Privacy Policy

Effective Date: 11 July 2025

Version 1.3 | Last Updated: 11 June 2026

1. Introduction and Scope

PixioDoc includes a mobile application, a paid-plan web application, and the pixiodoc.com marketing website. Together, these tools help healthcare professionals capture, organize, and compare patient progress photos securely.

We are committed to protecting your privacy and handling your personal and medical information in line with applicable data protection laws.

PixioDoc is operated by LM TECH LABS, LDA, a company incorporated in Portugal (NIPC: 519341023), with registered office at Estrada Nacional 221 - Poente, 54, 5225-104 Sendim, Portugal.

This Privacy Policy describes how we process personal data when you use our apps, website, and related services.

Geographic Scope: This policy applies to users where our services are available.

Relationship to Terms: This Privacy Policy should be read in conjunction with our Terms & Conditions, which govern your use of PixioDoc. In the event of a conflict between this Privacy Policy and the Terms & Conditions, the Terms & Conditions shall prevail.

Policy scope: This Policy describes our current data practices and is provided for transparency. Service features, limits, retention periods, and support processes may change as set out in our Terms & Conditions. Security and operational descriptions reflect measures we generally apply; they are not warranties or guaranteed service levels unless separately agreed in writing.

2. Roles and Key Terms

LM TECH LABS, LDA acts as Data Controller for account, billing, support, and usage data. For patient content you upload, you are the Data Controller and we act as Data Processor. Capitalised terms not defined here have the meaning given in applicable law or our Terms & Conditions.

3. Information We Collect

3.1 Personal Information

We collect personal information that you provide directly to us:

  • Account Information: Name, email address, password (encrypted)
  • Profile Information: Profile photo (optional), professional bio
  • Billing Information: Handled by RevenueCat - we do NOT store credit card numbers or payment details

3.2 Patient and Clinical Content

Content you upload may include patient identifiers, clinical notes, medical images and videos, annotations, and related metadata. Plan limits are described in our Terms & Conditions.

3.3 Technical Data

We also collect device, connection, usage, diagnostic, and authentication data needed to operate and secure the Service.

3.5 Website and prospect data

When you interact with the pixiodoc.com marketing website, we may collect:

  • Teams contact form: Name, email, practice details, and message submitted via the Teams plan contact modal
  • Analytics: Usage data collected via Google Analytics where you have consented to non-essential cookies

3.4 Storage Location

Primary clinical data is hosted in the EU/EEA. Limited data may be processed elsewhere by sub-processors (Section 7), subject to appropriate safeguards.

4. How We Use Information

We use information to provide and operate the Service, authenticate users, process subscriptions, support users, send service communications, maintain security, comply with law, and improve the Service (including through anonymized, aggregated usage data where permitted).

Depending on context, we rely on one or more of: performance of a contract, consent (including for special-category health data where required), legal obligation, vital interests, and legitimate interests (such as security and service improvement), balanced against your rights.

If you practise in the United States, you remain responsible for HIPAA and other applicable obligations toward your patients. PixioDoc does not act as a HIPAA Business Associate and does not sign Business Associate Agreements.

6. Security

We use technical and organisational measures appropriate to the risk. We encrypt personal data in transit and at rest, and apply further measures that may include access controls, authentication, activity logging, and monitoring. Details of specific features are described in our Terms & Conditions. No method of transmission or storage is completely secure.

If we become aware of a personal data breach likely to affect your rights, we will assess it and, where required by applicable law, notify supervisory authorities and affected users without undue delay.

7. Sharing and Sub-processors

We do not sell personal or patient data. We may disclose information: (a) to healthcare professionals you authorise through the Service; (b) to sub-processors that help us operate the Service, under contract; (c) where required by law; or (d) to protect rights, safety, or the security of the Service.

Current sub-processors include hosting and database (Supabase, EU), payments (RevenueCat), push notifications (Firebase), and transactional email (ZeptoMail). For the marketing website, we also use Netlify (Teams contact form submissions), and Google Analytics (website analytics, consent-gated where required). A more detailed list is in our DPA.

Our standard practice is not to use patient data for advertising or to train AI models on identifiable patient data. We may use anonymized, aggregated usage data to improve the Service. Authorised personnel may access Content where reasonably necessary to operate the Service, respond to your requests, comply with law, or investigate suspected misuse of the Service, without advance notice where appropriate.

8. International Transfers

Where personal data is transferred outside the EU/EEA or UK, we use appropriate safeguards such as Standard Contractual Clauses or other mechanisms recognised by applicable law.

Our online Data Processing Agreement applies when you use the Service and is available at /dpa. A counter-signed copy is available only to Teams plan subscribers — contact support@pixiodoc.com.

9. Retention

We retain data while your account is active and for periods needed for backups, legal obligations, dispute resolution, and security. When you delete your account, your data enters a 30-day grace period during which it may still be recoverable by contacting support; after that period, deletion becomes permanent and irreversible. Deleted content may remain in backups for a limited period before permanent removal. What happens to your data when a subscription changes is described in our Terms & Conditions. You are responsible for exporting data you wish to keep before deleting your account.

10. Your Rights

Where applicable law grants them, you may have rights to access, rectify, erase, restrict, object to, or port your personal data, and to withdraw consent. Contact support@pixiodoc.com to exercise these rights. You may also lodge a complaint with a supervisory authority.

Export: Metadata may be exported via Profile → Privacy & Security → Export Data where available. Photo and video files are generally not included; request them at support@pixiodoc.com. We will respond within a reasonable period, subject to verification and operational constraints.

11. Children

The Service is not intended for individuals under 18. If you believe a child has provided us personal information, contact support@pixiodoc.com.

12. Cookies

Our website and app may use essential cookies and similar technologies for authentication, security, and core functionality. The marketing website uses Google Analytics, a non-essential analytics cookie, to understand how visitors use pixiodoc.com. Google Analytics is subject to your consent where required by law.

13. Changes to This Policy

We may update this Policy from time to time. Where practicable, we aim to provide notice of material changes. Continued use after the effective date constitutes acceptance unless applicable law requires otherwise.

14. Contact

If you have any questions about this Privacy Policy, our privacy practices, or wish to exercise your privacy rights, please contact us:

PixioDoc Privacy Team
LM TECH LABS, LDA
NIPC: 519341023
Estrada Nacional 221 - Poente, 54
5225-104 Sendim, Portugal
General Support: support@pixiodoc.com
We aim to respond to privacy and support requests within a reasonable period.

Supervisory Authorities (for complaints):
• Swiss users: Swiss Federal Data Protection and Information Commissioner (FDPIC)
• EU users: You may contact your national data protection authority, and in particular the Comissão Nacional de Proteção de Dados (CNPD) in Portugal (www.cnpd.pt), where LM TECH LABS, LDA is established.

Related Legal Documents: