Privacy Policy

Last Updated: May 18th 2026

This Privacy Policy explains how Aesthetic Vision Inc. ("Company," "we," "us," or "our") collects, uses, stores, shares, and otherwise processes personal data in connection with AVA 3D (the "App"), our related mobile applications, websites, and healthcare professional web portal (collectively, the "Services").

The Services allow adult users to create and store 3D body scans, including scans of the face and certain body areas, and to share selected scans with healthcare professionals for communication purposes.

By using the Services, you acknowledge that you have read and understood this Privacy Policy.

Controller: Aesthetic Vision Inc.
Registered in: Delaware, USA
Privacy contact: support@ava3d.app

If required under applicable law, we may designate a Data Protection Officer or other privacy contact and publish their details here.

This Privacy Policy applies to personal data we process when you:

• create and use an account;
• create, store, manage, or delete 3D scans;
• share scans with healthcare professionals through the Services;
• use our mobile app or healthcare professional web portal;
• contact us for support;
• interact with analytics, diagnostics, and security features built into the Services.

The Services process highly sensitive personal data, including special categories of personal data within the meaning of Article 9 GDPR.

In particular, this may include:

• 3D scans of your face and other body areas;
• data revealing or relating to physical characteristics;
• data revealing health-related information;
• data that may directly or indirectly identify you;
• data that constitutes biometric data within the meaning of Article 9 GDPR, even where not used for identification purposes;
• data relating to your sex, sex characteristics, or gender identity.

Due to the nature of 3D scan technology, such data may inherently allow conclusions about an individual's identity, physical condition, or characteristics.

We do not provide medical advice, diagnosis, or treatment. The Services are intended only to help users capture, manage, and share scans with healthcare professionals.

The Services are intended only for individuals who are at least 18 years old. You may not use the Services if you are under 18, unless applicable law in your jurisdiction sets a higher age threshold, in which case that higher age threshold applies.

If we learn that we have collected personal data from a person who is not eligible to use the Services in violation of this Privacy Policy, we may suspend or delete the relevant account and data, subject to applicable law.

We may collect the following categories of personal data:

A. Account and Registration Data

• full name;
• email address;
• phone number;
• password or authentication credentials;
• date of birth;
• sex;
• gender identity.

B. Scan Data and Related Content

• 3D scans and scan-derived files;
• images, meshes, geometric data, depth or surface data, measurements, and related scan outputs;
• scan metadata, such as date, time, body area, device information, scan status, and related technical parameters;
• user notes, tags, labels, and comments associated with a scan.

Because the Services allow users to create 3D scans of the face and/or other body areas, we may process face data when a user chooses to scan their face.

For purposes of this Privacy Policy, "face data" means data collected from or derived from a user's face during the scan process, including 3D facial scans, facial mesh data, facial geometry, textures, depth or surface data, measurements, scan-derived files, scan outputs, scan metadata, and, for photogrammetry-based scans, source photographs used to create the 3D model.

Photogrammetry-based processing may occur on Company servers. LiDAR-based processing occurs on the user's device. After processing, scan data may be transmitted to Company servers for encrypted storage and for sharing only with healthcare professionals selected by the user.

C. Healthcare Professional Sharing Data

• healthcare professional email address entered by the user;
• records of which healthcare professional a user invited or shared a scan with;
• timestamps of access grants and access revocations;
• records of whether a healthcare professional viewed, downloaded, or exported a scan, where available.

D. Device, Log, and Technical Data

• device type, operating system, app version, browser type;
• IP address and approximate location derived from IP;
• crash logs, diagnostics, performance data, and security logs;
• authentication and access logs.

E. Support and Communications Data

• messages sent to support;
• information you provide when contacting us.

F. Analytics Data

• in-app interaction data;
• usage metrics;
• engagement and performance data collected through analytics tools and software development kits (SDKs).

We use personal data for the following purposes:

• to create and manage user accounts;
• to enable users to capture, store, organize, and manage scans;
• to allow users to share selected scans with specific healthcare professionals chosen by the user;
• to allow healthcare professionals to access scans through the healthcare professional portal;
• to enable users to revoke portal access previously granted to a healthcare professional;
• to operate, maintain, secure, and improve the Services;
• to perform quality assurance and internal product quality control;
• to provide customer support;
• to monitor service performance and troubleshoot technical issues;
• to generate crash reports and diagnostics;
• to protect against fraud, abuse, unauthorized access, and security incidents;
• to comply with legal obligations and enforce our legal rights.

How We Use Face Data
We use face data only to provide the core functionality of the Services, including creating a 3D model from LiDAR or photogrammetry scans, storing the user's scans in the user's account, allowing the user to view, manage, delete, and share selected scans, allowing the user to share selected scans with healthcare professionals chosen by the user, and maintaining the security, integrity, and operation of the Services.

We do not use face data for facial recognition, face identification, identity verification, advertising, profiling, or sale. We do not sell face data.

We do not use user scans, face data, or scan content to train artificial intelligence or machine learning models.

Depending on your location and applicable law, we process personal data under one or more of the following legal bases:

A. Performance of a Contract
We process account, service, and operational data as necessary to provide the Services you request, including account creation, scan storage, scan sharing, access management, and support.

B. Legitimate Interests
We process certain data where necessary for our legitimate interests, including:

• service security;
• fraud prevention;
• platform administration;
• debugging;
• internal analytics;
• performance monitoring;
• quality assurance;
• enforcing our Terms.

Where we rely on legitimate interests, we consider the impact on users' rights and freedoms.

C. Consent
Where required by law, we rely on your consent, including your explicit consent for the processing of scans and other sensitive or health-related personal data.

In particular, we rely on explicit consent under Article 9(2)(a) GDPR for the processing of 3D scans and related data that constitute biometric or other special categories of personal data.

You may withdraw consent at any time. Withdrawal of consent does not affect processing carried out before withdrawal. In some cases, if you withdraw consent, some or all Services may no longer be available to you.

D. Legal Obligation
We may process personal data where necessary to comply with applicable legal obligations.

The Company acts as a data controller with respect to the operation of the Services, including user accounts, platform functionality, and the storage and management of User Content.

Healthcare professionals who receive access to personal data through the Services act as independent data controllers with respect to any processing they perform.

Where the Services are used in a professional context by healthcare professionals or clinics, the Company may act as a data processor.

The Services are designed so that scans are only shared with a healthcare professional when the user actively chooses to share them by identifying a healthcare professional through their email address or another sharing workflow we make available.

A healthcare professional may access a scan only if:

• the user has selected that healthcare professional; and
• access has been granted through the Services.

A user may revoke a healthcare professional's access to a scan within the Services. Once revoked, that healthcare professional should no longer be able to access the scan through our healthcare professional portal.

However, if a healthcare professional has already downloaded, exported, copied, screenshotted, or otherwise retained the scan or information derived from it outside our Services, we may not be able to control or delete those copies. In such cases, the healthcare professional may act as an independent controller of that data under applicable law, and the user may need to contact the healthcare professional directly regarding records retained outside our Services.

We do not sell personal data. We do not share face data, 3D scans, scan images, scan-derived files, measurements, or scan content with advertisers, data brokers, analytics providers, or third-party artificial intelligence services.

We may share personal data only with the following categories of recipients:

A. Healthcare Professionals Selected by the User
The Services are designed so that scans are shared with a healthcare professional only when the user actively chooses to share a specific scan and provides an additional informed action or consent through the Services.

We share only the scan selected by the user and related information necessary to provide access to that scan. A healthcare professional may access a scan only if the user has selected that healthcare professional and granted access through the Services.

B. Service Providers
We may share personal data with vendors and service providers that support the operation, security, maintenance, and improvement of the Services, such as:

• cloud hosting and infrastructure providers;
• analytics providers;
• crash reporting and diagnostics providers;
• security and authentication providers;
• customer support tools;
• communications providers.

These service providers may handle personal data only as necessary to provide their services to us and are not permitted to use personal data for their own independent purposes.

With respect to scan data and face data specifically, third-party cloud hosting and infrastructure providers are used only to host, store, and transmit encrypted scan data as part of the technical infrastructure of the Services.

We do not authorize these providers to view, analyze, modify, use, sell, disclose, or otherwise handle user scan data or face data for their own purposes, including advertising, profiling, analytics, artificial intelligence model training, or product improvement.

We do not share face data, 3D scans, scan images, scan-derived files, measurements, or scan content with analytics providers, crash reporting and diagnostics providers, customer support tools, communications providers, advertisers, data brokers, or third-party artificial intelligence services.

C. Sign-In and Authentication Providers
If a user chooses to sign in using Apple or Google, the relevant sign-in provider may handle authentication-related information necessary to authenticate the user.

We do not share face data, 3D scans, scan images, scan-derived files, measurements, or scan content with Apple or Google for sign-in purposes.

D. Legal and Compliance Recipients
We may disclose personal data if required by applicable law, regulation, legal process, or enforceable governmental request, or where necessary to establish, exercise, or defend legal claims or protect the rights, safety, and security of users, healthcare professionals, the Company, or others.

E. Corporate Transaction Recipients
We may disclose personal data in connection with a merger, acquisition, financing, asset sale, reorganization, bankruptcy, or similar transaction, subject to appropriate safeguards.

Because we operate worldwide, personal data may be processed in countries outside the country where you live, including outside the European Economic Area, the United Kingdom, or Switzerland.

Where required by law, we use appropriate safeguards for international transfers, such as adequacy decisions, Standard Contractual Clauses, or other lawful transfer mechanisms.

We use reasonable and appropriate technical and organisational measures designed to protect personal data, including measures intended to reduce the risk of unauthorized access, disclosure, alteration, or destruction.

Such measures may include, where appropriate:

• encryption in transit;
• encryption at rest;
• role-based access controls;
• access logging;
• authentication and session controls;
• infrastructure and environment security controls.

No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

We retain personal data only for as long as necessary for the purposes described in this Privacy Policy, including to provide the Services, comply with legal obligations, resolve disputes, maintain security, and enforce our agreements.

In general:

• account data is retained while the user's account remains active and for a reasonable period thereafter as necessary for legal, security, and operational purposes;
• scan data, including face data, is retained only until the user deletes the relevant scan or deletes the user account, unless longer retention is required by applicable law;
• when a user deletes a scan, the scan and associated face data are immediately and permanently deleted from Company servers and cannot be restored through the Services;
• logs, analytics, diagnostics, and security data are retained for limited periods appropriate to their purpose and do not include user scan content unless necessary to investigate a security incident or comply with legal obligations.

We do not retain face data indefinitely.

We may also retain certain data longer where required or permitted by applicable law.

Depending on your location, you may have rights regarding your personal data, including the right to:

• access personal data;
• correct inaccurate personal data;
• request deletion of personal data;
• restrict certain processing;
• object to certain processing;
• withdraw consent;
• receive a portable copy of certain personal data;
• lodge a complaint with a supervisory authority.

If you would like to exercise any of your rights, please contact us at support@ava3d.app.

We use analytics, diagnostics, and crash-reporting tools to understand how the Services are used, improve performance, identify technical issues, and maintain security and reliability.

These tools may collect identifiers, device data, usage data, and event data. These tools do not receive face data, 3D scans, scan images, scan-derived files, measurements, or scan content.

Where required by law, we will obtain consent before using non-essential tracking technologies or similar tools.

Our mobile app and healthcare professional portal may use cookies, software development kits, local storage, pixels, and similar technologies for authentication, security, preferences, analytics, and functionality.

Where legally required, we will provide notice and obtain consent for non-essential technologies.

Healthcare professionals who receive scans through the Services may have independent legal obligations regarding any medical, clinical, or professional records they create, retain, download, or export.

This Privacy Policy describes our processing as the operator of the Services. It does not fully govern the independent privacy or professional obligations of healthcare professionals.

We do not send user face data, 3D scans, scan images, scan-derived files, measurements, or any other scan content to any third-party artificial intelligence service.

The Services do not use third-party AI services to analyze, process, generate, transform, evaluate, or train on user face data or scan content.

We do not use user face data, 3D scans, or scan content to train artificial intelligence or machine learning models.

We may update this Privacy Policy from time to time. If we make material changes, we will provide notice as required by law, such as by updating the "Last Updated" date, posting a notice in the Services, or otherwise notifying users.

If you have questions about this Privacy Policy or our data practices, contact us at:

Aesthetic Vision Inc.
support@ava3d.app