Privacy Policy

Data Protection Notice pursuant to GDPR (EU) 2016/679

Effective: 23 March 2026 | Last updated: 23 March 2026

1. Data Controller

Derma2in1 Alapítvány (Derma2in1 Foundation)

Registered Office: Budapest, Hungary
Email: [email protected]
Website: https://dermatoscope.ai

Data Protection Officer (DPO):

Name: Gábor Sipos
Email: [email protected]

The appointment of a DPO is mandatory under GDPR Article 37(1)(c) as we process special categories of personal data (health data) on a large scale.

2. Scope and Purpose

This Privacy Policy applies to the Dermatoscope.ai web application ("Service"), an AI-powered dermatological risk assessment and decision-support tool. The Service operates as a Progressive Web App (PWA) accessible via web browsers.

Important: This application does NOT provide medical diagnoses. The AI analysis provides risk assessment information only. A licensed medical practitioner always provides the final clinical evaluation.

3. Categories of Personal Data Processed

We process the following categories of personal data:

Special Category Data (Health Data) — GDPR Art. 9: Photographs of skin conditions, symptom descriptions, age, sex, skin type (Fitzpatrick scale I–VI), medical history information. These are processed exclusively for dermatological analysis.
Identity Data: Full name, date of birth (required for medical validation pursuant to EU Directive 2012/52/EU on cross-border prescriptions).
Health Insurance Data: PPS Number (Ireland) or TAJ Number (Hungary), EHIC number — collected only when medical validation or prescriptions are requested.
Contact Data: Email address (for sending analysis results).
Payment Data: Transactions are processed securely by Stripe, Inc. (Dublin, Ireland). We do not store credit card or bank account details.
Technical Data: IP address, browser type, device information, usage statistics — processed for security and service improvement.

4. Legal Basis for Processing

We process your data on the following legal bases under GDPR:

Explicit Consent — Art. 9(2)(a): For processing special category health data (skin photographs, symptoms). You provide this consent explicitly before uploading images. You may withdraw consent at any time.
Performance of Contract — Art. 6(1)(b): For processing data necessary to provide the Service (AI analysis, medical validation).
Legitimate Interest — Art. 6(1)(f): For security measures, fraud prevention, and service improvement using anonymised/pseudonymised data.
Legal Obligation — Art. 6(1)(c): For compliance with tax, accounting, and healthcare record-keeping requirements.

Consent for health data is granular and revocable. You can withdraw consent at any time by contacting our DPO at [email protected]. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.

5. AI and Automated Decision-Making — GDPR Art. 22

Our application uses machine learning (ML) algorithms and an ensemble of 15 AI models for skin condition risk assessment.

Nature of Processing: The AI provides a probability-based risk assessment. It does NOT make binding medical decisions.
No Solely Automated Decision: All AI results are subject to human review — either by the user's own physician or through our Medical Validation service by IMC-registered (Ireland) or OGYÉI-registered (Hungary) practitioners.
Right to Contest: Under GDPR Art. 22(3), you have the right to obtain human intervention, express your point of view, and contest the AI assessment.
Bias Mitigation: Our models are validated across all Fitzpatrick skin types (I–VI) to minimise skin tone bias. We continuously monitor and improve model fairness.

In accordance with the Irish Medical Council's 2025 AI Position Statement: AI complements, but does not replace, physician decision-making. Patients are informed of AI involvement.

6. Data Sharing and Processors

Your data may be shared with the following categories of recipients:

Medical Practitioners: IMC-registered doctors (Ireland) or OGYÉI-registered specialists (Hungary) — only when you request Medical Validation. Data shared under Art. 9(2)(h) (healthcare purposes).
Stripe, Inc.: Payment processing. Stripe is a PCI-DSS Level 1 certified payment processor headquartered in Dublin, Ireland. Stripe Privacy Policy.
Hetzner Online GmbH: Server hosting and data storage. Servers located in Germany (EU). Data remains within the European Economic Area (EEA) at all times.
Cloudflare, Inc.: CDN and DDoS protection. Cloudflare processes limited technical data under Standard Contractual Clauses (SCCs) where non-EU processing occurs.

No data is sold to third parties. No data is used for advertising purposes.

7. International Data Transfers

Your health data is stored exclusively on servers within the European Economic Area (EEA) — specifically in Germany (Hetzner). Where any sub-processor processes data outside the EEA (e.g., Cloudflare CDN edge nodes), appropriate safeguards are in place:

EU Standard Contractual Clauses (SCCs) — Art. 46(2)(c)
Adequacy decisions where applicable — Art. 45

8. Data Retention

AI Analysis Data: Skin photographs and analysis results are retained for 30 days after the analysis, then automatically deleted unless Medical Validation is requested.
Medical Validation Data: Retained for the period required by applicable medical record-keeping laws (6 years in Ireland under the Medical Practitioners Act 2007; 30 years in Hungary under Act XLVII of 1997).
Payment Records: Retained for 7 years as required by tax legislation.
Technical Logs: Retained for 90 days for security purposes.
Anonymised Research Data: May be retained indefinitely for algorithm improvement (fully anonymised, cannot be linked back to individuals).

9. Your Rights Under GDPR

You have the following rights regarding your personal data:

Right of Access (Art. 15): Obtain a copy of your personal data.
Right to Rectification (Art. 16): Correct inaccurate data.
Right to Erasure (Art. 17): Request deletion of your data ("Right to be Forgotten").
Right to Restrict Processing (Art. 18): Limit how we use your data.
Right to Data Portability (Art. 20): Receive your data in a machine-readable format.
Right to Object (Art. 21): Object to processing based on legitimate interest.
Right to Withdraw Consent (Art. 7(3)): Withdraw consent for health data processing at any time.
Right Not to Be Subject to Automated Decisions (Art. 22): Request human intervention in AI-based assessments.

To exercise any right, contact our DPO: [email protected]. We will respond within 30 days.

10. Supervisory Authorities

If you believe your data protection rights have been violated, you have the right to lodge a complaint with:

Ireland: Data Protection Commission (DPC) — www.dataprotection.ie — 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland
Hungary: Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH) — www.naih.hu — 1055 Budapest, Falk Miksa utca 9-11.

11. Cookies and Tracking

Our Service uses the following cookies:

Strictly Necessary Cookies: Session management, authentication, language preference. These do not require consent.
Payment Cookies: Stripe payment processing cookies — required for payment functionality.

We do NOT use advertising, analytics, or tracking cookies. We do NOT use Google Analytics, Facebook Pixel, or any third-party tracking.

12. Data Security — GDPR Art. 32

We implement appropriate technical and organisational measures:

TLS/SSL encryption for all data in transit
AES-256 encryption for data at rest
Pseudonymisation of health data (separated from personal identifiers)
Access controls and authentication for medical practitioners
Regular security assessments and penetration testing
Incident response procedures (72-hour breach notification to DPC/NAIH per Art. 33)

13. Data Protection Impact Assessment (DPIA)

A Data Protection Impact Assessment has been conducted pursuant to GDPR Article 35, as our processing involves:

Special category data (health) on a large scale — Art. 35(3)(b)
Systematic, automated evaluation of personal aspects — Art. 35(3)(a)

The DPIA is available for review by the relevant supervisory authority upon request.

14. Children's Data

Our Service is intended for users aged 16 and over (the digital age of consent in both Ireland and Hungary under GDPR Art. 8). Users under 16 require verifiable parental/guardian consent. Users under 13 are not permitted to use the Service.

15. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be notified via email or prominently displayed within the application. The "Last updated" date at the top reflects the most recent revision.

ANALYZE