security data

IP addresses, device identifiers, browser and app metadata, authentication events, session data, access logs, audit trails, crash reports, queue and system events, and abuse/fraud indicators.

3.6 Archive and evidence data

Restricted copies of booking snapshots, intake PDFs, audit logs, archive requests, legal hold flags, evidence manifest files, and access logs generated for legal compliance and service integrity.

4. Sources of personal data

We collect personal data:

  • directly from clinics, staff, patients, and end users;
  • from devices and browsers interacting with the services;
  • from payment processors, infrastructure providers, or communication tools involved in delivering the services;
  • from clinics who upload or synchronise records into the platform;
  • from support interactions and dispute workflows.

5. Purposes and lawful bases

When we act as controller, we rely on one or more of the following lawful bases under Article 6 GDPR:

5.1 Contract

To create and manage accounts, provide subscriptions, authenticate users, support bookings, and perform our contractual obligations.

5.2 Legitimate interests

To secure the platform, prevent abuse, detect fraud, monitor service health, improve reliability, maintain archive and evidence controls, defend legal claims, and run the business responsibly.

5.3 Legal obligation

To comply with tax, accounting, legal process, regulatory, data protection, and security obligations.

5.4 Consent

Where required by law, for example in relation to certain optional cookies or marketing communications.

5.5 Special category data

Where we process special category data as processor for clinics, the clinic is responsible for ensuring an appropriate Article 9 condition applies. Where GleamConnect separately processes restricted records for legal claims, security, or archive governance, processing may rely on the necessity of processing for the establishment, exercise, or defence of legal claims or other lawful grounds available under applicable law.

6. How we use data

We use personal data to:

  • operate and secure the platform;
  • authenticate users and manage permissions;
  • provide customer support and onboarding;
  • bill clinics and manage subscriptions;
  • generate documents and communications requested through the services;
  • enforce our terms and acceptable use rules;
  • investigate incidents, fraud, and misuse;
  • maintain restricted archive records and evidence bundles for legal, compliance, and integrity purposes;
  • comply with legal obligations and respond to lawful requests.

7. AI-assisted features

Where available, AI-assisted features may help summarise, route, or support operational workflows. AI outputs are assistive only and are not a substitute for professional judgement. We do not use identifiable clinic patient data to train unrelated public AI models.

8. Sharing and disclosure

We may disclose personal data to:

  • infrastructure, hosting, support, messaging, and security providers acting for us;
  • payment processors for billing and transaction handling;
  • professional advisers, insurers, auditors, or acquirers subject to confidentiality;
  • regulators, law enforcement, or courts where required;
  • the relevant clinic where the clinic is the controller and the disclosure is part of the service.

We do not sell personal data.

9. International transfers

Where data is transferred outside the EEA/UK, we use appropriate safeguards such as adequacy decisions, standard contractual clauses, supplementary measures, or another valid transfer mechanism, depending on the provider and transfer route in use at the time.

10. Retention, deletion, and archive

We keep personal data only for as long as reasonably necessary for the purposes described in this policy, unless a longer retention period is required or permitted by law.

10.1 Active records

Active records remain accessible only while operationally required for the relevant account, clinic workflow, support issue, or subscription relationship.

10.2 Restricted archive

When records are deleted from active use, we may retain selected records in a restricted archive for legal compliance, fraud prevention, system integrity, dispute resolution, and the establishment, exercise, or defence of legal claims.

Archived records:

  • are not available for ordinary operational use;
  • are access-restricted;
  • are subject to audit logging;
  • may be retained for a default baseline of 6 years from the archival event unless a longer period is required by law, legal hold, insurer requirement, or regulatory request.

10.3 Legal hold

Where a dispute, complaint, regulator request, insurer request, or legal process is active or anticipated, relevant records may be held beyond standard retention until the matter is resolved and lawful deletion is permitted.

11. Your rights

Depending on your role and applicable law, you may have rights to:

  • access your personal data;
  • request rectification;
  • request erasure;
  • request restriction;
  • object to certain processing;
  • receive data portability where applicable;
  • withdraw consent where processing relies on consent;
  • lodge a complaint with the Irish Data Protection Commission or another competent supervisory authority.

Some rights are not absolute. We may refuse or limit a request where processing remains necessary for legal obligations, platform security, fraud prevention, archive integrity, or the establishment, exercise, or defence of legal claims.

Where we act only as processor for clinic-controlled data, we may direct your request to the relevant clinic.

12. Security

We use technical and organisational measures designed to protect data, including measures relating to encryption, authentication, logging, role-based access, environment controls, incident monitoring, and internal access governance. No online system is fully risk-free.

13. Children and minors

The services are not directed at children for independent use unless a clinic uses the services in a lawful manner that permits minor-related records under the clinic’s own obligations. Clinics are responsible for any parental consent or lawful basis requirements that apply to minors.

14. Complaints and contact

Contact privacy@gleamconnect.com for privacy questions or rights requests. You may also lodge a complaint with the Data Protection Commission in Ireland if you believe your data has been handled unlawfully.