Privacy Policy

Effective date: Oct 16, 2025

This Privacy Policy ("Policy") explains how Ivy AI Solutions Limited ("Company," "we," "us," "our") collects, uses, stores, and discloses personal data when you use ScanSkinAI.com and our related apps and services (the "Services").

For users located in Hong Kong, this Policy is governed by Hong Kong law, including the Personal Data (Privacy) Ordinance (Cap. 486) ("PDPO"). Our handling of personal data follows the Six Data Protection Principles (DPP1–DPP6) under the PDPO. For users outside Hong Kong, local data protection laws may also apply. This Policy forms part of our Terms of Service.

1) Acceptance

By accessing or using the Services, you agree to this Policy and the Terms. If you do not agree, do not use the Services.

2) Changes

We may update this Policy for legal, technical, or business reasons. Material changes will be notified in‑Service and/or by email (if available) before they take effect. Continued use after the effective date means you accept the changes.

3) What We Collect

"Personal data" means data relating directly or indirectly to an individual from which it is practicable to ascertain the identity of the individual (PDPO definition).

A. Data you provide

  • Account & contact data: email and similar details when you register or contact support.
  • Social sign‑on (optional): if you register via a social account, we receive the associated email and any fields you choose to share.
  • Profile (optional): avatar/display name, country/region, language preference.
  • User content: images, videos, and other content you upload/capture (e.g., using your device camera/microphone) for screening or product features.
  • Support communications: information you send to our support teams.

B. Data collected automatically

  • Device/usage data: device type/OS, app version, IP address, time zone, diagnostic/crash logs, feature interaction.
  • Cookies & SDKs: to run core features, remember preferences, perform analytics, and (where permitted) measure marketing.
  • Network info: limited metadata (e.g., Wi‑Fi/cellular type) to deliver features and prevent abuse.

You can manage some collection via device/browser settings; some features may not function without basic technical data (DPP1 & DPP4).

C. Third‑party sites

Our Services may link to third‑party sites or social services. Their policies apply to your use of those services.

D. Photos and Face Data (If Present)

ScanSkinAI does not use facial recognition and does not collect face templates, biometric identifiers, or facial landmarks. Photos uploaded by users may incidentally include a face; however, we do not analyse faces for identification or profiling purposes. Images are processed only to provide the skin screening/triage service and (if selected) clinician review. Images are stored securely and retained only for the period described in this Policy, after which they are deleted or anonymised.

What face data does the app collect?

  • We do not collect biometric "face data" for identification.
  • We do not collect face templates, facial landmarks, or face embeddings.
  • If a photo incidentally includes a face, it is treated only as part of the image pixels.

Use of face data (if present in images)

  • We do not use face data for identification, authentication, profiling, or advertising.
  • If a face is present in an uploaded image, it is not analysed as a face. Images are processed only to provide skin screening/triage functionality and optional clinician review.

Sharing and storage

  • We do not share face data with third parties for marketing or advertising.
  • If the user selects clinician/dermatology review (where available), the uploaded image is shared only with the assigned clinician for the purpose of providing the review.
  • Images are stored securely as described in this Privacy Policy.

Retention

Images are retained only for the period described in this Privacy Policy and only as necessary to provide the service. Users may request deletion according to this Policy (see Section 12).

4) How We Use Personal Data (PDPO DPPs)

  • Provide and operate the Services (accounts, image capture, screening workflows, troubleshooting). (DPP1–3)
  • Security and integrity (prevent, detect, investigate fraud/abuse, secure our systems). (DPP4)
  • Service communications (transactional/account notices; not marketing). (DPP3)
  • Compliance & record‑keeping (tax, legal, regulatory, audits). (DPP2 & DPP5)
  • Personalisation & preferences (language, time zone, UX). (DPP3)
  • Research & development (quality assurance, accuracy, performance; aggregated or de‑identified where possible). (DPP2–3)
  • Direct marketing (optional)—only with your consent per Part VIA PDPO; you can opt out anytime. (See Section 10)

We collect no more data than necessary for stated purposes and do not use it for new purposes without your prescribed consent (DPP1–3).

5) AI Processing / Backend Processing

User-submitted photos, videos, and text provided for analysis are transmitted to Ivy AI's backend environment hosted on Amazon Web Services (AWS). These data are processed by Ivy AI's proprietary AI model to generate scan results and support ongoing tracking features.

We do not send user personal data to an external third-party AI service for inference.

All AI processing occurs within our own controlled infrastructure. Images and text are processed in real time to produce results, and raw inputs are not retained beyond the period necessary to deliver the service unless you have an active account with stored history.

6) Data Collection for Premium Services

In addition to standard data collection, we collect and process additional data when you use our premium features:

A. Expert Dermatologist Review Service

When you use the Derm Review add-on service, we collect and process:

  • Photos and AI results: Your uploaded skin photos and AI analysis results are shared with qualified dermatology specialists for review
  • Reviewer feedback: Written notes and interpretation provided by the reviewing dermatologist are stored in your account
  • Service metadata: Response tier selected, timestamps, and payment information (processed via Stripe)

Retention: Derm Review data is retained for the duration of your account plus a compliance period (typically 7 years) for healthcare record-keeping and legal purposes.

B. Ongoing Care Support Features

When you use our condition tracking and ongoing care features, we collect and process:

  • Tracking photos: Photos uploaded for monitoring chronic conditions (e.g., eczema, psoriasis)
  • AI trend analysis: Automated analysis of your photos over time to identify patterns and changes
  • Treatment notes: Personal notes, treatment logs, and health observations you record
  • PDF reports: Generated summaries of your skin health data for sharing with healthcare providers
  • Community interactions: Posts, replies, and engagement in community forums

Retention: Tracking data is retained for the duration of your account. You may request partial or full deletion at any time (see Section 12).

C. Subscription Billing and Auto-Renewal

When you subscribe to a ScanSkinAI plan, the following billing and renewal terms apply:

  • 3-Month Monitoring Plan: Automatically renews and charges your payment method every 3 months until cancelled.
  • 12-Month Monitoring Plan: Automatically renews and charges your payment method every 12 months (annually) until cancelled.
  • Enterprise Plan: Billed annually per year. Automatically renews and re-charges every 12 months until cancelled.

You may cancel at any time via the Manage Subscription portal or by contacting info@ScanSkinAI.com. Cancellation takes effect at the end of the current billing period. We store billing cycle dates and payment metadata (processed via Stripe) to manage your subscription (DPP1–2).

7) How We Share Personal Data

  • Service providers (processors): hosting, support, analytics, messaging, and security vendors acting on our instructions under confidentiality and security obligations (DPP4).
  • Legal/safety: where required by law, subpoena, court order, law enforcement, or to protect rights, safety, or property and to enforce our terms (DPP3–5).
  • Business transactions: in a merger, acquisition, financing, reorganisation, insolvency, or sale of assets; the recipient will continue to process personal data consistently with this Policy.
  • Affiliates: within our corporate group for purposes consistent with this Policy (DPP3).

We do not sell personal data.

8) Children

Our Services are intended for adults. We do not knowingly collect personal data from individuals under 18. If you believe a minor has provided personal data, contact us and we will remove it.

9) Security (DPP4)

We employ administrative, technical, and physical safeguards designed to protect personal data against unauthorised or accidental access, processing, erasure, loss, or use. No system is perfectly secure. You are responsible for safeguarding your credentials and devices.

10) Direct Marketing (Part VIA PDPO)

We will not use your personal data for our direct marketing (or provide it to others for their direct marketing) without your consent and the required notification of the intended use, the kinds of data to be used, and the classes of marketing subjects. You can opt out at any time and at no charge.

11) Retention (DPP2)

We keep personal data no longer than is necessary for the purposes for which it is used, and then delete or anonymise it unless retention is required for legal claims, audits, or compliance. Typical periods:

  • Marketing contacts: until you unsubscribe (then we keep minimal suppression data).
  • User content & interactions: for your account's life and a reasonable period thereafter for compliance/defence.
  • Cookies/analytics: per cookie/SDK expiry or up to 12 months from collection where applicable.

12) Account Deletion and User Rights (PDPO DPP2 & DPP6)

Under the Hong Kong Personal Data (Privacy) Ordinance (Cap. 486) ("PDPO"), you may request deletion of your personal data held by Ivy AI Solutions Limited ("we," "us," "our") in whole or in part. We act in accordance with the PDPO's Data Protection Principles, particularly DPP2 (retention) and DPP6 (access and correction).

In-App Account Deletion

You can permanently delete your account directly within the app by navigating to Account → Settings → Delete Account. This feature is available on all platforms including web, iOS (App Store / TestFlight), Android, and TWA.

What is deleted immediately:

  • Your account profile (email, name, user ID)
  • All uploaded skin photos and AI analysis results
  • Chronic condition tracking data and treatment notes
  • Community posts and replies
  • Wallet balance and transaction history
  • Subscription records and notification preferences
  • All other account-associated data in our database

What may be retained if legally required:

  • Payment transaction records managed through Stripe (for tax, accounting, and fraud-prevention obligations)
  • Derm Review records where healthcare record-keeping laws mandate retention (up to 7 years)
  • Any data required to comply with a legal hold, court order, or regulatory investigation

Retained data is not used for analytics, marketing, or any purpose other than legal compliance. Backups containing your data are purged within the next scheduled cycle (within 30 days).

Partial Deletion Options

You may also choose to delete only certain categories of data by contacting us, such as:

  • Photos only (retain account and non-image data)
  • Results only (retain account and uploaded photos)
  • Photos and results for specific body areas or date ranges
  • App activity logs (retain account)
  • Communication history or non-essential correspondence

Partial deletion requests may limit or disable certain app features (e.g., viewing history, generating trend reports).

How to Request Deletion (Alternative)

If you prefer not to use the in-app deletion feature, you may send an email to info@ScanSkinAI.com from your registered email with the subject line "Delete my ScanSkinAI data" and include:

  1. Your account email address.
  2. Whether the request is for full deletion or partial deletion (and specify the scope if partial).
  3. The statement: "I confirm I want the specified personal data deleted."

Verification & Response Timeline

In-app deletion is processed immediately upon confirmation. Email-based requests will be verified using the registered email and processed within 7 days. Associated backups will be purged within 30 days.

Refusal & Legal Grounds

We may decline a request if deletion is prohibited under applicable law, required for legal defence, dispute resolution, or compliance with PDPO obligations. Where refusal occurs, we will provide reasons in writing as required under Section 19(2) of the PDPO.

To exercise these rights, contact us (Section 16).

13) International Transfers

We primarily process data in Hong Kong. However, user-submitted data (including photos, videos, and text) may be transmitted to and processed on servers hosted by Amazon Web Services (AWS) in the United Kingdom for AI analysis and backend processing.

This means your data may be processed outside Hong Kong, specifically in the UK. Section 33 PDPO (cross‑border transfer restrictions) has not commenced as of this Policy's effective date; however, we follow recommended best‑practices including:

  • Contractual safeguards and model clauses with hosting providers
  • Data processing agreements that require recipients to maintain equivalent security standards
  • Encryption of data in transit (TLS/HTTPS) and at rest
  • Access controls limiting who can view user data within our infrastructure

The UK maintains robust data protection standards under UK GDPR, which provides a high level of protection for your personal data.

14) Your Rights (DPP5–DPP6; PDPO ss. 18, 20)

Under the PDPO, you may request access to personal data we hold about you and request correction of any data that is inaccurate, by submitting a Data Access Request (DAR) and/or Data Correction Request (DCR). We will respond within a reasonable time and may charge a reasonable fee for DARs limited to the cost of compliance. We may refuse a request on statutory grounds (and will give reasons if we do).

To exercise these rights, contact us (Section 16).

15) Cookies & Similar Technologies

We use cookies/SDKs for core functionality, preferences, analytics, and (where permitted) marketing measurement. You can manage cookies via browser/device settings; some features may not work without them.

16) Contact (Data Access/Correction & Privacy Enquiries)

Data Protection Officer

Ivy AI Solutions Limited (Hong Kong)

Email: info@ScanSkinAI.com (DAR/DCR, privacy enquiries, and data deletion requests)

Web: https://www.scanskinai.com/contact

You may also bring concerns to the Office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD).

17) Governing Law & Jurisdiction

This Policy is governed by the laws of the Hong Kong SAR. You submit to the non‑exclusive jurisdiction of Hong Kong courts for any dispute arising under this Policy, except where prohibited by local law.