Patient AI Improvement Consent
This page is the optional authorization you are asked to sign if you would like to let Universkin SAS use your photographs and the face-geometry vector that SkinXS computes from them to improve the SkinXS model. It is separate from the Patient Photo Consent (which covers taking the photograph) and the Biometric Retention & Destruction Policy (which covers vector handling). The broader picture is at the Patient Privacy Notice.
Signing is entirely optional. Saying no — or never being asked — has no effect on your care; your skin assessment runs the same way and nothing in the application changes. Phiusion is general wellness software, not a medical device; the skin assessment is not a diagnosis; your practitioner reviews everything and applies professional judgment.
How this page works, and how you sign
This consent has to satisfy two statutes that each impose a nine-item checklist, so the page is laid out as two clearly distinguishable authorization blocks — the layout the European Data Protection Board's Guidelines 05/2020 require for explicit consent. Both blocks cover the same use; you tap to confirm both on the same screen.
- HIPAA §164.508 Authorization (items 1–9): US federal authorization for a covered entity to use protected health information for a purpose that is not treatment, payment, or health-care operations.
- WA-MHMDA §19.373.030(2) Authorization (items A–I): Washington State Consumer Health Data authorization, with its own checklist that does not fully overlap with HIPAA's.
Both blocks apply to every patient regardless of residence, under our universal-protection commitment (Patient Privacy Notice §6 and §8). State- and province-specific rights (WA-MHMDA private right of action, BIPA §20, Law 25 access, etc.) remain residence-keyed and are exercised by contacting the Privacy Officer (§9).
You sign on your own device. The application asks for your phone number or email and sends you a link; you open it, read this page, and tap "Yes, I authorize" at the bottom of each block. Tapping is the signature event for HIPAA §164.508 and WA-MHMDA §19.373.030; the application records the version you saw, the timestamp, the capture method (patient-device), and a PDF snapshot. Under EDPB Guidelines 05/2020 and Decision #21 in the Phiusion legal record, a doctor-proxy tap is not a valid signature here. A paper alternative is available on request.
HIPAA §164.508 Authorization
The nine numbered items below are the elements required by 45 CFR §164.508(c)(1).
1. Information to be Used or Disclosed
The specific protected health information covered by this authorization is: (a) the frontal and profile photographs of your face taken on the Phiusion application (background pixels removed by remove.bg before storage); (b) the face-geometry vector that SkinXS computes from each photograph — a numerical representation of your facial geometry used to derive the skin-assessment indicators; and (c) the skin-assessment indicators that SkinXS returns (hydration, redness, oiliness, fine lines, age signals, etc., per Patient Privacy Notice §2).
Nothing else in your record is covered. Your name, contact details, health background, skin concerns, treatment notes, and billing are explicitly not authorized for AI-improvement use.
2. Persons Authorized to Make the Use or Disclosure
The parties authorized to make the use or disclosure are your treating practitioner (or clinic) — the HIPAA covered entity that holds your record — and Phiusion Labs Inc. (Ontario, Canada), the HIPAA business associate that operates the application and transmits the data to Universkin SAS under a signed Business Associate Agreement. No other parties are authorized.
3. Recipients Authorized to Receive the Information
The persons authorized to receive the information are Universkin SAS (France), the controller of the SkinXS AI-improvement training corpus, under an intercompany BAA and DPA (D15 in the Phiusion legal record); and the sub-processors of Universkin SAS strictly necessary to operate the training corpus — Supabase (storage), Vercel (compute pass-through), and internal Universkin compute — listed at Sub-Processors. Anthropic, Stripe, SendGrid, AfterShip, remove.bg, Google Maps, and Sentry are not authorized recipients on this leg.
4. Purposes of the Use or Disclosure
The purposes of the use or disclosure under this authorization are (a) to train and improve the SkinXS skin-assessment model by incorporating your photographs, vectors, and assessment indicators into Universkin SAS's training corpus, and (b) to evaluate the model's outputs against practitioner-curated outputs at a population level. The purposes of this authorization do not include marketing, sale to third parties, advertising, profiling for behavioural targeting, or identification of individuals.
5. Expiration
This authorization expires at the earlier of seven years from the date you sign it or the date you revoke it under item 6, whichever comes first. After expiration, no new data is added to the training corpus, and previously retained data is destroyed under Biometric Retention & Destruction Policy §6. The WA-MHMDA-side expiration is shorter (one year — item H) and controls in practice.
6. Your Right to Revoke
You have the right to revoke this authorization at any time, for any reason or no reason, without affecting your care. To revoke: (1) tell your practitioner; (2) email privacy@phiusionlabs.app; or (3) use the in-app Consent Withdrawal flow. Revocation is effective immediately. Your photographs and vectors are removed from the training corpus and destroyed within 30 days across every storage tier (Biometric Retention & Destruction Policy §7); a certificate of destruction is available on request. Revocation does not undo training runs already completed in reliance on the authorization — the §164.508(b)(5) prior-reliance carve-out is the only limitation.
7. Re-Disclosure
Once your information is disclosed to Universkin SAS, it leaves the protection of HIPAA. Universkin SAS is a French company, not a HIPAA covered entity or business associate; the intercompany BAA extends HIPAA-equivalent obligations contractually, but the regulator-level protection ends at the disclosure boundary. The information disclosed under this authorization may be subject to re-disclosure by the recipient and may no longer be protected by HIPAA. In practice the data enters a layered framework of GDPR, UK GDPR, Swiss nFADP, and contractual flowdowns — see Patient Privacy Notice §5.1.
8. Treatment Will Not Be Affected by Your Choice
Under 45 CFR §164.508(b)(4), your treatment will not be conditioned on signing this authorization, and your treatment will not be affected by whether you sign, decline, or revoke this consent. Your eligibility for care, the care you receive, the skin assessment, your practitioner's regimen recommendations, and the cost of your visit are the same in every scenario. If you decline, the SkinXS service continues on the default-ephemeral basis at Biometric Retention & Destruction Policy §4. If anyone tells you your care depends on signing, report it to privacy@phiusionlabs.app.
9. Patient Signature and Date
By tapping "Yes, I authorize" at the bottom of this block on your own device, you provide your patient signature for 45 CFR §164.508(c)(1)(vi). The application records the timestamp, the device fingerprint, the capture method (patient-device), the version of this page shown, the calendar date in your practitioner's local time zone, and an immutable PDF snapshot. If you sign on paper, you write your full name, the date, and your signature in the spaces provided. If the patient is a minor or otherwise unable to sign, a parent or legal guardian signs as the personal representative under §164.502(g). You can request a copy of your signed authorization at any time.
WA-MHMDA §19.373.030(2) Authorization
The nine lettered items below are the elements required by RCW 19.373.030(2). This signed authorization is required for the sale or sharing of consumer health data under RCW 19.373.030(1), applied universally to every patient on Phiusion regardless of residence.
A. Categories of Consumer Health Data
The specific categories of consumer health data shared under this authorization, as defined in RCW 19.373.010(8), are: biometric data (the face-geometry vector); health data linked to an identifier (the SkinXS skin-assessment indicators associated with each photograph); and photographs of your face (frontal and profile, post-background-removal). No other categories of consumer health data are covered.
B. Purposes of the Sharing
The specific purposes of the sharing under this authorization are to train and improve the SkinXS skin-assessment model and to evaluate the model's outputs against practitioner-curated outputs at a population level. The purposes do not include sale to a third party, advertising, marketing, or profiling. Phiusion does not sell consumer health data — we apply NV-SB370's no-sale rule universally (Patient Privacy Notice §8). The Phiusion answer to WA-MHMDA's "sale or sharing" framing is non-sale sharing under contract.
C. Name and Contact Information of the Seller / Controller
The name and contact information of the seller / controller sharing the data is Phiusion Labs Inc., 1 Yonge Street, Toronto, Ontario, Canada. Privacy Officer: Jonathan Garbutt, privacy@phiusionlabs.app. Role: HIPAA business associate; Ontario PHIPA HINP under O. Reg. 329/04 s.6; controller of doctor data, processor of patient data under GDPR. "Seller / controller" is WA-MHMDA's checklist wording; Phiusion does not in fact sell consumer health data — the disclosure to Universkin is a contractual sharing, not a sale.
D. Name and Contact Information of the Recipient
The name and contact information of the recipient / purchaser receiving the data is Universkin SAS, 400 Avenue Roumanille, 06410 Biot, France. Data Protection Officer: Maître Eric ELABD, +33 (4) 93.00.11.96, dpo@universkin.com. Role: operator of SkinXS (sub-processor for service delivery); controller for AI-improvement processing under GDPR; holder of the training corpus. No other recipient or purchaser is named. Universkin's sub-processors act on its instructions under signed contracts, not as separately-named recipients.
E. Authorization Required for the Sale or Sharing
This signed authorization is required for the sale or sharing of consumer health data under RCW 19.373.030(1). Without your signature, Universkin SAS may not receive your photographs, vector, or assessment indicators for AI-improvement purposes. Phiusion enforces this technically: without a signed authorization, nothing is sent to the Universkin training corpus and the vector is destroyed at the end of the SkinXS request under the default-ephemeral protocol at Biometric Retention & Destruction Policy §4.
F. Signature Given Freely and Voluntarily
Your signature on this authorization must be given freely and voluntarily. You are not required to sign as a condition of care, of seeing this practitioner, or of any other consent. Tapping "No" or ignoring this page is a complete answer; your care continues unchanged. Under RCW 19.373.030(2)(e) and EDPB Guidelines 05/2020, a signature obtained under duress, coercion, or where you are not free to refuse is not valid. If anyone pressures you, report it to privacy@phiusionlabs.app.
G. Data May No Longer Be Protected Once Shared
Once your consumer health data is shared with Universkin SAS, it leaves Washington and is held in France. Universkin is contractually bound to HIPAA-equivalent, GDPR, and WA-MHMDA-equivalent terms by the intercompany BAA and DPA, but as a matter of regulator jurisdiction the data may no longer be protected by WA-MHMDA after it leaves Washington. The Washington Attorney General retains its RCW 19.86 authority over Phiusion as the Washington-facing entity, and the data enters a layered framework of GDPR, UK GDPR, and Swiss nFADP. You should know before signing that the direct WA-MHMDA private right of action against a foreign recipient is a more uncertain remedy than against a Washington-based one.
H. Expiration — One Year
This Washington-side authorization expires one year from the date you sign it, per RCW 19.373.030(2)(g) (a WA-MHMDA authorization may not exceed one year). After expiration, no new data is added to the Universkin training corpus; if you would like to continue, your practitioner asks you to sign a fresh authorization at your next visit. Previously-retained data is destroyed under Biometric Retention & Destruction Policy §6. The HIPAA-side expiration in item 5 is seven years; when the two differ, the shorter controls under our universal-protection commitment — so the one-year WA-MHMDA expiration applies in practice for every patient.
I. Right to Revoke, and How to Revoke
Your right to revoke this authorization, and how to do so, under RCW 19.373.030(2)(h): revoke at any time, for any reason, by (1) telling your practitioner; (2) emailing privacy@phiusionlabs.app with "I revoke my Phiusion AI-improvement consent" (include your full name and your practitioner's name); or (3) using the in-app Consent Withdrawal flow. Revocation is effective immediately and triggers the 30-day destruction protocol in item 6 above. A revocation under this item revokes the HIPAA-side authorization above as well, and vice versa — the two blocks are signed together and revoked together.
How this consent fits with your other consents and rights
This consent does not replace or modify the Patient Photo Consent, the Biometric Retention & Destruction Policy, or the Consent Withdrawal flow (whose 30-day SLA applies here). The legal basis for AI-improvement processing differs by region: HIPAA §164.508 in the US; GDPR Art. 9(2)(a) explicit consent in the EU / EEA / UK / Swiss leg via Universkin SAS; Law 25 art. 12 for any future Quebec patient (subject to the launch-gate items at Patient Privacy Notice §17); and the residence-keyed state biometric and consumer-health regimes for US patients in addition to HIPAA. GDPR Art. 22 on automated decision-making is not triggered — model training is not a decision about you, and the doctor remains the decision-maker.
This authorization is offered on the same terms to every patient regardless of residence. State- and province-specific rights (BIPA §20, WA-MHMDA private right of action under RCW 19.86, Law 25 access, CCPA/CPRA, PHIPA s.52, etc.) remain residence-keyed and are exercised by contacting the Privacy Officer per Patient Privacy Notice §11.
9. Contact and supervisory authorities
To exercise any right under this consent, to raise a question, or to report pressure to sign:
- Privacy Officer (Phiusion Labs): Jonathan Garbutt, privacy@phiusionlabs.app.
- Data Protection Officer (Universkin SAS, France): Maître Eric ELABD, +33 (4) 93.00.11.96, dpo@universkin.com.
The full supervisory-authority list (HHS-OCR, FTC, state AGs, OPC Canada, IPC Ontario, CAI Quebec, CNIL, ICO, FDPIC) is at Patient Privacy Notice §16.
10. Updates to this consent
This consent follows semantic versioning:
- Major (X.0.0): material change to scope, recipients, purposes, retention, or withdrawal mechanism. Your practitioner re-prompts you to sign a fresh authorization at your next visit; the previous authorization is superseded and its signed record preserved.
- Minor (1.X.0): clarifications, new statutory anchors, or sub-processor updates that do not change scope. Banner only.
- Patch (1.0.X): typos, formatting, broken links. No re-prompt.
Full changelog at /legal/changelog.
Appendix A — Delivery evidence
When you tapped to confirm, the application recorded the version of this page, the timestamp of your tap, the capture method (patient-device), and an immutable PDF snapshot. The signed record uses the immutable-row pattern: a withdrawal does not delete the original signing event, it adds a new row recording the withdrawal. Ask your practitioner or the Privacy Officer for a copy at any time.
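The immutable-row pattern described above, shown as an added Python example (this is illustrative code written for this page, not Phiusion's own implementation). It assumes a ledger that only ever appends rows carrying the fields named in this appendix (page version, timestamp, capture method), derives the current authorization by replaying those rows, applies the one-year expiry from item H, rejects a doctor-proxy tap as a signature, and gates forwarding to the training corpus as item E describes. All names, field layouts and sample events are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumptions for this example: the one-year WA-MHMDA cap (item H) is the
# expiry that controls for every patient, and only these capture methods count
# as a signature (a practitioner tapping on the patient's behalf never does).
AUTH_VALIDITY = timedelta(days=365)
VALID_SIGNATURE_METHODS = {"patient-device", "paper"}


def ts(year: int, month: int, day: int) -> datetime:
    """Timezone-aware UTC timestamp helper used for constructed sample events."""
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass(frozen=True)
class ConsentEvent:
    """One immutable ledger row (field names are assumptions for this example)."""
    patient_id: str
    event: str           # "signed" or "withdrawn"
    page_version: str    # version of the consent page the patient saw
    at: datetime         # timestamp of the tap, timezone-aware
    capture_method: str  # how the tap was captured


class ConsentLedger:
    """Append-only store: rows are added, never edited or deleted."""

    def __init__(self) -> None:
        self._rows: list[ConsentEvent] = []

    def append(self, ev: ConsentEvent) -> None:
        if ev.event not in ("signed", "withdrawn"):
            raise ValueError(f"unknown event {ev.event!r}")
        if ev.at.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware")
        # A signature must come from the patient's own device or from paper.
        if ev.event == "signed" and ev.capture_method not in VALID_SIGNATURE_METHODS:
            raise ValueError(f"{ev.capture_method!r} is not a valid signature capture method")
        self._rows.append(ev)

    def history(self, patient_id: str) -> list[ConsentEvent]:
        """Every row for the patient, oldest first; a withdrawal never erases a signing."""
        return sorted((r for r in self._rows if r.patient_id == patient_id), key=lambda r: r.at)

    def is_authorized(self, patient_id: str, now: datetime) -> bool:
        """Replay the ledger: the latest event wins, then the one-year expiry applies."""
        signed_at = None
        for r in self.history(patient_id):
            if r.at > now:
                break  # rows timestamped after 'now' are ignored (clock skew)
            signed_at = r.at if r.event == "signed" else None
        if signed_at is None:
            return False
        return now < signed_at + AUTH_VALIDITY


def forward_for_training(ledger: ConsentLedger, patient_id: str, vector, now: datetime):
    """Item E gate: only an authorized patient's vector reaches the corpus.
    Returning None models the default-ephemeral path (vector dropped at request end)."""
    return vector if ledger.is_authorized(patient_id, now) else None


def build_sample_ledger() -> ConsentLedger:
    """Constructed sample events, not real patient data."""
    led = ConsentLedger()
    led.append(ConsentEvent("patient-A", "signed", "1.0.0", ts(2025, 1, 10), "patient-device"))
    led.append(ConsentEvent("patient-A", "withdrawn", "1.0.0", ts(2025, 7, 1), "patient-device"))
    led.append(ConsentEvent("patient-B", "signed", "1.0.0", ts(2024, 1, 1), "paper"))
    return led


def proxy_signature_rejected(ledger: ConsentLedger) -> bool:
    """True if the ledger refuses a doctor-proxy tap as a signature."""
    try:
        ledger.append(ConsentEvent("patient-C", "signed", "1.0.0", ts(2025, 1, 1), "doctor-proxy"))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    led = build_sample_ledger()
    print("patient-A authorized 2025-06-01:", led.is_authorized("patient-A", ts(2025, 6, 1)))
    print("patient-A authorized 2025-07-02:", led.is_authorized("patient-A", ts(2025, 7, 2)))
    print("patient-A rows kept after withdrawal:", len(led.history("patient-A")))
    print("patient-B authorized 2025-01-02 (expired):", led.is_authorized("patient-B", ts(2025, 1, 2)))
```

Replaying the rows rather than storing a mutable "consented" flag is what makes the record auditable: the signing event, the version seen and the withdrawal all survive, and the current state is always recomputable from them.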