TNB Skin Retail

Privacy Policy

Effective date: September 25, 2025

Entity: KEYNETAI LIMITED (Irish registered company) t/a TNB SKIN RETAIL ("TNB", "we", "us", "our")

Contact: privacy@keynetai.com

Hosting location: European Union (Ireland, AWS EU-West)

This Privacy Policy describes how TNB processes personal data when providing our software-as-a-service platform, white-label widgets, and APIs to clinics / retailers and aesthetic practices (the "Services"). It covers personal data processed when a clinic / retailer embeds our chat assistant on its website, and personal data processed for clinic / retailer customer admins who use our console. This policy does not apply to the TNB Skincare consumer app, which has its own privacy policy.

Controller vs Processor (Scope & Roles)

For clinic / retailer website visitors' data processed through a clinic / retailer's white-label experience, the clinic / retailer is the controller and TNB is the processor (Art. 28 GDPR). We act solely on the clinic / retailer's documented instructions.

For TNB customer admin/billing/support and visitors to tnbskinretail.com, TNB acts as controller.

Clinics / retailers are responsible for providing their own privacy notices to their visitors/patients and for obtaining any required consents. Our Data Processing Addendum (DPA) forms part of the SaaS agreement.

1) What we process and why

A. Processor role (on behalf of clinics / retailers)

Categories (processed under the clinic / retailer's instructions):

End-User Content Data: Chat messages and any information a visitor chooses to share during the conversation (e.g., skincare goals, preferences, or questions).

Lead/Contact Data: Name, email/phone and messages when a visitor submits an enquiry for a clinic / retailer; preferred contact time; country/region.

Consent & Preference Records: Timestamps, consent flags, version of consent text shown, opt-in/opt-out preferences.

Technical/Security Data: Timestamps, device/browser type, IP-derived region, session identifiers, event/audit logs necessary to operate, secure, and troubleshoot the clinic / retailer's instance.

Derived/Output Data: AI-generated responses, routing tags, and conversation metadata produced from chat messages (e.g., topic categories, suggested next steps).

Integration Data: Data exchanged with systems configured by the clinic / retailer (e.g., CRM/EMR/marketing tools).

Purposes (under clinic / retailer instructions):

  • Provide the chat experience and respond to visitor questions; present responses to the visitor.
  • Capture and route leads/consultation requests to the clinic / retailer.
  • Apply clinic / retailer branding/configuration; maintain availability, security, support, and auditability.
  • Integrate with clinic / retailer systems as configured.

Legal bases:

The clinic / retailer (controller) determines the lawful basis (commonly consent; contract or legitimate interests for responding to enquiries and providing the chat experience). Where special-category data may be implicated (e.g., health information shared in chat), clinics / retailers ensure an appropriate Art. 9 GDPR basis (often explicit consent under Art. 9(2)(a)). TNB processes solely on the clinic / retailer's instructions and the DPA.

Important clarifications:

  • No biometric identification. We do not use chat content to identify a person or to build identification databases.
  • Non-diagnostic use. Outputs are informational support only (see Medical Disclaimer).

B. Controller role (TNB's own operations)

Categories:

Customer Admin/Account Data: Clinic staff name, work email, role, authentication and audit logs, preferences, timezone.

Billing/Contract Data: Invoicing contact, billing address, VAT number, plan details (payment tokens handled by PCI-compliant providers).

Support & Communications: Tickets, email threads, optional call recordings.

Service Analytics (minimised/pseudonymised where feasible): Performance, reliability, and security telemetry for operating and improving the Services.

Purposes & legal bases:

  • Provide, secure, and improve the Services (Art. 6(1)(b) contract; Art. 6(1)(f) legitimate interests; analytics minimised/pseudonymised and subject to a documented legitimate-interests balancing test).
  • Billing & compliance (Art. 6(1)(c) legal obligation; Art. 6(1)(b) contract).
  • B2B communications/marketing to admins (Art. 6(1)(f) or consent Art. 6(1)(a) where required). You can object/opt out at any time.

2) Retention

Processor role (clinic / retailer visitor data)

TNB retains End-User Content & Lead Data only for as long as the clinic / retailer (controller) keeps it. We will retain and process such data until the clinic / retailer deletes it or instructs us to delete it, or until the Services terminate (see "Return/Deletion upon termination"). TNB does not impose an independent retention period or automatic deletion schedule for clinic / retailer data. Upon receiving a clinic / retailer's deletion instruction, TNB will implement it without undue delay.

Backups. Deletions propagate to active systems promptly. Point-in-time backups and disaster-recovery copies (encrypted, access-restricted) may persist for up to 90 days and are then cycled out; backup data is not returned to active use except for incident recovery, after which deletions are re-applied.

Controller role (TNB admin/billing/support)

  • Account, contract, and billing records are kept for the term of the agreement and as required by law (typically up to 7 years after the relevant financial year).
  • Service/security logs are typically retained for 12 months unless required longer for security/legal reasons.
  • Marketing preferences are retained until you opt out, after which a suppression record is kept solely to honour your choice.

3) Children / Age

The chat assistant is not directed to individuals under 18. Clinics / retailers must implement 18+ age-gating and any consents required by local law.

Reporting under-18 data: If you believe data relating to an individual under 18 has been processed, please notify the clinic / retailer or privacy@keynetai.com with details (date/time, clinic / retailer, any identifiers). Upon clinic / retailer instruction or credible notice, TNB will investigate and delete the data within 10 days, subject to security and legal constraints.

4) Security

We maintain appropriate administrative, technical, and organisational measures, including:

  • Encryption in transit and at rest;
  • Role-based access, MFA, least-privilege, audit logging;
  • Network segregation, secret management;
  • Secure SDLC, code review, vulnerability scanning; independent penetration testing at least annually;
  • Vendor due-diligence reviewed at onboarding and at least annually thereafter (including DPAs/SCCs and security posture);
  • Backups/DR; staff confidentiality and security training.

We will notify affected Customers without undue delay and, where feasible, within 72 hours after becoming aware of a personal data breach affecting Customer Personal Data, and will provide the information and co-operation required by GDPR/UK-GDPR. Note that the 72-hour period in Art. 33(1) GDPR is the controller's own deadline for notifying the supervisory authority and runs from when the controller becomes aware; a processor's duty under Art. 33(2) is to notify the controller without undue delay, which is what allows the clinic / retailer to meet its deadline.

5) International transfers & sub-processors

We host Customer Personal Data in the EU (Ireland). We engage vetted sub-processors (e.g., cloud hosting, email delivery, observability). Where support or a sub-processor involves processing outside the EEA/UK, we apply appropriate transfer safeguards (EU Standard Contractual Clauses/UK IDTA) plus supplementary measures and documented TIAs. We maintain a current sub-processor list and provide notice of material changes as set out in the DPA.

6) Do we train AI on Customer Data?

No, by default. TNB does not use Customer Personal Data (including visitor chat content) to train or retrain models unless a clinic / retailer opts in to a separate Model Improvement Program with appropriate consent, de-identification, and governance. We may use aggregated, de-identified telemetry to maintain and secure the Services (Art. 6(1)(f) GDPR).

7) Cookies (short statement)

We use essential cookies to operate the chat assistant and admin console securely (e.g., session, fraud prevention). With consent where required, we may use privacy-friendly analytics on our own site/console to improve reliability. TNB's clinic / retailer widgets use only storage that is strictly necessary unless a clinic / retailer enables optional analytics with appropriate consent tooling. See our Cookie Policy for details and controls.

8) Data subject rights

Clinic / retailer website visitors: Please contact your clinic / retailer (controller) to exercise your rights (access, rectification, deletion, etc.). TNB supports the clinic / retailer in responding.

TNB customer admins/tnbskinretail.com visitors: Contact privacy@keynetai.com to exercise your rights under GDPR/UK-GDPR.

Timelines: We will acknowledge your request within 7 working days and provide a substantive response within one month of receipt (extendable as permitted by law for complex requests). We may need to verify your identity before acting. You may also lodge a complaint with the Data Protection Commission (Ireland) or your local supervisory authority.

Where processing relies on consent, you may withdraw consent at any time (this does not affect prior lawful processing).

9) Marketing (B2B)

We may send service notices and administrative emails to customer admins. For B2B marketing, we rely on legitimate interests or consent where required. You can opt out at any time via the link in our emails or by contacting privacy@keynetai.com. We do not market to clinic / retailer end-users through the widgets.

10) Medical & use disclaimer

The Services are non-diagnostic informational and decision-support tools. They are not intended to diagnose, treat, cure, or prevent any disease, and should not be used to make medical decisions. Clinical judgement remains with qualified professionals. Clinics / retailers are responsible for appropriate disclosures and consent.

11) Changes to this Policy

We may update this Policy from time to time. Material changes (those that significantly affect how we process personal data or your rights) will be notified at least 30 days in advance to Customer admins (e.g., email and/or console banner), and the updated Policy will be published with a revised effective date. Continued use of the Services after the effective date constitutes acceptance.

12) How to contact us

Email: privacy@keynetai.com
Location: KEYNETAI LIMITED t/a TNB SKIN RETAIL, Cork, Ireland

13) Key commitments reflected in our DPA (summary)

  • 72-hour breach notice: Notify without undue delay and, where feasible, within 72 hours.
  • Return/Deletion upon termination: On written instruction, return Customer Personal Data and delete remaining copies from active systems within 30 days, unless retention is legally required (then data is securely isolated). Encrypted backup and disaster-recovery copies cycle out within the 90-day window described in Section 2. Requests: privacy@keynetai.com.
  • Data locality: Host Customer Personal Data in the EU (Ireland); apply SCCs/IDTA and TIAs for any necessary non-EU/UK access.
  • No training on Customer Data (unless opt-in): Training/re-training only under a separate, consented opt-in program with strict controls.

Version 1.0.0 • Published September 25, 2025

© 2025 TNB Skin Retail, KeynetAI Ltd. An Irish Registered Company.

Designed & Developed in Cork, Ireland, EU