Privacy Policy

Last updated: 19 March 2026

1. Introduction

Follow Up Systems (“we”, “us”, “our”) is a trading name of Lead Balloon Ltd, a company registered in England and Wales. We provide automated video follow-up sequences, AI receptionist chatbots, and lead intelligence dashboards for aesthetic clinics.

We are committed to protecting and respecting your privacy. This policy explains how we collect, use, store, and share your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Data Controller: Follow Up Systems / Lead Balloon Ltd
Contact: [email protected]

2. Data We Collect

2.1 Account Data (Clinic Owners)

When you register for a Follow Up Systems account, we collect:

  • Name and email address
  • Clinic name and website URL
  • Payment information (processed securely by Stripe — we do not store card details)
  • Login credentials and session data

2.2 Lead Data (Processed on Behalf of Clinic Clients)

When clinic owners use our platform to manage their patient leads, we process the following data on their behalf as a data processor:

  • Lead name, email address, and phone number
  • Treatment interests and enquiry details
  • Engagement events (email opens, link clicks, video watches, chat messages)
  • Lead temperature scores and qualification data
  • Communication history (emails sent, SMS messages, chat transcripts)

2.3 Widget and Visitor Data

Our JavaScript widget, when embedded on a clinic's website, may collect:

  • Anonymous visitor identifiers (randomly generated, not linked to personal identity)
  • Page views and engagement events (video plays, chat interactions, button clicks)
  • Browser type, device type, and approximate location (country/region level)
  • Information voluntarily provided through the chat widget (name, email, phone number, enquiry details)

Beyond basic anonymous page-level analytics, the widget does not collect data from visitors who do not interact with it.

2.4 Website Knowledge Base Data

When a clinic owner provides their website URL, we scrape publicly available content from that website to build a knowledge base. This is used to train the AI receptionist and generate follow-up sequences. Only publicly accessible information is collected.

2.5 Conversion Tracking Data

For clients who enable Meta (Facebook/Instagram) integration, we transmit conversion events via the Meta Conversions API (CAPI). This may include:

  • Hashed email addresses and phone numbers
  • Event data (e.g., lead submitted, consultation booked)
  • Client IP address and user agent (for event matching)

This data is sent directly to Meta Platforms, Inc. and is subject to Meta's own data policies. We also use the Meta Pixel on our own website for advertising measurement.

3. How We Use Your Data

We use personal data for the following purposes:

  • Providing and operating the Follow Up Systems platform
  • Sending automated follow-up sequences (email, SMS, WhatsApp) on behalf of clinic clients
  • Powering the AI receptionist chatbot with clinic-specific knowledge
  • Generating lead intelligence scores and engagement analytics
  • Processing payments and managing subscriptions
  • Sending service-related communications (account notifications, onboarding emails)
  • Improving our platform, fixing bugs, and developing new features
  • Measuring advertising effectiveness via Meta CAPI

4. Legal Basis for Processing

We process personal data under the following legal bases:

  • Contract: Processing necessary to perform our contract with you (e.g., providing the platform, managing your subscription).
  • Legitimate interests: Processing necessary for our legitimate business interests (e.g., improving the platform, preventing fraud, analytics), where those interests are not overridden by your rights.
  • Consent: Where you have given clear consent for specific processing activities (e.g., receiving marketing communications, enabling Meta CAPI tracking).
  • Legal obligation: Where processing is necessary to comply with a legal obligation.

For lead data processed on behalf of clinic clients, the clinic is the data controller and we act as a data processor. The clinic is responsible for ensuring they have a lawful basis for collecting and sharing lead data with us.

5. Data Sharing and Third-Party Services

We share personal data with the following third-party service providers, each of whom processes data in accordance with their own privacy policies:

Anthropic (Claude AI)

Powers our AI receptionist and sequence generation. Chat messages, knowledge base content, and lead context are sent to Anthropic's API for processing. Anthropic does not use API data to train its models.

Resend

Handles email delivery for follow-up sequences, transactional emails, and notifications. Email addresses, message content, and delivery events (opens, clicks, bounces) are processed by Resend.

Twilio

Handles SMS delivery for follow-up sequences. Phone numbers and message content are processed by Twilio.

Stripe

Processes all payments and subscription management. Name, email, and payment card details are processed by Stripe. We do not store card numbers on our servers.

Cloudinary

Hosts and delivers video content uploaded by clinic owners. Video files and associated metadata are stored on Cloudinary's infrastructure.

Neon (Database)

Our primary database provider. All platform data is stored on Neon's managed PostgreSQL infrastructure in the EU (eu-west-2 region).

Firecrawl

Used to scrape clinic websites when building knowledge bases. Publicly available website content is processed by Firecrawl.

Meta Platforms, Inc.

Where clinics enable Meta CAPI integration, hashed lead data and conversion events are transmitted to Meta for advertising measurement and optimisation.

We do not sell personal data to any third party. We only share data as described above, as necessary to provide our services, or as required by law.

6. Data Storage and Security

All platform data is stored on Neon's managed PostgreSQL infrastructure in the European Union (eu-west-2). We implement appropriate technical and organisational measures to protect personal data, including:

  • Encryption in transit (TLS/HTTPS) and at rest
  • Access controls and authentication
  • Regular security reviews
  • Secure API integrations with all third-party providers

7. Data Retention

We retain personal data for as long as necessary to fulfil the purposes described in this policy:

  • Account data: Retained for the duration of your subscription and for up to 12 months after account closure, unless you request earlier deletion.
  • Lead data: Retained for as long as the clinic client's account is active. Deleted within 30 days of account closure or upon request from the clinic owner.
  • Widget analytics: Anonymous engagement data is retained for up to 24 months.
  • Payment records: Retained for 7 years as required by UK tax law.

8. Cookies and Tracking

We use cookies and similar technologies for the following purposes:

Strictly Necessary Cookies

Session cookies for authentication and login. These are essential for the platform to function and cannot be disabled.

Analytics and Performance

We use the Meta Pixel and Conversions API to measure the effectiveness of our advertising. These may set cookies on your device to track conversions and build advertising audiences.

Widget Cookies

Our embedded chat widget uses a locally stored anonymous identifier to maintain conversation state across page views. This does not track users across different websites.

You can control cookies through your browser settings. Disabling non-essential cookies will not affect core platform functionality but may limit analytics and advertising measurement.

9. International Data Transfers

Our primary database is located in the EU. However, some of our third-party service providers (Anthropic, Stripe, Cloudinary, Twilio, Meta) may process data in the United States or other countries outside the UK/EEA. Where this occurs, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or the provider's participation in recognised data protection frameworks.

10. Your Rights

Under UK GDPR, you have the following rights in relation to your personal data:

  • Right of access: You may request a copy of the personal data we hold about you.
  • Right to rectification: You may request that we correct inaccurate or incomplete data.
  • Right to erasure: You may request that we delete your personal data, subject to legal obligations.
  • Right to restrict processing: You may request that we limit how we use your data.
  • Right to data portability: You may request a machine-readable copy of data you have provided to us.
  • Right to object: You may object to processing based on legitimate interests or for direct marketing purposes.
  • Right to withdraw consent: Where processing is based on consent, you may withdraw that consent at any time.

To exercise any of these rights, please contact us at [email protected]. We will respond within 30 days.

For leads/patients: If you are a patient or lead whose data is held on our platform, please contact the clinic directly in the first instance. The clinic is the data controller for your data. If you are unable to resolve your request with the clinic, you may contact us and we will assist.

11. Complaints

If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Information Commissioner's Office
Website: ico.org.uk
Telephone: 0303 123 1113

12. Changes to This Policy

We may update this privacy policy from time to time. Where changes are significant, we will notify registered users by email. The “last updated” date at the top of this page indicates when the policy was last revised.

13. Contact Us

If you have any questions about this privacy policy or how we handle your data, please contact us:

Follow Up Systems (Lead Balloon Ltd)
Email: [email protected]