Acceptable Use Policy
This Acceptable Use Policy (the "Policy") governs your use of the Phiusion application, the websites at phiusionlabs.app and its subdomains, and any product or service we make available through them (collectively, the "Service"). It supplements §4 of the Terms of Service; where the two address the same subject, this Policy controls. Phiusion is business-to-business ("B2B") software for licensed health professionals, positioned as general wellness software, not a substitute for your professional judgment, and offered to credentialed practitioners only.
1. Acceptance and scope
You accept this Policy by checking the acceptance box at signup, by clicking "Agree," and by using the Service. That action creates a binding obligation between you, the licensed health professional ("Practitioner" or "you"), and Phiusion Labs ("we," "us," or "our") under the contract law of Ontario, Canada (see Terms of Service §13). Each subsequent login confirms acceptance of the version then in effect.
This Policy applies to every part of the Service — the application, our websites, our APIs, our outbound email, and any feature we add over time. If a conflict arises between this Policy and another document incorporated into the Terms of Service, the more specific document controls. When we materially change this Policy, we will re-version it under §10 and ask you to accept the new version.
2. Allowed uses
You may use the Service only:
- To operate your licensed clinical practice in cosmetic and general wellness work, within the scope of your professional license and the law of the jurisdiction where you practice.
- To create and maintain patient records that you, as the controller (or the Ontario PHIPA "custodian," where applicable), are entitled to create under the consent framework in the Privacy Notice for Patients.
- To review and curate skin-assessment information the Service surfaces (including SkinXS output), applying your professional judgment before any patient-facing action.
- To order Phiusion-distributed cosmetic products through the shop for use in your practice, on a B2B basis.
- To configure your account, train teammates who hold their own Practitioner accounts, and export your records.
The Service is credentialed B2B access only. Each individual licensed practitioner requires a separate Practitioner account; clinic-level access is provisioned only through manual sales onboarding under Terms of Service §2.
3. Prohibited uses
The list below is not exhaustive; anything else that violates law, breaches your professional duty, or jeopardises the security or integrity of the Service is also prohibited. You must not:
- Resell, sublicense, rent, lease, or otherwise transfer access to the Service to any third party. The licence under Terms of Service §5 is non-transferable and non-sublicensable.
- Reverse-engineer, decompile, disassemble, or extract the source code of the Service, except where applicable law (e.g., EU Directive 2009/24/EC art. 6 on interoperability, or the equivalent Canadian or US copyright provision) expressly preserves that right.
- Make off-label, disease-treatment, or regulatory claims about the Service or any product offered through it. Do not represent the Service or any Phiusion-distributed product as approved, cleared, or authorised for medical use by the US Food and Drug Administration ("FDA"), Health Canada, the European Medicines Agency, the UK MHRA, Swissmedic, or any equivalent regulator. The Service is general wellness software; PBSERUM products are cosmetic; nothing in the Service is approved for medical use.
- Use SkinXS or any other feature for a purpose the software is not certified for. SkinXS surfaces a skin assessment for the licensed Practitioner to review and curate; it is not certified for diagnostic purposes. Do not represent its output as a clinical assessment, and do not use it where the law of your jurisdiction would require a certified clinical decision-support tool.
- Create patient records in bulk or by automated means without each patient's prior consent, obtained as required by your professional duty and the Privacy Notice for Patients.
- Share, lend, or transfer your account credentials. Multi-factor authentication ("MFA," a second-factor sign-in step) is required and cannot be disabled. Each practitioner requires their own account.
- Scrape, crawl, or use automated means to access the Service without authorisation. API access is provisioned only through our published interfaces under credentials we issue.
- Perform penetration testing, vulnerability scanning, or other security probing without our prior written authorisation. Send requests to security@phiusionlabs.app; do not initiate a test before we confirm scope, window, and rules of engagement in writing.
- Host, transmit, or store unlawful content on or through the Service, including content that infringes a third party's IP, violates a court order, or constitutes child sexual abuse material, threats of violence, harassment, hate speech, or unlawful discrimination.
- Interfere with the Service's security, availability, or integrity, including by malware, overloading our infrastructure, tampering with rate-limit or audit-log mechanisms, or circumventing access controls.
- Attempt to access another Practitioner's account, records, or any data you are not authorised to access. Cross-account access is prevented at the database layer by Row-Level Security; attempting to circumvent it is a violation whether or not it succeeds.
4. Outbound email policy (CASL operational mechanics)
This section sets out the mechanics Phiusion follows for outbound commercial email, and that you must follow for any email you send through or with the assistance of the Service. It implements Canada's Anti-Spam Legislation ("CASL," S.C. 2010 c. 23), the US CAN-SPAM Act (15 U.S.C. §§7701–7713 and the FTC rule at 16 CFR Part 316), and the consent rules under PIPEDA, Quebec Law 25, and GDPR Art. 6(1)(a).
- Implied consent window (CASL §10(9)–(10)). Where a Practitioner has an existing business relationship with Phiusion (active subscription, paid order in the prior 24 months, or written enquiry in the prior 6 months), CASL permits implied consent for commercial electronic messages for up to two years (730 days) after the purchase or after the subscription ends (six months after an enquiry). After that window we stop unless consent is refreshed on an express basis.
- Express consent for marketing (CASL §6(1) and §6(2)). Marketing outside the implied-consent window requires express opt-in consent. Phiusion records the date, the channel (in-app checkbox, hosted form, double opt-in email), and the wording shown. Consent is sought through a clear, separate request not bundled with other terms.
- Unsubscribe within ten calendar days (CASL §11(3)). Every commercial message includes a one-click unsubscribe link that works in any modern browser without log-in. Requests are processed within ten (10) calendar days at the latest, which is stricter than the statutory ceiling of ten business days under CASL §11(3) and CAN-SPAM 15 U.S.C. §7704(a)(4); in practice most are processed within minutes. The cap is reflected in this document's frontmatter (outbound_email_policy.unsubscribe_sla_days: 10), which the Phase 2 CI validator checks before publication.
- Sender identification (CASL §6(2)(a)–(b) and CAN-SPAM 15 U.S.C. §7704(a)(1) and (a)(5)). Every message identifies the sender (Phiusion Labs, or, where sent by Universkin SAS on Phiusion's behalf, that fact and Universkin's identity), includes a physical mailing address that remains valid for at least 60 days after sending, and carries "From" and "Subject" lines that accurately describe the sender and the content.
- One-click unsubscribe (CASL §6(2)(c) and §11, and CAN-SPAM 16 CFR §316.5). The unsubscribe mechanism requires no more than a single click of a visible link and does not require log-in, payment, or any information beyond what was in the original message.
- Consent records (D1 §7). Timestamps, channel, and wording of every consent and withdrawal are retained for three (3) years past withdrawal, the period set in the Privacy Notice for Practitioners §7 (CASL row), so Phiusion can answer a CRTC enforcement inquiry years after a Practitioner unsubscribes.
- GDPR overlay (Universkin leg). For the leg at Universkin SAS in France, the lawful basis is the Practitioner's GDPR Art. 6(1)(a) consent; withdrawal under GDPR Art. 7(3) is honoured on the same timeline as the CASL unsubscribe.
You must not use the Service, or any data exported from it, to send outbound commercial email that violates this section, CASL, CAN-SPAM, the ePrivacy Directive (2002/58/EC) as transposed in your jurisdiction, or the equivalent law of the recipient's jurisdiction.
5. Patient-data isolation
Each Practitioner's patient records are scoped to that Practitioner's account by Row-Level Security at the database layer; a Practitioner cannot read, write, or list any patient record belonging to another Practitioner's account.
You must not attempt to circumvent that isolation. In particular, you must not (a) request records using a Practitioner identifier other than your own, (b) probe API endpoints to enumerate accounts other than your own, (c) ask a Phiusion staff member to override Row-Level Security, or (d) accept records that another Practitioner exported outside the authorised export flow, unless you hold a documented written authorisation that is valid under the law of both your jurisdiction and theirs. Multi-tenant clinic features, when they ship, will introduce a clinic-scoped access model with its own controls.
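The following is an added illustration of the isolation model this section describes, written for this page; it is not the Service's own schema or code. It shows a PostgreSQL Row-Level Security policy that scopes every read and write of a records table to the practitioner identifier the application pins to the current transaction. The table, column, role and setting names (`patient_record`, `practitioner_id`, `app_user`, `app.practitioner_id`) and the sample UUIDs are assumptions made for the example.

```sql
-- Added illustrative example (not the Service's schema): Postgres RLS
-- scoping rows to a practitioner identifier.  All names are assumptions.
CREATE TABLE patient_record (
    id              bigserial PRIMARY KEY,
    practitioner_id uuid NOT NULL,
    patient_name    text NOT NULL,
    note            text
);

-- Constructed sample rows for two practitioners (assumed ids), inserted
-- before RLS is switched on so the owner's seed insert is not policy-checked.
INSERT INTO patient_record (practitioner_id, patient_name, note) VALUES
    ('11111111-1111-4111-8111-111111111111', 'Patient A', 'seen by practitioner 1'),
    ('22222222-2222-4222-8222-222222222222', 'Patient B', 'seen by practitioner 2');

-- The application role owns nothing and carries no BYPASSRLS attribute,
-- so it cannot step around the policy.
CREATE ROLE app_user NOLOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON patient_record TO app_user;
GRANT USAGE, SELECT ON SEQUENCE patient_record_id_seq TO app_user;

ALTER TABLE patient_record ENABLE ROW LEVEL SECURITY;
-- FORCE applies the policy even to the table owner.
ALTER TABLE patient_record FORCE ROW LEVEL SECURITY;

-- One policy for reads and writes: a row is visible (USING), and may be
-- inserted or updated (WITH CHECK), only when its practitioner_id equals
-- the id pinned to this transaction.  current_setting(..., true) yields
-- NULL when nothing is pinned, so an unpinned session sees no rows at all.
CREATE POLICY practitioner_isolation ON patient_record
    FOR ALL TO app_user
    USING      (practitioner_id = current_setting('app.practitioner_id', true)::uuid)
    WITH CHECK (practitioner_id = current_setting('app.practitioner_id', true)::uuid);

-- A request handled on behalf of practitioner 1.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.practitioner_id = '11111111-1111-4111-8111-111111111111';

-- The policy is appended to every query: only practitioner 1's row is visible.
SELECT id, patient_name FROM patient_record;

-- Asking for another practitioner's records by id does not raise an error;
-- the policy filters the row out, so the query returns nothing and reveals
-- nothing about whether such a record exists.
SELECT id, patient_name FROM patient_record
 WHERE practitioner_id = '22222222-2222-4222-8222-222222222222';

-- Writing a row under another practitioner's id fails the WITH CHECK
-- clause and aborts the transaction.
INSERT INTO patient_record (practitioner_id, patient_name)
    VALUES ('22222222-2222-4222-8222-222222222222', 'Patient C');
ROLLBACK;
```

Two properties of this pattern matter for the prohibitions above. A mismatched identifier in a request yields an empty result rather than a permission error, which is why items (a) and (b) are violations whether or not the probe appears to succeed. And the policy binds only roles without BYPASSRLS (superusers and roles granted BYPASSRLS are exempt), which is why item (c) treats a request to staff for an override as a circumvention attempt in its own right.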
6. Security expectations
You are responsible for everything that happens under your account. The baseline:
- Use a strong, unique password; do not reuse one used on another service.
- Keep MFA enabled. The Service requires MFA at signup and it cannot be disabled.
- Sign in only from reasonably secure, patched devices protected by a screen-lock or equivalent.
- Do not transmit your credentials, MFA factor, or session token to anyone, including someone claiming to be Phiusion support. Phiusion will never ask you for your password.
- Report a suspected security incident promptly to security@phiusionlabs.app, as soon as you reasonably can after becoming aware of or suspecting it.
- Cooperate with our incident-response process, including by preserving logs and not taking unilateral remediation steps that could impair forensic analysis.
You are liable for actions taken under your account up to the time you report a compromise to us; we are not liable for unauthorised activity that occurred before that report. Once you report it, we will work with you to secure the account.
7. Reporting violations
If you believe another user, a Phiusion staff member, or a third party is violating this Policy, write to abuse@phiusionlabs.app with a description of what happened (dates, times, and any account or message identifier), any evidence you can share (please do not share another person's medical information unless the disclosure is itself authorised by law), and your contact details for follow-up.
We acknowledge every report and begin investigating within five (5) business days of receipt. We will not name the reporter to the subject of the report unless the law requires it or you give us written permission, and we will not retaliate against a Practitioner who reports a good-faith concern.
8. Enforcement
We enforce this Policy through a graduated ladder. The ladder is illustrative; we choose the response that fits the violation, and serious violations may skip steps.
- Warning. For a first or minor violation, a written notice identifies the conduct, cites the section, and asks for a cure within a stated period (typically 10 business days).
- Feature restriction. If unactioned, or for a violation more than minor, we may restrict specific features (e.g., outbound email, new-patient creation) while the rest of the account remains usable.
- Suspension. For a continuing or more serious violation, we may suspend the account. Suspension cuts off sign-in but does not delete data; you remain liable for fees that accrue during the suspension unless the suspension is our fault.
- Termination. For an unresolved suspension, a repeat violation, or a sufficiently serious first violation, we may terminate the account under Terms of Service §11.
We may suspend or terminate immediately, without prior notice, if (a) we reasonably believe your use of the Service is unlawful, (b) it threatens platform security, integrity, or availability, (c) it risks harm to a patient (including off-label claims that could expose a patient to undue risk), (d) you have lost the eligibility status in Terms of Service §2, or (e) we are required to act by an order of a court, regulator, or supervisory authority. Where immediate action is required, we will provide notice and reasons as soon as is reasonably practicable. Suspension or termination does not waive any other remedy, including the indemnity in Terms of Service §10.
9. Relationship with the Terms of Service
This Policy is incorporated into the Terms of Service. Defined terms in Terms of Service §1 apply here. The governing-law, dispute-resolution, and notice provisions of Terms of Service §13, the limitation of liability in §9, and the indemnity in §10 all apply to disputes and violations under this Policy. The sub-processor pass-through in Terms of Service §6 applies to outbound email (SendGrid via Twilio, listed at Sub-Processors), to error monitoring (Sentry), and to every other vendor that supports Service operation.
10. Updates to this Policy
We use the semantic-versioning scheme in Terms of Service §12: major versions (material change to what you can or cannot do, to enforcement, or to §4) gate your next login until accepted and are notified at least 30 days in advance; minor versions are notified by a 30-day in-app banner; patch versions cover typos and formatting only. Every version is logged at /legal/changelog.
11. Contact and supervisory authorities
For anything covered by this Policy, write to:
- Abuse and Policy violations: abuse@phiusionlabs.app.
- Security incidents: security@phiusionlabs.app.
- Privacy Officer (Phiusion Labs): Jonathan Garbutt, privacy@phiusionlabs.app.
- Data Protection Officer (Universkin SAS, France): Maître Eric ELABD, +33 (4) 93.00.11.96, dpo@universkin.com.
Universkin SAS has appointed Maître Eric ELABD as its Data Protection Officer in compliance with GDPR Art. 37. The contact details above also satisfy the public-publication prong of GDPR Art. 37(7); the corresponding notification to the Commission Nationale de l'Informatique et des Libertés ("CNIL", the French supervisory authority) is administered by Universkin SAS.
If a concern is not resolved, you may also contact the supervisory authority for your jurisdiction. The complete list — HHS-OCR and state Attorneys General in the United States, the OPC and provincial commissioners in Canada, CNIL in France, the ICO in the UK, and the FDPIC in Switzerland — is published in §13 of the Privacy Notice for Practitioners. In addition, CAN-SPAM complaints in the United States go to the US Federal Trade Commission (FTC) at https://www.ftc.gov/, and CASL complaints in Canada go to the Canadian Radio-television and Telecommunications Commission (CRTC) at https://www.crtc.gc.ca/.
For related documents, see the Terms of Service, the Privacy Notice for Practitioners, the Privacy Notice for Patients, the Cookie & Tracking Notice, and the Sub-Processors page.