1. Data controller
Acots Global Private Limited (“Acots Global”, “we”, “us”) is the controller for personal data processed through this website and our business operations in connection with patient reactivation campaigns for cosmetic clinics. Contact: hello@acotsglobal.com.
2. What we collect
Depending on how you interact with us, we may process:
- Clinic contact data — name, role, clinic name, email, phone/WhatsApp, city, and information you submit via our contact form or email.
- Patient data (on behalf of clinics) — when engaged under contract, we process patient identifiers and campaign data supplied by the clinic (e.g. name, contact details, last visit date, treatment type) solely to deliver reactivation services. The clinic remains responsible for lawful collection and consent where required.
- Technical data — IP address, browser type, approximate location derived from IP, and cookies as described in our Cookie Policy.
- Communication records — correspondence necessary to deliver services, support campaigns, or respond to enquiries.
3. How we use your data
We use personal data to:
- Respond to enquiries, schedule strategy calls, and operate our website securely.
- Onboard clinics, configure campaigns, send follow-ups under the clinic's brand, and report recovered bookings and revenue.
- Improve our services, analyse aggregate usage trends, and maintain IT security.
- Comply with legal obligations and enforce our agreements.
4. Legal bases (UK / EEA)
Where GDPR applies, we rely on appropriate bases such as: performance of a contract, legitimate interests (operating a B2B patient reactivation service, securing our systems), consent where required (e.g. certain cookies or marketing), and legal obligation. For patient data we process as a processor on behalf of clinics, the clinic determines the lawful basis; we act under a Data Processing Agreement.
5. Health & sensitive data
Campaign data may include treatment-related information supplied by clinics. We process such data only as instructed by the clinic, apply access controls and encryption in transit where standard, and design workflows with GDPR, HIPAA, and DPDP (India) principles in mind. We do not use patient data for unrelated marketing or sell it to third parties.
6. Sharing
We share data only as needed: with subprocessors who host messaging, analytics, or infrastructure under strict terms; with the engaging clinic as controller of patient data; or when required by law. We do not sell personal data.
7. International transfers
If we transfer data outside the UK, EEA, or India, we use appropriate safeguards such as standard contractual clauses or adequacy decisions, unless an exception applies.
8. Retention
We keep data only as long as necessary for the purposes above, including resolving disputes and meeting legal retention periods. Patient campaign data is deleted or returned to the clinic when the engagement ends, unless a longer period is agreed in writing or required by law.
9. Your rights
Subject to local law, you may have rights to access, rectify, erase, restrict, or port your data, and to object to certain processing. Patients should contact their clinic as primary controller; clinic contacts may email hello@acotsglobal.com to exercise rights relating to data we control directly.
10. Security
We implement technical and organisational measures appropriate to the risk, including access controls and encryption in transit where standard. No system is perfectly secure; please protect credentials shared with us.
11. Updates
We may update this policy periodically. Material changes will be reflected by updating this page and the “Last updated” date.
For cookie-specific information, see our Cookie Policy. For contractual data processing under client engagements, our Data Processing Agreement applies.