Dermio Privacy Policy
Who We Are
This Privacy Policy explains how AURA MANAGEMENT LLC, which operates Dermio ("Dermio", "we", "us", or "our"), collects, uses, shares, stores, and protects personal data when you use Dermio, our mobile application, related websites, customer support channels, and associated services (collectively, the "Service").
If you have privacy questions, data-rights requests, or complaints, contact us at support@getdosiq.com.
Scope
This Policy applies to information processed when you:
- download, install, access, or use the Service;
- create an account or sign in;
- purchase or manage a subscription;
- use AI-powered scan, analysis, or chat features;
- scan, search, save, or submit product information, barcodes, product photos, or ingredient labels;
- create a skin profile, avoid list, favorites list, scan history, or chat history;
- use location-based UV index features;
- contact support;
- receive service messages, marketing, or push notifications;
- otherwise interact with us.
This Policy does not override any mandatory rights you may have under applicable privacy or consumer law.
Personal Data We Collect
The personal data we collect depends on the features you use.
Account and Profile Data
We may collect:
- name or display name;
- email address;
- login credentials, authentication tokens, and sign-in provider identifiers;
- pseudonymous internal user ID;
- skin type, skin concerns, avoid-list preferences, pregnancy or nursing preference if you choose to provide it, and other profile settings;
- account preferences, settings, consent records, and customer-support identifiers.
Subscription and Purchase Data
If you purchase a subscription or digital feature, we may collect:
- subscription tier and entitlement status;
- purchase history;
- renewal and cancellation status;
- store transaction identifiers and receipt-related metadata;
- billing-country or tax-relevant information;
- pseudonymous subscription identifiers;
- refund, restore, or chargeback history.
We generally do not receive your full payment card number when purchases are processed by an app store or billing processor.
User Content and Scan Data
We may collect content you submit to the Service, such as:
- prompts, messages, and chat requests;
- uploaded product photos, barcode scans, ingredient label photos, prompts, messages, or text you choose to submit;
- extracted ingredient text, product names, brands, categories, safety scores, warnings, positive matches, analysis output, and scan results;
- favorites, saved products, scan history, chat history, reviews, comments, and support messages.
Device, App, and Technical Data
We may collect:
- device model, operating system, app version, language, and time zone;
- IP address or approximate location derived from IP, where relevant;
- diagnostics, crash logs, performance events, and debug data;
- installation IDs, push tokens, and similar identifiers;
- fraud-prevention, abuse-prevention, request logs, security events, and rate-limit data.
Camera, Photos, and Location
If you grant permission, Dermio may access your camera so you can scan product labels, barcodes, and ingredient lists. If you grant photo library permission, Dermio may access selected photos so you can analyze product or ingredient images.
If you grant location permission, Dermio may use your device location to show local UV index and sun protection guidance. If location is unavailable or not granted, the Service may show a fallback or ask you to enable permission.
Analytics and Usage Data
If enabled, we may collect analytics about how you interact with the Service, such as screens viewed, feature usage, session length, broad engagement patterns, campaign or attribution data, and performance signals.
Messages and Notifications
If you opt in to notifications, we may process push tokens, installation IDs, notification preferences, delivery and interaction events, and message content metadata needed to send the notification.
Sources of Personal Data
We collect personal data:
- directly from you;
- automatically from your device or app environment;
- from app stores, subscription processors, or billing providers;
- from authentication providers you choose to use;
- from AI, product data, search, UV, analytics, support, fraud, security, and infrastructure providers where relevant.
How We Use Personal Data
We use personal data to:
- provide, operate, and maintain the Service;
- create and manage your account;
- authenticate you and keep the Service secure;
- process subscriptions, entitlements, cancellations, restorations, and refunds;
- provide AI-powered analysis, chat responses, scan results, safety scores, and other requested features;
- retrieve, generate, and display product, ingredient, barcode, and UV information;
- personalize guidance based on your skin profile, concerns, avoid list, and preferences;
- let you save content, maintain scan history, maintain conversations, and manage favorites;
- provide support and communicate with you;
- monitor performance, fix bugs, and improve reliability;
- analyze usage and improve product design;
- send transactional, service, legal, security, and administrative messages;
- send promotional messages or marketing communications where permitted;
- enforce our Terms, policies, and legal rights;
- comply with law, regulator demands, court orders, tax obligations, or law-enforcement requests.
Legal Bases
Where privacy law requires a legal basis, we generally rely on the following bases:
| Purpose | Typical legal basis |
|---|---|
| Account creation, login, subscriptions, entitlement delivery, restoration, scan history, and requested features | Performance of a contract or steps requested before entering a contract |
| Customer support and service communications | Performance of a contract, legitimate interests, or legal obligation |
| Security, fraud prevention, abuse detection, service integrity, and rate limiting | Legitimate interests and, where applicable, legal obligation |
| AI processing, product analysis, image processing, and chat features requested by the user | Performance of a contract and, where required, consent or another valid basis |
| Location-based UV guidance | Consent or permission from your device settings, and performance of the requested feature |
| Optional analytics, optional advertising attribution, and optional promotional push messages | Consent where required by law; otherwise legitimate interests where permitted |
| Crash reporting and reliability monitoring | Legitimate interests or performance of a contract, depending on necessity |
| Accounting, tax, and legal recordkeeping | Legal obligation |
| Handling rights requests, complaints, and disputes | Legal obligation and legitimate interests |
Third-Party Services and APIs
We use third-party service providers and APIs to run the Service. Depending on your usage, these may include the following categories.
AI and Image Processing Providers
We may send prompts, messages, images, structured instructions, product information, profile preferences, and related metadata to AI or image processing providers so the Service can generate, transform, classify, moderate, extract, or summarize content.
This may include personal data if you choose to include it in your inputs. We ask you not to submit sensitive or regulated data unless that use is clearly supported and lawful.
AI outputs may be stored by us if needed to provide scan history, conversation history, support, safety, or another feature you request. Providers may also apply their own retention rules depending on endpoint and configuration.
Product Data, Search, Barcode, and UV Providers
We may query third-party databases, search tools, barcode sources, manufacturer or public product information, and UV or weather-related providers using barcodes, product names, ingredient text, search terms, location data, and related metadata to retrieve or generate relevant information.
External product and UV information may be incomplete, inaccurate, out of date, or unavailable.
Billing-Related Providers
We may use app stores and billing-related providers to manage subscriptions, purchases, entitlements, receipt validation, renewals, restoration, refund workflows, and subscription analytics.
Authentication Providers
If you choose to sign in with a third-party account, the relevant provider may share identifiers such as your account ID, email address, name, and authentication token information with us so we can create or access your Dermio account.
Analytics Providers
Where enabled, we may use analytics providers to understand app usage, improve product design, measure feature adoption, and maintain service quality. Where required by law, we will ask for your consent before enabling non-essential analytics.
Crash Reporting and Diagnostics Providers
Where enabled, we may use diagnostics providers to collect crash logs, device state, performance data, and related diagnostics so that we can investigate bugs, improve stability, and prevent outages. We configure such tools to minimize collection where possible and to avoid intentionally sending unnecessary personal data in diagnostic payloads.
Push Messaging Providers
Where enabled, we may use device platform messaging infrastructure or similar providers to deliver transactional or promotional push notifications. Push messaging generally requires a device token, installation identifier, or similar technical identifier.
How We Share Personal Data
We may share personal data only as reasonably necessary with:
- service providers, processors, and infrastructure vendors acting on our behalf;
- app stores, billing processors, and subscription infrastructure providers;
- AI, image processing, product data, search, barcode, and UV providers used through the Service;
- analytics, diagnostics, observability, hosting, customer-support, communications, and security vendors;
- authentication providers you choose to use;
- legal, tax, accounting, and professional advisers;
- law-enforcement bodies, regulators, courts, counterparties, or other third parties where required by law or necessary to protect rights, safety, or the Service;
- a buyer, investor, or successor entity in connection with a merger, acquisition, financing, restructuring, or sale of assets.
We do not sell personal data in the ordinary meaning of that phrase. Some privacy laws define "sale" or "sharing" broadly enough to include certain advertising, analytics, or data-sharing arrangements. If that applies, we will provide any rights or opt-outs required by law.
International Transfers
We and our providers may process personal data in countries outside your place of residence, including the United States.
Where applicable law requires safeguards for international transfers, we rely on measures such as adequacy decisions, standard contractual clauses, contractual confidentiality and security protections, and other lawful transfer mechanisms.
You may contact us to request more information about the safeguards relevant to your data.
Data Retention
We keep personal data only for as long as reasonably necessary for the purposes described in this Policy, including to provide the Service, meet legal obligations, resolve disputes, enforce agreements, and protect the Service.
| Category | Example retention approach |
|---|---|
| Account data | While your account is active, then a limited post-deletion period needed for security, dispute handling, or technical rollback |
| Subscription and transaction records | Duration of the subscription plus any legally required accounting, tax, audit, or dispute period |
| Scan history, product history, favorites, and profile settings | While needed to provide the feature or until deleted, subject to backup, legal, safety, and abuse-prevention limits |
| AI request and response history | Only for as long as needed for the specific feature, account history, safety, support, or quality need, and shorter where feasible |
| Crash reports and diagnostics | Short operational period, then deletion or aggregation |
| Analytics events | Based on the reporting window we select and your consent status where relevant |
| Support records | For a limited follow-up and dispute period after closure |
| Push tokens | Until notifications are disabled, the app is uninstalled, the token expires, or the account is deleted |
| Location data | Only as needed to provide UV guidance, caching, security, or support unless a longer period is required or permitted by law |
We may retain data longer where required or permitted by law, including for tax, accounting, litigation hold, fraud prevention, security incident analysis, and abuse-prevention programs.
Security
We use technical and organizational measures designed to protect personal data against unauthorized access, alteration, disclosure, loss, or destruction. Depending on the system and risk, these measures may include:
- access controls and least-privilege permissions;
- encryption in transit and, where appropriate, at rest;
- pseudonymization or tokenization;
- logging and monitoring;
- environment segregation;
- incident-response procedures;
- vendor diligence;
- regular review of security controls.
No system is perfectly secure. You are also responsible for maintaining the security of your device, credentials, and account.
Your Privacy Rights
Depending on your location and the law that applies, you may have the right to:
- access your personal data;
- correct inaccurate or incomplete data;
- delete your data;
- restrict or object to certain processing;
- withdraw consent where processing relies on consent;
- receive a portable copy of certain data;
- opt out of certain direct marketing, profiling, sales, or sharing;
- appeal a denied privacy request where applicable;
- complain to a supervisory authority, attorney general, or regulator.
To exercise your rights, contact us at support@getdosiq.com.
We may need to verify your identity before acting on a request. We may also decline or limit a request where an exemption or legal exception applies.
Consent, Opt-Outs, Analytics, Crash Reporting, and Push Notifications
Consent
Where required by law, we ask for your consent before enabling non-essential analytics, enabling promotional push notifications, using optional advertising or attribution tools, accessing device permissions, or sending your data to a third-party service in a way that is not strictly necessary to provide the Service.
You may withdraw consent at any time through app settings, device settings, or by contacting us.
Analytics
If analytics is enabled, we use analytics data to understand feature usage, improve product performance, measure engagement, and make product decisions. Where analytics is not strictly necessary, we will not activate it until you consent if consent is required in your jurisdiction.
Crash Reporting
We use crash and diagnostic data to detect defects, investigate failures, prioritize bug fixes, and maintain the reliability and security of the Service. We try to configure crash tools to reduce unnecessary personal-data collection.
Push Notifications
If you allow push notifications, we may send service messages such as account alerts, billing notices, security notices, reminders, or feature updates. Where required by law, we will ask for a separate opt-in before sending promotional or marketing push notifications.
You can disable push notifications at any time in your device settings or in the app settings, if available.
Opt-Outs
You can opt out of marketing emails by using the unsubscribe link in the message, promotional push notifications by changing your device or app notification settings, non-essential analytics through available consent controls, and account-based communications that are not strictly necessary by contacting us, subject to legal or operational limitations.
We may still send essential service, billing, legal, security, and administrative communications.
Children's Privacy
The Service is not intended for children under 13. If we learn that we collected personal data from a child in a manner that violates applicable law, we will take steps to delete or otherwise handle that data as required.
If you believe a child has provided personal data to us unlawfully, contact us at support@getdosiq.com.
Automated Decision-Making
We do not make solely automated decisions with legal or similarly significant effects about you unless we specifically disclose that practice and provide any rights required by law.
AI-assisted ranking, classification, moderation, scoring, or recommendation tools may influence product analysis, safety scores, labels, warnings, or what content is shown, but those outputs are general informational guidance and do not replace professional judgment.
Changes to This Policy
We may update this Privacy Policy from time to time. If we make a material change, we may notify you by posting the updated version in the app or on our website, by email, or by another reasonable method.
The revised Policy will become effective on the date stated at the top, unless applicable law requires another form of notice or consent.
Contact
If you have questions, complaints, or rights requests, contact Dermio at support@getdosiq.com.