PRIVACY POLICY


Last updated: April 23, 2026

This Privacy Policy explains how Mathias Systems LLC ("Estetis", "we", "us", "our") collects, uses, shares, and protects personal data when you use our website at https://www.estetis.app and the Estetis application (together, the "Service").

We comply with the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the Irish Data Protection Act 2018, and the Polish Act on the Protection of Personal Data of 10 May 2018.

By using the Service, you acknowledge that you have read and understood this Privacy Policy.

1. Who we are (Data Controller)

The data controller responsible for your personal data is:

Mathias Systems LLC
1209 Mountain Road Pl NE, Ste N
Albuquerque, New Mexico 87110, USA
Email: matt@estetis.app

An EU representative under Article 27 GDPR will be appointed prior to wider EU rollout. In the meantime, EU data subjects may contact us directly at matt@estetis.app for any privacy matter.


2. Definitions

  • Personal Data — any information relating to an identified or identifiable natural person.

  • Processing — any operation performed on personal data (collection, storage, use, disclosure, deletion, etc.).

  • Controller — the entity that determines the purposes and means of processing personal data.

  • Processor — the entity that processes personal data on behalf of a controller.

  • Clinic User — a business (e.g., aesthetic clinic, salon, wellness studio) that subscribes to the Service.

  • End Customer — an individual whose data is entered into the Service by a Clinic User for loyalty, rewards, or membership purposes.

  • Service Provider / Sub-processor — a third party we engage to process personal data on our behalf.

3. Our role: Controller and Processor

Estetis operates a B2B2C platform. Our role under GDPR depends on whose data is being processed:

We act as Controller for:

  • Clinic User account data (name, email, phone, billing information)

  • Website visitor data

  • Data generated through your interactions with our Service, support, and marketing

We act as Processor for:

  • End Customer data uploaded, entered, or generated within the Service by Clinic Users (names, contact details, dates of birth, loyalty activity)

When acting as Processor, the Clinic User is the Controller and determines the purposes of processing. End Customers should contact the relevant Clinic User for any privacy request concerning their data. A Data Processing Agreement (DPA) governs our relationship with Clinic Users.

4. What personal data we collect

From Clinic Users (we are Controller)

  • Identity: first name, last name

  • Contact: email address, phone number

  • Billing: all payment card information is collected, processed, and stored directly by Stripe, Inc., a PCI-DSS Level 1 certified payment processor. We do not have access to, store, or process your full card details. We receive only limited transaction metadata (e.g., last 4 digits, transaction ID, status) from Stripe for accounting and support purposes. Stripe's own privacy policy applies to its processing of your payment data and is available at https://stripe.com/privacy.

  • Account activity: login timestamps, features used, subscription status

  • Support communications: messages you send via email or Intercom

From End Customers (we are Processor, on behalf of the Clinic User)

  • First name, last name

  • Email address

  • Phone number

  • Date of birth

  • Loyalty/membership activity (points, rewards, transactions) within a Clinic's account

Collected automatically from all users

  • Usage Data: IP address, browser type and version, operating system, device identifiers, pages visited, time and date of visits, referral URL, diagnostic data.

  • Cookies and similar technologies: see Section 10.

We do not knowingly collect special-category data (e.g., health data, biometric data). Clinic Users are contractually prohibited from entering such data into the Service.

5. Legal bases for processing (GDPR Article 6)

We only process personal data when we have a lawful basis to do so:

Purpose and legal basis:

  • Creating and managing Clinic User accounts: Performance of a contract (Art. 6(1)(b))

  • Processing payments via Stripe: Performance of a contract (Art. 6(1)(b))

  • Providing customer support: Performance of a contract / legitimate interests (Art. 6(1)(b)/(f))

  • Sending service and security notifications: Legitimate interests / legal obligation (Art. 6(1)(f)/(c))

  • Sending marketing emails and newsletters: Consent (Art. 6(1)(a)); withdrawable at any time

  • Sending push notifications to End Customers: Processed on behalf of the Clinic User

  • Analyzing and improving the Service: Legitimate interests (Art. 6(1)(f))

  • Preventing fraud and abuse: Legitimate interests (Art. 6(1)(f))

  • Complying with legal, tax, and accounting obligations: Legal obligation (Art. 6(1)(c))

Where we rely on legitimate interests, we have carried out a balancing test to ensure your rights and freedoms are not overridden.

6. How we use your personal data

We use personal data to:

  • Provide, operate, maintain, and improve the Service

  • Authenticate users and secure accounts

  • Process subscription payments and issue invoices

  • Respond to support requests and communications

  • Send transactional emails (account activity, billing, security)

  • Send marketing communications where you have consented (you can unsubscribe at any time via the link in each email or by emailing matt@estetis.app)

  • Send push notifications to End Customers, on behalf of Clinic Users, for loyalty and membership purposes

  • Monitor usage patterns to detect problems, abuse, and improve features

  • Comply with legal obligations, including tax and accounting record-keeping

7. Sharing your personal data with third parties

We share personal data only with parties that need it to help us operate the Service, and only under appropriate contractual and technical safeguards. Our current sub-processors include:

Sub-processor, purpose, and location:

  • Stripe, Inc.: Payment processing. Location: USA (SCCs + DPF)

  • Intercom R&D Unlimited Company: Customer support and messaging. Location: Ireland / USA

  • [Hosting provider — to be added]: Application hosting and infrastructure. Location: [To be added]

  • [Transactional email provider — to be added]: Sending service emails. Location: [To be added]

We maintain an up-to-date list of sub-processors and will update this Privacy Policy as they change.

We may also disclose personal data to:

  • Professional advisers (lawyers, accountants, auditors) under confidentiality

  • Public authorities, courts, or regulators where legally required

  • A buyer or successor in the event of a merger, acquisition, or sale of assets (with prior notice to affected users)

We do not sell your personal data.

8. International transfers of personal data

Because Mathias Systems LLC is established in the United States, and some of our sub-processors are located outside the European Economic Area (EEA), your personal data may be transferred to, and processed in, countries that do not provide the same level of data protection as the EEA.

When we transfer personal data outside the EEA, we rely on one of the following safeguards under Chapter V GDPR:

  • The EU–U.S. Data Privacy Framework (where the recipient is certified, e.g., Stripe)

  • Standard Contractual Clauses adopted by the European Commission (Decision (EU) 2021/914)

  • Other lawful transfer mechanisms where applicable

A copy of the relevant safeguards can be obtained by emailing matt@estetis.app.

9. How long we keep your personal data

We retain personal data only as long as necessary for the purposes described in this Policy, or as required by law:

Data category and retention period:

  • Clinic User account data: For the duration of the account + 12 months after closure

  • End Customer data (as Processor): Per Clinic User instructions; deleted within 90 days of contract termination unless legally required otherwise

  • Billing and tax records: 6 years (US tax / EU accounting requirements)

  • Support communications: 3 years from last interaction

  • Marketing consent records: Until consent is withdrawn + 12 months (to evidence consent)

  • Usage data / server logs: 12 months

  • Cookie data: As set out in Section 10

After the retention period, data is deleted or irreversibly anonymized.

10. Cookies and similar technologies

We use cookies and similar technologies to provide and improve the Service.

Types of cookies we use:

  • Strictly necessary cookies — required for the Service to function (login sessions, fraud prevention via Stripe). These do not require consent.

  • Functional cookies — remember your preferences (e.g., language). Set only with your consent.

  • Analytics and marketing cookies — we do not currently use these. If we introduce them, we will update this Policy and request your consent via a cookie banner.

You can manage cookie preferences through your browser settings or, where available, our cookie banner. Refusing non-essential cookies will not prevent you from using the core Service.

For users in Poland, we comply with the Polish Telecommunications Law (Article 173) requirement of prior informed consent for non-essential cookies.

11. Your rights under GDPR

If you are located in the EU/EEA, you have the following rights regarding your personal data:

  • Right of access (Art. 15) — obtain a copy of the personal data we hold about you

  • Right to rectification (Art. 16) — correct inaccurate or incomplete data

  • Right to erasure / "right to be forgotten" (Art. 17) — request deletion of your data

  • Right to restriction of processing (Art. 18)

  • Right to data portability (Art. 20) — receive your data in a structured, machine-readable format

  • Right to object (Art. 21) — including to direct marketing and to processing based on legitimate interests

  • Right to withdraw consent (Art. 7(3)) — at any time, without affecting the lawfulness of prior processing

  • Right not to be subject to automated decision-making (Art. 22) — we do not carry out such decision-making

How to exercise your rights: email us at matt@estetis.app. We will respond within one month (extendable by two further months for complex requests, as permitted by Art. 12(3) GDPR). There is no fee unless requests are manifestly unfounded or excessive.

If you are an End Customer whose data was entered into the Service by a Clinic, please direct your request to that Clinic, which is the Controller of your data. We will assist the Clinic in responding as required.

Right to lodge a complaint:
You have the right to lodge a complaint with a supervisory authority, in particular:

  • Ireland — Data Protection Commission (DPC), 21 Fitzwilliam Square South, Dublin 2, D02 RD28 — www.dataprotection.ie

  • Poland — Urząd Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00-193 Warszawa — www.uodo.gov.pl

  • Or the supervisory authority of your EU country of residence.

We would, however, appreciate the chance to address your concerns directly before you approach a regulator.

12. Security

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures include encryption in transit (TLS), access controls, authentication, and regular security reviews of our sub-processors.

No method of transmission or storage is 100% secure. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours and, where required, inform affected individuals without undue delay, in accordance with Articles 33 and 34 GDPR.

13. Children's privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children under 16 without verifiable parental consent. If you believe a child has provided us with personal data, please contact matt@estetis.app and we will take appropriate steps to delete it.

14. Links to third-party websites

The Service may contain links to third-party websites not operated by us. We are not responsible for the privacy practices of those sites and encourage you to review their privacy policies.


15. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be notified to you by email and/or a prominent notice on the Service before they take effect. The "Last updated" date at the top of this Policy indicates when it was last revised.


16. Contact

For any questions, requests, or complaints regarding this Privacy Policy or your personal data, contact:

Mathias Systems LLC
Email: matt@estetis.app