*This Privacy Policy governs the collection, use, disclosure, and protection of personal information, including sensitive health and biometric data, by DermaSci Corporation. Please read it carefully before using our Platform. If you do not agree with this Policy, you must not access or use our services.*
DermaSci Corporation (“DermaSci,” “we,” “our,” or “us”) is an Ontario corporation with its principal place of business in Ontario, Canada. We operate an artificial-intelligence-powered digital platform (the “Platform”) that connects individuals seeking evidence-based skincare and aesthetic treatments with licensed clinics and aesthetic service providers. DermaSci is not a healthcare provider, medical clinic, or regulated health professional, and nothing on the Platform constitutes medical advice, diagnosis, or treatment.
This Policy applies to all personal information collected by DermaSci through:
This Policy applies regardless of your location. Jurisdiction-specific supplements for the European Union, the Province of Québec, the State of California, Mexico, and Brazil are set out in Sections 18 through 22 below and form an integral part of this Policy.
This Policy covers:
*THE PLATFORM IS RESTRICTED TO INDIVIDUALS WHO ARE 18 YEARS OF AGE OR OLDER. We do not knowingly collect personal information from persons under the age of 18. If you are under 18, you must not use the Platform. See Section 16 for our full children’s privacy statement.*
DermaSci operates as a technology platform intermediary. While DermaSci maintains its own privacy and data protection compliance program, all users of the Platform, whether Client/Patient Users, Clinic Partners, or Clinic Staff, are independently responsible for complying with all laws, regulations, and professional standards applicable to their own activities, roles, and jurisdictions.
In particular:
DermaSci’s compliance with its own privacy obligations does not relieve any user of their separate, independent compliance obligations. DermaSci expressly disclaims any responsibility for a user’s failure to comply with laws applicable to that user’s own activities.
In this Policy, the following terms have the meanings set out below:
| Term | Meaning |
|---|---|
| Biometric Data | Measurable physical characteristics used to identify an individual, including facial geometry, skin texture mapping, or other unique biological identifiers derived from uploaded photographs. |
| Clinic Partner | A licensed aesthetic clinic, medical spa, dermatology clinic, or similar business that has entered into a Subscription Agreement with DermaSci. |
| Health Information | Any information relating to an individual’s past, present, or anticipated physical or mental health, including skin conditions, photographs of skin, and related treatment history. |
| Personal Information | Any information about an identifiable individual, including name, contact details, Health Information, Biometric Data, location data, and device identifiers. |
| Platform | The DermaSci website, mobile application, AI assessment engine, and all related Services offered by DermaSci Corporation. |
| Sensitive Data | A subset of Personal Information that warrants heightened protection, including Health Information, Biometric Data, and financial information. |
| Special Category Data | Personal data revealing racial or ethnic origin, health data, biometric data for the purpose of uniquely identifying a natural person, and other categories listed in Article 9 of the GDPR. |
| AI Assessment Engine | The artificial-intelligence and machine-learning models operated by DermaSci that analyze user-submitted photographs and questionnaire responses to generate treatment and clinic-matching recommendations. |
When you create an account or use the Platform, we collect:
Important: Photographs submitted for AI analysis are treated as Health Information and as potential Biometric Data. See Sections 3.3 and 15 for specific disclosures.
When you use the Platform, we automatically collect:
*IMPORTANT – BIOMETRIC DATA: Photographs you upload may be processed by our AI Assessment Engine in ways that constitute the collection of biometric data under applicable laws, including the Illinois Biometric Information Privacy Act (BIPA), Texas Capture or Use of Biometric Identifier Act (CUBI), and the EU General Data Protection Regulation (GDPR). Specific consents and rights apply. See Section 15.*
Biometric data we may collect or derive includes:
We do not use biometric data for identity verification or authentication purposes. Biometric data derived from photographs is used solely for the purpose of generating skin assessment recommendations and is not sold or disclosed to third parties for marketing purposes.
Clinic Partners may provide us with information about their existing or prospective patients for the purpose of referral coordination or follow-up, including:
DermaSci does not collect or process:
DermaSci currently collects prescription and pharmaceutical information only where you voluntarily disclose it, for example, current topical medications or known treatment contraindications, for the sole purpose of generating safer and more relevant skin assessment recommendations. DermaSci does not collect this information from pharmacies, prescribing physicians, insurance providers, or any other third-party source. If DermaSci expands its collection of pharmaceutical information in the future, this Policy will be updated and, where required, fresh consent will be obtained before any expanded collection begins.
We collect personal information through the following means:
DermaSci collects and uses personal information for the following primary purposes:
| Purpose | Description |
|---|---|
| Account Creation and Authentication | To register you as a Client/Patient User, verify your identity and age, and provide secure access to the Platform. |
| AI Skin Assessment | To analyze your submitted photographs and questionnaire responses using our AI Assessment Engine to generate personalized, evidence-based skincare treatment recommendations. |
| Clinic Matching and Referral | To identify and recommend 3–4 Clinic Partners in your geographic area that offer treatments relevant to your skin concerns, and to facilitate warm referrals between you and those clinics. |
| Treatment Recommendations | To provide you with information about evidence-based aesthetic and skincare treatments, including explaining the science behind recommended treatments to support informed decision-making. |
| Communications | To send you appointment reminders, follow-up messages, and service-related communications. |
| Platform Improvement | To analyze usage patterns, troubleshoot errors, and improve the performance, safety, and accuracy of our AI models and Services. |
| Legal Compliance | To comply with applicable laws, regulations, court orders, and legal processes. |
| Safety and Fraud Prevention | To detect and prevent fraud, abuse, and security incidents. |
*We will not use your photographs, skin assessment data, or any other Sensitive Data to train, retrain, fine-tune, or benchmark our AI models without obtaining your separate, explicit, and informed consent through a standalone consent process. Acceptance of this Privacy Policy does not constitute consent to AI training use of your data.*
We may send you promotional communications about DermaSci’s Services, new features, or relevant skincare information, subject to your opt-in consent where required by law (including under Canada’s Anti-Spam Legislation, SC 2010, c 23). You may unsubscribe at any time using the link provided in any marketing email or by contacting us at privacy@dermasci.com.
We may use personal information to create aggregated or de-identified data sets that do not identify any individual. Such data may be used for research, product development, industry reporting, or shared with Clinic Partners as anonymized market intelligence. We will not attempt to re-identify de-identified data, and we contractually prohibit our service providers from doing so.
DermaSci processes your personal information on the following legal bases, which vary by jurisdiction:
| Legal Basis | Application |
|---|---|
| Consent | For the collection of photographs, Biometric Data, Health Information, and for any marketing communications. You may withdraw consent at any time (see Section 13). |
| Contractual Necessity | To create and maintain your account, deliver the Services you request, and fulfil our obligations to Clinic Partners. |
| Legitimate Interests | For fraud prevention, Platform security, analytics, and improving the accuracy of our AI models using anonymized data, where such interests do not override your privacy rights. |
| Legal Obligation | To comply with Canadian, provincial, US, EU, and other applicable laws, regulations, court orders, or regulatory requirements. |
| Vital Interests | In exceptional circumstances where processing is necessary to protect the vital interests of any person (e.g., responding to a reported health emergency). |
For EU/EEA residents: the specific legal basis under the General Data Protection Regulation (EU) 2016/679 (“GDPR”) for each processing activity is further detailed in Section 20.
For Québec residents: processing is based on the purposes described above in accordance with An Act Respecting the Protection of Personal Information in the Private Sector, CQLR c P-39.1 (as amended by Law 25).
*When you accept a clinic referral through the Platform, DermaSci will share your name, contact information, and a summary of your skin assessment results (but not your raw photographs unless you separately consent) with the relevant Clinic Partner. You control which referrals you accept.*
DermaSci shares personal information with Clinic Partners only:
Whether a Clinic Partner is subject to PHIPA or equivalent health information legislation depends on its own staffing and operational structure, specifically whether it employs or retains regulated health professionals. DermaSci relies on Clinic Partners to self-assess and disclose their regulatory status. Each Clinic Partner is required to:
DermaSci does not independently verify the regulatory status of Clinic Partners or their practitioners. Each Clinic Partner bears sole responsibility for the accuracy of its disclosure and for its own compliance with applicable health information legislation. DermaSci expressly disclaims liability arising from a Clinic Partner’s failure to disclose its status or to comply with applicable law.
We engage third-party service providers who process personal information on our behalf under written data processing agreements. These include:
All service providers are required by contract to: process personal information only on our documented instructions; maintain appropriate technical and organizational security measures; and not engage sub-processors without our prior written consent.
We may disclose personal information without your consent where required or permitted by law, including:
If DermaSci undergoes a merger, acquisition, sale of assets, reorganization, financing, or similar corporate transaction, personal information held by DermaSci may be transferred to or accessed by the other party as part of that transaction. Any such transfer is made on the basis of DermaSci’s legitimate business interests in completing the transaction and is subject to the condition that the receiving party agrees to handle personal information in accordance with privacy commitments substantially equivalent to those in this Policy.
Where a transaction is completed, DermaSci will notify affected users through the Platform or by email to their registered address within a reasonable time. Users who object to their personal information being held by the new entity may close their account at any time. Your personal information will continue to be used only for the purposes described in this Policy at the time of collection unless you are notified otherwise and, where required by law, provided with an opportunity to consent to any new purpose.
For Québec residents: the transfer of personal information in connection with a business transaction is subject to applicable requirements under Law 25, and DermaSci will take commercially reasonable steps to ensure those requirements are satisfied in connection with any such transaction.
DermaSci does not:
DermaSci is an Ontario corporation and your personal information is initially stored on servers located in Canada. As we scale operations internationally, personal information may be transferred to, stored in, or processed in jurisdictions outside Canada, including the United States, members of the European Economic Area, the United Kingdom, Mexico, Brazil, and countries in the Asia-Pacific region. These jurisdictions may have privacy laws that differ from the laws of your home province or country.
Where personal information is transferred outside Canada to a country that does not provide equivalent privacy protections, DermaSci implements the following safeguards:
*Pursuant to section 17 of An Act Respecting the Protection of Personal Information in the Private Sector (Québec), DermaSci conducts a Privacy Impact Assessment (PIA) prior to communicating personal information outside Québec. A summary of completed PIAs is available upon request. By using the Platform, Québec residents acknowledge that their personal information may be communicated outside Québec subject to these safeguards.*
DermaSci is not a Covered Entity under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), 42 USC § 1320d et seq. DermaSci does not provide health care services, administer a health plan, or process health insurance claims.
Whether DermaSci functions as a Business Associate under HIPAA in any particular situation depends on the Covered Entity status of the receiving Clinic Partner and the nature of the data transmitted. Where a US Clinic Partner is itself a HIPAA Covered Entity, DermaSci’s Data Processing Agreement is structured to address the applicable obligations. Clinic Partners who are Covered Entities are responsible for ensuring their own HIPAA compliance in respect of any patient information they receive through the Platform.
Health information voluntarily submitted by Client/Patient Users directly to DermaSci’s Platform is collected from the individual directly and is not received from a Covered Entity. DermaSci treats this information as Health Information under applicable Canadian privacy law and as sensitive personal information under applicable US state law, regardless of its technical HIPAA status.
Transfers of personal information to Clinic Partners in the United States are also subject to applicable US state health data privacy laws, including Washington’s My Health My Data Act, Nevada’s Consumer Health Data Privacy Law, and equivalent legislation in other states where such laws apply to DermaSci’s data practices. DermaSci will assess and address these obligations as it expands US operations, and will seek qualified US legal counsel before commencing material US-facing activities.
We retain personal information for as long as necessary to fulfil the purposes described in this Policy, to comply with our legal obligations, to resolve disputes, and to enforce our agreements. Our general retention periods are:
| Category of Information | Retention Period |
|---|---|
| Account and Identity Information | Duration of account plus 7 years after account closure, or longer as required by applicable law, including tax, regulatory, or limitation period requirements. |
| Skin Assessment Photographs | Up to 5 years from date of submission, or until you request deletion, whichever comes first. You may delete uploaded photographs at any time through your account settings. Note: biometric data derived from photographs is subject to the separate retention limit described below, regardless of how long the photograph itself is retained. |
| AI Assessment Results and Recommendations | Duration of account plus 7 years after account closure, for dispute resolution, AI model validation, and regulatory compliance purposes. |
| Referral and Clinic Interaction Records | 10 years from date of referral, for dispute resolution, litigation defence, and regulatory compliance purposes. This extended period reflects the discoverability principle applicable to personal injury and health-related claims in many jurisdictions. |
| Biometric Data | Deleted or irreversibly de-identified within 3 years of collection, or within 1 year of your last interaction with the Platform, whichever is sooner. This period is fixed by applicable biometric privacy law, including the Illinois Biometric Information Privacy Act (BIPA), and cannot be extended regardless of photograph retention. |
| Communications and Support Records | 7 years from the date of the communication, for dispute resolution and regulatory compliance purposes. |
| Cookie and Session-Level Analytics | 13 months (rolling), after which data is aggregated and de-identified. |
| Aggregated Platform Analytics | Up to 5 years in de-identified and aggregated form, which no longer constitutes personal information once properly anonymized. |
| Legal Hold Data | Retained for the duration of any legal proceeding, investigation, or regulatory matter, plus 1 year thereafter. |
Upon expiry of applicable retention periods, personal information is deleted or irreversibly de-identified using commercially reasonable methods. DermaSci reviews its retention practices periodically and may adjust retention periods where legitimate purposes no longer justify continued retention.
DermaSci maintains an information security program appropriate to the size and nature of its operations and the sensitivity of the personal information it holds. Security measures are scaled and developed as the Platform grows. Current and planned measures include:
In the event of a breach of security safeguards involving personal information that poses a real risk of significant harm to affected individuals, DermaSci will:
The DermaSci AI Assessment Engine analyzes your submitted photographs and questionnaire responses to generate personalized treatment and clinic-matching recommendations. The AI model uses pattern recognition, computer vision, and machine-learning techniques trained on dermatological and aesthetic treatment data to identify skin characteristics and match them with evidence-based treatment options.
*AI-GENERATED RECOMMENDATIONS ARE NOT MEDICAL ADVICE. The outputs of the DermaSci AI Assessment Engine are informational recommendations intended to help you navigate available aesthetic and skincare treatments and connect you with qualified providers. They do not constitute a medical diagnosis, clinical assessment, or professional medical opinion. DermaSci’s AI is not a licensed health professional. Always consult a qualified healthcare professional for medical concerns.*
DermaSci’s AI Assessment Engine generates recommendations algorithmically. Clinic-matching recommendations that result in a referral are not individually reviewed by a DermaSci employee before delivery. However, Clinic Partners receiving referrals are licensed aesthetic professionals who will independently assess your suitability for any recommended treatment.
To the extent that our AI processing constitutes solely automated decision-making that produces a legal or similarly significant effect on you:
DermaSci conducts ongoing evaluation of the accuracy, fairness, and potential biases of its AI Assessment Engine across different skin tones, ethnicities, ages, and genders. We are committed to improving representativeness and reducing discriminatory outputs. If you believe a recommendation was inaccurate or unfair, please report this through our feedback mechanism or by contacting privacy@dermasci.com.
Our AI models are trained using datasets that may include:
We do not use individual user photographs or health data submitted through the Platform to train AI models without your separate explicit consent. If we wish to use your data for training purposes, we will contact you with a clear, standalone consent request.
Subject to applicable law and certain exceptions, you have the right to:
| Right | Description |
|---|---|
| Access | Request confirmation of whether we hold personal information about you and obtain a copy of that information. |
| Correction | Request correction of inaccurate, incomplete, or out-of-date personal information. |
| Deletion / Erasure | Request deletion of your personal information, subject to our legal obligations and legitimate business needs (e.g., retention for dispute resolution). |
| Withdraw Consent | Withdraw consent at any time for any processing based on consent, without affecting the lawfulness of prior processing. |
| Data Portability | Request a machine-readable copy of personal information you have provided to us (available to EU/EEA and certain other residents). |
| Object to Processing | Object to processing based on legitimate interests, and to profiling for marketing purposes. |
| Restrict Processing | Request that we temporarily restrict processing of your personal information in certain circumstances. |
| Complaint | Lodge a complaint with a relevant supervisory authority or data protection commissioner. |
To exercise any of the rights above, please submit a written request to our Privacy Officer by:
We will respond to your request within:
We do not charge a fee for exercising your rights unless requests are manifestly unfounded, excessive, or repetitive, in which case we may charge a reasonable administrative fee or decline to act, with written reasons.
We are required to verify your identity before processing any request to access, correct, or delete your personal information. This protects your information from unauthorized access. We may ask you to provide identifying information sufficient to match your request to your account, and will not retain verification information beyond what is necessary for this purpose.
Where processing of your personal information is based on your consent, you may withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
The consequences of withdrawing consent vary depending on the type of consent withdrawn:
| Consent Type | Consequence of Withdrawal |
|---|---|
| Account creation and Services | Your account will be closed and you will no longer be able to use the Platform. We will delete or de-identify your personal information in accordance with our retention schedule (Section 9). |
| Photograph and AI Assessment processing | We will cease processing your photographs and will delete them from active storage. You will not be able to receive AI-generated recommendations. Anonymized or de-identified data derived prior to withdrawal may be retained. |
| Biometric Data processing | We will promptly delete or de-identify biometric data derived from your photographs. Deletion will occur within the timeframes specified in Section 9 and Section 15. |
| Clinic referral sharing | We will not share your information with Clinic Partners. You will not receive clinic referrals. |
| Marketing communications | You will be unsubscribed from marketing emails. Transactional and legal communications may still be sent. |
To withdraw consent, please contact privacy@dermasci.com or use the consent management tools available in your account settings.
| Cookie Type | Purpose |
|---|---|
| Strictly Necessary | Essential for the operation of the Platform, including authentication, security, and session management. Cannot be disabled. |
| Functional | Remember your preferences and settings to personalize your experience. |
| Analytics and Performance | Collect information about how you use the Platform to help us improve its performance and design. Data is aggregated and, where possible, anonymized. |
| Targeting / Advertising | Used only with your explicit consent to deliver relevant advertising and measure campaign effectiveness. We do not use targeting cookies based on health or biometric profiles. |
You can manage your cookie preferences through:
Please note that disabling certain cookies may affect the functionality of the Platform.
Our Platform currently does not respond to “Do Not Track” signals from browsers. Where applicable law requires us to honour such signals (e.g., under the California Consumer Privacy Act), we will update this section accordingly.
*This section provides disclosures required under applicable biometric privacy laws, including the Illinois Biometric Information Privacy Act (BIPA), 740 ILCS 14/1 et seq.; the Texas Capture or Use of Biometric Identifier Act, Tex. Bus. & Com. Code § 503.001; GDPR Article 9; and Québec Law 25.*
If you upload a photograph of your face for skin assessment, our AI Assessment Engine may derive biometric identifiers including facial geometry measurements and structural characteristics of your skin. This information is derived from your photograph as part of the assessment process and may constitute “biometric information” under applicable state and provincial laws.
Biometric data is collected and used exclusively for the purpose of generating personalized skin assessment recommendations. It is not used for identity verification, authentication, marketing, or any other purpose.
Biometric data is subject to its own independent retention schedule, separate from and shorter than the retention period that applies to the underlying photograph. Even where a photograph is retained for longitudinal assessment purposes under Section 9, any biometric data derived from that photograph will be permanently and irreversibly destroyed on the following schedule, whichever event occurs first:
This schedule is fixed by applicable biometric privacy law, including the Illinois Biometric Information Privacy Act (BIPA), 740 ILCS 14/15(a), and cannot be extended. Your photograph may remain in our system after biometric data has been destroyed. You may request earlier deletion of biometric data at any time by contacting privacy@dermasci.com.
DermaSci does not sell, lease, trade, or otherwise profit from biometric data. Biometric data is not shared with Clinic Partners or any other third party except our data hosting and AI infrastructure providers, who process it on our behalf under written agreements prohibiting independent use or disclosure.
If you are an Illinois resident, you have the right to:
This Privacy Policy, together with our Biometric Data Consent Form, constitutes our written policy for purposes of BIPA. Your explicit consent to biometric data collection is obtained through the separate consent process prior to your first photograph upload.
THE PLATFORM IS NOT DIRECTED TO AND MUST NOT BE USED BY INDIVIDUALS UNDER THE AGE OF 18. We do not knowingly collect personal information from anyone under 18 years of age.
If we become aware that we have inadvertently collected personal information from a person under 18, we will:
If you believe we may have collected information from or about a minor, please contact us immediately at privacy@dermasci.com. We comply with the Children’s Online Privacy Protection Act (COPPA), 15 USC § 6501, to the extent it applies to our operations.
The Platform may contain links to third-party websites, applications, or services operated by Clinic Partners or other third parties. This Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party services you access through our Platform. DermaSci is not responsible for the privacy practices of third parties.
DermaSci’s personal information practices are governed by the Personal Information Protection and Electronic Documents Act, SC 2000, c 5 (“PIPEDA”) and substantially follow the 10 Fair Information Principles set out in Schedule 1 of PIPEDA. Our Privacy Officer oversees compliance with PIPEDA and is responsible for receiving and responding to complaints.
You may direct complaints to the Office of the Privacy Commissioner of Canada:
DermaSci is not a "health information custodian" as defined under Ontario's Personal Health Information Protection Act, 2004, SO 2004, c 3, Sch A ("PHIPA"). DermaSci does not provide health care, and its primary function is technology-based commercial referral matchmaking, not the provision of health services. Accordingly, PHIPA's custodian obligations do not apply to DermaSci's own handling of personal information through the Platform.
However, Clinic Partners who receive personal health information through the Platform may themselves be health information custodians subject to PHIPA. Whether a Clinic Partner is a custodian depends on the services it performs and the nature of any regulated health professional’s involvement, not on the label the clinic uses to describe itself. The following framework applies:
| Clinic Classification (by Services and Professional Involvement) | Likely PHIPA Status and Obligations |
|---|---|
| Facility performing non-controlled act services only, with no regulated health professional involvement (e.g., esthetics salon, beauty spa offering facials, waxing, and non-invasive treatments) | Likely not a PHIPA custodian. Governed by PIPEDA and applicable provincial commercial privacy law. Standard Data Processing Agreement with DermaSci applies. |
| Facility performing controlled act services (e.g., injectables, medical-grade treatments, prescription topicals) under active supervision or delegation by a regulated health professional, including physicians, nurse practitioners, or registered nurses | Likely a PHIPA health information custodian in respect of the regulated practitioner's practice. Client/patient health information received through DermaSci is subject to PHIPA. The clinic must comply with all applicable PHIPA custodian obligations and enter into an appropriate data processing arrangement with DermaSci before patient data is transmitted. |
| Physician-owned or physician-operated practice where a physician is an active treating clinician (e.g., cosmetic medicine clinic, dermatology practice) | Almost certainly a PHIPA custodian. All personal health information received through the Platform is subject to PHIPA. An appropriate data processing arrangement with DermaSci is required before patient data is transmitted. |
| Facility outside Ontario | Governed by equivalent provincial legislation (e.g., Alberta Health Information Act, RSA 2000, c H-5; BC Personal Information Protection Act, SBC 2003, c 63) or, for non-Canadian clinics, applicable international law. The same classification exercise applies under the relevant framework. DermaSci relies on Clinic Partner self-disclosure of status under all applicable frameworks. |
Each Clinic Partner is responsible for self-assessing its regulatory status and ensuring its own compliance with applicable health information legislation. DermaSci’s agreements with Clinic Partners require them to:
DermaSci bears no responsibility for a Clinic Partner's failure to disclose its custodian status or to comply with PHIPA or equivalent legislation. Client/Patient Users with concerns about how a specific Clinic Partner is handling their health information should contact that clinic's Privacy Officer directly, or lodge a complaint with the Information and Privacy Commissioner of Ontario at www.ipc.on.ca or 1-800-387-0073.
For individuals whose personal information is subject to Québec’s Act respecting the protection of personal information in the private sector, CQLR c P-39.1, as amended by An Act to modernize legislative provisions as regards the protection of personal information, SQ 2021, c 25 (“Law 25”), the following additional rights and obligations apply:
*This section applies to California residents and supplements the rest of this Policy. It is provided pursuant to the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq., as amended by the California Privacy Rights Act of 2020 (“CCPA/CPRA”).*
In the preceding 12 months, DermaSci has collected the following categories of personal information from California residents:
California residents have the right to:
California Civil Code § 1798.83 (“Shine the Light”) permits California residents to request information about third parties to whom we have disclosed personal information for their own direct marketing purposes. DermaSci does not share personal information with third parties for their own direct marketing purposes.
*This section applies to individuals located in the European Union or European Economic Area and supplements the rest of this Policy. It is provided pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (the “GDPR”).*
DermaSci Corporation is the data controller of personal information collected through the Platform from EU/EEA residents during the collection and AI assessment phases of the Service. DermaSci independently determines the purposes and means of that processing and is accordingly the data controller under GDPR Article 4(7) for those activities.
Clinic Partners who receive referral information are independent data controllers in respect of their use of that information following delivery of a referral. DermaSci and a receiving Clinic Partner may, in respect of the referral transaction itself, be joint controllers under GDPR Article 26 to the extent they jointly determine the purposes of the data sharing. DermaSci's agreements with Clinic Partners address the allocation of responsibilities between the parties in that context.
Where EU/EEA resident personal data is transferred to Clinic Partners located outside the EU/EEA, such transfers are subject to appropriate transfer mechanisms under GDPR Chapter V, including Standard Contractual Clauses where applicable. Our contact details are set out in Section 24.
Photographs used for AI analysis and biometric data derived from them constitute “special category data” under GDPR Article 9. DermaSci processes such data only with your explicit consent (Article 9(2)(a)) obtained through our separate consent form, and where necessary to protect your vital interests (Article 9(2)(c)). We have completed a Data Protection Impact Assessment (DPIA) for this processing activity.
Transfers of personal data from the EU/EEA to Canada are made pursuant to the European Commission’s adequacy decision for Canada under PIPEDA (Commission Decision 2002/2/EC). Transfers to other third countries (including the United States) are made pursuant to Standard Contractual Clauses (SCCs) adopted under Commission Implementing Decision (EU) 2021/914, supplemented by technical measures as appropriate following a Transfer Impact Assessment.
In addition to the rights described in Section 12, EU/EEA residents have the right to:
As we expand operations into the EU, DermaSci will appoint an EU Representative as required under GDPR Article 27. Details of our EU Representative will be published at www.dermasci.com/legal/eu-rep once appointed. [Note: Appoint your EU Representative before launching EU-facing operations.]
This section applies to individuals whose personal information is collected or processed in Mexico, and supplements the rest of this Policy pursuant to the Federal Law on Protection of Personal Data Held by Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares, “LFPDPPP”), published in the Official Gazette of the Federation on July 5, 2010, and its Regulations.
This Policy constitutes DermaSci’s Aviso de Privacidad (Privacy Notice) for purposes of the LFPDPPP. It sets out the identity and domicile of the data controller (DermaSci Corporation), the personal data collected, the purposes of processing, and the mechanisms for exercising ARCO rights.
Mexican residents have the rights of Acceso (Access), Rectificación (Rectification), Cancelación (Cancellation), and Oposición (Opposition) (collectively, “ARCO rights”). To exercise these rights, contact privacy@dermasci.com. We will respond within 20 business days.
Health information and biometric data constitute “datos personales sensibles” under the LFPDPPP. We collect and process such data only with your express written consent, which will be obtained through our separate consent form.
This section applies to individuals whose personal information is processed in Brazil, and supplements the rest of this Policy pursuant to the Lei Geral de Proteção de Dados Pessoais, Law No. 13,709/2018 (“LGPD”).
Brazilian residents have rights under the LGPD including the right to: confirm the existence of processing; access data; correct incomplete, inaccurate, or outdated data; anonymize, block, or delete unnecessary or excessive data; port data; obtain information about entities with which data has been shared; be informed of the possibility of denying consent and the consequences; revoke consent; and lodge a complaint with the Autoridade Nacional de Proteção de Dados (ANPD) at www.gov.br/anpd.
Health data constitutes “dados sensíveis” under LGPD Article 5(II) and is processed only on the basis of your specific consent (LGPD Article 11(I)).
DermaSci may update this Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other reasons. When we make material changes, we will:
Your continued use of the Platform after any revised Policy becomes effective constitutes your acceptance of the changes, except where applicable law requires your affirmative consent to the revised terms.
We maintain an archive of previous versions of this Policy, which is available upon request from privacy@dermasci.com.
DermaSci has designated a Privacy Officer who is responsible for overseeing compliance with this Policy and applicable privacy laws. You may contact our Privacy Officer with any questions, concerns, or requests:
| Contact Method | Details |
|---|---|
| Email | privacy@dermasci.com |
| Mail | Privacy Officer, DermaSci Corporation, [Address], Ontario, Canada |
| Response Time | We will acknowledge your inquiry within 5 business days and respond substantively within the applicable statutory timeframe. |
If you are not satisfied with our response, you have the right to lodge a complaint with the relevant privacy regulatory authority:
| Jurisdiction | Regulatory Authority |
|---|---|
| Canada (Federal) | Office of the Privacy Commissioner of Canada, www.priv.gc.ca, 1-800-282-1376 |
| Québec | Commission d’accès à l’information (CAI), www.cai.quebec, 1-888-528-7741 |
| European Union / EEA | Your national data protection supervisory authority, see edpb.europa.eu for a directory |
| United Kingdom | Information Commissioner’s Office (ICO), www.ico.org.uk, 0303 123 1113 |
| Brazil | Autoridade Nacional de Proteção de Dados (ANPD), www.gov.br/anpd |
| Mexico | Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI), www.inai.org.mx |
This Privacy Policy has been reviewed and approved on behalf of DermaSci Corporation.
Nancy Eliott, Privacy Officer
DermaSci Corporation
Nancy Eliott, Chief Executive Officer
DermaSci Corporation