Legal

Privacy Policy

Last updated: June 4, 2026

This Privacy Policy explains how Zovi (Bespoke IT Consultants) collects, uses, stores, and protects personal data across our marketing website, the clinic dashboard, and the white-label patient app. We are committed to full compliance with the General Data Protection Regulation (GDPR / DSGVO) and applicable European privacy law.

1. Data Controller

The controller responsible for the processing of personal data within the meaning of the GDPR is:

Bespoke IT Consultants
Grünstr. 15, 3. Stock
40212 Düsseldorf
Deutschland

E-Mail: info@zoviapp.com

For all privacy-related enquiries, including requests to exercise your data subject rights, please contact us at the above address or by email.

2. Scope of this Policy

This policy covers three distinct services operated by Zovi:

Marketing Website

zoviapp.com

zoviapp.com and all subpages, the public-facing website you are currently viewing.

Clinic Dashboard

Clinic Portal

The web-based management portal used by clinic owners and staff to operate their Zovi subscription.

Patient App

iOS & Android

The white-label iOS and Android app installed by patients of Zovi-powered clinics. The clinic is the data controller; Zovi acts as data processor.

3. Marketing Website, Data Collection

When you visit zoviapp.com, the following data is processed:

Server & access logs

Our hosting provider (Vercel Inc., 340 Pine Street Suite 900, San Francisco, CA 94104, USA) automatically records standard server log data each time you access the website. This includes: IP address (anonymised after 24 hours), browser type and version, operating system, referring URL, pages visited, date and time of access, and data volume transferred. This processing is technically necessary to deliver the website and is based on Art. 6 para. 1 lit. f GDPR (legitimate interest in secure and reliable website operation). Vercel processes this data under Standard Contractual Clauses (SCCs) approved by the European Commission. For further details, see: vercel.com/legal/privacy-policy.

Contact & demo request form

When you submit a contact or demo request form, we collect: first name, last name, email address, clinic name (optional), phone number (optional), and your message. This data is used exclusively to respond to your enquiry and to schedule a demo call. It is not shared with third parties. Legal basis: Art. 6 para. 1 lit. b GDPR (pre-contractual measures) and Art. 6 para. 1 lit. f GDPR (legitimate interest in processing your request). Data is retained for 24 months from last contact, or for the duration of any contractual relationship.

Cookies & tracking

The Zovi marketing website does not use tracking cookies, Google Analytics, Meta Pixel, or any third-party advertising or analytics services. We do not build user profiles. Technically necessary session cookies may be set by the browser to maintain basic website functionality. No consent banner is required as no non-essential cookies are used.

4. Clinic Dashboard, Data Processing

The Zovi clinic dashboard is the web portal used by clinic owners and staff. It is hosted on Hetzner Online GmbH infrastructure in Germany (Nuremberg / Falkenstein data centres), ensuring all data remains within the European Union.

Clinic account data

When a clinic registers, we collect: business name, business address, VAT number (where applicable), contact person name and email, billing information (processed via Stripe, we do not store card details), and clinic branding assets (logo, colours). Legal basis: Art. 6 para. 1 lit. b GDPR (contract performance).

Patient data processed on behalf of clinics

When clinics use the dashboard to manage their patient base, Zovi processes patient data as a data processor on behalf of the clinic (the data controller). This includes: patient names, contact details, appointment history, treatment records, membership status, loyalty points, and communication preferences. A Data Processing Agreement (DPA / AVV) governs this relationship. Clinics are responsible for ensuring they have a valid legal basis for collecting and using patient data, and for obtaining all necessary patient consents.

Staff & access management

Clinic staff accounts are created by the clinic owner. We process staff names and email addresses for the purpose of account management and access control. Legal basis: Art. 6 para. 1 lit. b GDPR. Staff data is deleted when the clinic account is terminated or upon request.

5. Patient App, Mobile Application

The Zovi patient app is a white-label application available on iOS (App Store) and Android (Google Play). The app is powered by Zovi technology but branded for the individual clinic. The clinic is the data controller for all patient data. Zovi acts as the data processor. All app backend infrastructure is hosted on Hetzner Online GmbH in Germany.

Data collected by the app

Account & identityFull name, email address, phone number, date of birth (for birthday rewards and age verification). Legal basis: Art. 6 para. 1 lit. b GDPR (contract performance).
Booking & treatment historyAppointment dates, treatment types, booked services, and booking preferences. Used to deliver the booking functionality and personalise your in-app experience. Legal basis: Art. 6 para. 1 lit. b GDPR.
Membership & loyalty dataMembership tier, subscription status, points balance, reward redemptions, referral codes used, and referral activity. Legal basis: Art. 6 para. 1 lit. b GDPR.
Payment informationPayments are processed securely by Stripe Inc. and Klarna Bank AB. Zovi never stores full card numbers, bank account details, or CVV codes. Only a tokenised payment reference provided by the payment processor is retained for subscription and booking management. Legal basis: Art. 6 para. 1 lit. b GDPR.
Push notification tokenA device token generated by Apple Push Notification service (APNs) or Google Firebase Cloud Messaging (FCM) is stored to deliver push notifications you have opted into. You may withdraw consent at any time in your device notification settings. Legal basis: Art. 6 para. 1 lit. a GDPR (consent).
In-app communication preferencesYour opt-in and opt-out status for promotional messages, appointment reminders, and birthday communications. Legal basis: Art. 6 para. 1 lit. a GDPR (consent).
Device & anonymised usage dataDevice type, operating system version, app version, and anonymised usage events (e.g. which screens are opened, feature usage frequency). Used solely to fix bugs and improve the app. No individual user profiling is performed. Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in service improvement).
Location dataNot collected. The app does not request, access, or store any location data.

Account deletion & data removal

You have the right to request deletion of your patient app account and all associated personal data at any time. You can do this by: (a) contacting your clinic directly, or (b) emailing us at info@zoviapp.com. Requests are processed within 30 days. Anonymised aggregate data (e.g., total booking count) may be retained for statistical purposes and cannot be attributed to any individual.

Children's privacy

The Zovi patient app is intended for users aged 16 and over. We do not knowingly collect personal data from individuals under the age of 16. If a parent or guardian believes that a child under 16 has registered or provided personal data, please contact us immediately at info@zoviapp.com. We will verify and delete the data promptly.

6. Third-Party Services & Processors

Zovi uses the following carefully selected third-party services. Each has been assessed for GDPR compliance. Where data leaves the EU/EEA, appropriate safeguards (Standard Contractual Clauses or adequacy decisions) are in place.

Vercel Inc.USA (SCCs in place)

Website hosting (marketing site only)

Data shared: Server logs, IP addresses (anonymised)

Hetzner Online GmbHGermany (EU), Nuremberg & Falkenstein data centres

Backend infrastructure, patient app, clinic dashboard, APIs, databases

Data shared: All application data, patient records, clinic data

Stripe Inc.USA (SCCs in place)

Payment processing (clinic subscriptions & patient in-app payments)

Data shared: Payment card data (tokenised), billing address, transaction records

Klarna Bank ABSweden (EU)

Buy Now Pay Later checkout integration

Data shared: Payment and identity data processed directly by Klarna at checkout

Google Firebase (FCM)USA (SCCs in place)

Push notification delivery on Android devices

Data shared: Device push token, notification payload

Apple Inc. (APNs)USA (SCCs in place)

Push notification delivery on iOS devices

Data shared: Device push token, notification payload

7. Infrastructure & Data Security

Hosting infrastructure

The Zovi marketing website is hosted on Vercel (global CDN, US-based). All application backend services, including the patient app, clinic dashboard, APIs, and databases, are hosted exclusively on Hetzner Online GmbH servers in Germany (Nuremberg and Falkenstein data centres). This means all patient data, clinic data, and operational data never leaves the European Union.

Technical security measures

TLS 1.3 encryption for all data in transit between clients and servers.
AES-256 encryption for sensitive data at rest in databases.
All API endpoints authenticated and authorised, no public unauthenticated access to patient or clinic data.
Clinic data is logically isolated, one clinic cannot access another clinic's data.
Regular automated backups stored encrypted within the EU.
Intrusion detection and rate limiting on all public-facing services.
Dependency vulnerability scanning as part of the development pipeline.

Data breach procedure

In the event of a personal data breach, Zovi will notify the competent supervisory authority within 72 hours of becoming aware of the breach, as required by Art. 33 GDPR. Where the breach is likely to result in a high risk to individuals, affected data subjects will also be notified without undue delay in accordance with Art. 34 GDPR.

8. Storage Duration & Retention

Website contact form data

24 months from last contact, or for the duration of any contractual relationship.

Clinic account data

For the duration of the active subscription, plus 6 months after termination to allow for dispute resolution. Billing records are retained for 10 years as required by German commercial law (§ 257 HGB).

Patient app data

For the duration of the patient's active account, plus 30 days after account deletion request is processed. Anonymised aggregate statistics may be retained indefinitely.

Server & access logs

Maximum 90 days, after which they are automatically deleted or fully anonymised.

Push notification tokens

Until the user withdraws consent, uninstalls the app, or requests account deletion.

9. Your Rights as a Data Subject

Under the GDPR, you have the following rights with respect to your personal data. To exercise any of these rights, contact us at info@zoviapp.com. We will respond within 30 days.

Right of access (Art. 15)

You have the right to obtain a copy of the personal data we hold about you and information about how it is processed.

Right to rectification (Art. 16)

You can request the correction of inaccurate or incomplete personal data.

Right to erasure (Art. 17)

You can request deletion of your personal data where there is no legitimate reason for continued processing. Statutory retention obligations may limit this right.

Right to restriction (Art. 18)

You have the right to request that we restrict the processing of your personal data in certain circumstances.

Right to data portability (Art. 20)

You can request that we provide your data in a structured, commonly used, machine-readable format, where processing is based on consent or contract.

Right to object (Art. 21)

You can object at any time to processing based on legitimate interests. You may always opt out of marketing communications.

Right to withdraw consent (Art. 7)

Where processing is based on consent, you can withdraw that consent at any time without affecting the lawfulness of prior processing.

Right to lodge a complaint (Art. 77)

You have the right to lodge a complaint with the competent data protection supervisory authority. In Germany: Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW), Postfach 20 04 44, 40102 Düsseldorf.

10. International Data Transfers

All core application data (patient records, clinic data, booking history, memberships) is stored and processed exclusively on Hetzner Online GmbH infrastructure in Germany, entirely within the European Union. No transfers of this data to third countries occur.

For certain auxiliary services (marketing website hosting via Vercel, payment processing via Stripe, push notifications via Firebase/APNs), data may be transferred to the USA. In each case, appropriate safeguards are in place via Standard Contractual Clauses (SCCs) adopted by the European Commission under Art. 46 GDPR. These ensure an equivalent level of data protection.

11. Changes to this Policy

We may update this Privacy Policy from time to time to reflect changes in our services, legal requirements, or best practices. Material changes will be communicated to active clinic users via email at least 14 days before they take effect. The "last updated" date at the top of this page always reflects the current version. We encourage you to review this policy periodically.

12. Contact & Data Protection Enquiries

For all privacy-related matters, including subject access requests, deletion requests, consent withdrawal, or general questions about how we handle your data, please contact us:

Bespoke IT Consultants
Grünstr. 15, 3. Stock
40212 Düsseldorf
Deutschland

E-Mail: info@zoviapp.com

We aim to respond to all privacy enquiries within 5 business days and to fulfil all data subject requests within 30 calendar days.

Zovi is a product of Bespoke IT Consultants. © 2026 All rights reserved.

Zovi, Your Patient App for Medspas & Aesthetic Clinics