Privacy Policy
Business name: Diguct (Diguct Alliance)
Contact email: [email protected]
Operational HQ / Legal base: Netherlands
This Privacy Policy explains in detail how Diguct collects, uses, stores, shares and protects personal data in connection with our services for injection aesthetic clinics and related business clients. It describes your rights under EU law (including the General Data Protection Regulation — GDPR) and Dutch practice, how to exercise those rights, and the practical steps we take to minimise risk and maximise transparency.
Short summary (plain English): We collect only the information needed to deliver our services (contact details, business info, commercial metrics like CLV/CAC, and technical data for analytics). We use that data to deliver consulting, run campaigns, process payments and to meet legal obligations. We do not sell personal data. We store EU client data on EEA-compliant infrastructure, use contractual safeguards (SCCs) for transfers, and offer clear GDPR rights (access, correction, deletion, portability). If you have concerns, email [email protected].
1. Scope & Who this Policy Covers
This Policy applies to:
Individuals who use, subscribe to or inquire about Diguct services (prospective clients), and
Employees, contractors and representatives of business clients (for the purposes of providing Services).
It applies to data collected via our website, landing pages, onboarding forms, emails, calls, analytics, CRM integrations and during service delivery. It does not replace specific Data Processing Agreements (DPAs) or clauses in a signed Statement of Work (SOW) — those documents set out operational details between Diguct and each client.
2. Types of Personal Data We Collect (Detailed)
We collect categories of information necessary to provide services and operate the business. Examples and typical uses are listed.
A. Identity & Contact Data (PII)
Full name, title, job role and relationship to the clinic/business
Business email, personal email (if supplied), telephone / mobile number
Business address and billing address
Use: communications, invoicing, onboarding, verification, GDPR rights requests.
B. Business & Commercial Data
Clinic name, company registration / VAT number, ownership structure
Financial metrics (revenue ranges, SDE, EBITDA benchmarks), pricing, invoices
Marketing performance data: CLV, CAC, churn rate, conversion rates and channel-level attribution
CRM records related to leads and customers (when shared by the Client)
Use: designing growth strategies, calculating Guarantee metrics, valuation discussions, acquisitions, reporting.
C. Technical & Usage Data
IP address, device type, operating system, browser, timestamps of website access
Analytics data (e.g., page views, session duration) collected by services such as Google Analytics, server logs
Cookies, pixels (Meta Pixel/LinkedIn/TikTok) and CRM tracking identifiers
Use: platform security, analytics, optimisation of the website and marketing funnels.
D. Payment & Transaction Data
Payment method (e.g., Wise, Stripe, PayPal identifiers), transaction records, billing history
Use: invoicing, fraud prevention, refunds and accounting.
E. Notes on Sensitive Data
We do not intentionally collect “special categories” of personal data under GDPR (such as health, sexual orientation, biometric data or political opinions). If, in exceptional circumstances, such data is ever provided, we will notify you and seek explicit consent before processing it (unless another lawful basis applies).
3. How We Collect Data
We obtain personal data in the following ways:
Directly from you (contact forms, proposal signings, onboarding questionnaires, emails and calls).
From your authorised representatives (consultants, legal counsel, accounting staff).
Through integrations and third-party platforms you authorise (CRM systems, payment processors, analytics tools).
Publicly available sources and business directories when needed to verify company details.
Where practical, we will endeavour to inform the data subject at the point of collection about the purposes and legal basis for processing.
4. Legal Bases for Processing (GDPR)
We rely on lawful bases in GDPR to process data, depending on the activity:
Contractual necessity: Processing necessary to perform the services in a SOW or to take steps at your request prior to entering a contract (e.g., onboarding, invoicing).
Legitimate interests: For reasonable business administration, fraud prevention, analytics, service improvement and enforcing our terms — provided those interests are not overridden by your rights. We perform balancing tests for each legitimate interest use.
Consent: Where required (e.g., marketing newsletters, non-essential tracking cookies), we ask for clear opt-in consent which may be withdrawn at any time.
Legal obligation: For compliance with tax, corporate, accounting or regulatory obligations (e.g., accounting retention rules).
Vital interests: Only in rare emergency situations (e.g., to protect someone’s life) would we rely on vital interests.
For information on GDPR basics and rights, see the official regulation.
5. How We Use the Data — Purposes & Examples
We process personal data for these primary purposes:
Service delivery & onboarding: configure tools (CRM, analytics), create offers, run campaigns, deliver workshops and reports.
Guarantee measurement & reporting: calculate baseline CLV, CAC and the CLV:CAC uplift needed under our Performance Guarantee and produce Measurement Reports.
Payments & refunds: issue invoices, reconcile payments, refund where due.
Communications: service notices, contract fulfilment, support, scheduling.
Compliance & legal: tax reporting, statutory obligations, responding to lawful requests.
Security & fraud prevention: protect accounts, detect and investigate fraud.
Improvement & analytics: anonymised performance analysis to improve our services (where practical we use aggregated/anonymised data).
We will only use personal data for new purposes after informing you and, where necessary, obtaining consent.
6. Cookies & Tracking Technologies
We use cookies and similar technologies for essential site functions, analytics and marketing. On first visit you will receive a cookie banner that explains cookie categories and allows consent for non-essential cookies. You can withdraw cookie consents via your browser settings or our cookie management interface.
Typical categories:
Strictly necessary cookies (required for site operation).
Performance & analytics cookies (Google Analytics etc.).
Marketing cookies (used for remarketing across ad networks).
If you opt out, we will not load non-essential trackers for your browser session.
7. Data Sharing & Third Parties (Processors)
We engage third-party processors to operate parts of our service (examples):
Payment processors (Stripe, PayPal, Wise)
Cloud email & document platforms (Google Workspace)
CRM & productivity software (Notion, CRM providers)
Advertising platforms (Meta, LinkedIn, TikTok)
These processors are carefully chosen and contractual safeguards (Data Processing Agreements) are in place requiring them to meet GDPR-level protections.
We do not sell personal data to third parties for their own marketing purposes.
When we share information for an acquisition negotiation or due diligence (per our Guarantee clauses), that sharing is governed by a robust confidentiality and DPA framework and, where appropriate, only aggregated or anonymised data will be used until specific agreements are signed.
8. International Data Transfers & Safeguards
Diguct operates from the Netherlands (legal base), and we store/transmit EU client data on EEA-compliant infrastructure where possible. Where personal data is transferred outside the EEA (for example, to US-hosted service providers), we rely on appropriate transfer mechanisms such as:
Adequacy decisions (where the recipient country benefits from an EU adequacy decision), or
Standard Contractual Clauses (SCCs) adopted by the European Commission combined with transfer-impact assessments and additional technical, contractual or organisational safeguards.
Post-Schrems II: The CJEU ruling (Schrems II) requires organisations to assess the legal environment of the destination state and implement compensating measures when needed. We perform Transfer Impact Assessments (TIAs), implement supplementary protections (encryption, data minimisation, limited access) and document our decisions. If you want copies of the SCCs or our TIA summary for your account, request them from [email protected].
9. Data Retention (How long we keep your data)
We retain personal/business data only for as long as necessary for the purposes set out above, and to comply with legal obligations:
Active engagement: Data required to deliver the Services is kept for the duration of the contract and for a minimum of 12 months after contract end to allow for measurement, reporting and guarantee follow-up (unless you request earlier deletion and no legal obligation requires retention).
Accounting & tax records: We retain accounting and tax-related data for 7 years (or as required by Dutch tax law), in line with fiscal retention obligations. If a longer legal retention period applies (e.g., immovable property records), we retain for that term.
Legal claims: If there is a pending or potential legal claim or investigation, we may retain relevant data until final resolution.
Anonymised data: Aggregated or anonymised records that cannot identify individuals may be retained indefinitely for benchmarking and product improvement.
If you request deletion under GDPR Article 17, we will comply unless retention is necessary for legal claims, regulatory compliance, or legitimate overriding interests.
The Dutch data protection authority (Autoriteit Persoonsgegevens) provides guidance on balancing retention needs with data minimisation principles.
10. Security Measures
We employ reasonable, industry-standard technical and organisational measures to safeguard data:
TLS/SSL encryption on websites and API connections.
Strong access controls, role-based permissions and two-factor authentication for critical admin tools (Stripe, GSuite, CRM).
Regular backups and tested restore procedures.
Vendor due diligence and DPAs with subprocessors.
Encryption at rest or in transit where appropriate, and regular security reviews.
No system is 100% secure. We review and update our controls regularly and will notify you of data breaches in line with GDPR obligations (notification to the supervisory authority within 72 hours where required and to affected individuals when there is a high risk to their rights and freedoms).
11. Your GDPR Rights & How to Exercise Them
You have rights as a data subject under the GDPR. We explain the practical steps and timelines:
Right of access (Article 15): Request a copy of personal data we hold about you.
Right to rectification (Article 16): Ask us to correct inaccurate data.
Right to erasure (Article 17) — “right to be forgotten”: Request deletion where no lawful basis to retain exists.
Right to restriction of processing (Article 18): Temporarily limit processing in defined circumstances.
Right to data portability (Article 20): Request your data in a structured, commonly used, machine-readable format.
Right to object (Article 21): Object to processing based on legitimate interests or direct marketing.
Right to withdraw consent: Where processing is consent-based (e.g., marketing cookies), withdraw consent anytime.
How to make a request: Email [email protected] with subject “GDPR Rights Request” and specify the right you wish to exercise and the precise data or timeframe. To protect privacy, we will verify identity before fulfilling requests (we may request a copy of ID or other proof — redacting ID numbers where possible). We will respond within one month of receipt. If complex, we may extend by a further two months and will explain the reason.
If you are not satisfied with our response, you have the right to lodge a complaint with the Dutch supervisory authority (Autoriteit Persoonsgegevens). See their guidance online.
12. Data Breach Notification (Practical steps)
If Diguct becomes aware of a personal data breach that is likely to result in a risk to individuals’ rights and freedoms, we will:
Contain and investigate the breach.
Notify the relevant supervisory authority within 72 hours when required by GDPR (Article 33).
Notify affected data subjects without undue delay if the breach presents a high risk (Article 34).
Provide information about the nature of the breach, likely consequences, measures taken and recommended steps for individuals.
13. Data Processing Agreements, Sub-processors & Controller/Processor Roles
Where Diguct acts as processor (processing data on behalf of a client), we will enter a DPA that sets out processing instructions, security measures, sub-processors and rights to audit.
Where Diguct acts as controller (deciding purposes/means, for example when we process our own client contact list), we ensure compliance with GDPR obligations and document lawful bases.
We keep a current list of sub-processors (third-party processors) and will inform clients of any changes in advance where applicable; clients may object to new sub-processors on reasonable grounds.
14. Minors
Our services are not directed to persons under 18. We do not knowingly collect personal data of minors. If you believe we have inadvertently collected data about a minor, contact [email protected] and we will promptly remove it unless retention is required by law.
15. Complaints & Supervisory Authority
If you are unhappy with how we handle your data or a rights request, please contact [email protected] first so we can investigate. You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) — see their website for how to complain and the latest guidance.
16. Updates to This Policy
We will update this Privacy Policy when practices or legal requirements change. Material changes will be communicated by email to clients and published on our website with a new effective date.
17. Practical Examples & Clarifications (to reduce friction)
Marketing emails & opt-out:
If you sign up for our newsletter you can unsubscribe via the link in every email or by emailing [email protected]. Unsubscribing from marketing emails does not remove transactional emails (account notices, contractual communications).
Data portability example: If you request portability of CRM leads we will provide a CSV or JSON file of the personal data we hold that you provided, where technically feasible.
Guarantee measurement data: For CLV/CAC measurement, we request access to your ad platforms and CRM. If you decline that access, the Guarantee cannot be reliably measured and the Guarantee may not apply.
18. Contact & Data Protection Officer / Privacy Contact
For privacy enquiries, to exercise rights, to request a DPA or to get a copy of our transfer impact assessment and sub-processors list, contact:
Email: [email protected]
Postal (legal): Legal Officer, Diguct — Amsterdam, Netherlands.
If we appoint a Data Protection Officer (DPO), we will list their name and direct contact details here and in the DPA.
19. International Practical Note — Netherlands Base & Temporary Operations
Although Diguct’s legal base and operational HQ are in the Netherlands, from time to time our team may work from other jurisdictions (e.g., temporary operations). For all EU/EEA clients, our commitments to store/process data on EEA-compliant servers and to use SCCs or other safeguards for transfers remain in force as described above.
20. Legal & Limitation Notes
This Policy describes our privacy practices. It does not create contractual rights beyond any signed DPA or SOW. Where the law requires additional protections (e.g., consumer distance selling rules), the mandatory provisions supersede any conflicting terms. For a definitive legal interpretation of GDPR and local Dutch law, please consult a qualified attorney or the Autoriteit Persoonsgegevens. The GDPR text and the official EU database provide full legal wording.
21. Appendices (available on request)
We can provide upon request (email [email protected]):
Our standard Data Processing Agreement (DPA).
Our current sub processor list and the locations where data is pro
Copies of Standard Contractual Clauses (SCCs) used for transfers.
Key References & Guidance (selected)
GDPR (Regulation (EU) 2016/679) — official text.
European Commission guidance & Standard Contractual Clauses (SCCs) (2021).
CJEU “Schrems II” context and transfer obligations — guidance and implications.
Dutch mandatory business records / retention obligations (7 years).
Autoriteit Persoonsgegevens (Dutch Data Protection Authority) guidance on retention and rights.
Final notes
This Policy is intentionally thorough and practical to help clients, prospects and regulators understand how we handle data and how we protect your rights.