Effective date: Oct 16, 2025
This Privacy Policy ("Policy") explains how Ivy AI Solutions Limited ("Company," "we," "us," "our") collects, uses, stores, and discloses personal data when you use ScanSkinAI.com and our related apps and services (the "Services").
For users located in Hong Kong, this Policy is governed by Hong Kong law, including the Personal Data (Privacy) Ordinance (Cap. 486) ("PDPO"). Our handling of personal data follows the Six Data Protection Principles (DPP1–DPP6) under the PDPO. For users outside Hong Kong, local data protection laws may also apply. This Policy forms part of our Terms of Service.
By accessing or using the Services, you agree to this Policy and the Terms. If you do not agree, do not use the Services.
We may update this Policy for legal, technical, or business reasons. Material changes will be notified in‑Service and/or by email (if available) before they take effect. Continued use after the effective date means you accept the changes.
"Personal data" means data relating directly or indirectly to an individual from which it is practicable to ascertain the identity of the individual (PDPO definition).
You can manage some collection via device/browser settings; some features may not function without basic technical data (DPP1 & DPP4).
Our Services may link to third‑party sites or social services. Their policies apply to your use of those services.
ScanSkinAI does not use facial recognition and does not collect face templates, biometric identifiers, or facial landmarks. Photos uploaded by users may incidentally include a face; however, we do not analyse faces for identification or profiling purposes. Images are processed only to provide the skin screening/triage service and (if selected) clinician review. Images are stored securely and retained only for the period described in this Policy, after which they are deleted or anonymised.
What face data does the app collect?
Use of face data (if present in images)
Sharing and storage
Retention
Images are retained only for the period described in this Privacy Policy and only as necessary to provide the service. Users may request deletion according to this Policy (see Section 12).
We collect no more data than necessary for stated purposes and do not use it for new purposes without your prescribed consent (DPP1–3).
User-submitted photos, videos, and text provided for analysis are transmitted to Ivy AI's backend environment hosted on Amazon Web Services (AWS). These data are processed by Ivy AI's proprietary AI model to generate scan results and support ongoing tracking features.
We do not send user personal data to an external third-party AI service for inference.
All AI processing occurs within our own controlled infrastructure. Images and text are processed in real time to produce results, and raw inputs are not retained beyond the period necessary to deliver the service unless you have an active account with stored history.
In addition to standard data collection, we collect and process additional data when you use our premium features:
When you use the Derm Review add-on service, we collect and process:
Retention: Derm Review data is retained for the duration of your account plus a compliance period (typically 7 years) for healthcare record-keeping and legal purposes.
When you use our condition tracking and ongoing care features, we collect and process:
Retention: Tracking data is retained for the duration of your account. You may request partial or full deletion at any time (see Section 12).
When you subscribe to a ScanSkinAI plan, the following billing and renewal terms apply:
You may cancel at any time via the Manage Subscription portal or by contacting info@ScanSkinAI.com. Cancellation takes effect at the end of the current billing period. We store billing cycle dates and payment metadata (processed via Stripe) to manage your subscription (DPP1–2).
We do not sell personal data.
Our Services are intended for adults. We do not knowingly collect personal data from individuals under 18. If you believe a minor has provided personal data, contact us and we will remove it.
We employ administrative, technical, and physical safeguards designed to protect personal data against unauthorised or accidental access, processing, erasure, loss, or use. No system is perfectly secure. You are responsible for safeguarding your credentials and devices.
We will not use your personal data for our direct marketing (or provide it to others for their direct marketing) without your consent and the required notification of the intended use, the kinds of data to be used, and the classes of marketing subjects. You can opt out at any time and at no charge.
We keep personal data no longer than is necessary for the purposes for which it is used, and then delete or anonymise it unless retention is required for legal claims, audits, or compliance. Typical periods:
Under the Hong Kong Personal Data (Privacy) Ordinance (Cap. 486) ("PDPO"), you may request deletion of your personal data held by Ivy AI Solutions Limited ("we," "us," "our") in whole or in part. We act in accordance with the PDPO's Data Protection Principles, particularly DPP2 (retention) and DPP6 (access and correction).
You can permanently delete your account directly within the app by navigating to Account → Settings → Delete Account. This feature is available on all platforms including web, iOS (App Store / TestFlight), Android, and TWA.
What is deleted immediately:
What may be retained if legally required:
Retained data is not used for analytics, marketing, or any purpose other than legal compliance. Backups containing your data are purged within the next scheduled cycle (within 30 days).
You may also choose to delete only certain categories of data by contacting us, such as:
Partial deletion requests may limit or disable certain app features (e.g., viewing history, generating trend reports).
If you prefer not to use the in-app deletion feature, you may send an email to info@ScanSkinAI.com from your registered email with the subject line "Delete my ScanSkinAI data" and include:
In-app deletion is processed immediately upon confirmation. Email-based requests will be verified using the registered email and processed within 7 days. Associated backups will be purged within 30 days.
We may decline a request if deletion is prohibited under applicable law, required for legal defence, dispute resolution, or compliance with PDPO obligations. Where refusal occurs, we will provide reasons in writing as required under Section 19(2) of the PDPO.
To exercise these rights, contact us (Section 16).
We primarily process data in Hong Kong. However, user-submitted data (including photos, videos, and text) may be transmitted to and processed on servers hosted by Amazon Web Services (AWS) in the United Kingdom for AI analysis and backend processing.
This means your data may be processed outside Hong Kong, specifically in the UK. Section 33 PDPO (cross‑border transfer restrictions) has not commenced as of this Policy's effective date; however, we follow recommended best practices, including:
The UK maintains robust data protection standards under UK GDPR, which provides a high level of protection for your personal data.
Under the PDPO, you may request access to personal data we hold about you and request correction of any data that is inaccurate, by submitting a Data Access Request (DAR) and/or Data Correction Request (DCR). We will respond within a reasonable time and may charge a reasonable fee for DARs limited to the cost of compliance. We may refuse a request on statutory grounds (and will give reasons if we do).
To exercise these rights, contact us (Section 16).
We use cookies/SDKs for core functionality, preferences, analytics, and (where permitted) marketing measurement. You can manage cookies via browser/device settings; some features may not work without them.
Data Protection Officer
Ivy AI Solutions Limited (Hong Kong)
Email: info@ScanSkinAI.com (DAR/DCR, privacy enquiries, and data deletion requests)
Web: https://www.scanskinai.com/contact
You may also bring concerns to the Office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD).
This Policy is governed by the laws of the Hong Kong SAR. You submit to the non‑exclusive jurisdiction of Hong Kong courts for any dispute arising under this Policy, except where prohibited by local law.