LUXXERA PRIVACY NOTICE
Last updated: May 2026
This Privacy Notice (Notice) explains how Luxxera Limited (trading as Luxxera, or we, us, our) processes personal data about individuals in connection with their use of the Luxxera website and online platform (together Platform), including when you create or use an account, make enquiries, communicate with Clinics, or otherwise interact with us.
The Platform is a technology service that enables individuals (Clients) to connect with independent clinics (Clinics) providing cosmetic treatments. Luxxera does not provide medical services, clinical advice, or consultations and does not make decisions about Clinic Services (as defined below), or your suitability for them.
This Notice should be read together with the Client Terms, which give additional context about how the Platform works. This Notice tells you:
- WHO ARE WE?
- WHO ARE YOU?
- WHAT DATA DO WE COLLECT?
- LEGAL BASES FOR PROCESSING YOUR DATA
- HOW LUXXERA AND CLINICS USE YOUR DATA
- HEALTH-RELATED INFORMATION (SPECIAL CATEGORY DATA)
- AUTOMATED DECISION MAKING
- HOW DO WE PROTECT YOUR DATA?
- HOW LONG DO WE KEEP YOUR DATA?
- CHILDREN'S DATA
- DATA ACCURACY AND MINIMIZATION
- DATA LIMITATION AND PURPOSE RESTRICTION
- YOUR DATA PROTECTION RIGHTS
- CONTACT US OR MAKE A COMPLAINT
- UPDATES TO THIS NOTICE
- INTERNATIONAL DATA TRANSFERS
- THIRD-PARTY SERVICE PROVIDERS, SUBPROCESSORS
- ANNEX A – SUBPROCESSORS
- ANNEX B – PLATFORM SECURITY MEASURES
1. WHO ARE WE?
Luxxera Limited is the Data Controller responsible for processing your data in connection with the operation of the Platform.
Your data means information about you that identifies you or relates to you and that we process through your use of the Platform.
- Luxxera acts solely as the provider of the Platform (which includes the Luxxera website and related functionality).
- Clinics operate independently of Luxxera and are responsible for their own professional services and related data processing.
Luxxera's full company details are:
- Legal entity name: Luxxera Limited
- Company registration number: 15950374
- Registered office: C/O Founders Law Limited Hamilton House 1 Temple Avenue, London EC4Y 0HA, United Kingdom
- Contact email: fh@luxxera.com
You can contact us at the above address if you have any questions about this Notice, or if you would like to exercise any of your rights under data protection law including the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR) and the Data Protection Act 2018 (together, Data Protection Laws), as well as applicable electronic communications and privacy laws, including the Privacy and Electronic Communications Regulations 2003 (PECR), EU ePrivacy laws and equivalent laws in relevant jurisdictions.
2. WHO ARE YOU?
In this Notice, when we refer to you or your, we mean an individual whose data we process in connection with the Platform.
This includes:
- Clients and potential Clients, who browse the Platform, create an account, submit enquiries, or communicate with Clinics through the Platform
- Website visitors, who visit or interact with our website
- Marketing contacts, where you have chosen to receive updates or communications from us; and
- Other individuals who contact us, for example by email or through support channels.
This Notice is written primarily for Clients using the Platform in a personal (consumer) capacity.
3. WHAT DATA DO WE COLLECT?
We may collect, use, store and transfer different kinds of your data, including:
- Account and identity information, such as your name, email address, phone number and login credentials, where you register for or use the Platform.
- Communications, support and technical assistance information, such as:
  - information we provide you about the Platform and Services, for example updates or new features relevant to your continued use of the Platform and Services
  - call transcription during a consultation. Transcription data is processed only where you have given consent for that consultation and in accordance with the Clinic's instructions (see paragraph 5 below)
  - enquiries and correspondence you send through the Platform or when contacting our support team for support and technical assistance
  - SMS messages we send you, such as appointment reminders, appointment confirmations and account-related alerts; details are set out in Annex A under the header Twilio.
Where required by applicable Data Protection Laws and electronic communications laws (as described in paragraph 1 of this Notice), we will ask for your explicit consent before sending SMS messages. You may withdraw your consent at any time.
- Platform usage and technical information, such as IP address, browser type, device information, login times, and pages visited, collected to operate, maintain, and secure the Platform.
- Information you choose to share with Clinics via the Platform, including messages, images, or other information relevant to your enquiry or Booking.
- Marketing information, where we send you information about Luxxera or new services via your account. We will only send marketing communications where we have your consent, where applicable law requires it, and you can opt out at any time by updating your communication preferences within your account settings.
We do not intentionally collect or maintain full medical records, diagnoses, or treatment outcomes, nor does Luxxera determine what information is required for medical purposes, or review, analyse, or make decisions based on such information. Any information you add to your account is stored only to operate the Platform and make it available to you and, where applicable, to Clinics you choose to engage with through the Platform.
Clinics operate independently of Luxxera and are responsible for collecting, using, and maintaining your medical information as part of providing Clinic Services, in accordance with their own professional obligations and privacy policies.
We may also use aggregated and anonymized information (AAI), such as statistical or demographic data, to help us operate, understand, and improve the Platform. Aggregated and anonymized information means data that does not identify you, either directly or indirectly. Although this information may be created from your data, it is not treated as personal data under Data Protection Law because you cannot be identified from it. This means this Notice does not apply to our use of AAI. For example, we may combine anonymized information about how you and many other Clients interact with different features of the Platform to understand usage trends.
If we ever combine aggregated information with your data in a way that could identify you, we treat that combined information as personal data and process it in accordance with Data Protection Laws and this Notice.
4. LEGAL BASES FOR PROCESSING DATA
We process your data only where we have a lawful basis to do so under applicable Data Protection Law. Depending on how you interact with the Platform, we rely on one or more of the following legal bases:
- Performance of a contract, where processing is necessary to provide access to the Platform, manage accounts, and enable Bookings and communications
- Legitimate interests, where processing is necessary for the operation, security and improvement of the Platform, provided those interests are not overridden by your rights and freedoms
- Legal obligation, where processing is required to comply with applicable laws or regulatory requirements; and
- Consent, where required by law, such as where you choose to receive marketing communications from us or where we set non-essential cookies on your device. You may withdraw your consent at any time.
5. HOW LUXXERA AND CLINICS USE YOUR DATA
Luxxera provides the Platform and technology that allows Clients and Clinics to communicate and share information. Luxxera does not rely on your consent as the legal basis for running the Platform or for passing information between you and a Clinic. Instead, Luxxera processes information only to operate the Platform, enable messages and calls, and provide technical features in line with its contractual obligations and legitimate interests.
Clinics operate independently from Luxxera and are responsible for how they use your data when providing Clinic Services. This includes any information you choose to share with a Clinic through the Platform, and, where enabled, call transcripts created during consultations.
If a Clinic enables call transcription, the Clinic is responsible for explaining why transcription is used and for ensuring there is a valid legal basis to process that information. Transcription will only take place if you agree to it for the specific consultation. Luxxera does not decide when calls are transcribed or how transcripts are used and processes transcription data only on the Clinic's instructions as part of providing the Platform.
6. HEALTH-RELATED INFORMATION (SPECIAL CATEGORY DATA)
The Platform enables you to communicate directly with Clinics. As part of this process, you may choose to share your data relating to your health. Health-related information is treated as special category data (SCD) under Data Protection Law.
Luxxera does not provide consultations, medical advice, or clinical assessments and does not review, analyse, or make decisions about health-related information. Luxxera's role is limited to providing the Platform that enables information to be transmitted securely between Clients and Clinics.
Clinics act as independent Data Controllers in respect of health-related information. Clinics are responsible for determining what health-related information you need to give them, identifying an appropriate lawful basis under Article 9 UK GDPR for processing that information, and providing their own privacy notice to you. The relevant Clinic's privacy notice will also apply if you choose to provide your data, including health-related information, directly to a Clinic outside of the Platform (for example by email, telephone, or in person).
7. AUTOMATED DECISION MAKING (ADM)
We may use automated tools as part of operating and improving the Platform, for example, to support basic Platform functionality, security monitoring, or service analytics.
However, Luxxera does not use your data to make decisions that are based solely on automated processing which produce legal effects concerning you or similarly significantly affect you, within the meaning of applicable Data Protection Laws.
Luxxera does not use ADM or profiling, behavioural analysis, or automated evaluation, to assess your medical suitability, make treatment decisions, or determine access to Clinic Services.
If we introduce ADM in the future that has legal or similarly significant effects on you, we will:
- update this Notice; and
- provide you with clear information about the logic involved, the significance of the processing, and your rights.
8. HOW DO WE PROTECT YOUR DATA?
We are committed to protecting your data and take appropriate technical and organizational measures to safeguard it.
These measures include:
- access controls and role-based permissions;
- encryption and secure storage of your data; and
- internal policies designed to minimize the risk of unauthorized access, disclosure, or loss,
as set out in Annexes A and B.
Luxxera does not routinely access or review the content of your account as part of ordinary Platform operations. We will only access account information in limited circumstances, such as where you contact us for support and technical assistance so that we can help resolve an issue, where a Client or Clinic reports a concern, where access is required by law, or where it is necessary to prevent harm, misuse or abuse and to protect the Platform and its users.
No system is completely secure; however, we take reasonable steps to protect your data in line with applicable Data Protection Laws.
9. HOW LONG DO WE KEEP YOUR DATA?
We keep your data only for as long as is necessary to fulfil the purposes described in this Notice, including operating the Platform, complying with our legal obligations, and resolving disputes.
Your data associated with your account will generally be retained for as long as your account remains active. Where you close your account, we will retain your data only to the extent necessary to:
- comply with legal, regulatory, or accounting requirements
- maintain records relating to transactions or payments
- establish, exercise, or defend legal claims; or
- ensure the security and integrity of the Platform.
Technical and usage data may be retained for shorter periods, unless required for security, fraud prevention, or compliance purposes.
Where your data is no longer required, it is securely deleted or anonymized in accordance with our retention policies.
Retention periods may vary depending on the nature of the data and the purpose for which it is processed. Further information about retention can be obtained by contacting us using the details set out below.
10. CHILDREN'S DATA
The Platform is intended for use by individuals aged 18 and over. Luxxera does not knowingly collect personal data from children.
If we become aware that personal data relating to a child has been submitted or processed through the Platform, we will take appropriate steps to review and delete that information.
11. DATA ACCURACY AND MINIMIZATION
We take reasonable steps to ensure that the personal data we hold about you is accurate and kept up to date.
You are responsible for ensuring that your data is accurate, complete, and kept up to date. You may update certain information through your account or by contacting us.
Luxxera processes your data only to the extent necessary to operate and secure the Platform, enable communications and Bookings, and comply with applicable legal obligations.
We do not require Clients to provide health-related information in order to browse the Platform, and any such information is shared at the Client's discretion for the purpose of communicating with a chosen Clinic.
12. DATA LIMITATION AND PURPOSE RESTRICTION
Personal data is not repurposed for advertising, analytics, or decision making unrelated to the operation of the Platform. We do not review, interpret, or assess the content of Client-to-Clinic communications and do not use such content to influence outcomes, recommendations, or access to any services.
This means:
- Luxxera's use of your data is limited to technical and administrative purposes; and
- Clinics remain solely responsible for any assessment, suitability, or clinical decisions.
13. YOUR DATA PROTECTION RIGHTS
You have rights under Data Protection Laws that give you control over how your data is used when you use the Platform. These rights apply to your data that Luxxera processes in connection with operating the Platform.
Access your information
You can ask us for a copy of the data we hold about you in connection with your use of the Platform, such as your account details or communications handled through the Platform. You might want to do this if you want to understand what information Luxxera processes.
Correct your information
If any of your data that we hold about you for Platform purposes is inaccurate or incomplete, you can ask us to correct it. This right applies to information such as your account details.
If you want to correct information you have provided to a Clinic for medical or consultation purposes, you should contact the Clinic directly, as Luxxera does not control that information.
Delete your information
In certain circumstances, you can ask us to delete your data, for example where it is no longer needed to operate the Platform or where you have closed your account.
This does not automatically delete your data held by Clinics as part of Clinic Services. To request deletion of your clinical or health-related information, you need to contact the relevant Clinic.
Restrict how we use your information
You can ask us to temporarily limit how we use your data while a concern is being reviewed, such as if you are checking the accuracy of your data. This applies only to your data processed by Luxxera for Platform purposes.
Object to certain uses
Where we rely on legitimate interests to operate the Platform, you can object to this processing if you believe your particular situation means it should stop. We will consider your request and respond in line with Data Protection Laws.
Take your data with you
In some cases, you can ask us to provide your data that you have given to us in a structured commonly used format so that you can transfer it to another service. This applies only to data you have provided to Luxxera via the Platform.
Withdraw consent
Luxxera does not rely on consent to operate the Platform or to enable communications between Clients and Clinics.
Where you have given consent to a Clinic for specific activities, such as call transcription during a consultation, you can withdraw that consent directly with the Clinic. Withdrawing consent will not affect anything that was lawfully done before it was withdrawn.
Consent relating to cookies and similar technologies used on the Platform is managed separately and is governed by our Cookie Notice (see the Cookies & Tracking section of Annex A).
How to exercise your rights
If you would like to exercise any of these rights, you can contact us using the details set out in paragraph 14 below.
We may need to verify your identity before responding, to protect your data. Requests are normally handled free of charge, although we may charge a reasonable fee or refuse a request if it is clearly unfounded, repetitive, or excessive.
14. CONTACT US OR MAKE A COMPLAINT
If you have any questions about this Notice or about how Luxxera processes your data, you can contact us using the contact details set out in paragraph 1 above.
If you have a concern or complaint about the way your data has been handled, we encourage you to contact us first so that we have the opportunity to address your concern.
You also have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK data protection regulator. Further information is available at www.ico.org.uk.
15. UPDATES TO THIS NOTICE
We may update this Notice from time to time to reflect changes in how the Platform operates, changes in legal or regulatory requirements, or updates to our data handling practices.
Where changes are material and affect how your data is processed, we will take reasonable steps to make those changes visible before or at the time the updated processing takes place, for example by updating this Notice on the Platform or website. The date of the last update is set out at the top of this Notice.
The most recent version of this Notice will always be available on the Platform, and we encourage you to review it periodically so you remain informed about how your data is processed.
16. INTERNATIONAL DATA TRANSFERS
Your data may be transferred to, stored in, or accessed from locations outside the United Kingdom and/or the European Economic Area where this is necessary to operate the Platform or use Subprocessors.
Where we transfer your data internationally, we ensure that appropriate safeguards are in place to protect it, including (where applicable):
- transfers to countries that have been recognized as providing an adequate level of protection; or
- the use of approved contractual safeguards, such as the UK International Data Transfer Agreement or the EU Standard Contractual Clauses.
International transfers are carried out only where necessary to support the Platform's function and are limited to what is required for the operation of the Platform.
If you would like further information about international data transfers or the safeguards used, you can contact us using the details set out in paragraph 14 above.
17. THIRD-PARTY SERVICE PROVIDERS, SUBPROCESSORS
We use a limited number of Subprocessors to support the operation of the Platform, including providers of:
- hosting and infrastructure
- communications and messaging tools
- payment processing; and
- analytics and security services.
These Subprocessors act on our instructions and are permitted to process your data only for the purpose of providing services to Luxxera. They are not authorized to use your data for their own independent purposes.
Luxxera does not permit Subprocessors to analyse Client-to-Clinic communications for profiling, advertising, or automated decision making.
Further information about certain Subprocessors, including links to relevant terms and privacy notices, is provided in Annex A to this Notice. These links are provided for transparency only. Luxxera does not control the content of Subprocessor terms or their privacy notices.
ANNEX A: SUBPROCESSORS
All Subprocessors used by Luxxera:
- support the technical operation of the Platform
- act on Luxxera's instructions only; and
- do not use your data for profiling, advertising, or automated decision making,
and are listed below.
For further details about how your data is processed, please refer to the main body of this Notice.
AI
Luxxera may use limited AI-enabled tools to support technical functionality, platform performance, security monitoring, or administrative processes. These tools are not used to make automated decisions about Clients, assess medical suitability, or profile individuals. Any AI services used operate under Luxxera's instructions and are subject to appropriate safeguards.
OpenAI (API usage — pending BAA)
- Privacy Policy (API/business): https://openai.com/policies/row-privacy-policy/
- DPA: https://openai.com/policies/data-processing-addendum/
- Enterprise privacy & BAA info: https://openai.com/enterprise-privacy/
- Subprocessor list: https://openai.com/policies/sub-processor-list/
ANALYTICS
Luxxera uses analytics services to understand how the Platform is used, identify technical issues, and improve functionality and user experience. Analytics data is used in aggregated or anonymized form where possible and is not used for profiling, advertising, or automated decision making about Clients.
Google Services -- Google Analytics (GA4)
- Google Privacy Policy (covers all Google services): https://policies.google.com/privacy
- Google Analytics Terms of Service: https://marketingplatform.google.com/about/analytics/terms/us/
- "How Google uses data when you use our partners' sites or apps" (required disclosure): https://policies.google.com/technologies/partner-sites
- Google Ads Data Processing Terms (the current DPA -- supersedes the old GA Data Processing Amendment): https://business.safety.google/adsprocessorterms/
- Safeguarding your data in GA: https://support.google.com/analytics/answer/6004245
Meta Pixel
- Legal: https://www.meta.com/legal
PostHog (EU instance)
- Privacy Policy: https://posthog.com/privacy
- DPA (self-serve generator): https://posthog.com/dpa
- Terms: https://posthog.com/terms
COOKIES & TRACKING
Luxxera uses cookies and similar tracking technologies to enable core website functionality, improve performance, and enhance user experience. Consent for non-essential cookies is collected and managed through CookieYes.
Clients can manage their cookie preferences and may choose to disable or restrict cookies and similar technologies that are not strictly necessary for the provision of the Platform and Services. Information about the categories of cookies used, how preferences can be set, and how non-essential cookies can be turned off is provided in Luxxera's Cookie Notice.
CookieYes
- Privacy Policy: https://www.cookieyes.com/privacy-policy/
- DPA: https://www.cookieyes.com/dpa/
CUSTOMER RELATIONSHIP MANAGEMENT (CRM) & MARKETING
Luxxera may use CRM and marketing tools to manage user communications and, where applicable, send updates or informational messages to individuals who have opted in. These tools are not used for behavioural profiling or targeted advertising based on Client-Clinic interactions.
Zoho
- Privacy Policy: https://www.zoho.com/privacy.html | https://www.zoho.com/gdpr.html
- DPA: (pending)
EMAIL & SMS
Luxxera uses email and SMS Subprocessors to send transactional communications, such as account notifications, booking confirmations, reminders, and Platform updates. These communications are operational in nature. Marketing communications are sent only where the Client has given consent, where applicable law requires it.
Resend
- Privacy Policy: https://resend.com/legal/privacy-policy
- DPA: https://resend.com/legal/dpa
- Legal hub (incl. sub-processor list): https://resend.com/legal
Twilio Messaging Services
- Reference: https://www.twilio.com/docs/api/errors/30513
Luxxera uses Twilio to send transactional SMS messages to Clients who have opted in to receive them. These messages are used to support Platform functionality and efficient communication.
Purpose of SMS Messages
SMS messages may be sent to:
- confirm an account action
- confirm a Booking
- provide appointment reminders; or
- notify a Client of relevant Platform updates.
Luxxera does not send marketing SMS messages unless a Client has expressly consented in accordance with applicable law.
Consent to receive SMS messages
Where required by applicable Data Protection Laws and electronic communications laws (as described in paragraph 1 of this Notice), we will obtain your consent within the Platform before sending SMS messages. You may withdraw your consent at any time.
Opt-in for SMS messages
The opt-in wording shown in the Platform is: "I'd like to receive helpful SMS updates about my Booking and account, including confirmations and reminders."
Opt-out for SMS messages
You can opt out of receiving SMS messages at any time by replying "STOP" to a message or by updating your communication preferences within your account settings.
Data Shared with Twilio
To send SMS messages, Luxxera shares limited information with Twilio, such as:
- Client's phone number; and
- SMS content of the message.
SMS content does not include medical records, diagnoses, or clinical decisions.
Twilio's Role
Twilio acts as a technical communications service provider processing data on Luxxera's instructions only. Twilio is not permitted to use your data for its own purposes and does not use the content of messages for profiling or advertising.
No Automated Decision Making
Luxxera does not use SMS communications or Twilio services for automated decision making or profiling of Clients. Messages are sent based on Client actions (such as creating an account or booking an appointment) and are not subject to behavioural analysis or automated evaluation.
INFRASTRUCTURE, HOSTING, DATABASE AND STORAGE PROVIDERS
Luxxera uses infrastructure Subprocessors to host the Platform, store application data, and ensure availability, resilience, and security. This includes cloud hosting, database, and secure storage services. These Subprocessors process your data solely to support the technical operation of the Platform and under Luxxera's instructions.
AWS (App Runner, S3, CloudFront, EventBridge)
- Privacy Notice: https://aws.amazon.com/privacy/
- GDPR DPA (part of AWS Service Terms): https://aws.amazon.com/compliance/gdpr-center/
- Subprocessors: https://aws.amazon.com/compliance/sub-processors/
MongoDB Atlas
- Privacy Policy: https://www.mongodb.com/legal/privacy-policy
- Customer DPA: https://www.mongodb.com/legal/customer-data-protection-addendum
- Subprocessors: https://www.mongodb.com/legal/subprocessor-list
MESSAGING AND VIDEO SERVICES
Luxxera may use messaging or video services to support secure communication between Clients and Clinics or to enable Platform functionality. These services are not used to analyse or monitor the content of communications for profiling, advertising, or automated decision making.
Google APIs
Use of Google API Data
- Luxxera's use of Google user data (which is treated as Client personal data in Luxxera's documentation) complies with the Google API Services User Data Policy, including the Limited Use requirements.
- Google Sign-In (OAuth 2.0): Google user data accessed via Google Sign-In is limited to the Client's email address, name, and profile image. This data is used solely for account authentication and initial account setup. Google Sign-In data is not used for advertising, profiling, analytics, or any secondary purposes.
- Google Calendar Integration (Clinics only): Google Calendar data is accessed only for Clinic users who explicitly connect their calendar to the Platform. Calendar data is used solely to determine appointment availability and to avoid scheduling conflicts. Calendar event data is not displayed to Clients and is not shared with any third parties.
Luxxera does not use Google user data for advertising, profiling, or automated decision making, and does not sell or share Client data for marketing purposes.
- Security of Google API Data: Google user data accessed via Google APIs is protected using the same technical and organizational security measures described in this Notice, including encryption in transit and at rest, access controls, and role-based permissions. Google OAuth tokens and related metadata are stored securely and are accessible only to authorized server-side components.
- Retention of Google API Data: Google-sourced account data (such as name, email address, and profile image) is retained for the duration of the Client's Luxxera account. Google Calendar data and OAuth tokens are retained only for as long as a Clinic maintains an active calendar integration.
- Deletion of Google API Data: Clients may revoke Luxxera's access to their Google account at any time via their Google Account permissions page. Where access is revoked, stored OAuth tokens and associated Google Calendar data are deleted.
Clients may also delete their Luxxera account at any time, which results in the deletion of all associated personal data, including Google-sourced information, in accordance with the retention practices described in this Notice.
Google Tag Manager
- GTM Terms of Service: https://marketingplatform.google.com/about/tag-manager/terms/
- GTM Use Policy: https://marketingplatform.google.com/about/tag-manager/use-policy/
- Google Ads Data Processing Terms: https://business.safety.google/adsprocessorterms/
GetStream
- Chat, messaging and transcription services; legal hub: https://getstream.io/legal/
PAYMENT SERVICE PROVIDER (PSP)
Luxxera uses a PSP to facilitate payments, refunds, and chargebacks through the Platform. The PSP processes payment information in accordance with its own privacy notice and regulatory obligations. Luxxera does not store Clients' full payment card details and uses the PSP solely to enable secure payment functionality.
Stripe (Payment Services)
Luxxera uses Stripe Payments Europe Limited to process payments made through the Platform. Stripe acts as a payment service provider and processes payment information in accordance with its own terms and privacy notice.
Stripe Terms of Service:
Stripe Consumer Terms of Service -- https://stripe.com/legal/consumer (last updated 16 April 2026). This is the consolidated consumer-facing agreement and covers the general Consumer Terms, Link Account Terms, Link Balance Terms, Link Agentic Terms, Financial Connections Terms, Identity Terms, Sold Through Link Terms, Purchase Terms, and Buyer Services Terms. Each sub-section binds a Client only to the extent they use the corresponding feature (for example, the Link Account Terms apply only if the Client checks out via Link); the general Consumer Terms apply in all cases. Country-localized versions are published at /{country}/legal/consumer -- the EU version for our market is https://stripe.com/en-gr/legal/consumer -- and the contracting entity for each locale is listed at https://stripe.com/legal/consumer/contracting-entity (Stripe Payments Europe Ltd. for EU Clients).
Stripe Privacy Policy: https://stripe.com/gb/privacy
Stripe's terms include information about payment processing and applicable refund mechanics. These links are provided for transparency only. Luxxera does not control Stripe's terms and does not store full payment card details.
Information about Stripe's payment processing and relevant terms is also made available to Clients within the basket and checkout sections of the Platform prior to completing a payment.
Where payments are made via the Platform, Luxxera uses the PSP to:
- process payments securely; and
- manage payment transactions in accordance with applicable law.
SECURITY & CONSENT
Luxxera uses security and access control services to protect the Platform and personal data, including tools for authentication, access management, threat detection, and system monitoring. These services are used to prevent unauthorized access, detect misuse, and maintain the integrity and security of the Platform.
hCaptcha (Intuition Machines)
- Privacy Policy: https://www.hcaptcha.com/privacy
- Terms: https://www.hcaptcha.com/terms
ANNEX B: PLATFORM SECURITY MEASURES
- Personal data is logically separated by user and role.
- Trade secrets, API keys and credentials are stored using secure environment-level configurations and are never hard-coded into source code repositories.
- Access to personal data is governed by role-based access control (RBAC).
- Strict separation is maintained between development, staging and production environments.
- Dependencies and infrastructure are monitored for vulnerabilities and updates are applied in a timely manner.
- Secure authentication mechanisms are implemented for all users, including strong password requirements and, where applicable, support for third-party sign-in (such as Google Sign-In, described in Annex A).
- Session management and token-based authentication are used to prevent unauthorized access.
- All data transmitted between Clients, Luxxera's servers, Subprocessors and Clinics is encrypted in transit using HTTPS/TLS.
- Media and document uploads are stored in secured object storage with restricted access policies.
- Messaging uses GetStream, which is SOC 2, ISO 27001, HIPAA, and UK and EU GDPR-compliant.