Privacy Notice (Practitioners)

Version 1.0.0 · Effective 2026-06-01

This notice explains what personal information Phiusion Labs collects about you, the health professional who uses the Phiusion application, and what we do with it. It is separate from the Privacy Notice for Patients, which covers the people you see in your practice.

Phiusion is B2B software for health professionals. We do not sell your data, we do not run advertising on the application, and we do not make automated decisions about you that produce legal or similarly significant effects. The rest of this notice covers the detail.

1. Who we are

Three parties handle your information. It is easier to follow the rest of this notice if you know which one is which.

  • Phiusion Labs (Ontario, Canada) is the controller of your account, billing, and support information — the data we collect from you so we can give you access to the application and bill you for it. Phiusion Labs is also the processor (or, in Ontario, the Health Information Network Provider — "HINP", a defined role under Ontario Regulation 329/04 s.6 that supplies electronic services to a health-information custodian) for the patient records you create inside the application. Phiusion publishes its PHIPA s.6(3) services description, safeguards summary, and audit summary at PHIPA Audit Summary. Mailing address: 29 East Wilmot, Richmond Hill, Ontario, Canada.
  • Universkin SAS (France) builds and operates the application on behalf of Phiusion Labs. Universkin is our sub-processor for service delivery, and it is the controller for limited AI-model-improvement work — that work is governed by patient consent and is described in the Patient Privacy Notice and the AI Training & Improvement Notice, not here.
  • You, the practitioner (or clinic), are the controller of the patient records you create. Phiusion processes those records on your behalf. This notice is about your data, not your patients' data.

Practitioners who self-identify at signup as an Alberta HIA (Health Information Act) custodian, a Manitoba or Atlantic PHIA-equivalent (Personal Health Information Act) trustee, or a similar provincial public-health-information-statute-regulated person will be routed to manual sales onboarding for a bilateral agreement; the standard self-serve flow does not establish that status.

You can reach either office at the addresses in §13.

2. What we collect about you

We collect the following categories of information about you as the user of the application. We do not buy lists of practitioners from data brokers, and we do not collect anything about you from social media.

  • Identity and professional credentials. Your name, your professional title, your medical license or registration number, your National Provider Identifier ("NPI", the unique number issued to US health professionals by the Centers for Medicare & Medicaid Services), your specialization, and the country and state or province in which you are licensed. We collect these at signup to verify that you are a licensed practitioner. The product is sold for cosmetic and general wellness use; license verification is part of B2B credentialing.
  • Contact information. Your professional email address, your phone number, and the address of your practice.
  • Account credentials. Your login email, a salted hash of your password (we never store your password in clear text), your multi-factor authentication ("MFA", a second-factor sign-in step) settings, and the timestamps of your sessions for audit purposes.
  • Billing and tax information. Your Stripe customer ID, a tokenized reference to your payment method (the card number itself never touches Phiusion systems — it is held by Stripe), your billing address, and, where required for tax reporting, a W-9 (US) or business registration number (Canada). We retain these for the period required by US and Canadian tax law.
  • Usage telemetry. Aggregate counters of which features you use, how often, and where multi-step flows break down, plus error reports from your browser. This is the same telemetry described in the Cookie & Tracking Notice; the controls there govern how it is collected.
  • Communications. Support tickets you open with us, the messages we send back, and the in-app notifications we generate for you.
  • Tax and regulatory records. Anything we are required to keep by US or Canadian tax law, or by anti-money-laundering or business-records law.

We do not collect biometric information about you. The face-geometry processing performed by SkinXS applies to patient photos, not to you.

3. Why we collect it

The table below maps each purpose to its legal basis. The GDPR (General Data Protection Regulation) articles apply only to the leg of the processing that takes place at Universkin SAS in France; the rest of the legal bases come from US and Canadian law.

  • Purpose: Create your account, sign you in, and deliver the application. Legal basis: Performance of our contract with you (GDPR Art. 6(1)(b) for the Universkin leg); PIPEDA Schedule 1 Principle 3 implied consent for service delivery.
  • Purpose: Bill you and keep tax records. Legal basis: Legal obligation under US and Canadian tax law (GDPR Art. 6(1)(c) for the Universkin leg).
  • Purpose: Operate the application through Universkin SAS as our sub-processor. Legal basis: Phiusion-as-controller leg: performance of our contract with you, plus our legitimate interest in using a qualified operator (GDPR Art. 6(1)(b) and Art. 6(1)(f)). Universkin-as-processor leg: Universkin processes your account information only on documented instructions from Phiusion under GDPR Art. 28; where Universkin acts in a separate controller capacity (for AI-model improvement on patient data), that lawful basis is disclosed in the Privacy Notice for Patients and the AI Improvement Consent, not here. The BAA (Business Associate Agreement, a HIPAA-required contract between a covered entity and a vendor handling PHI) and DPA (Data Processing Agreement, the GDPR Art. 28 equivalent) with Universkin SAS are available to regulators and to data subjects exercising access rights on request.
  • Purpose: Count feature usage and measure where flows break down (aggregate analytics). Legal basis: Our legitimate interest in product reliability (GDPR Art. 6(1)(f)); documented in lia-aggregate-analytics. Opt-in consent in the EU/EEA, UK, Switzerland, and Quebec, per the cookie notice.
  • Purpose: Catch and fix bugs through error monitoring. Legal basis: Our legitimate interest in operational security and product quality (GDPR Art. 6(1)(f)) plus our duty to review system activity (HIPAA Security Rule §164.308(a)(1)(ii)(D)); documented in lia-error-monitoring.
  • Purpose: Detect and respond to security incidents. Legal basis: Legal obligation (HIPAA Security Rule §164.308 and GDPR Art. 32) plus our legitimate interest in protecting the platform; documented in lia-breach-detection.
  • Purpose: Send you support replies and service announcements. Legal basis: Performance of our contract with you.
  • Purpose: Send you marketing or promotional emails. Legal basis: Your opt-in consent (which Phiusion applies voluntarily, more strictly than CAN-SPAM requires; we additionally comply with CAN-SPAM Act §316.5 for US recipients: accurate sender identification, physical mailing address, and a working one-click unsubscribe link). CASL (Canada's Anti-Spam Legislation) §6 governs Canadian recipients. GDPR Art. 6(1)(a) consent applies to the Universkin (France) leg. You can withdraw at any time.

We do not use your information for any purpose not listed here. If we add a new purpose, we will publish a new version of this notice and, where the change is material, ask you to consent again before you can keep using the application.

Consequences of not providing the data. Providing your identity, license, and credential information is necessary to receive a practitioner account; without it we cannot deliver the service. Billing and tax fields are required to bill you. Aggregate analytics is your choice — opting out does not break the application. (GDPR Art. 13(2)(e).)

4. Who we share it with

We share your information with a small number of named service providers who act on our behalf, and with Universkin SAS, the French company that builds and operates the platform on our behalf. We do not sell or share your information for advertising (as those terms are defined under CCPA (California Consumer Privacy Act) / CPRA (California Privacy Rights Act), Cal. Civ. Code §§1798.140(ad) and 1798.140(ah)), we do not provide it to data brokers, and we do not provide it to social-media platforms.

  • Universkin SAS — operates the application from France under BAA and DPA (available to regulators and to data subjects exercising access rights on request).
  • Supabase, Vercel, Sentry, Stripe, SendGrid (Twilio), AfterShip, remove.bg, Google Maps — listed by service and storage region on the Sub-Processors page, with BAA and DPA status disclosed for each. The BAA chain is described in our HIPAA Business Associate Agreement, which you accept when you sign up.

Some sub-processors listed at Sub-Processors (notably Anthropic for patient-side LLM (large language model) processing) handle only patient data and do not appear in the practitioner-data sharing list above.

We do not share your information with anyone else except where we are required to do so by law (a subpoena, court order, or comparable instrument), or with your prior written authorization.

5. Where your data is processed

Phiusion is headquartered in Ontario, Canada. Your data is processed in three regions, depending on the service:

  • France (EU) — application operations, including Supabase and SkinXS data paths that pass through Universkin SAS.
  • United States — Supabase, Vercel, Stripe, SendGrid, Sentry, AfterShip, and Google Maps.
  • Canada — Phiusion's own administrative records.

Transfers out of Canada and the EU are covered by the following mechanisms — note that these mechanisms are distinct and not interchangeable:

  • Canada → EU (France): the European Commission's PIPEDA-adequacy decision; no further mechanism required.
  • EU (Universkin SAS) → US sub-processors: Standard Contractual Clauses ("SCCs", the European Commission's pre-approved contractual safeguards for cross-border transfers; Module 2 controller-to-processor or Module 3 processor-to-processor as appropriate), plus EU-US Data Privacy Framework ("DPF", a self-certification regime that legitimises EU-to-US transfers to participating US vendors) self-certification where the vendor participates; a per-vendor Transfer Impact Assessment ("TIA", a documented analysis of third-country law and supplementary measures) is on file.
  • Canada (Phiusion Labs) → US sub-processors: PIPEDA Schedule 1 Principle 4.1.3 contractual flowdowns ensuring a comparable level of protection. This is not the same mechanism as EU SCCs.
  • UK → US sub-processors: UK International Data Transfer Agreement ("IDTA") or the UK Addendum to EU SCCs.
  • Switzerland → US sub-processors: SCCs recognised by the Swiss Federal Data Protection and Information Commissioner ("FDPIC"), or the Swiss extension of the EU-US DPF.

The supplementary measures we apply (per European Data Protection Board Recommendations 01/2020, issued in response to the EU's case-law requirement for extra safeguards when personal data leaves the EU for the US, commonly called "Schrems II") include: encryption in transit and at rest (§8); pseudonymisation through scrubbing for Sentry and similar telemetry (described in the Cookie & Tracking Notice §4); contractual challenge-and-notify obligations against third-country government access (filed in the vendor agreements with Universkin SAS); and per-vendor TIAs.

Quebec practitioners: before the Quebec launch, Phiusion will file a written Privacy Impact Assessment ("PIA", a documented risk analysis required under Law 25 art. 17) covering the cross-border processing of your account information by Universkin SAS in France. The PIA is filed before Quebec practitioners can sign up.

6. Your rights

Your rights depend on where you are. The summary below is keyed by region; statute citations follow each entry in parentheses. Whichever route applies, write to privacy@phiusionlabs.app and we will respond within 30 days. We may extend the deadline where the law allows (HIPAA §164.524(b)(2) permits a 30-day extension; GDPR Art. 12(3) permits a 60-day extension for complex requests). If we extend, we will tell you why.

Across all jurisdictions you can ask us to:

  • Tell you what data we hold about you and give you a copy.
  • Correct anything that is wrong.
  • Delete data we no longer need to keep (subject to retention rules in §7).
  • Stop using your data for purposes you have not consented to.
  • Withdraw any consent you have given (for marketing emails, for cookie categories that require consent, and so on). Withdrawing consent does not affect anything we did before you withdrew.

United States

  • HIPAA right of access. Phiusion does not hold protected health information about you as a patient; HIPAA's right of access (§164.524) therefore does not apply to your practitioner-account data. You retain HIPAA rights as a covered entity to receive cooperation from Phiusion as a business associate (§164.504(e)).
  • State consumer-privacy laws. You also have the rights in your state's consumer-privacy law if you live in one of the states that has one — California (CCPA / CPRA), Washington (MHMDA — My Health My Data Act), Connecticut (CT-DPA — Connecticut Data Privacy Act), Colorado (CPA — Colorado Privacy Act), Nevada (SB 370, codified at NRS 603A.300–360), Oregon (OCPA — Oregon Consumer Privacy Act), or Maryland (MODPA — Maryland Online Data Privacy Act).
  • California medical information. CMIA (California Confidentiality of Medical Information Act) primarily flows through the Privacy Notice for Patients; to the extent any practitioner-account record incidentally falls within scope, the same access and correction rights apply.
  • New York and Massachusetts. New York residents have rights under the SHIELD (Stop Hacks and Improve Electronic Data Security) Act primarily on the breach-notification side. Massachusetts residents are covered by 201 CMR 17 on the safeguards side.

Canada — federal and provincial

  • Federal (PIPEDA). Right of access and correction (PIPEDA Schedule 1 Principles 9 and 4.9).
  • Quebec. Access and rectification (Law 25 arts. 27–30) and data portability (Law 25 art. 28.1; in force since 22 September 2024).
  • Ontario. PHIPA s.52 applies primarily to administrative records we hold about you, since PHI (personal health information) flows under your control as custodian.
  • British Columbia / Alberta. Access and correction rights (BC PIPA s.23; AB PIPA s.24).
  • Other provinces (MB / NB / NL / NS / PE / SK / YT / NT / NU). Equivalent provincial or territorial rights apply.

EU / EEA / UK / Switzerland (Universkin leg only)

Because Universkin SAS operates the application from France, the leg of the processing that takes place there is in GDPR scope by virtue of Universkin's establishment in France. You can exercise GDPR Arts. 15–22 rights (access, rectification, erasure, restriction, portability, objection, and the right not to be subject to a solely automated decision) against that processing through dpo@universkin.com. Equivalent rights apply under UK GDPR and the Swiss revFADP / nFADP (revised / new Federal Act on Data Protection). Phiusion is not targeting EU/EEA/UK/CH residents as customers; this is a sub-processor leg only.

Right to lodge a complaint. You can also complain to a supervisory authority — see §13.

7. How long we keep your data

We keep your data only as long as we need it. The schedule below is the same one we publish in our internal Retention Schedule (available to regulators and to data subjects on request); these are the rows that apply to you.

  • Category: Active account data. Retention: while your account is active, plus 7 years after closure. Reason: HIPAA BAA minimum, plus a buffer for audit. For pure-Canadian practitioners (no HIPAA PHI), retention is set by PIPEDA Principle 5 plus Canadian tax law (6-year horizon).
  • Category: Billing and order records. Retention: 7 years from the order date. Reason: US and Canadian tax law.
  • Category: Support communications. Retention: 3 years from your last contact. Reason: PIPEDA reasonable-period standard.
  • Category: Consent records (your acceptances of this notice and others). Retention: 7 years past withdrawal. Reason: HIPAA §164.530(j) and Quebec Law 25.
  • Category: Marketing-email consent records. Retention: 3 years from withdrawal. Reason: CASL.
  • Category: Security and breach-detection logs. Retention: per the internal Breach Notification Playbook (available to regulators and to data subjects on request); non-Quebec records 6 years, Quebec-affected records indefinite. Reason: HIPAA §164.530(j); Law 25 art. 3.8.
  • Category: DSAR (data-subject access request) logs. Retention: 3 years past resolution. Reason: PIPEDA and GDPR.

When the retention period ends, we delete the data or aggregate it into non-identifying form. Where deletion is technically constrained (some backup systems do not allow targeted deletion), we isolate the data, restrict access, and let it age out on the backup schedule.

8. How we protect your data

We apply the controls required by HIPAA Security Rule §§164.302–318, PIPEDA Schedule 1 Principle 7, and GDPR Art. 32, including:

  • TLS 1.2 or higher for all data in transit.
  • AES-256 encryption at rest for all stored records.
  • Row-Level Security ("RLS", a database-level access control that limits each row to its rightful owner) in the database, so practitioners only see their own data.
  • MFA on your account (required, not optional).
  • Access logging on every read and write of sensitive records.
  • Annual penetration testing and continuous security monitoring.
  • Background checks and confidentiality undertakings for engineering staff with production access.
  • An incident-response plan with the notification SLAs published in our internal Breach Notification Playbook (available to regulators and to data subjects on request).

Confidentiality incidents are logged in a register maintained under Quebec Law 25 art. 3.8; affected Quebec practitioners are notified under art. 3.5 if a serious risk of injury exists.

The BAA chain — between you (the covered entity), Phiusion (your business associate), and each sub-processor we use — is documented in our HIPAA Business Associate Agreement and our Data Processing Agreement. The piece between Phiusion and Universkin is in our BAA and DPA with Universkin SAS (available to regulators and to data subjects exercising access rights on request).

9. Children's data

Phiusion is B2B software for licensed health professionals. We do not knowingly collect personal information from anyone under 18, and practitioner accounts must represent age-of-majority licensed practitioners. If we discover that a person under 18 has somehow signed up, we will close the account and delete the data.

Information about minor patients in your practice is governed by the Privacy Notice for Patients and is your responsibility as the custodian or controller of those records.

10. Automated decisions about you

SkinXS suggests; you decide. We do not run a model that makes a yes/no call about your patients without you in the loop. SkinXS does not analyze you, the practitioner; it analyzes your patients under the rules in the Privacy Notice for Patients. Phiusion does not run automated decision-making about practitioners.

The practitioner curation step is mandatory in the workflow — no patient-facing output is produced from SkinXS without your professional judgment overlaid on top of it. That framing means SkinXS is not within scope of the Colorado AI Act's "consequential decisions" category in healthcare, because the consequential decision (if there is one) is made by you under your license, not by the software. It also means Law 25 art. 12.1 does not require us to surface a "right to human review" prompt, because the human review is the workflow. (GDPR Art. 22; Quebec Law 25 art. 12.1; Colorado AI Act, effective February 2026.)

If automated processing of your data ever produced a decision with legal or similarly significant effects on you, GDPR Art. 22(3) would give you the right to obtain human intervention, to express your point of view, and to contest the decision. No such processing happens today.

We will tell you in this notice and in the Privacy Notice for Patients if this ever changes.

11. Privacy Officer and Data Protection Officer

Universkin SAS has appointed Maître Eric ELABD as its Data Protection Officer ("DPO") in compliance with GDPR Art. 37. The contact details published here (and in §13 below) also satisfy the public-publication prong of GDPR Art. 37(7); the corresponding notification to the Commission Nationale de l'Informatique et des Libertés ("CNIL", the French supervisory authority) is administered by Universkin SAS. Phiusion Labs will name a Privacy Officer in compliance with Quebec Law 25 art. 3.1 before any Quebec practitioner onboards.

  • Privacy Officer (Phiusion Labs): Jonathan Garbutt, privacy@phiusionlabs.app.
  • Data Protection Officer (Universkin SAS, France): Maître Eric ELABD, +33 (4) 93.00.11.96, dpo@universkin.com.

You may write to either office; we route internally to the right person.

12. Updates to this notice

We use semantic versioning to manage updates:

  • Major version (X.0.0) — material change to what we collect, why, or who we share with. We will gate your next login until you have read and accepted the new version. Major changes also re-version any cross-referenced documents that the change touches.
  • Minor version (1.X.0) — clarifications, new sub-processors that do not change processing categories, new statutory anchors. We show an in-app banner and you can review the changelog at your own pace.
  • Patch version (1.0.X) — typos, formatting, broken links. No banner.

Every version is logged at /legal/changelog with the effective date and a plain-language summary of what changed.

13. Contact

For anything covered by this notice, write to:

  • Privacy Officer (Phiusion Labs): Jonathan Garbutt, privacy@phiusionlabs.app.
  • Data Protection Officer (Universkin SAS, France): Maître Eric ELABD, +33 (4) 93.00.11.96, dpo@universkin.com.

If we do not resolve a concern to your satisfaction, you can also reach the supervisory authority for your jurisdiction, grouped by region:

United States

  • US Department of Health and Human Services, Office for Civil Rights (HHS-OCR), https://www.hhs.gov/ocr/.
  • Your state Attorney General handles state consumer-privacy complaints.

Canada — federal

  • Office of the Privacy Commissioner of Canada (OPC), https://www.priv.gc.ca/.

Canada — provincial

  • Ontario: Information and Privacy Commissioner of Ontario (IPC), https://www.ipc.on.ca/.
  • Quebec: Commission d'accès à l'information du Québec (CAI), https://www.cai.gouv.qc.ca/.
  • British Columbia: Office of the Information and Privacy Commissioner of BC, https://www.oipc.bc.ca/.
  • Alberta: Office of the Information and Privacy Commissioner of Alberta, https://www.oipc.ab.ca/.
  • Manitoba: Manitoba Ombudsman, https://www.ombudsman.mb.ca/.
  • Other provinces (NB / NL / NS / PE / SK): see your provincial commissioner's website.

Canada — territorial

  • Yukon, Northwest Territories, Nunavut (YT / NT / NU): Office of the Privacy Commissioner of Canada acts as the federal supervisory authority, https://www.priv.gc.ca/.

EU

  • France (Universkin leg): Commission Nationale de l'Informatique et des Libertés (CNIL), https://www.cnil.fr/.

United Kingdom

  • Information Commissioner's Office (ICO), https://ico.org.uk/.

Switzerland

  • Federal Data Protection and Information Commissioner (FDPIC), https://www.edoeb.admin.ch/.

For related documents, see the Cookie & Tracking Notice, the Sub-Processors page, the HIPAA Business Associate Agreement, the Data Processing Agreement, and the PHIPA Audit Summary.

14. French-language version

A French version of this notice is in progress and will be made available for Quebec practitioners who prefer to receive it in French. As permitted by the Charter of the French Language art. 55 (as amended by Bill 96), Quebec practitioners may also expressly consent to receive this notice in English; English signup remains available in the meantime.