Privacy Policy

Last updated: 10 April 2026 · Graft Counter

This Privacy Policy explains how Graft Counter (“we”, “us”, “our”) processes personal data when you use our websites, applications, and related services (the “Service”).

Graft Counter is operated from Kosovo (Republic of Kosovo).

We take privacy seriously. If you have questions, use the contact options in the Service or those indicated below.

1. Controller

The controller responsible for processing described in this Policy is Graft Counter, established in Kosovo (Republic of Kosovo). Where we appoint a data protection officer or EU representative, their details will be provided in the Service or on our website when applicable.

2. Data we process

Depending on how you use the Service, we may process:

  • Account and profile data: for example name, email address, authentication identifiers, and profile fields you enter (such as clinic name).
  • Patient-related data you enter: if you choose to store patient names, dates, or related notes in the Service, you act as the controller for that data in relation to your patients; we process it on your instructions to provide the Service.
  • Content and usage data: images you upload, session markers, counts, exports, logs, device and browser information, approximate timestamps, and security-related events.
  • Payment data: payments are handled by payment processors (for example Stripe). We typically receive limited metadata (for example subscription status, transaction IDs, last four digits where shown), not your full card number.
  • Communications: messages you send to us for support or compliance.

3. Purposes and legal bases (GDPR / UK GDPR)

Where the GDPR or UK GDPR applies, we rely on one or more of the following legal bases:

  • Performance of a contract (Art. 6(1)(b) GDPR): providing accounts, quotas, sessions, storage, and core features.
  • Legitimate interests (Art. 6(1)(f) GDPR): securing the Service, preventing abuse, improving reliability, analytics that do not require consent under ePrivacy rules where applicable, and enforcing our terms.
  • Legal obligation (Art. 6(1)(c) GDPR): tax, accounting, or regulatory duties.
  • Consent (Art. 6(1)(a) GDPR): where required for non-essential cookies or marketing, or where we ask for explicit consent for specific processing.

4. Recipients and processors

We use trusted service providers to host and operate the Service, for example:

  • Cloud database, authentication, and file storage providers (for example Supabase or comparable infrastructure).
  • Payment processors (for example Stripe).
  • Authentication providers if you sign in with a third party (for example Google OAuth).

These providers process data only on our instructions and under appropriate contractual safeguards where required.

5. International transfers

If personal data is transferred outside the European Economic Area or the UK, we implement appropriate safeguards such as Standard Contractual Clauses approved by the European Commission or equivalent mechanisms, unless another valid transfer tool applies.

6. Retention

We retain personal data only as long as necessary for the purposes described, unless a longer period is required by law. Account data is generally kept while your account is active and for a reasonable period afterwards to resolve disputes, enforce agreements, and meet legal obligations. You may request deletion subject to legal exceptions.

7. Security

We implement technical and organisational measures appropriate to the risk, including access controls and encryption in transit where supported. No system is 100% secure; you should protect your credentials and devices.

8. Your rights

Depending on your location, you may have the right to access, rectify, or erase your personal data, to restrict its processing, to data portability, to object to certain processing, and to withdraw consent where processing is consent-based. You may also lodge a complaint with a supervisory authority.

To exercise rights, contact us through the Service. We may need to verify your identity before responding.

9. Cookies and similar technologies

We use cookies or local storage as needed for authentication, security, preferences, and service functionality. Where required by law, we will obtain consent for non-essential cookies or similar technologies.

10. Children

The Service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe we have, contact us and we will take steps to delete it.

11. Changes

We may update this Privacy Policy from time to time. We will post the revised version and update the “Last updated” date. Material changes may be communicated through the Service or by email where appropriate.

12. Contact

For privacy requests, you can email us at hello@graft-counter.com, or use the contact or support options provided in the Graft Counter application or on our website. Graft Counter is operated from Kosovo.
