
Disclaimer: This Virtual Enterprise online store is for educational purposes only (2025-2026 – DermaLyze).

Data Privacy Policy

1. Introduction

DermaLyze ("Company", "we", "our" or "us") provides AI-powered skincare diagnostics, biometric scanning, dermatologist collaboration, and curated product fulfillment. We are committed to protecting your privacy and handling personal data in a transparent, lawful, and secure manner.

2. Scope

This policy applies to personal data processed through the DermaLyze mobile applications, websites, customer support, marketing activities, clinical partnerships, and subscription services. It covers customers, prospective customers, site visitors, and business partners.

3. Definitions

• Personal Data: Any information relating to an identified or identifiable individual (e.g., name, email, device identifiers, online identifiers, location data).

• Sensitive Personal Data: Categories requiring additional protection, such as health-related data, biometric templates, precise geolocation, financial information, and government identifiers.

• PHI: Protected Health Information under HIPAA when DermaLyze acts as or on behalf of a covered entity/business associate.

4. What We Collect

• Account & Contact Data: name, email, phone, shipping address.

• Device & Usage Data: cookies, IP address, app telemetry, crash logs, referral URLs.

• Diagnostic & Biometric Data: skin images, scan metadata (tone, hydration, micro-textures), posture/temperature sensor readings relevant to skincare analysis.

• Consultation Data: notes from dermatologist interactions, treatment preferences.

• Transaction Data: tier selection, payments (processed by PCI-compliant providers), order history.

• Communications: customer service messages, feedback, survey responses.

5. Purposes of Processing

• Provide and improve services (AI diagnostics, recommendations, fulfillment).

• Personalize routines and content; measure performance.

• Support consultations and customer care.

• Operate marketing, referrals, and loyalty programs (with choice controls).

• Ensure security, fraud prevention, and regulatory compliance.

• Research and development (aggregated or pseudonymized where feasible).

6. Legal Bases (GDPR/EEA)

Where GDPR applies, we rely on: (i) consent for processing sensitive/biometric analysis and marketing; (ii) contract to provide requested services; (iii) legitimate interests for service improvement and security (balanced with your rights); and (iv) legal obligations.

7. Your Rights

• GDPR/EEA: Rights of access, rectification, erasure, restriction, portability, and objection, and the right to withdraw consent at any time.

• California (CCPA/CPRA): Rights to know/access, delete, correct, opt out of sale/share, limit use of sensitive personal information, and non-discrimination.

• HIPAA (when applicable): Right of access to PHI and amendment per covered entity policies. Requests may be routed through your provider.

8. Data Sharing

We share data with: (i) service providers (hosting, analytics, payments, customer support) under contractual safeguards; (ii) clinical partners for consultations (with appropriate authorizations); (iii) fulfillment and logistics partners; (iv) legal authorities where required by law; and (v) in corporate transactions, subject to continuity of protections. We do not sell personal data.

9. International Transfers

If data is transferred outside your jurisdiction, we use appropriate safeguards, such as standard contractual clauses and technical measures (encryption, access controls).

10. Retention

We retain personal data only as long as necessary for the stated purposes and to comply with legal requirements. Retention periods vary by data type (e.g., account, diagnostics, consultations). We will de-identify or delete data when it is no longer needed.

11. Cookies & Tracking Technologies

We use cookies, SDKs, and similar tools for functionality, analytics, and marketing. For HIPAA-covered contexts, we avoid impermissible disclosures and require business associate agreements when tracking tools could access ePHI. You can manage preferences via our cookie banner and app settings.

12. Security

We implement administrative, technical, and physical safeguards, including encryption at rest/in transit, access controls, secure development practices, vulnerability management, and employee training. We assess vendors and conduct risk reviews.

13. Children

Our services are intended for individuals 16+ (or local age of consent). We do not knowingly collect personal data from children without appropriate parental consent.

14. Contact

For privacy requests or questions, contact privacy@dermalyze.com or write to DermaLyze Privacy Office, 1234 Example Ave, San Francisco, CA 94105, USA. EU/UK users may contact our Data Protection Officer and lodge complaints with their supervisory authority.

15. Updates to this Policy

We may update this policy to reflect changes in law or our practices. Material changes will be notified via app, website, or email. Effective date: November 25, 2025.

DermaLyze©2025. All rights reserved.
