
GDPR Compliance

Calyx is built for UK aesthetic clinics, which handle some of the most sensitive categories of personal data under UK GDPR: health data, biometric data, and clinical records. This page explains how our platform is structured to support your compliance obligations as a data controller.

1. Controller and processor roles

  • Your clinic is the data controller for all patient records and clinical information.
  • Calyx is the data processor acting strictly under the documented instructions of your clinic.
  • A comprehensive Data Processing Agreement (DPA) is fully available to subscribers. Contact hello@usecalyx.app to request a copy.

2. Lawful basis for processing patient data

Patient health data is classified as Special Category Data under Article 9 of the UK GDPR. Processing this information requires both a lawful basis under Article 6 and an explicit condition under Article 9.

For aesthetic practices, the relevant legal conditions typically include explicit patient consent (Article 9(2)(a)) or the provision of health or social care (Article 9(2)(h)).

To support your legal basis, Calyx provides:

  • Digital consent form capture with cryptographically secure, timestamped signatures.
  • Version-controlled consent templates.
  • Per-treatment consent check workflows.
  • A clear, unalterable audit trail of consent completion.

3. Data subject rights - how Calyx supports them

As a data controller, you must be able to respond to patients exercising their legal rights under UK GDPR. Calyx provides built-in mechanisms to help you fulfil these requests instantly:

Right - How Calyx supports it

  • Right of access - Patient records and files can be exported by clinic administrators in structured digital formats at any time.
  • Right to rectification - Patient demographic and contact data can be edited instantly by clinic staff, with a historical edit log maintained.
  • Right to erasure - Patient records can be deleted by clinic administrators and will be fully purged from all database backups within 30 days.
  • Right to portability - Patient data can be exported in structured, commonly used machine-readable formats.
  • Right to restrict - Specific patient records or clinic accounts can be temporarily suspended from active processing without data deletion.
  • Right to object - All automated marketing communications include a reliable, one-click opt-out unsubscribe mechanism.

4. Data minimisation

Calyx strictly collects, processes, and stores only the data fields that are absolutely required to perform clinical logging and business operations. We have no secondary processing: patient data is never sold, shared, profiled, or used for advertising.

5. Technical security measures

We secure clinic and patient data using enterprise-level technical safeguards:

  • Row-level security (RLS): Enforced at the Supabase database engine layer. This guarantees complete data isolation between different clinics - it is structurally impossible for one clinic to view or access another's database records.
  • Encryption: All data is encrypted in transit using TLS 1.3 and at rest using AES-256.
  • Access controls: Granular, role-based access permissions restricting features to authorised clinic owners, practitioners, or receptionists.
  • Magic link authentication: Passwordless access token exchanges ensure secure client and patient portals.
  • Immutable audit logging: Logging of highly sensitive clinic actions, including clinical record locking, prescription authorisations, and consent agreements.

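The row-level security point above is the one a data controller will most want to verify. The following is an added illustration of how per-clinic isolation is expressed in Postgres, the engine Supabase runs on; it is not Calyx's schema or policy code. The table names, column names and policy names are assumptions for the example, and it assumes Supabase's built-in auth.uid() helper, which returns the subject (user id) of the caller's JWT.

```sql
-- Added example: tenant isolation with Postgres row-level security (RLS).
-- Assumed tables: clinic_members (who belongs to which clinic, with a role)
-- and patients (clinical records that must never cross clinic boundaries).

create table clinic_members (
  user_id   uuid not null,   -- Supabase auth user id (matches auth.uid())
  clinic_id uuid not null,
  role      text not null
            check (role in ('owner', 'practitioner', 'receptionist')),
  primary key (user_id, clinic_id)
);

create table patients (
  id        uuid primary key default gen_random_uuid(),
  clinic_id uuid not null,
  full_name text not null,
  dob       date
);

-- Enable RLS and FORCE it, so even the table owner is bound by the policies
-- rather than silently bypassing them.
alter table patients enable row level security;
alter table patients force row level security;

-- Members of a clinic may read that clinic's patients and nothing else.
create policy patients_select on patients
  for select to authenticated
  using (
    clinic_id in (select clinic_id from clinic_members
                  where user_id = auth.uid())
  );

-- New rows must be stamped with a clinic the caller belongs to; WITH CHECK
-- stops a user inserting a record under another clinic's id.
create policy patients_insert on patients
  for insert to authenticated
  with check (
    clinic_id in (select clinic_id from clinic_members
                  where user_id = auth.uid())
  );

-- Updates: the row must already be visible (USING) and must stay in the
-- caller's clinic afterwards (WITH CHECK), so clinic_id cannot be moved.
create policy patients_update on patients
  for update to authenticated
  using (
    clinic_id in (select clinic_id from clinic_members
                  where user_id = auth.uid())
  )
  with check (
    clinic_id in (select clinic_id from clinic_members
                  where user_id = auth.uid())
  );

-- Deletion (erasure requests) limited to the clinic's owners. Policies are
-- permissive and OR'd together, so deletion is kept out of the broader
-- policies above and granted only here.
create policy patients_delete on patients
  for delete to authenticated
  using (
    clinic_id in (select clinic_id from clinic_members
                  where user_id = auth.uid() and role = 'owner')
  );

-- Local verification (constructed ids): impersonate an authenticated user by
-- setting the JWT claims that auth.uid() reads, then query as that role.
-- select set_config('request.jwt.claims',
--   '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}', true);
-- set local role authenticated;
-- select count(*) from patients;   -- returns only this user's clinic's rows
```

Two checks worth making against any RLS-based isolation claim: first, roles with BYPASSRLS (and Supabase's service-role key, which uses such a role) are not subject to these policies, so any server-side code holding that key must apply its own clinic scoping; second, every table that carries a clinic_id needs its own policies, since RLS is per-table and a table with RLS enabled but no policy simply denies all rows rather than inheriting from a related table.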
6. International data transfers

To provide specific core tools (such as billing or email notifications), we integrate with trusted third-party providers. In cases where data is transferred outside the UK (e.g., Stripe and Resend to US data centers), standard protective measures are actively enforced:

  • Stripe: Payment processor. Standard Contractual Clauses (SCCs) are in place.
  • Resend: Transactional email service. Standard Contractual Clauses (SCCs) are in place.
  • Supabase: Primary database. Stored exclusively in the European Union (Germany).

7. Data breach notification

In the highly unlikely event of a security breach affecting clinic or patient personal data, Calyx is committed to notifying impacted clinic owners within 72 hours of becoming aware of the breach, in accordance with Article 33 of the UK GDPR.

Clinics are responsible for evaluating the risk and notifying their respective patients or the ICO where required.

8. Data Processing Agreement

A standard DPA outlining detailed processor-controller obligations is readily available to all Calyx subscribers. Please contact our data team at hello@usecalyx.app to request a copy.

9. ICO registration

Calyx operates in strict alignment with UK data compliance standards and is registered with the Information Commissioner's Office (ICO). Registration number: [TBC].

10. Contact our data team

If you have questions regarding database security, sub-processors, or compliance audits, please contact us at hello@usecalyx.app.