Last updated: 7 March 2026
Privacy Policy
This policy explains how Apex AI (“we”, “us”, “our”) collects, uses, and secures personal data. We operate under UK GDPR and the Data Protection Act 2018.
1. Who We Are
Apex AI provides AI-powered booking, payment, and admin automation for service businesses. Our platform serves two groups:
- Business clients (“Clinics”) — service businesses (medical aesthetics clinics, studios, practices) who subscribe to our platform to manage bookings, payments, and client communications.
- End consumers (“Clients”) — individuals who book appointments, make payments, or subscribe to communications through a clinic’s booking portal powered by our platform.
2. Data Controller & Processor Roles
- For clinic accounts: Apex AI is the data controller. We decide what data to collect from clinic owners and how to use it to provide our services.
- For end consumer data: Your clinic controls the data. We process it on your behalf to deliver booking, payment, and communication features. A Data Processing Agreement (DPA) governs this relationship and is available on request.
3. Data We Collect
From clinic owners (B2B)
- Account details: name, email address, phone number
- Business information: clinic name, address, services offered
- Payment information: processed via Stripe (we do not store card details)
- Usage data: login activity, feature usage, support interactions
From end consumers (via clinic portals)
- Booking details: name, email, phone number, selected treatment, appointment time
- Payment details: processed via Stripe (we do not store card details)
- Marketing preferences: email subscription consent, treatment interest
- Communication records: appointment reminders sent via SMS and email
Automatically collected
- Device and browser information via cookies and analytics
- IP address and approximate location
- Pages visited and interactions on the platform
4. How We Use Your Data
- Service delivery: processing bookings, collecting payments, sending appointment reminders, managing clinic accounts
- Communications: transactional emails (booking confirmations, reminders), marketing emails (where consented), and support
- Platform improvement: analytics, error tracking, and performance improvements
- Legal compliance: fraud prevention, dispute resolution, and regulatory obligations
5. Legal Basis for Processing
- Contract: processing necessary to deliver our services (bookings, payments, reminders)
- Consent: marketing communications, email subscriptions, and cookies
- Legitimate interest: platform security, fraud prevention, and service improvements
- Legal obligation: tax records, regulatory compliance
6. Data Sharing & Sub-Processors
We never sell personal data. We share data only with trusted providers who help run our service:
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database & authentication | EU (Frankfurt) |
| Stripe | Payment processing | US / EU |
| Vercel | Website hosting | Global CDN |
| Twilio | SMS reminders | US / EU |
| SendGrid | Transactional email | US |
| MailerLite | Marketing email | EU (Lithuania) |
| Cal.com | Calendar & scheduling | EU |
| Sentry | Error monitoring | US |
When we transfer data outside the UK/EEA, we use Standard Contractual Clauses or equivalent safeguards.
7. Data Retention
- Clinic accounts: retained for the duration of the subscription plus 12 months after cancellation
- End consumer data: retained as directed by the clinic (data controller). When a clinic closes its account, we delete customer data within 90 days
- Financial records: retained for 6 years as required by HMRC
- Marketing subscribers: retained until unsubscribed, then deleted within 30 days
8. Your Rights
Under UK GDPR, you have the right to:
- Access the personal data we hold about you
- Rectify inaccurate or incomplete data
- Erase your data (“right to be forgotten”)
- Restrict or object to processing
- Data portability
- Withdraw consent at any time
- Lodge a complaint with the ICO (ico.org.uk)
End consumers: if you booked through a clinic portal, please contact the clinic directly in the first instance. The clinic is the data controller and can action your request, or escalate to us as needed.
9. Cookies
We use essential cookies for authentication and site functionality, and analytics cookies (Vercel Analytics) to understand how the platform is used. We do not use advertising or third-party tracking cookies. You can manage cookie preferences through your browser settings.
10. Security
We implement appropriate technical and organisational measures to protect personal data, including encryption in transit (TLS) and at rest, access controls, regular security reviews, and row-level security on all database tables.
11. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via email or a notice on our website. The “Last updated” date at the top indicates the most recent revision.
See also our Terms of Service for the full terms governing use of the Apex AI platform.