Privacy Policy
Last updated: May 2026
1. Who we are
This Privacy Policy explains how ABEEBA LTD, trading as go360 (“go360”, “we”, “us” or “our”), collects and uses personal data when you use the go360 platform, practitioner workspace, shared report links, billing features, referral tools, cookie consent tools and related services.
Contact: support@go360.io.
2. Scope
This policy applies to practitioners, clinic users, account administrators, report recipients, clients who access shared reports, referral participants and website/platform visitors.
3. Roles under data protection law
For practitioner account, billing, security, product analytics, support, website and cookie consent data, go360 generally acts as a data controller.
For client scan data, uploaded client information and practitioner-created reports, the practitioner or clinic will often be the controller and go360 may act as a processor or service provider. The exact role may depend on how the practitioner uses the Platform and any applicable agreement.
Practitioners remain responsible for obtaining lawful client consent, providing appropriate client notices, and confirming the lawful basis before uploading, generating, storing or sharing client information through the Platform.
4. Personal data we collect
Practitioner and account data
- name, email address, password hash, login credentials, social login identifiers, verification status and password reset events;
- clinic, branding, report settings and practitioner preferences;
- subscription status, billing history, referral information and Stripe customer identifiers;
- Stripe Connect status, payout readiness and connected account identifiers where used.
Client and report data
- client name, age, sex, scan metadata and case information entered or uploaded by a practitioner;
- QRMA or similar scan exports, parsed markers, report JSON, generated reports, PDFs and trend data;
- practitioner notes, report settings and recommendations where entered or generated.
Social login and authentication providers
- When you sign in using Google or Microsoft OAuth, we may receive your name, verified email address, provider profile identifier and basic account profile information from the provider.
- We use this information solely for authentication, account creation, account linking, security and account management.
Usage, security, cookies and technical data
- IP address, device/browser information, session data, cookie consent preference, log files and security events;
- share-link access events, report views, payment-started events and download activity;
- support messages, troubleshooting data and audit logs.
5. Special category health data
Some uploaded or generated data may include health-related information or information that could be treated as special category data under UK GDPR. Practitioners must obtain appropriate client consent or identify another valid lawful basis before uploading or sharing such data. We process this data to provide the Platform and related services.
6. How we use personal data
- create and manage practitioner accounts;
- authenticate users, verify email addresses, process social login and reset passwords;
- generate, store, display and share reports;
- operate subscriptions, billing, refunds, referrals, paid bundles and Stripe Connect workflows;
- remember cookie choices and provide essential platform functions;
- provide support, troubleshoot issues, maintain security, audit logs, fraud prevention and platform integrity;
- improve reliability, product design and user experience; and
- comply with legal, tax, accounting, regulatory or dispute-resolution requirements.
7. Lawful bases
Depending on the context, we rely on one or more of the following lawful bases: contract, legitimate interests, legal obligation, consent, and where applicable for health-related data, explicit consent or provision/management of health or social care by an appropriate professional where available under applicable law. Practitioners are responsible for confirming the lawful basis for client data they upload.
8. Sharing personal data
- authorised practitioner account users and clinic team members;
- clients or recipients where a practitioner creates a share link;
- hosting, storage, database, monitoring, email and security providers;
- Stripe for payment processing, subscriptions, billing portal, refunds, disputes and Stripe Connect;
- Google and Microsoft authentication services where social login is used;
- professional advisers, insurers, auditors or legal authorities where required;
- successors or purchasers if our business or assets are reorganised or transferred.
We do not sell personal data.
9. Cookies and similar technologies
We use essential cookies and similar technologies for authentication, security, account access, cookie preference storage, OAuth state checks, billing redirection and platform operation. These are required for the Platform to work and do not require opt-in consent.
Optional analytics or marketing cookies will only be used where they are implemented and permitted by your cookie choice. For full details, see our Cookie Policy.
10. International transfers
Some providers may process data outside the UK or EEA. Where required, we use appropriate safeguards such as adequacy decisions, standard contractual clauses or equivalent protections.
11. Retention
We retain personal data for as long as needed to provide the Platform, meet contractual obligations, support practitioners, maintain records, comply with legal/accounting requirements, resolve disputes and preserve security/audit logs.
12. Security
We use technical and organisational safeguards designed to protect personal data, including access controls, authentication, secure infrastructure, audit logging, encrypted transport, role-based restrictions and operational monitoring. No system can be guaranteed completely secure.
13. Automated and AI-assisted processing
The Platform may use automated or AI-assisted tools to structure report content, identify patterns, summarise scan data or support practitioner workflows. These outputs are intended for practitioner review and are not solely automated clinical decisions about clients.
14. Your rights
Depending on your location and the circumstances, you may have rights to access, rectification, erasure, restriction, portability, objection, withdrawal of consent, and not to be subject to solely automated decisions with legal or similarly significant effects.
15. Client requests
If you are a client of a practitioner and want to access, correct or delete report data, you should usually contact the practitioner or clinic that created the report. We may need to refer client data requests to the relevant practitioner where they are the controller of that information.
16. Children
The Platform is not intended for direct use by children. Practitioners are responsible for obtaining appropriate parental/guardian consent and complying with applicable laws when uploading or sharing information about minors.
17. Complaints
You can contact us first at support@go360.io. If you are in the UK and remain concerned, you may contact the Information Commissioner’s Office.
18. Changes to this policy
We may update this Privacy Policy from time to time. The latest version will be posted on the Platform with an updated date.
19. Contact
Questions or requests can be sent to support@go360.io.