Cookie & Tracking Notice

1. What this notice covers

Phiusion is B2B software for licensed health professionals. This notice describes the cookies and similar technologies Phiusion uses on its application.

"Cookies and similar technologies" means small files and storage entries that we place in your browser when you visit the Phiusion app at phiusionlabs.app and its subdomains. They include traditional cookies, browser local storage entries, and short-lived tokens that an edge network uses to route your requests.

This notice is for everyone who lands on a Phiusion page: the health professional (practitioner) who logs in to use the platform, and, occasionally, a patient or other visitor who reaches a public Phiusion page. The behavior described below is the same in both cases. In practice, patients do not authenticate to phiusionlabs.app; this notice applies to patients only if they reach a public page directly.

If you are a patient in Ontario, decisions about your personal health information are governed by your treating practitioner under PHIPA, not by this cookie notice; see the Patient Privacy Notice and the PHIPA Audit Summary.

A French version of this notice is in progress and will be available at /fr-CA/legal/cookie-tracking-notice (Quebec Charter of the French Language arts. 51–52; Law 25 arts. 5.1, 14). Patient-facing cookie consent in Quebec will be served in French at launch; practitioner-facing English access is unaffected.

For information about how Phiusion handles personal data once it is collected, see the Privacy Notice for Practitioners and the Privacy Notice for Patients.

2. The categories we use

We group cookies and similar technologies into four categories. Where a category is described below as "off by default until you choose," that behavior applies to the opt-in jurisdictions listed in §3 (EU/EEA, UK, Switzerland, and Québec). Everywhere else, the default is opt-out, as detailed in §3.

Strictly necessary. These keep the app working. They include your authentication session (so you stay logged in), an anti-forgery (CSRF) token, a language preference, and the shopping-cart token that lets you place an order. You cannot turn these off, because without them the app cannot deliver the service you asked for. They do not track you across other sites and they are not used for analytics or advertising.

Functional. These remember choices that make the app more comfortable to use — for example, whether you collapsed the sidebar, or which view mode you last selected on a list. Turning these off does not break the app; you will just see default settings each time. Outside the opt-in jurisdictions, functional cookies are on by default. In opt-in jurisdictions they are off until you choose them.

Analytics. These let us count how many people visited a page, how often a feature is used, and where a multi-step flow breaks down. Counters are aggregated on your device before they leave it, and no individual identifier is included in the analytics payload — analytics events do not carry a user ID, email, account fingerprint, or device fingerprint. (IP addresses are visible to our edge network and server logs at the TLS layer, as for any web request, and are retained only as described in our Privacy Notice.) We use analytics to fix bugs, plan capacity, and improve the product. Outside the opt-in jurisdictions, analytics are on by default under a documented legitimate interest (see Appendix A and the lia-aggregate-analytics internal LIA). In opt-in jurisdictions they are off until you choose them.

Error monitoring (Sentry). This is a stack-trace and exception pipeline that tells our engineers when something breaks in production. It is essential for catching defects that could otherwise corrupt the clinical record. It is scrubbed and minimized before transmission (see §4). Outside the opt-in jurisdictions, error monitoring is on by default under a documented legitimate interest and under the posture described in §4 (see Appendix A and the lia-error-monitoring internal LIA). In opt-in jurisdictions it is off until you choose it; the Sentry SDK bundle may be present on the page but Sentry.init() is not called until consent is recorded; no events can be transmitted before init.

Phiusion does NOT use marketing or advertising cookies. We do not use cross-site tracking pixels, third-party advertising networks, or social-media trackers of any kind. See §7 for the full list of things we do not do.

3. Per-jurisdiction default table

Defaults differ by where you are when you load the app. The mechanism is the same in every case: a banner appears on first visit, and a "Cookie Preferences" link in the footer is always available afterwards.

Footnote on EU/EEA/UK/CH: Phiusion does not serve, and does not plan to serve, users in the EU/EEA, UK, or Switzerland. The opt-in default in those regions is retained for two independent reasons: (i) the Phiusion app is hosted by Universkin SAS (France), our EU-established platform operator and sub-processor, and (ii) we serve the same banner UI to every visitor regardless of jurisdiction. Neither rationale is a representation that EU/EEA/UK/CH data subjects are an intended audience.

Footnote on "Rest of Canada" (AB/BC/MB/NB/NL/NS/ON/PE/SK/YT/NT/NU): We rely on implied consent under PIPEDA Schedule 1 Principle 3 (read together with provincial equivalents BC PIPA s. 6–8 and AB PIPA s. 7–8, and the OPC's 2018 Guidelines for Obtaining Meaningful Consent) for non-essential analytics and error monitoring outside Quebec. The banner provides clear category-level opt-out, the categories are limited to the non-identifying telemetry described in §2, and the four-factor meaningful-consent test is met because: (a) what is being collected is identified by category and example in §2; (b) the named parties with whom information is shared are listed in §6; (c) the purposes (product reliability, bug detection, capacity planning, breach detection) are stated in §2 and Appendix A; and (d) the consequence of opt-out is none — the app continues to function.

3.1 Universal opt-out signals

For users in California, Colorado, and Connecticut, we recognize and honor the Global Privacy Control (GPC) browser signal (Sec-GPC: 1) as an opt-out request for any non-essential category that would otherwise be on by default. Receipt of a GPC signal is treated as equivalent to clicking "Reject all non-essential" on the banner. This is required by CCPA Reg. §7025(b) (California), CO Privacy Act §6-1-1306(1)(a)(IV)(B) read with 4 CCR 904-3 Rule 5.06 (Colorado, since July 2024), and CT-DPA §6(e)(1)(A) (Connecticut, since January 2025). The signal is honored on a same-device basis for the lifetime of the browser's setting; users may still adjust per-category preferences in the banner if they want to enable specific non-essential categories.

3.2 Banner mechanics (opt-in jurisdictions)

On the first layer of the banner shown in opt-in jurisdictions (EU/EEA, UK, Switzerland, and Québec), an "Accept all" button, a "Reject all" button, and a "Customize" button are presented with equal visual prominence (same size, contrast, and position weight). No category is pre-ticked. Per-category toggles are exposed within one click via "Customize." This design follows EDPB Guidelines 03/2022 on deceptive design patterns and CNIL Délibération 2020-091 on cookie consent.

4. Sentry under Decision #16

Error monitoring is currently provisioned through Sentry on its free plan, while we evaluate a paid tier with stronger contractual protections (an internal posture documented in our launch spec as "Decision #16, Option C"); a pre-launch re-decision is scheduled. Until then, the following minimization controls apply at all times, regardless of your jurisdiction:

• We strip out IDs, emails, and login tokens from every error report before it leaves your browser — specifically, pre-send regular-expression scrubbing for UUIDs, email addresses, and JWTs on URLs, query strings, cookies, headers, exception messages, and breadcrumbs.
• Errors that happen on patient-record pages are dropped entirely — they are never sent to Sentry. The blocklist applies to any route that renders or processes patient records, wellness sessions, AI skin-assessment inputs or outputs, photo uploads, or admin-order details. The canonical list is maintained in sentry.shared.ts and is verified against this notice by automated CI.
• A safety setting (sendDefaultPii: false) is locked on by our build process; a test fails if anyone tries to change it.
• A best-effort regex re-check drops any event that, after primary scrubbing, still matches a UUID or email pattern.

The full legitimate-interest assessment for this processing is filed as lia-error-monitoring and is available on request to data subjects exercising their access rights (see §10).

4.1 Canadian users outside Quebec

Outside Quebec, Phiusion relies on implied consent under CASL §10(8) for strictly necessary cookies and similar technologies, and on opt-out via the cookie banner — supported by PIPEDA Principle 3 meaningful-consent disclosure — for analytics and error monitoring. The Sentry SDK is loaded under that implied / opt-out basis; toggling it off in the banner stops further telemetry transmission.

5. How to change your preferences

You can change your cookie choices at any time, in three ways:

1. On the cookie banner. The banner appears on first visit and lets you accept, reject, or fine-tune categories.
2. From the "Cookie Preferences" link in the footer. This is available on every page, before and after login. Your changes take effect on the next page load; for Sentry specifically, switching error monitoring off triggers a full page reload so the SDK is fully torn down.
3. From your browser's own controls. Most browsers let you block or delete cookies. Browser controls are coarser than ours: they may not respect our per-category granularity, and blocking strictly necessary cookies will prevent you from signing in.

For users in the EU / EEA, UK, Switzerland, and Québec: withdrawing consent is as easy as giving it (GDPR Art. 7(3); Law 25 art. 9 — withdrawal on terms equivalent to giving consent). The same banner UI used to grant consent reappears via the footer "Cookie Preferences" link, with the same toggles, the same labels, and an equal-prominence reject-all button. Toggling a category off in the banner or the footer link withdraws that consent immediately for future processing on that device.

6. Sub-processors who set cookies on our domain or receive cookie-equivalent telemetry

A small number of named service providers act on our behalf and either set cookies under our domain or receive cookie-equivalent telemetry that we transmit from your browser.

• Universkin SAS (France) — the Phiusion platform is built and operated by Universkin SAS; Universkin does not set cookies on phiusionlabs.app but operates the underlying infrastructure (storage in France / EU).
• Vercel — hosts the Phiusion application and sets edge-routing and load-balancing cookies; these are strictly necessary. Storage in the United States; transfers covered by Standard Contractual Clauses and EU-US Data Privacy Framework self-certification.
• Supabase — provides our authentication and session layer; the login session cookie is set under our domain through Supabase. Storage in the United States; transfers covered by Standard Contractual Clauses.
• Sentry — receives application error telemetry under the post-scrub posture described in §4, on the opt-out path only. Storage in the United States; transfers covered by Standard Contractual Clauses and EU-US Data Privacy Framework self-certification.

Some sub-processors (Vercel, Supabase, Sentry) store data in the United States; the Phiusion platform is operated by Universkin SAS in France. See the Sub-Processors page for storage regions and transfer mechanisms (PIPEDA-adequacy for France; SCCs for US sub-processors).

The full list of sub-processors, what they process, where data is stored, and what contractual safeguards apply is published on the Sub-Processors page.

7. What we do NOT do

We do not, on any page of the Phiusion application:

• Set advertising cookies of any kind.
• Use Google Analytics, Meta Pixel, LinkedIn Insight Tag, TikTok Pixel, X (Twitter) Pixel, or any equivalent ad-tech beacon.
• Run cross-site tracking pixels or share identifiers with advertising networks.
• Sell or share personal information (as those terms are defined under the California Consumer Privacy Act, Cal. Civ. Code §§ 1798.140(ad) and 1798.140(ah)) with third parties.
• Build targeted-advertising profiles, audience segments, or look-alike audiences.
• Operate session-replay tooling that records the contents of a wellness session.

Because Phiusion does not sell or share personal information and does not use cookies for cross-context behavioral advertising, no separate "Do Not Sell or Share My Personal Information" or "Your Privacy Choices" link is required. The "Cookie Preferences" link in the footer functions as the universal opt-out surface for all non-essential processing, and the GPC signal described in §3.1 is honored for users in California, Colorado, and Connecticut.

If any of this changes, the banner will re-prompt on your next visit and this notice will be re-versioned with a change_summary.

8. Updates

We re-version this notice when we materially change what we collect, how we collect it, or which sub-processors are involved. Material changes cause the banner to re-prompt for consent on your next visit. The version history of this notice — including the version, effective_date, and change_summary of each revision — is generated at build time from the document's frontmatter and is displayed at the bottom of this page in production.

9. Contact

• Privacy Officer (Phiusion Labs): Jonathan Garbutt, privacy@phiusionlabs.app.
• Data Protection Officer (Universkin SAS, France): Maître Eric ELABD, +33 (4) 93.00.11.96, dpo@universkin.com.

You may contact either named individual; we route to the appropriate one internally.

10. Appendix A — Legitimate Interest Assessments

For the opt-out path described in §3, two internal Legitimate Interest Assessments (LIAs) document why the processing is lawful under GDPR Art. 6(1)(f) and the equivalent provisions of UK GDPR, with a three-part purpose / necessity / balancing analysis.

• Aggregate analytics LIA (lia-aggregate-analytics) — concludes that counting page views, feature usage, and funnel events with no identifier transmitted off the device is the minimum processing capable of supporting product reliability, bug detection, and capacity planning, and is balanced by an always-available opt-out toggle.
• Error monitoring LIA (lia-error-monitoring) — covers Sentry error reports for users outside the EU and Québec. It concludes that this scrubbed, blocklisted telemetry helps us meet our security obligations (GDPR Art. 32) and our HIPAA duty to review system activity (§164.308(a)(1)(ii)(D)), and that the remaining risk is acceptable under the Sentry posture described in §4.

For users in the EU/EEA, UK, Switzerland, and Québec, the lawful basis is opt-in consent (GDPR Art. 6(1)(a); Law 25 art. 12). Neither LIA is, or may be cited as, a lawful basis for processing in those jurisdictions.

These are internal documents. They are available on request to any data subject exercising a right of access (GDPR Art. 15, PIPEDA Principle 9, Law 25 art. 27, or the equivalent right under their local law). Requests should be sent to the Privacy Officer or DPO addresses in §9.