aBeauty Clinique

Privacy Policy

Last updated: 2026-06-04

The data controller is Agress Beauty SRL (reg. no. 28935388, Trade Register J2011001002179), operator of the aBeauty Clinique brand and the yes.abeauty.ro website.

Data Protection Officer (DPO): Gabriel Ursan, [email protected]. You may contact the DPO with any question about your data or to exercise your rights.

This policy explains what data we collect through the consultation form on yes.abeauty.ro, why, on what legal basis, who we share it with, and your rights.

Who we are

Agress Beauty SRL, registered office at B-dul Siderurgiștilor nr. 15, Bl. SD10B, Et. P, Cam. 7, 800479 Galați, județul Galați, România, Trade Register no. J2011001002179 (EUID ROONRC.J2011001002179), tax ID 28935388 (VAT RO28935388).

The 10 aBeauty Clinique locations are workpoints of the same company. When you choose a clinic, your request is routed internally to that location of the controller, not to a separate company.

What data we collect

Identification and contact data: name, email address, phone number, and the aBeauty clinic you choose.

Health data (special category): your questionnaire answers about skin type and concerns and a medical check, e.g. pregnancy or breastfeeding, oncology history, recent isotretinoin (Roaccutane) use, recent injectable treatments. See the dedicated section below.

Preference and intent data: your aesthetic goals, age band, urgency, and the recommended package.

Technical and usage data: IP address (stored as a hash), browser type (user-agent, truncated), the referring page, and campaign parameters (UTM).

Advertising identifiers (only with marketing consent): click identifiers (gclid, gbraid, wbraid, fbclid) and the _fbp/_fbc cookies, plus irreversibly hashed (SHA-256) versions of your email and phone, used to measure conversions.

Usage analytics data (only with analytics consent): via Hotjar we record how you interact with the site (mouse movements, clicks, scrolls, interaction heatmaps) to understand how it is used. Hotjar is configured to mask displayed and typed text, so questionnaire answers, including health ones, are not recorded.

Purposes and legal bases

Assessing your request and personalised recommendation: we analyse your answers to check whether a treatment is suitable for you and to generate a recommendation. Basis: your consent (Art. 6(1)(a) GDPR) and, for health data, your explicit consent (Art. 9(2)(a) GDPR).

Routing your request to the chosen clinic: we forward the request to the selected aBeauty location so it can contact you. Basis: Art. 6(1)(a) and Art. 9(2)(a) GDPR.

Recovering unfinished requests: if you enter your contact details (name, email, phone) but leave without submitting, we keep them so we can contact you about the interest you expressed. We do not send your health answers to external platforms for this purpose. Basis: our legitimate interest (Art. 6(1)(f) GDPR). You can object at any time, while filling in the form (by ticking the dedicated box) or later, by writing to the DPO.

Marketing communications by email/SMS: only if you give separate marketing consent. Basis: your consent (Art. 6(1)(a) GDPR and Art. 4(5) of Law 506/2004). You can withdraw it at any time.

Measuring campaign effectiveness (analytics and advertising): only with consent for analytics and marketing cookies respectively. Basis: your consent (Art. 6(1)(a) GDPR and Art. 4(5) of Law 506/2004).

Security, abuse prevention and technical operation: anti-bot protection and error monitoring. Basis: our legitimate interest (Art. 6(1)(f) GDPR) in keeping the platform safe and functional.

Health data

Your skin answers and the medical check are health data, a special category given extra protection by Art. 9 GDPR.

We process them solely on the basis of your explicit consent (Art. 9(2)(a) GDPR), which you give by ticking a dedicated, separate checkbox at the start of the questionnaire, before you answer the skin questions and the medical check. This consent is needed only to generate your personalised recommendation and to forward your request to the chosen clinic; it is not conditioned on marketing consent.

You can withdraw your consent at any time by writing to the DPO ([email protected]), without affecting the lawfulness of processing before withdrawal.

We do NOT send health data to advertising or analytics platforms (Meta, Google). To those we send only hashed contact identifiers and the conversion event, never your conditions or treatments.

Profiling and automated processing

To give you a relevant recommendation, our system automatically analyses your answers (skin type and concerns, aesthetic goals, age band, urgency and the chosen package) together with usage data, producing a package recommendation and an internal interest score (high/medium/low). The logic is rule-based: your answers are compared against predefined criteria, with no opaque algorithm. The score only determines the order and speed at which a human consultant contacts you; it does not affect price, eligibility for a treatment, or the medical recommendation.

This score does NOT produce an automated decision with legal effects and does not deny you any service. It is used only to personalise and prioritise how a human consultant at the clinic contacts you; any final decision about a treatment is always made by a physician after a direct conversation.

You have the right to human intervention, to express your view, to contest the outcome, and to object to processing for direct marketing, by writing to [email protected].

Who we share data with

The chosen clinic: your request reaches the selected aBeauty location (the same controller).

Processors acting strictly on our behalf and on our instructions, only within the purposes and the consent you granted: Brevo (Sendinblue), sending emails; Twilio, sending SMS; Cloudflare, anti-bot protection and site delivery; Sentry, error monitoring; Render, hosting; Hotjar (Hotjar Ltd, Malta), usage analytics via session recording and interaction heatmaps (only with analytics consent); Google (Google Workspace / Google Sheets), the responsible clinic's operational tracking of lead outcomes (this processor role is distinct from Google's independent-controller role in advertising/analytics).

Meta and Google: for advertising measurement and optimisation we send them hashed contact identifiers and the conversion event, only with marketing consent (Meta, Google Ads) or analytics consent (Google Analytics) as applicable. For this processing Meta and Google act as controllers (independent or, where applicable, joint), not as mere processors, under their own terms and privacy policies.

We do not sell your data and do not disclose it to other third parties for their own purposes. We may disclose data to authorities where the law requires it.

International data transfers

Some of our providers are in the United States (Meta Platforms Inc., Google LLC, Twilio Inc., Cloudflare Inc.). Transfers to them rely on the European Commission adequacy decision for the EU-US Data Privacy Framework, for certified organisations, and/or on the European Commission Standard Contractual Clauses (SCCs) with supplementary measures as a fallback.

Brevo, Sentry (EU region), Render and Hotjar (Hotjar Ltd, Malta) host the data within the European Union. To the extent a provider with a US parent group accesses data for technical support, that transfer is covered by the same safeguards (the EU-US Framework and/or SCCs).

You can obtain a copy of the safeguards we apply (e.g. the SCCs) or information about them by contacting the DPO at [email protected]. You can verify US providers' certification on the official list at www.dataprivacyframework.gov/list.

As with any transfer outside the EU, the possibility of access by public authorities cannot be entirely excluded; we reduce this risk by hashing contact identifiers and by never transferring health data to advertising or analytics providers.

How long we keep data

We keep your contact data and questionnaire answers (including health data) for a maximum of 12 months from when you submit the request.

We set this period using the following criteria: the usual length of the decision process for an aesthetic treatment, the need to follow up and re-contact you, and our duty to minimise the processing of sensitive data.

At the end of the period, contact data is deleted, health answers are removed, and only an anonymised record remains (statistics, with no personal data). We separately keep proof of consent (with no personal data) as a compliance record.

If you withdraw consent or request erasure earlier, we remove the data without undue delay, except where the law requires us to keep it (e.g. to establish or defend a legal claim).

Cookies and tracking technologies

We use cookies and similar technologies. Strictly necessary ones work without consent; analytics and marketing ones are enabled only with your consent via the consent banner. Full details are in the Cookie Policy.

Is providing data required?

Providing data is voluntary. If you do not complete the form or do not give explicit consent for health data, we cannot generate your personalised recommendation or forward your request to a clinic; the rest of the site remains accessible.

Your rights

Under the GDPR you have the right of access, rectification, erasure (the right to be forgotten), restriction of processing, portability, objection, and the right not to be subject to a decision based solely on automated processing with significant effects.

Because our processing relies on consent, you may withdraw it at any time, as easily as you gave it: with a single click on the withdraw-and-erase link in your confirmation email (which erases your contact data and questionnaire answers), via the unsubscribe link in marketing messages, or by writing to the DPO, without affecting the lawfulness of earlier processing.

To exercise your rights, write to the DPO: Gabriel Ursan, [email protected]. We respond within one month.

If you believe the processing infringes your rights, you may lodge a complaint with the Romanian Data Protection Authority (ANSPDCP), B-dul G-ral Gheorghe Magheru no. 28-30, Sector 1, 010336 Bucharest, Romania; tel. +40 318 059 211 / +40 318 059 212; e-mail [email protected]; www.dataprotection.ro.

Data security

We apply appropriate technical and organisational measures: encryption in transit, hashing of identifiers, access control, data minimisation, and automatic removal of health data from error logs.

Minors

Aesthetic services are aimed primarily at adults. In Romania, a minor under 16 can consent to online services only with the legal guardian's agreement. For minors, the questionnaire routes to a consultation with the expert and asks for the parent/legal guardian's agreement, and minors' health data is handled exclusively in the clinic. We do not knowingly collect data from minors without that agreement.

Changes

We may update this policy; the version in force is the one published here, with the last-updated date above. Material changes will be signalled on the site.