Consent Withdrawal

Version 1.1.0 · Effective 2026-06-01

This is the step-by-step for withdrawing any consent you previously gave in Phiusion — the Patient Photo Consent, the optional Patient AI Improvement Consent, or the biometric-handling terms in the Biometric Retention & Destruction Policy. The rights index is at Patient Privacy Notice §11; this page is the procedural detail underneath it. Withdrawing does not affect your care.

How do I withdraw?

Two ways. Either works.

  1. In-clinic, through your practitioner. At your next visit (or by phone with the clinic), tell your practitioner. They open your patient record's Manage Consents page in Phiusion, select the consent, and confirm the withdrawal. You receive a confirmation back through your practitioner.
  2. Out-of-band, through the Privacy Officer. Write to privacy@phiusionlabs.app with your full name, your practitioner's name, and which consent you are withdrawing. We acknowledge within 1 business day and route the request to your practitioner's records within 5 business days, recorded the same way as path 1.

Both paths produce the same audit trail and trigger the same destruction.

What happens immediately?

The moment a withdrawal is recorded, the application writes a new, immutable row to your consent audit with status = withdrawn, pointing back at the original acceptance row. The original row is preserved unchanged — we never alter what you previously agreed to; we add a new row recording the change. You (and regulators, on request) see both rows side by side in your patient consent inventory. The withdrawal takes effect at that moment: nothing covered by it flows to your record or to a sub-processor afterwards.

Service-level commitments

Applied universally to every patient regardless of residence:

  1. Photograph and biometric-vector destruction — within 30 days. Records are hard-deleted from the primary database (Supabase Postgres) and storage; soft-delete is not used for biometric records. Backups cycle out on their normal schedule (point-in-time recovery ≤7 days; longer-horizon snapshots sealed and aged out per docs/SUPABASE_OPS.md). Full protocol at Biometric Retention & Destruction Policy §7.
  2. AI-training-data row removal — within 30 days. Your photographs and face-geometry vectors are removed from Universkin SAS's training corpus, so any subsequent training run will not see them.
  3. Downstream sub-processor pass-through — within 60 days. We notify Universkin SAS and any other sub-processor holding a copy and require deletion on the same schedule. The 60-day window covers contractual pass-through and cache-purge cycles.
  4. Confirmation of completion — within 60 days, on request. The Privacy Officer issues a written certificate of destruction listing tiers cleared, timestamps, and sub-processor confirmations.

These are the strictest windows applicable across our jurisdictions.

What we cannot undo

Three categories sit outside what a withdrawal can reach.

  • Model weights already trained on your data. If a training run completed before you withdrew, your photographs and vectors will be removed from the corpus on the 30-day schedule, but the model itself cannot be "untrained." Future runs will not see your data; patterns already learned remain. This is the prior-reliance carve-out at HIPAA §164.508(b)(5) — see Patient AI Improvement Consent item 6.
  • De-identified statistical aggregates. Once aggregated into non-identifying form, the data is no longer your personal information under HIPAA, GDPR, or PHIPA — out of scope for withdrawal.
  • Records the law requires us to retain. For example, HIPAA §164.530(j) six-year audit-log retention, or Quebec Law 25 art. 3.8 incident register. The withdrawal row itself is one such record — the audit is the evidence we honoured your request.

Can I re-consent later?

Yes. Withdrawing does not bar you from giving the consent again. Your practitioner can present the current version at your next visit; you sign afresh. Re-consent creates a new acceptance row; the prior withdrawal row stays in place so the timeline reads accurately. No penalty, no waiting period, no effect on your care in between (GDPR Art. 7(3): "withdrawing consent shall be as easy as giving it").

Does this apply to me, wherever I live?

Yes. Phiusion applies the strictest of the applicable state, provincial, and national withdrawal protections to every patient — same universal-protection model as Patient Privacy Notice §6 and §8. The 30-day destruction window, the 60-day sub-processor pass-through, and the immutable-row audit reach you wherever you are.

A handful of state- and province-specific rights remain residence-keyed by law — e.g., BIPA §20 (private right of action), WA-MHMDA via RCW 19.86 (private right of action), PHIPA s.61 (complaint to IPC), Law 25 art. 90 (complaint to CAI). To raise one, write to the Privacy Officer with your state or province; see Patient Privacy Notice §11.

Quebec patients. This procedure is prepared for Quebec, but no Quebec patient is invited under it until three Phase 4 launch-gate items complete: a French-language version per Patient Privacy Notice §17; the Law 25 art. 12 / CAI 60-day biometric pre-notification; and the Law 25 art. 17 PIA. Until then, Quebec is out of scope.

What law backs each commitment?

Commitment | Statutory anchor
Right to withdraw at any time, no penalty | HIPAA §164.508(b)(5); GDPR Art. 7(3); Law 25 art. 13; PHIPA s.19; WA-MHMDA RCW 19.373.040; BIPA §15(b)(3)
Erasure of photographs and vectors (30 days) | GDPR Art. 17; HIPAA §164.508(b)(5) prior-reliance carve-out; BIPA §15(a)
Sub-processor pass-through (60 days) | GDPR Art. 28(3)(g); PIPEDA Schedule 1 Principle 4.1.3
Immutable-row audit | HIPAA §164.530(j); Law 25 art. 3.8; GDPR Art. 5(2)
Re-consent any time | GDPR Art. 7(3); Law 25 art. 13
Universal application of the strictest window | Patient Privacy Notice §6 and §8

Contact

To withdraw, ask a status question, request a certificate of destruction, or direct a state-/province-specific right — either contact will route your request:

  • Privacy Officer (Phiusion Labs): Jonathan Garbutt, privacy@phiusionlabs.app.
  • Data Protection Officer (Universkin SAS, France): Maître Eric ELABD, +33 (4) 93.00.11.96, dpo@universkin.com.

Full supervisory-authority list at Patient Privacy Notice §16.

Updates to this page

Semantic versioning. Major (X.0.0) — material change to paths, SLAs, or scope; your practitioner re-prompts at your next visit. Minor (1.X.0) — clarifications, new anchors, sub-processor updates that don't change the procedure; banner only. Patch (1.0.X) — typos, formatting, broken links; no re-prompt. Full changelog at /legal/changelog.

Appendix A — What the audit row contains

The withdrawal row captures the version of the consent withdrawn, the timestamp, the capture method (doctor-proxy — your practitioner records the event for both paths), the withdrawal source (in-clinic vs Privacy-Officer email), an optional reason, and an immutable PDF snapshot of this page as it stood when recorded. Ask your practitioner or the Privacy Officer for a copy at any time.