Privacy
How Iris handles your data.
Iris helps Singapore clinics recover lapsed patients and answer enquiries over their own WhatsApp and Instagram. To do that, a clinic shares patient contact details with us, and we draft and send the messages Iris is configured to send under the rules the clinic sets. This page explains, in plain English, what we do with that data — and, just as importantly, what we don’t.
This is an initial policy and will be reviewed with counsel before launch.
Who we are
Iris is operated by IrisAI Pte Ltd, a company incorporated in Singapore. This policy is aligned with Singapore’s Personal Data Protection Act (PDPA) and is written for the medical-aesthetic clinics we serve and the patients those clinics message.
What data Iris processes
In the course of an engagement with a clinic, Iris processes:
- Clinic-provided patient contact details — typically a CSV containing a patient’s name, phone number and visit history, used to identify who the clinic wants to reach.
- Message content — the conversations exchanged with patients over the clinic’s own WhatsApp or Instagram, including the clinic’s drafts and the patient’s replies.
- Clinic user account information — the names and login details of the clinic staff who set the rules and review escalations and the audit log.
Who is responsible for the data (roles)
The clinic is the data controller of its patients’ personal data — it decides who to message and why. Iris acts as a data processor and intermediary, handling that data only on the clinic’s instructions and only to deliver the service the clinic has asked for. We do not decide, on our own, to contact a clinic’s patients.
What we use the data for — and the limits
We use patient data for one purpose: to draft, screen and send the messages Iris is configured to send under the rules the clinic sets, and to report back on the outcomes of those messages (for example, who replied or booked).
We do not:
- sell or rent patient data to anyone;
- share patient data with third parties beyond what is needed to send the clinic’s own messages;
- use patient data to advertise our own or anyone else’s products to those patients;
- use one clinic’s patient data for the benefit of another clinic.
Consent, PDPA & the DNC registry
Before a recall campaign goes out, Iris checks the messaging against PDPA consent requirements and Singapore’s Do Not Call (DNC) registry. The aim is to make sure the clinic is reaching only the patients it is legally allowed to reach, in the way it is allowed to reach them. A campaign does not proceed until those checks are satisfied.
Security & retention
We apply access controls so that patient data is available only to the people who need it to run the engagement. We keep patient data only for as long as it is needed for that engagement, and we delete it on the clinic’s request or when the engagement ends. We do not hold patient data longer than we need to.
Your rights under the PDPA
Patients have the right to ask for access to the personal data a clinic holds about them, to correct it, and to withdraw consent to being contacted. Because the clinic is the data controller, those requests are normally handled by the clinic — and Iris will support the clinic in honouring them. Clinics, in turn, can ask us at any time about the data we process on their behalf, request corrections, or ask us to delete it.
To make any such request, use the contact below and we’ll route it to the right place.
Contact
For any data-protection question or request, contact our Data Protection point of contact at adrianlee2026@gmail.com. (A branded data-protection address is on the way.)
Last updated: June 2026