PRIVACY POLICY

Figaro Shield Field — iOS & iPadOS App

Apple App Store privacy notice for the Figaro Shield Field iOS / iPadOS application, its App Clip surface and the chargeback-defence and incident-pack share links it generates.

Document: Figaro Shield Field — Privacy Policy

Application: Figaro Shield Field (iOS / iPadOS) · App Clip · Chargeback Defence and Incident Pack share links

Issuing controller: ML Consulting MB · legal entity code 306991112

Version: 1.0

Effective from: 1 June 2026

Last updated: 19 May 2026

Privacy contact: support+figaroshield@mlconsulting.lt

Lead supervisory authority: Valstybinė duomenų apsaugos inspekcija (VDAI), Vilnius

Backend data residency: European Union

Distribution: Apple App Store

Subscriber profile: Business User (B2B) — salons, aesthetic clinics, medspas, multi-branch beauty groups, franchise chains

NOT MEDICAL, NOT CARD-SCHEME, NOT INSURANCE ADVICE

Figaro Shield Field is an operational evidence-capture and revenue-protection tool. It is NOT a medical device, a clinical informed-consent system, a substitute for clinical judgement, an insurance product, a payment processor, an acquirer or a card-scheme certification authority, nor is it an authority of, or endorsed by, Visa, Mastercard, American Express, Discover, JCB, UnionPay or any other card scheme or acquirer. Outputs (including Chargeback Defence Packs, Aesthetic Consent records, Insurance-Aligned Incident Packs and Repeat-Offender Risk indicators) are operational records only.

Read together with the Figaro Shield Field Terms and Conditions (Master Terms + Schedule A) published by ML Consulting MB.

AT A GLANCE

What you should know in 60 seconds.

We do not sell your personal data and we never will.

Figaro Shield Field is offline-first: Event Captures, Aesthetic Consent records, Apple Pencil signatures, before / after photographs, voice memos and audit-log entries are stored on your iPhone or iPad and synced to our EU-resident backend when connectivity returns.

The Figaro Shield Field backend is hosted in the European Union. Personal data is encrypted in transit and at rest.

We do not run advertising in the App, and we do not embed third-party advertising or tracking SDKs. The App is declared “Data Not Used to Track You” in the App Store.

Figaro Shield Field is sold exclusively under a written Order Form (Direct Channel); no App Store auto-renewable subscription is offered by default. We never see your payment-card data.

Apple Pencil-signed Aesthetic Consent records, deposit acknowledgements and similar captures are operational acknowledgements only. They are NOT Qualified or Advanced Electronic Signatures under the eIDAS Regulation (EU) 910/2014, and they are NOT a complete or sufficient informed medical consent under any national medical-consent regime.

Data captured about aesthetic procedures (including before / after photographs) is Article 9 GDPR special-category health data. The Subscribing Customer is responsible for establishing a valid Article 9(2) GDPR lawful basis (typically explicit consent) and for any national cosmetovigilance or medical-device incident-reporting obligation.

Card-scheme names and dispute frameworks (Visa Compelling Evidence 3.0, Mastercard Compelling Evidence, etc.) and booking-platform names (Treatwell, Fresha, Booksy, Phorest, Timely, Boulevard) appear in the App as descriptive layout / integration labels only. None of those card schemes, acquirers or booking platforms endorses, certifies or warrants the App or any Pack.

The Repeat-Offender Risk Engine is workspace-internal and advisory only. It must NEVER be used as the sole basis for refusing service, demanding pre-payment, forfeiting a deposit, blacklisting a client or any other material decision affecting an individual.

AI helpers (on-device CoreML product-lot OCR, on-device CoreML photo-quality check, on-device Speech / backend Whisper voice transcription, backend Claude-class Pack narrative drafts) are opt-in and off by default, never act autonomously, always retain the raw input, and stamp every AI-drafted narrative with a “Draft — review before submitting” watermark.

You can exercise the full set of EU GDPR rights at any time by writing to support+figaroshield@mlconsulting.lt. Our lead supervisory authority is the Lithuanian State Data Protection Inspectorate (VDAI) in Vilnius.

Figaro Shield Field is intended for business users only (B2B).

1. About this Privacy Policy

ML Consulting MB (“ML Consulting”, “we”, “us”, “our”) is the publisher of the Figaro Shield Field iOS / iPadOS application (the “App”), distributed through the Apple App Store. This Privacy Policy explains what personal data the App and its related surfaces — the App Clip Check-In surface used by walk-in clients at the counter, and the browser-accessible Chargeback Defence Pack and Insurance-Aligned Incident Pack share links — process when you download, install, sign in to, subscribe to, capture an Event, sign an Aesthetic Consent, generate a Chargeback Defence Pack, open an App Clip Check-In session or otherwise use the App, why we process it, the legal bases on which we rely, with whom we share it, for how long we keep it, and the rights you have under the GDPR and other applicable privacy laws.

This Policy is written to satisfy Articles 12 to 14 of Regulation (EU) 2016/679 (the “GDPR”) and the Law on Legal Protection of Personal Data of the Republic of Lithuania, which supplements the GDPR in Lithuania. It is also designed to be consistent with the App Privacy details (the App Store privacy “nutrition label”) and the Privacy Manifest (PrivacyInfo.xcprivacy) published with the Figaro Shield Field App.

Figaro Shield Field is enterprise software intended for business users (B2B) — salons, aesthetic clinics, medspas, multi-branch beauty groups and franchise chains, and the front-desk staff, practitioners, managers, owners and compliance officers they invite. Clients, patients, App Clip walk-ins and the banks, card schemes, acquirers and insurers who receive evidence packs interact with the App as third parties of the Subscribing Customer. This Policy should be read together with the Figaro Shield Field Terms and Conditions (Master Terms + Schedule A) and, where ML Consulting acts as processor, the Master Data Processing Agreement (“Master DPA”) concluded with the Subscribing Customer.

1.1 Read first — what Figaro Shield Field is not

NOT MEDICAL, NOT CARD-SCHEME, NOT INSURANCE

Aesthetic procedures (including Botox, hyaluronic-acid fillers, laser, IPL, microneedling and similar) are regulated medical procedures in many jurisdictions. Figaro Shield Field is NOT a substitute for compliance with informed-consent requirements, for clinical judgement or for the regulation of qualified practitioners. An Aesthetic Consent record in the App does not, by itself, satisfy any national medical, dental, dermatological, surgical or cosmetic-procedure consent regime.

Figaro Shield Field is NOT a payment processor, NOT a card scheme and NOT a chargeback adjudicator. References in the App to Visa, Mastercard, American Express, Discover, JCB, UnionPay, Visa Compelling Evidence 3.0, Mastercard Compelling Evidence or any other card scheme or dispute framework are descriptive layout labels only.

Figaro Shield Field is NOT an insurer, NOT a broker and NOT a claims adjuster. Insurance-Aligned Incident Packs are operational records only.

Booking-platform names (Treatwell, Fresha, Booksy, Phorest, Timely, Boulevard) appear in the App as descriptive integration labels only. None of those platforms endorses, certifies or warrants the App.

2. Controller identification

We are the data controller for the processing described as “we act as controller” in section 4 of this Policy. Our identification details are set out below.

Legal name: ML Consulting MB

Legal form: Mažoji bendrija (small partnership) governed by the law of the Republic of Lithuania

Legal entity code: 306991112 (Centre of Registers of the Republic of Lithuania)

Website: https://mlconsulting.lt

Privacy contact: support+figaroshield@mlconsulting.lt

ML Consulting MB has not designated a Data Protection Officer because its current processing does not meet the criteria in Article 37(1) GDPR. The privacy contact above handles all data-protection enquiries. If our processing activities change such that a DPO becomes mandatory, we will appoint one and publish their contact details in this Policy.

Our lead supervisory authority for the purposes of the GDPR’s one-stop-shop mechanism (Article 56 GDPR) is the Lithuanian State Data Protection Inspectorate — Valstybinė duomenų apsaugos inspekcija (“VDAI”) — at L. Sapiegos g. 17, LT-10312 Vilnius, Lithuania, telephone +370 5 271 2804, email ada@ada.lt, website vdai.lrv.lt.

3. Scope of this Policy

This Privacy Policy applies to:

the Figaro Shield Field iOS / iPadOS application published by ML Consulting MB on the Apple App Store;

the App Clip Check-In surface used by a walk-in client to scan a QR code at the counter and acknowledge cancellation, deposit and (where applicable) consent disclosures before signing on the receptionist iPad;

the browser-accessible Chargeback Defence Pack and Insurance-Aligned Incident Pack share links issued by the App;

user accounts, Salons / Clinics, branches, subscriptions, trials, pilots, onboarding sessions, support channels, billing operations and authentication services that we operate in connection with the App;

the App’s landing pages, help articles and documentation hosted on mlconsulting.lt that describe Figaro Shield Field; and

email, in-application and other communications you exchange with us about the App.

Where Apple Inc. or its subsidiaries, or any other independent third party, processes personal data on its own account in connection with the App — for example, the Apple App Store, Sign in with Apple, App Clip experience hosting, APNs push, ActivityKit, iCloud, or a payment-card network — that party acts as a separate controller and its own privacy policy applies in addition to this Policy.

4. Our two privacy roles — controller and processor

4.1 We act as controller

We determine the purposes and means of processing for the following categories, which is why this Policy applies to them directly:

account and authentication data we collect to identify you and operate your user account;

device, technical, telemetry and security-event data the App generates during normal use;

communications and support correspondence about the App; and

billing and payment data we collect from Direct-Channel Subscribing Customers (all paid Figaro Shield Field tiers, add-ons and onboarding).

4.2 We act as processor

Figaro Shield Field operates on a Salon / Clinic / Workspace model. The Subscribing Customer — a salon, aesthetic clinic, medspa, multi-branch beauty group or franchise chain — uses the App to capture Events, signed Aesthetic Consents, before / after photographs, Product Lot Tracking entries, Chargeback Defence Packs and Insurance-Aligned Incident Packs. For that Customer Data — including front-desk-staff personal data, practitioner personal data, client and patient personal data (including Article 9 GDPR special-category health data relating to aesthetic procedures and including any minor client or patient — see sections 11 and 19), App Clip walk-in session data, Booking-Platform Integration data and biometric-gated audit-log entries within the meaning of Schedule A of the Terms and Conditions — the Subscribing Customer is the data controller and ML Consulting acts as a processor under the Master DPA, which meets the requirements of Article 28 GDPR.

In that role we process Customer Data only on the documented instructions of the Subscribing Customer, except where EU or Lithuanian law requires us to act otherwise. If you are a front-desk staff member, practitioner, manager, owner, compliance officer, client, patient, App Clip walk-in or other individual whose personal data has been uploaded to Figaro Shield Field by a Subscribing Customer, that organisation is the controller and you should approach it first with any data-protection request. If such a request reaches us directly, we will pass it on to the relevant Subscribing Customer without undue delay (see section 17.4).

5. Apple App Store and iOS platform context

Because the App is delivered through the Apple App Store and runs on Apple’s iOS / iPadOS platform, several aspects of how your personal data is handled are inherited from Apple’s platform. This section makes the most relevant ones explicit.

5.1 App Privacy details on the App Store

Apple requires every application on the App Store to publish a structured summary of the data it collects (the “App Privacy details”, commonly described as the App Store privacy “nutrition label”). The App Privacy details for Figaro Shield Field are kept consistent with this Policy. Indicatively, they declare Contact Info (the email addresses of clients, patients and external Pack recipients you invite, and your own account email), User Content (Event Captures, Aesthetic Consent records, Apple Pencil signatures, before / after photographs, Product Lot Tracking entries, voice memos and watermarked Pack PDFs), Sensitive Info (special-category health data relating to aesthetic procedures, captured by the Subscribing Customer under Article 9(2) GDPR) and, where opted-in, Diagnostics and anonymous Usage Data. Tracking is declared as None.

5.2 App Tracking Transparency

Figaro Shield Field does not track you across other companies’ applications and websites within the meaning of Apple’s App Tracking Transparency framework. We do not request the App Tracking Transparency permission and we do not use the iOS Identifier for Advertisers (IDFA). The App’s App Store declaration is set to “Data Not Used to Track You”.

5.3 Privacy Manifest

Figaro Shield Field ships an Apple-required Privacy Manifest (PrivacyInfo.xcprivacy) declaring the data categories the App collects, the reasons for any use of “required reason” iOS APIs and the third-party SDKs the App depends on. The Privacy Manifest is the machine-readable counterpart of this Policy.

5.4 iOS sandbox and Data Protection

On-device application data is held inside the iOS application sandbox and benefits from Apple’s default Data Protection class (typically “Complete Until First User Authentication”), which encrypts that data at rest with per-file keys that are in turn protected by a key derived from your device passcode and the device’s hardware key. This protection therefore depends on a device passcode being set. Where the App needs to retain a small secret value (for example, a session token), we store it in Apple’s Keychain Services rather than in the App’s own files. Given the sensitivity of the Customer Data Figaro Shield Field handles (in particular Article 9 GDPR special-category health data), the App requests a stricter Data Protection class than the default wherever the operating system and the feature permit it.

5.5 Sign in with Apple and email magic-link

The App offers Sign in with Apple in line with Apple’s App Store Review Guidelines § 4.8. When you choose this option, Apple supplies us with a stable Apple Account identifier and either your real email address or an Apple-generated relay address (“Hide My Email”). The App also supports email magic-link authentication: you receive a one-time signed link by email, and we never store a password. We never receive your Apple Account password.

5.6 Biometric gates, Apple Pencil signatures — not eIDAS, not informed medical consent

High-consequence operations — finalising an Aesthetic Consent record, generating a Chargeback Defence Pack, issuing an Insurance-Aligned Incident Pack, accessing the audit log — can be gated by Face ID / Touch ID through Apple’s LocalAuthentication framework. Biometric data never leaves the device; Apple does not provide us with your biometric template. The App stores only the verified / not-verified outcome and the authentication-type metadata.

Aesthetic Consent records are typically captured on an iPad using a PencilKit-rendered Apple Pencil signature stroke, with biometric Face ID verification of the practitioner. As clauses A5 and A10 of Schedule A make clear, these are operational acknowledgements that a defined consent template was presented to the client / patient and that the client / patient signed in the App at a specific time. They are NOT Qualified Electronic Signatures, Advanced Electronic Signatures or any other formally defined electronic signature under Regulation (EU) 910/2014 (eIDAS), and they are NOT a complete or sufficient informed medical consent under any national medical, dental, dermatological, surgical or cosmetic-procedure consent regime. The practitioner remains solely responsible for delivering a face-to-face informed consent process consistent with applicable national law.

5.7 App Clip Check-In (walk-in clients)

Figaro Shield Field uses Apple’s App Clip framework. A walk-in client at the counter may scan a QR code, open the App Clip Check-In surface and acknowledge cancellation / deposit / consent disclosures without installing the full App. App Clip code, App Clip experience hosting and the App Clip lifecycle (including the iOS-enforced binary cap and limited entitlements) are governed by Apple’s App Clip platform. App Clip Check-In sessions are scoped to a single branch and a single visit, and are tracked under an AppClipSession record (branch, walk-in identifier supplied by Apple’s App Clip flow, session start and end timestamps, acknowledgements performed).

5.8 APNs Time-Sensitive, ActivityKit and EventKit

Figaro Shield Field relies on a number of Apple frameworks and platform services, each governed by Apple’s privacy terms in addition to this Policy:

APNs Time-Sensitive notifications (chargeback dispute deadline alerts at Day-7, Day-3 and Day-1; repeat-offender check-in alerts; consent-expired alerts; product write-off threshold alerts; sync-conflict alerts);

ActivityKit Live Activities (chargeback dispute deadline countdowns on the Dynamic Island and Lock Screen);

EventKit (optional writes of chargeback-dispute deadlines and aesthetic follow-up appointments to your Apple Calendar);

AVFoundation (camera and microphone capture for before / after photographs, Product Lot Tracking photos and voice memos);

Speech (on-device first-pass voice transcription);

PencilKit (Apple Pencil Aesthetic Consent signature stroke and annotation on iPad);

PDFKit (watermarked Pack rendering);

BGTaskScheduler (background sync); and

StoreKit 2 (preserved for any future App Store in-app purchase path; currently not the default channel).

The App can also optionally make use of Apple’s Guided Access accessibility mode (which locks the device to a single app) in self-service flows.

5.9 App Privacy Report

iOS 15.2 and later provide an in-operating-system App Privacy Report (Settings → Privacy & Security → App Privacy Report) that lets you inspect the sensors, data categories and network domains the App has accessed. Figaro Shield Field is designed so that this report shows the Apple platform domains used by the features above, plus ML Consulting’s EU-resident backend and the AI sub-processor endpoint where the backend AI add-on has been enabled by the Subscribing Customer (see section 14).

6. Key terms used in this Policy

Personal data — any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR.

Processing — any operation performed on personal data, including collection, recording, organisation, storage, use, disclosure and erasure.

Controller — the person who determines the purposes and means of processing.

Processor — a person who processes personal data on behalf of a controller.

Subscribing Customer — the business customer (a salon, aesthetic clinic, medspa, multi-branch beauty group or franchise chain) that signed the Order Form and uses Figaro Shield Field. The term “Subscribing Customer” is used throughout in place of more generic terms such as workspace owner.

Customer Data — all data submitted by, or generated for, the Subscribing Customer through the App, App Clip surface or share links, including Event Captures, Aesthetic Consent records, before / after photographs, Product Lot Tracking entries, Chargeback Defence Packs, Insurance-Aligned Incident Packs, Repeat-Offender Risk indicators, Revenue Leakage Scores, exports and the append-only audit log.

Event Capture — a structured front-desk record of a missed-revenue event (no-show, late cancellation, deposit dispute, chargeback, walk-out or similar).

Aesthetic Consent — an Apple Pencil-signed record on iPad of a client’s acknowledgement of a pre-procedure consent template. Operational only — not an eIDAS e-signature and not a complete informed medical consent.

Before / After Photographs — photographic records captured in-App of a client / patient before and after a procedure. Article 9 GDPR special-category health data.

Product Lot Tracking — a record of a treatment-product container, vial, ampoule or supplier batch with lot number, expiry, supplier and optional on-device CoreML lot-number OCR.

Chargeback Defence Pack — a watermarked PDF assembling Event Capture, policy snapshot at booking time, deposit transaction record, voice transcript, audit-log entries and a card-scheme-aligned audit footer.

Insurance-Aligned Incident Pack — a watermarked PDF combining the Aesthetic Consent record, procedure protocol, Before / After Photographs, Product Lot Tracking and practitioner-identity verification for a defined incident scope.

Repeat-Offender Risk Engine — a workspace-internal advisory engine that produces risk indicators based on saved Event Capture history. Advisory only; never a sole basis for material decisions (see section 11.4).

App Clip Check-In — a short-lived authenticated session that allows a walk-in client to scan a QR code at the counter and acknowledge cancellation, deposit and (where applicable) consent disclosures.

Booking-Platform Integration — an integration that imports bookings, cancellations or deposit data from a third-party booking platform (for example, Treatwell, Fresha, Booksy, Phorest, Timely or Boulevard). Descriptive only — no endorsement implied.

On-device — data stored or processed locally on the user’s iPhone or iPad inside the iOS application sandbox; it does not leave the device unless this Policy says otherwise.

Backend — Figaro Shield Field’s EU-resident server-side service, to which on-device records are synced and from which share links, Packs and (where enabled) AI narrative drafts are served.

Sub-processor — a third-party service provider that processes personal data on our behalf or that supports a feature of the App.

EEA — the European Economic Area, comprising the EU Member States, Iceland, Liechtenstein and Norway.

VDAI — Valstybinė duomenų apsaugos inspekcija, the Lithuanian State Data Protection Inspectorate, our lead supervisory authority.

7. Personal data we process

We collect only the data we reasonably need to operate, secure, support and improve the App. The categories below describe what Figaro Shield Field processes; not every Subscribing Customer, user account or branch will involve every category.

Account and authentication data: Name, email address, account identifier, authentication method (Sign in with Apple or email magic-link), Apple-issued relay address where you used “Hide My Email”, Workspace membership, role (front-desk staff, practitioner, manager, owner, compliance officer, external viewer) and permissions. We do not store passwords; magic-link authentication uses one-time signed links.

Device, technical and telemetry data: IP address (typically truncated for analytics), device model and operating-system version, App version, language and timezone, pseudonymised interaction events (screens viewed, features used, capture-duration metrics), crash reports, performance traces and security-relevant events such as failed log-ins and biometric gate attempts.

Communications and support data: The content and metadata of any email, support ticket, in-app help message, demo request, onboarding call note or other correspondence with us, including any attachments you choose to send.

Billing and payment data (Direct Channel — all tiers and add-ons): Invoicing entity name, registered address, VAT identifier, signatory contact, Order Form record (Plan, term, fees, user / branch / chair / location limits, add-ons), payment-status data, bank-transfer reference and the last four digits of the payment card where card payment is used. We do not store full payment-card numbers.

Customer Data — front-desk operational records: Event Captures (no-show, late cancellation, deposit dispute, chargeback, walk-out) with policy snapshot at booking time, retention value, voice memo, voice transcript and audit-log entries; deposit transaction records; cancellation-policy snapshots; chargeback dispute records; Chargeback Defence Pack PDFs; Revenue Leakage Scores; append-only audit log.

Customer Data — aesthetic clinic / medspa operational records: Aesthetic Consent records (Apple Pencil signature on iPad + biometric Face ID), procedure templates configured by the Subscribing Customer, before / after photographs with anatomical region tags and lighting metadata, Product Lot Tracking records (lot number, expiry, manufacturer, optional on-device CoreML lot-number OCR), reconstitution timing logs, practitioner-identity verification records, Insurance-Aligned Incident Pack PDFs and the append-only audit log.

Front-desk-staff and practitioner personal data: Where the Subscribing Customer invites front-desk staff, practitioners, managers, owners or compliance officers as authorised users: the worker’s name, email, role, Workspace identifier, the timestamp of their acknowledgement of the Workspace privacy notice, and the records they capture (including Apple Pencil signatures, biometric verifications, voice memos and any photograph in which they are identifiable). Where the Subscribing Customer enables Revenue Leakage Score reporting, staff-level operational metrics are also processed. See section 11.

Client and patient personal data: Where the Subscribing Customer enters client / patient data: identity (name, contact details, booking reference), policy-acknowledgement timestamps, Event Capture history, Aesthetic Consent records, before / after photographs, voice transcripts and any associated Insurance-Aligned Incident Pack content. Where a minor is referenced, the carve-outs in section 11.5 apply. Treated as Customer Data on behalf of the Subscribing Customer.

Article 9 GDPR special-category health data: Personal data relating to aesthetic procedures (Botox, hyaluronic-acid fillers, laser, IPL, microneedling and similar) and any data revealing health status or condition — for example, before / after photographs in which a condition is identifiable, contraindication acknowledgements, after-care notes. This is Article 9 GDPR special-category data. The Subscribing Customer is the controller and is responsible for an Article 9(2) GDPR lawful basis (typically explicit consent under Article 9(2)(a), or processing for the provision of health or social care under Article 9(2)(h)) and for any national medical-confidentiality, patient-rights and sector-specific rule (including cosmetovigilance under Regulation (EC) 1223/2009 and medical-device incident reporting under Regulation (EU) 2017/745).

App Clip Check-In session data (walk-ins): Where a walk-in client opens the App Clip Check-In at the counter: an AppClipSession record (branch, walk-in identifier supplied by Apple’s App Clip flow, session start and end timestamps, acknowledgements performed). Treated as Customer Data on behalf of the Subscribing Customer.

Booking-Platform Integration data: Where the Subscribing Customer enables a Booking-Platform Integration (Treatwell, Fresha, Booksy, Phorest, Timely, Boulevard or similar), the read-only sync of upcoming bookings, cancellations, deposit data and client-contact data exchanged via the integration under the Subscribing Customer’s contract with the booking platform. References to those platforms in the App are descriptive only.

Camera, microphone and on-device file data: Before / after photographs and Product Lot photographs (AVFoundation), voice memos (AVFoundation + on-device Speech framework first-pass transcript), PencilKit Apple Pencil signature strokes on iPad. Camera, photo-library, microphone and Speech-recognition access are controlled by the iOS permission prompts and may be revoked at any time in iOS Settings.

Location data (CoreLocation, optional, event-based): Where the Subscribing Customer enables it, optional venue / branch GPS at the moment you save a record (the iOS “When In Use” permission). The App does not perform continuous background tracking.

Apple Calendar (EventKit) integration: Where the Subscribing Customer enables it, the App writes chargeback dispute deadlines (Day-7, Day-3, Day-1) and aesthetic follow-up reminders to the Apple Calendar of the relevant authorised user. We do not read or transmit your wider Calendar contents.

Notification preferences and tokens: Push-notification cadence toggles (new chargeback received, dispute deadline countdown, repeat-offender check-in, aesthetic consent expired, product write-off threshold, sync-conflict); iOS notification permission state; APNs device push token; ActivityKit Live Activity state.

On-device CoreML inference outputs: Where enabled: the output of the on-device CoreML product-lot OCR (vial barcode → lot number, expiry, manufacturer) and the on-device CoreML photo-quality check, stored alongside the raw photograph. CoreML inference runs locally on your device.

Backend AI helper inputs and outputs (paid opt-in add-on): Where the Subscribing Customer has enabled the backend AI add-on: the audio clip sent for Whisper-class voice transcription and the structured-text input sent for Claude-class Chargeback Defence Pack and Insurance-Aligned Incident Pack narrative drafting, plus the generated draft outputs. Raw input is always retained alongside any AI-structured output; see section 14.

Repeat-Offender Risk Engine data and Revenue Leakage Score: Workspace-internal advisory indicators computed deterministically from saved Event Capture history (Repeat-Offender Risk Engine) and from Event Captures plus policy-enforcement records (Revenue Leakage Score). Confidential to the Subscribing Customer; not exposed to third-party scoring, credit-rating or blacklisting services. See section 11.4.

Application-generated data: Outputs of the deterministic Event Capture pipeline, the Chargeback Defence Pack generator, the Aesthetic Consent workflow, the Repeat-Offender Risk Engine, the audit log, capture-duration telemetry and similar computed values.

7.1 Article 9 GDPR special-category data — explicit treatment

Figaro Shield Field is designed to handle health-related personal data that the Subscribing Customer captures in the course of aesthetic procedures — in particular Aesthetic Consent records, before / after photographs, contraindication acknowledgements, after-care notes and any data revealing health status or condition. This is Article 9 GDPR special-category data.

The Subscribing Customer is the controller for that data and is responsible for establishing and documenting a valid Article 9(2) GDPR lawful basis — typically explicit consent under Article 9(2)(a), or processing for the provision of health or social care or treatment by or under the responsibility of a qualified professional under Article 9(2)(h) — and for complying with any national medical-confidentiality, patient-rights, cosmetovigilance (Regulation (EC) 1223/2009), medical-device incident-reporting (Regulation (EU) 2017/745) or sector-specific rule applicable to the procedure and the jurisdiction. ML Consulting acts as processor and stores this data on a heightened-protection basis as set out in section 16.

7.2 What we do not collect

To remove ambiguity, Figaro Shield Field does not collect:

the contents of your Apple Contacts, the wider Apple Calendar, your photo library beyond images you actively capture or attach, or any HealthKit / HomeKit data;

behavioural-advertising identifiers; we do not run advertising, do not use the IDFA and do not share data with advertising networks;

analytics, attribution or crash-reporting data through any third-party SDK that has not been disclosed in this Policy and in the App’s Privacy Manifest;

continuous background-location data; location capture (where enabled) is event-based only and requires only the iOS “When In Use” permission.

8. How we collect personal data

We collect personal data in three ways:

Directly from you — when you create an account, complete a form, install or use the App on iPhone or iPad, open an App Clip Check-In session at the counter, capture an Event, sign an Aesthetic Consent on iPad, attach a before / after photograph or voice memo, scan a product vial, generate a Pack, contact support or subscribe to a communication.

Automatically through your use of the App — when the App generates technical, telemetry, security or computational data (capture-duration metrics, Repeat-Offender Risk Engine outputs, Revenue Leakage Score computation, append-only audit-log entries) necessary to deliver, secure or improve the service, and when Apple platform services (APNs, ActivityKit, CoreML, AVFoundation, PencilKit) supply data linked to your action.

From third parties — when Apple supplies us with the result of Sign in with Apple, when a Subscribing Customer administrator invites you to a Workspace, when a Booking-Platform Integration delivers a read-only sync of bookings / cancellations / deposits to the Workspace, when a payment provider confirms a payment, or when an authority lawfully provides information in connection with a regulatory matter.

9. Why we process personal data and our legal bases

For each processing activity we rely on a lawful basis under Article 6(1) GDPR. Where we process Article 9 GDPR special-category health data on behalf of the Subscribing Customer, the Subscribing Customer (as controller) relies on an additional Article 9(2) GDPR basis. The table below sets the bases out for the categories of processing covered by this Policy.

Purpose: Provide and operate the App, App Clip Check-In and share-link surfaces, including authentication, Workspaces, Event Capture, Aesthetic Consent capture, before / after photography, Product Lot Tracking, Pack assembly, audit history, exports and sync.

Data used: Account and authentication data; device, technical and telemetry data; Customer Data and operational records; personal data of front-desk staff, practitioners, clients / patients and App Clip walk-ins (as processor).

Legal basis: Performance of a contract with you (or pre-contractual steps at your request). Article 9 GDPR data on behalf of the Subscribing Customer under its Article 9(2) lawful basis.

GDPR ref.: Art. 6(1)(b); Art. 9(2) for special-category data

Purpose: Process payments and manage billing for Direct-Channel Subscribing Customers; comply with statutory accounting and tax retention.

Data used: Billing and payment data; account data.

Legal basis: Performance of a contract; compliance with a legal obligation under Lithuanian accounting and tax law.

GDPR ref.: Art. 6(1)(b); Art. 6(1)(c)

Purpose: Camera, microphone, AVFoundation photo and on-device Speech features.

Data used: Camera and microphone input (in memory); captured stills and voice clips (only when you save them); on-device Speech first-pass transcript.

Legal basis: Performance of a contract; consent for camera, microphone, photo-library and Speech-recognition access via the iOS prompts.

GDPR ref.: Art. 6(1)(b); Art. 6(1)(a)

Purpose: Apple Pencil-signed Aesthetic Consent capture on iPad with biometric Face ID verification.

Data used: PencilKit signature stroke; LocalAuthentication verified / not-verified outcome and authentication-type metadata; timestamp; audit-log entry. Operational acknowledgement only — not an eIDAS e-signature and not a complete informed medical consent.

Legal basis: Performance of a contract (between the Subscribing Customer and the client / patient, supported evidentially by the App). Article 9 GDPR special-category basis is set by the Subscribing Customer.

GDPR ref.: Art. 6(1)(b); Art. 9(2)

Purpose: On-device CoreML — product-lot OCR and photo-quality check.

Data used: Photograph attached to a Product Lot Tracking entry or Before / After record; CoreML output stored alongside.

Legal basis: Performance of a contract. No data leaves the device.

GDPR ref.: Art. 6(1)(b)

Purpose: Optional venue / branch identification at the moment of save.

Data used: Location data via the iOS “When In Use” location prompt.

Legal basis: Consent via the iOS prompt.

GDPR ref.: Art. 6(1)(a)

Purpose: APNs Time-Sensitive push, ActivityKit Live Activity countdowns and configurable notification cadence (chargeback dispute deadlines, repeat-offender check-in, consent expired, product write-off threshold, sync-conflict).

Data used: Notification preferences; APNs push token; application-generated alerts; ActivityKit Live Activity state.

Legal basis: Consent (granted via the iOS notification prompt and the App’s Settings).

GDPR ref.: Art. 6(1)(a)

Purpose: Optional EventKit writes of chargeback dispute deadlines and aesthetic follow-up reminders to Apple Calendar.

Data used: Calendar event metadata for chargeback deadlines and aesthetic follow-ups.

Legal basis: Consent via the iOS Calendar prompt.

GDPR ref.: Art. 6(1)(a)

Purpose: Backend AI helpers — Whisper-class voice transcription and Claude-class Pack-narrative drafts (paid opt-in add-on).

Data used: Audio clip or structured-text inputs; generated draft outputs.

Legal basis: Performance of a contract; consent (Subscribing Customer admin add-on enablement).

GDPR ref.: Art. 6(1)(b); Art. 6(1)(a)

Purpose: Compute workspace-internal Repeat-Offender Risk Engine indicators and Revenue Leakage Scores for operational use, with meaningful human review.

Data used: Saved Event Capture history, policy-enforcement records and similar data within the Subscribing Customer’s Workspace.

Legal basis: Performance of a contract; legitimate interests of the Subscribing Customer in revenue protection, subject to the discipline in section 11.4 (no sole-basis decisions).

GDPR ref.: Art. 6(1)(b); Art. 6(1)(f)

Purpose: Read-only sync from Booking-Platform Integrations (Treatwell, Fresha, Booksy, Phorest, Timely, Boulevard) where enabled.

Data used: Upcoming bookings, cancellations, deposit data and client-contact data exchanged under the Subscribing Customer’s contract with the booking platform.

Legal basis: Performance of a contract.

GDPR ref.: Art. 6(1)(b)

Purpose: Issue, serve and revoke Chargeback Defence Pack and Insurance-Aligned Incident Pack share links.

Data used: Recipient contact data; share-link scope and expiry; activity log.

Legal basis: Performance of a contract.

GDPR ref.: Art. 6(1)(b)

Purpose: Secure the App; prevent fraud, abuse, evidence tampering, share-link forging, signature forgery and unauthorised access.

Data used: Authentication data; device, technical and telemetry data; security-relevant events; append-only audit log; biometric gate state.

Legal basis: Legitimate interests in protecting the integrity, availability and confidentiality of the App and the evidentiary integrity of Packs and Aesthetic Consent records.

GDPR ref.: Art. 6(1)(f)

Purpose: Improve the App; conduct privacy-respecting product analytics (opt-in).

Data used: Pseudonymised telemetry; aggregated usage statistics.

Legal basis: Legitimate interests in understanding how the App is used. Where required, consent.

GDPR ref.: Art. 6(1)(f); Art. 6(1)(a)

Purpose: Provide customer support and respond to enquiries.

Data used: Communications and support data; account data.

Legal basis: Performance of a contract; legitimate interests for general or pre-contractual enquiries.

GDPR ref.: Art. 6(1)(b); Art. 6(1)(f)

Purpose: Respond to data-subject requests and operate the GDPR rights workflow.

Data used: All categories relevant to the request.

Legal basis: Compliance with a legal obligation under the GDPR.

GDPR ref.: Art. 6(1)(c); Arts. 12 to 22

Purpose: Send service messages (security, billing, material change notices, chargeback dispute deadline notices).

Data used: Account data; communications data.

Legal basis: Performance of a contract.

GDPR ref.: Art. 6(1)(b)

Purpose: Defend or pursue legal claims.

Data used: Data relevant to the claim.

Legal basis: Legitimate interests in establishing, exercising or defending legal claims.

GDPR ref.: Art. 6(1)(f)

Purpose: Comply with legal, regulatory and tax obligations and respond to lawful requests.

Data used: Data required by law (typically account, billing, audit and security logs).

Legal basis: Compliance with a legal obligation.

GDPR ref.: Art. 6(1)(c); Art. 23

Where we rely on legitimate interests under Article 6(1)(f) GDPR, we have carried out and documented a balancing assessment that concluded our interests are not overridden by your fundamental rights and freedoms. Where we rely on consent under Article 6(1)(a) GDPR, you may withdraw it at any time without affecting the lawfulness of processing carried out before the withdrawal.

10. Offline-first architecture, on-device storage and EU-resident backend

Figaro Shield Field is offline-first. Event Captures, Aesthetic Consent records, Apple Pencil signatures, before / after photographs, voice memos and audit-log entries are written first to on-device storage (SwiftData) inside the iOS application sandbox. Records sync to the Figaro Shield Field backend when connectivity returns. If you delete the App, reset your device or fail to maintain a backup before sync, locally held but unsynced data may be lost.

The backend is hosted in the European Union. Personal data is encrypted in transit (TLS 1.2 or higher) and at rest. Records and files are isolated per Workspace using row-level security and signed-URL access. Given the sensitivity of the Customer Data — in particular Article 9 GDPR special-category health data and Apple Pencil-signed Aesthetic Consent records — the backend applies heightened access controls and audit logging. Background sync uses Apple’s BGTaskScheduler when iOS schedules it; this is best-effort and depends on device state.

11. Subscribing Customers, workers, clients, patients and walk-ins

Figaro Shield Field is operated on a Salon / Clinic / Workspace model. The Subscribing Customer’s administrator may invite front-desk staff, practitioners, managers, owners, compliance officers and external viewers; configure roles and branch assignments; view activity inside the Workspace; capture Events; sign Aesthetic Consents on iPad; generate Chargeback Defence Packs and Insurance-Aligned Incident Packs; issue share links; and configure retention. The administrator is responsible for ensuring that invited users, clients / patients (including any minor client or patient) and App Clip walk-ins receive an appropriate privacy notice and that the organisation has a valid lawful basis for processing their personal data.

For these features we act as processor of Customer Data on behalf of the Subscribing Customer under the Master DPA. Subscribing Customers must rely on their own privacy notice for the substantive obligation under Articles 13 and 14 GDPR; this Policy applies in addition to that notice in respect of data we process as controller (account, telemetry, support, billing and similar data).

11.1 Worker monitoring under Article 88 GDPR

Because Apple Pencil signatures, biometric verifications, voice memos, Revenue Leakage Score reporting and audit-log entries can constitute employee monitoring in many EU jurisdictions, the Subscribing Customer is responsible — under clause A4 of Schedule A — for satisfying the worker-monitoring obligations of the country where the worker normally works, including any required works-council, employee-representative, trade-union or sector-specific consultation under the law of that EU Member State.

Before granting any worker access, the Subscribing Customer must provide a privacy notice meeting Articles 13 and 14 GDPR and the national worker-information rules implementing Article 88 GDPR, consult representatives where required, establish and document an appropriate lawful basis under Article 6(1) GDPR, and use monitoring features proportionately and only for the legitimate operational purposes described in the worker privacy notice. The App is not designed for, and must not be used for, covert worker, client or patient surveillance.

11.2 Aesthetic consent and informed medical consent

Where the Subscribing Customer captures an Aesthetic Consent record on iPad using Apple Pencil and biometric Face ID, the App records that a defined consent template was presented to the client / patient and that the client / patient signed in the App at a specific time. As clause A5 of Schedule A makes clear, this is an operational acknowledgement only — it does not, by itself, satisfy any national medical, dental, dermatological, surgical or cosmetic-procedure consent regime. The practitioner remains solely responsible for delivering a face-to-face informed consent process consistent with applicable national law, including discussion of the procedure, risks, alternatives, expected outcomes, aftercare and the client’s opportunity to ask questions and to refuse or withdraw consent.

11.3 Patient and client special-category health data

Where the Subscribing Customer enters Article 9 GDPR special-category health data into the App (Aesthetic Consent records, before / after photographs, contraindication acknowledgements, after-care notes), the Subscribing Customer is the controller and shall — under clause A6 of Schedule A — establish and document a valid Article 9(2) GDPR lawful basis (typically explicit consent under Article 9(2)(a), or processing for the provision of health or social care or treatment by or under the responsibility of a qualified professional under Article 9(2)(h)); comply with any national medical-confidentiality, patient-rights and sector-specific rule (including any cosmetovigilance reporting obligation under Regulation (EC) 1223/2009 and national medical-device incident-reporting obligation under Regulation (EU) 2017/745); ensure that before / after photographs are captured and retained on the basis of explicit consent (or another valid Article 9(2) GDPR basis) and that image-rights restrictions are respected; and use the App’s in-built retention, archive and erasure controls to honour data-subject rights, subject to legal retention obligations. The App is not, and must not be used as, a Patient Administration System, Electronic Health Record or other clinical system.

11.4 Repeat-Offender Risk Engine discipline

The Repeat-Offender Risk Engine produces workspace-internal advisory indicators based on saved Event Capture history. Under clause A9.3 of Schedule A, the Subscribing Customer shall: keep Repeat-Offender Risk indicators confidential within the Subscribing Customer; NOT use a Repeat-Offender Risk indicator as the sole basis for any material decision affecting an individual (refusal of service, mandatory pre-payment, deposit forfeiture, no-future-booking decision) without meaningful human review and an independent assessment; not use it in a defamatory, retaliatory, discriminatory or otherwise unlawful manner; not share Repeat-Offender Risk indicators between unaffiliated Subscribing Customers or with third-party scoring, credit-rating or blacklisting services; and not publish a Repeat-Offender Risk indicator or any derived ranking in a way that creates a substitute for an industry blacklist or a public scoring service. The same discipline applies to Revenue Leakage Scores at staff and branch level.

11.5 Minors

Where a minor is a client or patient referenced in the App (for example, a minor receiving a salon service or a permitted aesthetic procedure under applicable law), the Subscribing Customer shall obtain and document parental / guardian consent under Article 8 GDPR or the applicable national age-of-digital-consent rule; comply with any national or sector-specific rule restricting cosmetic or aesthetic procedures on minors (including any national prohibition or age limit on Botox, fillers, laser or other procedures); adapt the privacy notice and consent template to the language and rights regime applicable to minors; and configure the App so that the minor’s data is processed proportionately and only for the legitimate operational purposes described in that notice.

11.6 App Clip Check-In walk-ins and Booking-Platform Integrations

Where a walk-in client opens the App Clip Check-In at the counter, the Subscribing Customer is responsible for providing — on or before the first App Clip session — the privacy notice required by Articles 13 and 14 GDPR and any consumer-information notice required by applicable consumer-protection law. Where the Subscribing Customer enables a Booking-Platform Integration (Treatwell, Fresha, Booksy, Phorest, Timely, Boulevard or similar), the Subscribing Customer is responsible for the underlying contract with the booking platform and for ensuring that data exchanged via the integration is lawful and authorised by the booking platform’s terms. The Booking-Platform Integration does not create any sponsorship, partnership, certification or affiliation between ML Consulting and the named booking platform.

12. Recipients of personal data

We share personal data only with the categories of recipients listed below, and only to the extent necessary for the purpose. We do not sell personal data, and we do not “share” personal data for cross-context behavioural advertising as that term is defined under California law. We do not share or sell patient / client data, Aesthetic Consent records, before / after photographs, Chargeback Defence Pack content or Repeat-Offender Risk Engine data with any third party for advertising or commercial-intelligence purposes.

Recipient category: Apple Inc. and Apple Distribution International Limited

Purpose: App Store distribution, Sign in with Apple, App Clip experience hosting, APNs push delivery, ActivityKit Live Activities, iCloud where used, StoreKit 2 (preserved for any future App Store IAP path) and related Apple platform services.

Status: Independent controller for App Store-side and Apple-platform-side processing.

Recipient category: EU-resident backend hosting provider (managed Postgres)

Purpose: Host the Figaro Shield Field backend, including encrypted Workspace storage, signed-URL file storage, row-level security per Workspace, scheduled jobs (chargeback dispute deadline countdowns, sync-conflict notifications) and share-link serving.

Status: Sub-processor under written terms; data hosted in the European Union.

Recipient category: Workflow orchestration provider (server-side cron and event jobs)

Purpose: Run scheduled jobs — chargeback dispute deadline countdowns (Day-7, Day-3, Day-1), repeat-offender check-in alerts, aesthetic-consent expired alerts, product write-off threshold alerts.

Status: Sub-processor under written terms.

Recipient category: Email-delivery provider

Purpose: Send service messages, magic-link authentication emails, support replies, onboarding communications, Chargeback Defence Pack share-link emails and Insurance-Aligned Incident Pack share-link emails.

Status: Sub-processor under written terms.

Recipient category: Anonymised product-analytics, monitoring and crash-reporting providers

Purpose: Privacy-respecting product analytics, performance monitoring and bug diagnostics; pseudonymised where feasible; opt-in for Diagnostics and Usage Data in the App Privacy details.

Status: Sub-processors under written terms; used only after consent where required.

Recipient category: Payment and invoicing provider (Direct Channel)

Purpose: Process Direct-Channel payments (cards and other payment methods), invoices, refunds, taxes and reconciliation for all paid tiers, add-ons and onboarding. We do not store full payment-card numbers.

Status: Independent controller or sub-processor depending on the provider.

Recipient category: Voice-transcription provider (backend Whisper-class, paid add-on)

Purpose: Refine on-device first-pass transcripts of Event Capture and incident voice memos, where the Subscribing Customer has enabled the AI add-on.

Status: Sub-processor under written terms; inputs and outputs are not used to train any third-party model.

Recipient category: Language-model provider (Anthropic — Claude-class narrative drafts, paid add-on)

Purpose: Generate narrative drafts for Chargeback Defence Packs and Insurance-Aligned Incident Packs, where the Subscribing Customer has enabled the AI add-on. Customer-identifying free text is minimised before transmission. AI-drafted narratives carry a “Draft — review before submitting” watermark until an authorised user finalises them.

Status: Sub-processor under written terms; inputs and outputs are not used to train any third-party model.

Recipient category: Booking-Platform Integration providers (Treatwell, Fresha, Booksy, Phorest, Timely, Boulevard and similar)

Purpose: Where the Subscribing Customer enables an integration, the named booking platform provides read-only sync of bookings, cancellations, deposit data and client-contact data under the Subscribing Customer’s contract with that platform. ML Consulting is not party to that contract and does not endorse, certify or warrant any named booking platform.

Status: Independent controller (under its own contract with the Subscribing Customer); references in the App are descriptive only.

Recipient category: Professional advisers (lawyers, accountants, auditors, insurers)

Purpose: Legal, tax, audit, insurance and compliance advice on a need-to-know basis.

Status: Independent controllers under their own duties of confidence.

Recipient category: Authorities, courts and regulators

Purpose: Where we are required by law, court order or a binding regulatory request, including the Lithuanian State Data Protection Inspectorate (VDAI) and the Lithuanian State Tax Inspectorate (VMI) where applicable.

Status: Independent controllers acting under their statutory powers.

Recipient category: Successor entity

Purpose: In the context of a merger, acquisition, restructuring or sale of assets, subject to confidentiality safeguards and to the buyer continuing to honour the commitments in this Policy.

Status: Independent controller after the transaction closes.

References in the App to card schemes (Visa, Mastercard, American Express, Discover, JCB, UnionPay) and card-scheme dispute frameworks (Visa Compelling Evidence 3.0, Mastercard Compelling Evidence) and to booking platforms (Treatwell, Fresha, Booksy, Phorest, Timely, Boulevard) are descriptive only. None of those card schemes, acquirers or booking platforms endorses, certifies, audits, approves or warrants the App, the templates or any Pack, and none is a sub-processor, recipient or party to this Policy by virtue of being named in a template or integration.

A current list of our sub-processors, together with the country in which each provider operates, is published at mlconsulting.lt/legal/sub-processors and is updated when the list changes. Each sub-processor we engage is bound by a written contract that imposes the data-protection obligations required by Article 28 GDPR (or, where ML Consulting is the controller, equivalent contractual safeguards).

13. International data transfers

ML Consulting MB is established in Lithuania and hosts the Figaro Shield Field backend in the European Union. Personal data is encrypted in transit and at rest, and we aim to keep personal data within the European Economic Area by default. Some of our sub-processors, as well as the global infrastructure of Apple Inc. (App Store, App Clip hosting, APNs, ActivityKit) and of the language-model, voice-transcription and Booking-Platform Integration providers, may process data in the United States or other regions where they operate.

Where personal data is transferred outside the EEA or the United Kingdom to a country that has not been the subject of an adequacy decision under Article 45 GDPR, we rely on one or more of the safeguards required by Chapter V GDPR, in particular:

European Commission adequacy decisions, including the EU-US Data Privacy Framework where the recipient is certified under it;

the European Commission’s Standard Contractual Clauses (Module Two — controller to processor — and Module Three — processor to sub-processor — as applicable), with the UK International Data Transfer Addendum or the UK International Data Transfer Agreement for transfers from the United Kingdom;

additional technical measures including TLS 1.2 or higher for data in transit and encryption at rest, as well as contractual and organisational measures appropriate to the risk; and

any other lawful transfer mechanism under Articles 46 to 49 GDPR.

14. Automated decision-making, on-device CoreML and backend AI

14.1 No solely-automated decisions with legal or similarly significant effects

We do not subject you to decisions producing legal effects concerning you or similarly significantly affecting you that are based solely on automated processing within the meaning of Article 22 GDPR. Where any aspect of a decision affecting you is informed by automated logic, a human is meaningfully involved in the outcome. The Repeat-Offender Risk Engine in particular is advisory only and must NEVER be used as the sole basis for refusing service, demanding pre-payment, forfeiting a deposit or any other material decision affecting an individual (see section 11.4).

14.2 On-device CoreML

The App may include on-device CoreML helpers — product-lot OCR (vial barcode → lot number, expiry, manufacturer) and a before / after photo-quality check. They run locally on your iPhone or iPad and the photograph is not transmitted to any third-party AI provider as a result of this feature. Outputs are advisory; below a confidence threshold of 70%, the App surfaces a “needs review” badge and does not auto-publish a classification. You can always override the suggestion before saving.

The App also uses Apple’s on-device Speech framework for a first-pass transcription of voice memos. Speech recognition runs locally and is governed by Apple’s framework and its iOS permission prompt.

14.3 Backend AI add-on — opt-in, never autonomous

The App may include an opt-in, paid backend AI add-on with two components: Whisper-class voice transcription for longer-form audio; and Claude-class narrative drafting for Chargeback Defence Packs and Insurance-Aligned Incident Packs. The add-on is off by default and is activated only when an admin of the Subscribing Customer explicitly enables it in Settings.

Where the backend AI add-on is enabled:

AI output is editable text only and requires explicit human confirmation before persistence, export or sending;

raw input (audio, photographs, free-text, original CoreML inputs) is always retained alongside any AI-structured output, so you can audit and override;

AI never auto-publishes an Event Capture, Aesthetic Consent record, Pack export or Repeat-Offender Risk indicator, and never changes deposit state, policy state, biometric-verification state, billing state or audit-log state;

AI-drafted Pack narratives carry a “Draft — review before submitting” watermark until an authorised user explicitly finalises them;

inputs and outputs are not used by ML Consulting or by any sub-processor to train any third-party model;

customer-identifying free text and third-party personal data are minimised before transmission to the sub-processor;

the Subscribing Customer may disable the add-on at any time in Settings.

14.4 Repeat-Offender Risk Engine — rules-based, advisory

The Repeat-Offender Risk Engine is a rules-based, deterministic Field Engine that produces workspace-internal advisory indicators based on saved Event Capture history. It is not an AI / ML model and does not call any third-party AI provider. The discipline rules in section 11.4 apply: indicators are confidential, advisory only, never a sole basis for material decisions affecting an individual, and must not be shared with third-party scoring, credit-rating or blacklisting services.

14.5 Third-party AI sub-processors

Backend Whisper-class voice transcription and Claude-class narrative drafting are performed by sub-processors disclosed in section 12 and in our sub-processor list, under written agreements that prohibit the use of inputs or outputs to train any third-party model.

14.6 EU AI Act readiness

We design and operate AI features to be compatible with applicable obligations under Regulation (EU) 2024/1689 (the Artificial Intelligence Act), including transparency, logging and human-oversight requirements appropriate to the risk classification of the relevant feature. None of our current AI features is, or is held out as, a high-risk AI system within the meaning of Annex III of the AI Act.

15. How long we keep personal data

We keep personal data only for as long as we need it for the purpose for which it was collected, or as required by applicable law. The retention periods below are indicative; the actual period for any item of personal data is the longest of the periods that apply to the purposes for which we use it.

Category: Account and authentication data

Retention period: Lifetime of the account; in any case deleted or anonymised within 24 months of complete inactivity, save where statutory retention applies.

Trigger for deletion or anonymisation: Account deletion, 24-month inactivity sweep or end of statutory retention.

Category: On-device application data

Retention period: Held on your device for as long as you keep it; included in iCloud Backup if you have it enabled. Removed by the operating system on App deletion.

Trigger for deletion or anonymisation: You delete the data, the App or your account.

Category: Telemetry, capture-duration and service-operation data

Retention period: Pseudonymised at collection where feasible; retained in identifiable form for a maximum of 13 months; aggregated or anonymised data may be retained indefinitely.

Trigger for deletion or anonymisation: Time-based deletion or aggregation.

Category: Communications and support data

Retention period: Up to 24 months from the close of the last related correspondence; longer where the matter relates to a complaint, dispute, regulatory request, chargeback matter, insurance matter, cosmetovigilance matter, medical-device incident or legal claim, until the matter is resolved plus the applicable limitation period.

Trigger for deletion or anonymisation: Time-based deletion or matter closure.

Category: Billing, accounting and tax records

Retention period: Up to 10 years from the end of the relevant accounting period, in line with the Lithuanian Law on Financial Accounting and the Lithuanian Law on Tax Administration.

Trigger for deletion or anonymisation: Expiry of the statutory retention period.

Category: Customer Data within Workspaces — Event Captures, policy snapshots, Chargeback Defence Pack PDFs and the append-only audit log (we act as processor)

Retention period: Governed by the Master DPA: a 30-day data-export window in read-only mode after termination, followed by deletion or anonymisation within a further 60 days, save for records the Subscribing Customer is required by law to retain (in particular accounting, chargeback-defence and insurance / liability records).

Trigger for deletion or anonymisation: Termination of the customer agreement, plus the period set in the Master DPA.

Category: Aesthetic Consent records, before / after photographs, Product Lot Tracking, Insurance-Aligned Incident Pack PDFs (Article 9 GDPR data; we act as processor)

Retention period: Retained for the period the Subscribing Customer determines under its Article 9(2) GDPR lawful basis, including any national medical-confidentiality, patient-rights, cosmetovigilance (Regulation (EC) 1223/2009) and medical-device incident-reporting (Regulation (EU) 2017/745) retention requirement. ML Consulting retains the data only for as long as the Subscribing Customer instructs and only as a processor.

Trigger for deletion or anonymisation: Subscribing Customer instruction or governing regulatory rule.

Category: App Clip Check-In session records

Retention period: Retained while the parent Event Capture or operational record exists; otherwise no longer than 12 months from the session end, save where part of a regulatory, chargeback, insurance or cosmetovigilance matter.

Trigger for deletion or anonymisation: Deletion of the parent records or time-based deletion.

Category: Chargeback Defence Pack and Insurance-Aligned Incident Pack share links

Retention period: Active until expiry or revocation; activity log retained for up to 12 months from link expiry for audit purposes (longer where part of an active chargeback or insurance matter).

Trigger for deletion or anonymisation: Link expiry, revocation or time-based deletion.

Category: Security and platform audit logs

Retention period: Up to 24 months, or longer where necessary for security, fraud-prevention, signature-integrity or legal-claim purposes.

Trigger for deletion or anonymisation: Time-based deletion.

Category: Backups

Retention period: Standard backup-rotation cycles (typically up to 30 days). Backups are not used to restore deleted accounts and are themselves overwritten on the rotation cycle.

Trigger for deletion or anonymisation: Backup-rotation cycle.

16. Security and personal-data breaches

16.1 Article 32 measures

We implement and maintain appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, destruction, alteration or disclosure, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk to your rights and freedoms (Article 32 GDPR). Given that Figaro Shield Field handles Article 9 GDPR special-category health data and Apple Pencil-signed Aesthetic Consent records, an elevated security posture is applied throughout.

These measures include: EU-resident backend hosting with encryption in transit (TLS 1.2 or higher) and at rest; row-level security per Workspace identifier in the database; signed-URL access to evidence files with short time-to-live; optional Face ID / Touch ID biometric gating of high-consequence operations (finalising Aesthetic Consent records, Pack generation, share-link issuance, audit-log access); watermarking and audit-trail blocks on every Pack (with the “Draft — review before submitting” watermark on AI-drafted narratives until finalised); an append-only audit log of capture, edit, status change, snapshot freeze, Pack export, share-link issuance, signature event and biometric-verification event; and time-limited, scope-restricted share links.

16.2 Notification of personal-data breaches

If we become aware of a personal-data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours after becoming aware of the breach (Article 33 GDPR). Where the breach is likely to result in a high risk, we will notify the affected data subjects without undue delay (Article 34 GDPR). Where ML Consulting is acting as processor on behalf of a Subscribing Customer, we will notify the Subscribing Customer without undue delay in accordance with Article 33(2) GDPR and the Master DPA.

16.3 Reporting a suspected breach to us

If you suspect a security incident or unauthorised access affecting your account, device, App Clip Check-In session, Aesthetic Consent record, Apple Pencil signature, biometric-verification metadata or Chargeback Defence Pack share link, please notify us at support+figaroshield@mlconsulting.lt without undue delay. Treat a share link as a bearer credential: anyone holding the link can open the Pack until the link expires or is revoked, so if a link has been forwarded or exposed beyond its intended recipient, revoke it and report it. Provide as much detail as you can; do not include passwords, share links or other secrets in the email. We prioritise security reports and incidents during an active chargeback dispute window.

17. Your rights as a data subject

Subject to the conditions set out in the GDPR, you have the rights below. These rights are not absolute and may be restricted by law.

Right of access (Article 15). Confirm whether we process personal data about you and obtain a copy together with the information set out in Article 15.

Right to rectification (Article 16). Have inaccurate personal data corrected and incomplete data completed.

Right to erasure (Article 17). Have personal data erased where the conditions in Article 17 apply, including where the data is no longer necessary or where you withdraw consent and there is no other legal basis. The App offers an in-app “Delete account” control.

Right to restriction of processing (Article 18). Restrict our processing while we verify the accuracy of contested data, while we deal with an objection or in the other circumstances set out in Article 18.

Right to data portability (Article 20). Where processing is based on consent or contract performance and is carried out by automated means, receive the data you provided in a structured, commonly used and machine-readable format. The App provides in-app exports and watermarked PDF Packs.

Right to object (Article 21). Object to processing based on legitimate interests on grounds relating to your particular situation, and at any time to direct marketing.

Rights related to automated decision-making (Article 22). Not be subject to a decision based solely on automated processing that produces legal effects or similarly significant effects, and obtain human intervention, express your point of view and contest the decision where the right applies. See section 14, and the specific protection for clients and staff in section 11.4.

Right to withdraw consent (Article 7(3)). Where we rely on consent (or where the Subscribing Customer relies on Article 9(2)(a) explicit consent for Article 9 GDPR health data), withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.

Right to lodge a complaint (Article 77). Complain to our lead supervisory authority — the VDAI in Vilnius — or to the supervisory authority of the EU Member State where you habitually reside, where you work or where the alleged infringement took place. We would, however, appreciate the opportunity to address your concern directly first.

17.1 How to exercise your rights

You can exercise the rights above by sending an email to support+figaroshield@mlconsulting.lt with the words “Privacy request — Figaro Shield Field” in the subject line.

We will respond to verifiable requests without undue delay and in any event within one month of receipt under Article 12(3) GDPR. We may extend that period by up to a further two months for complex or numerous requests, in which case we will inform you of the extension and the reason within the first month. We may need to verify your identity (typically by asking you to authenticate to the relevant account or to provide proof of identity proportionate to the request and the data concerned). The service is free of charge unless your request is manifestly unfounded or excessive (Article 12(5) GDPR).

17.2 Workspace-controlled data

For Customer Data that we process as processor on behalf of a Subscribing Customer — including data about staff, clients, patients, Aesthetic Consent records, before / after photographs, Repeat-Offender Risk indicators and App Clip walk-ins — please direct your request to the Subscribing Customer first; if you cannot identify the Subscribing Customer, contact us at support+figaroshield@mlconsulting.lt and we will redirect your request without undue delay. For Article 9 GDPR special-category health data, the Subscribing Customer is the controller and any erasure / rectification request must be processed under its Article 9(2) GDPR basis and any applicable medical-record retention rule.

18. Regional rights notices

18.1 United Kingdom

If you are in the United Kingdom, the UK General Data Protection Regulation and the UK Data Protection Act 2018 apply to processing within their territorial scope. The rights set out in section 17 apply equivalently. The UK supervisory authority is the Information Commissioner’s Office (ICO).

18.2 Switzerland

If you are in Switzerland, the Swiss Federal Act on Data Protection (revFADP) applies to processing within its territorial scope. The Swiss supervisory authority is the Federal Data Protection and Information Commissioner (FDPIC). Where personal data of persons in Switzerland is transferred to a country that Switzerland does not recognise as providing adequate protection, we apply the Swiss addendum to the EU Standard Contractual Clauses where required.

18.3 California, United States

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA / CPRA”), gives you the right to (i) know the categories and specific pieces of personal information we collect, (ii) request deletion, (iii) request correction, (iv) limit the use and disclosure of sensitive personal information (which includes health and similar categories — see section 11.3), and (v) opt out of any “sale” or “sharing” of personal information. We do not sell personal information and we do not “share” personal information for cross-context behavioural advertising. We will not discriminate against you for exercising any of these rights.

18.4 Other US states

Similar rights are available to residents of Colorado, Connecticut, Virginia, Utah, Texas, Florida and other US states with comprehensive privacy laws. To exercise any state-law right, write to support+figaroshield@mlconsulting.lt.

18.5 Global Privacy Control

On the App’s landing pages, we honour the Global Privacy Control signal where technically feasible, treating it as an objection to non-essential cookies and a request to opt out of any “sale” or “sharing” of personal information.

19. Children

Figaro Shield Field is intended for business users (B2B) only and is not designed for use by minors as the contracting party. Where a minor is a client or patient referenced in the App (for example, a minor receiving a salon service or a permitted aesthetic procedure under applicable law), the Subscribing Customer is responsible for obtaining the parental / guardian notice and consent required under Article 8 GDPR or the applicable national age-of-digital-consent rule, and for complying with any national or sector-specific rule restricting cosmetic or aesthetic procedures on minors. See section 11.5 and Schedule A clause A6. Apple’s App Store age rating reflects the relevant minimum age for the App. If we become aware that we have collected personal data from a child without the appropriate authorisation, we will work with the relevant Subscribing Customer to investigate and, where appropriate, erase the data. If you are a parent or guardian and believe your child has provided personal data to us, please contact us at support+figaroshield@mlconsulting.lt.

20. Cookies and similar technologies

The Figaro Shield Field iOS / iPadOS App does not use analytics, advertising, profiling or marketing cookies. The App and its App Clip use on-device storage (the iOS application sandbox, the Keychain, SwiftData, UserDefaults) to deliver their features. This on-device storage is not "cookies" within the meaning of the ePrivacy Directive 2002/58/EC; it is governed by the rest of this Policy rather than by this section.

The Chargeback Defence Pack and Insurance-Aligned Incident Pack share-link web pages, and the App's landing pages on mlconsulting.lt, use only strictly-necessary cookies (for example, a signed session cookie that binds the visitor's session to the scope of the share link being viewed). No analytics or advertising cookies are set on those web pages.

21. Communications

21.1 Service messages

We send transactional service messages (security alerts, billing notices, magic-link authentication emails, support replies, material change notices, chargeback dispute deadline notices) on the basis of contract performance under Article 6(1)(b) GDPR. Service messages are not commercial marketing and cannot be opted out of without ceasing to use the App.

21.2 Direct marketing

Where we send commercial marketing emails about Figaro Shield Field — product updates, launch announcements, educational materials or event invitations — we rely either on (i) your prior consent under Article 6(1)(a) GDPR and Article 13 of the ePrivacy Directive, or (ii) the “soft opt-in” under Article 13(2) of the ePrivacy Directive (existing customer relationship, similar products or services, with a clear opt-out at the point of collection and in every message). You may opt out at any time by clicking the unsubscribe link in any marketing email, by emailing support+figaroshield@mlconsulting.lt or by updating your preferences in your account where applicable.

21.3 Operational notifications

APNs Time-Sensitive notifications (chargeback dispute deadline alerts at Day-7, Day-3 and Day-1; new chargeback received; repeat-offender check-in alerts; aesthetic-consent expired alerts; product write-off threshold alerts; sync-conflict alerts), ActivityKit Live Activities (dispute deadline countdowns on the Dynamic Island and Lock Screen) and EventKit calendar writes are operational reminders configured by you in iOS Settings and in the App’s Settings. They are best-effort and depend on Apple’s platform services. The Subscribing Customer remains responsible for performing the underlying operational action (chargeback dispute response, follow-up, write-off) regardless of the presence or absence of a notification.

22. Changes to this Policy

22.1 Routine updates

We may update this Policy from time to time, for example to reflect new features, regulatory developments, sub-processor changes or operational changes. The latest version is always published on the App’s App Store listing and at mlconsulting.lt/figaroshield/privacy.

22.2 Material changes

Where a change is material and adversely affects your rights or expectations, we will give reasonable advance notice — typically at least 30 days, unless a shorter period is required by law — by in-app notice and, where we have your email address, by email. Non-material changes (typographical fixes, clarifications, contact-detail updates, sub-processor list updates) take effect on posting.

22.3 Versioning

Each version of this Policy is dated and archived. The version in force at the time of the relevant processing governs that processing.

23. Contact us

For any question, request or complaint about this Policy or about how we process your personal data, please contact us using the details below.

Controller: ML Consulting MB

Address: Vilnius, Republic of Lithuania

Legal entity code: 306991112

Privacy contact (email): support+figaroshield@mlconsulting.lt

Website: https://mlconsulting.lt

Lead supervisory authority: Valstybinė duomenų apsaugos inspekcija (VDAI), L. Sapiegos g. 17, LT-10312 Vilnius, Lithuania · +370 5 271 2804 · ada@ada.lt · vdai.lrv.lt

Document end · Version 1.0 · Effective 1 June 2026 · Figaro Shield Field — Privacy Policy · © 2026 ML Consulting MB

© 2026. All rights reserved.