Privacy Notice (Patients)

Version 1.0.0 · Effective 2026-06-01

This notice explains what information your practitioner's office records about you when it uses the Phiusion application, what Phiusion Labs does with that information on your practitioner's behalf, and what you can ask us to do about it. It is being delivered to you at the moment your practitioner first takes a photo of you on Phiusion, which is the point at which information about you starts to flow into the application.

Phiusion is general wellness software that your practitioner uses in his or her practice. Phiusion is not a medical device. Phiusion does not make decisions about your care; your practitioner does. The skin assessment that the application shows your practitioner is information for your practitioner to consider, not an instruction. The rest of this notice covers the detail.

If you have any questions about this notice, you can raise them with your practitioner at any time, or write directly to privacy@phiusionlabs.app.

1. Who this notice is about, and who handles your information

Three parties handle information about you when your practitioner uses Phiusion. It is easier to follow the rest of this notice if you know which one is which.

  • Your treating practitioner (or your practitioner's clinic) is the party that has a direct relationship with you. Your practitioner is the controller of your records in EU language; the HIPAA covered entity in US language; the health information custodian in Ontario language under the Personal Health Information Protection Act ("PHIPA"); the custodian under Alberta's Health Information Act ("HIA"); the trustee under Manitoba's and Atlantic Canada's PHIA-equivalent statutes; and the enterprise under Quebec's Law 25. Which of those titles applies to your practitioner depends on where your practitioner practises. Your practitioner decides what goes into your wellness record and what comes out of it.
  • Phiusion Labs (Ontario, Canada) is the company that builds and supplies the application your practitioner uses. Phiusion acts as the processor / business associate / Health Information Network Provider ("HINP", a defined role under Ontario Regulation 329/04 s.6 for vendors that supply electronic services to a health-information custodian) on your practitioner's behalf. Phiusion handles your information only on your practitioner's instructions, except where the law independently requires Phiusion to act (for example, responding to a court order, or notifying a regulator about a security incident).
  • Universkin SAS (France) is Phiusion's platform operator that runs the application from France as a sub-processor. Universkin also operates the SkinXS skin-assessment service that your practitioner uses inside the application. For most of the information described in this notice, Universkin acts on Phiusion's instructions, which are themselves your practitioner's instructions. The one exception is if you tap "Yes" to the separate AI-improvement consent, in which case Universkin SAS becomes a controller in its own right for the limited purpose of improving its model — that arrangement is described in §5 and in the AI Improvement Consent.

Your practitioner's regulatory status — HIPAA covered entity, Ontario PHIPA custodian, Alberta HIA custodian, Manitoba or Atlantic trustee, Quebec enterprise, EU controller, and so on — determines which of the rules in this notice applies to your record. Where your practitioner practises matters as much as where you live.

2. What we collect about you

When your practitioner uses Phiusion during your visit, the following categories of information about you may be recorded in the application. Some categories are collected only if your practitioner enters them; others are collected automatically when your practitioner takes a photo of you.

  • Photographs of your face. A frontal photograph and a profile photograph. Your practitioner takes these on the device he or she uses for Phiusion (typically a tablet or phone). Background pixels in the photograph are removed automatically through a service called remove.bg, so the version of the photograph stored in your record is the face only.
  • Skin assessment results. When the photograph is taken, the application sends it to a service called SkinXS, which is operated by Universkin SAS in France. SkinXS produces a structured set of skin-condition indicators (for example, hydration, redness, oiliness, fine lines, age signals) and returns them to the application for your practitioner to consider. SkinXS also produces a transient face-geometry vector (sometimes called a "biometric identifier" under US state law) as part of generating those indicators — see §7 for how that vector is handled.
  • Health background. Information your practitioner records about your general health, prior procedures, medications, allergies, and anything else that informs the skin wellness conversation. The Phiusion application calls this category "Health Background" — some jurisdictions and earlier versions of the software used the term "Medical History"; the underlying data is the same.
  • Skin concerns and skin wellness goals. What you have told your practitioner you would like to address (for example, a specific area, a specific concern, or an overall outcome). Your practitioner selects from a list inside the application and adds notes.
  • Your identity. Your first name and last name are required to create your record in the application — your practitioner cannot start a wellness session without them. The following fields are optional and are collected only if your practitioner enters them, with your permission: date of birth, sex, phone number, email address, postal address, and free-text notes. Phiusion does not hold any of the optional fields unless your practitioner has entered them.
  • Wellness session record. The notes, observations, and selections your practitioner makes during the visit are saved together as a wellness session record, which the application also calls "skin wellness documentation." Your practitioner decides what goes into that record.

We do not buy any information about you from data brokers, social media, or any other outside source. Everything Phiusion holds about you was either entered by your practitioner, captured from your photograph, or generated by SkinXS during your visit.

3. What Phiusion is, and what it is not

Phiusion is software that supports your practitioner's professional judgment. It is not a medical device. It is not a diagnostic tool. The information it shows your practitioner — including the SkinXS skin assessment — is general wellness information for your practitioner to consider; it is not a clinical opinion in itself. Your practitioner reviews everything the application generates and applies his or her own professional judgment before saying or doing anything about your care. The application uses the term "skin wellness documentation" to describe the record because that is what it is: a wellness-focused record kept by your practitioner, with Phiusion as the software vendor underneath.

The application does not analyse you to detect, diagnose, treat, cure, or prevent disease. If your practitioner uses information from the application to support a clinical conversation with you, that conversation happens under your practitioner's license and professional rules, not under the software.

4. Why your practitioner and Phiusion collect this information

Information collected through Phiusion is used for the following purposes:

  • To deliver your practitioner's wellness service to you. Your practitioner uses the photographs, the SkinXS results, your health background, and your skin concerns to have a more informed conversation with you and to keep a record of that conversation. This is the primary purpose. The legal basis depends on where you and your practitioner are: HIPAA's "treatment, payment, and health-care operations" rules in the US (HIPAA §§164.502 and 164.506); GDPR Art. 9(2)(h) for preventive and occupational medicine where the EU regime is engaged; Ontario PHIPA ss. 29–37 for delivery of health care; Quebec Law 25 art. 12 for ordinary use by a private-sector enterprise.
  • To improve the SkinXS model — only if you opt in. Universkin SAS may use your photograph and the corresponding face-geometry vector to train and improve the SkinXS model only if you tap "Yes" on the separate AI-improvement consent screen. The legal basis for this use is your express consent under GDPR Art. 9(2)(a), your HIPAA authorization under §164.508, and (where you reside in Washington State) your separate authorization under WA-MHMDA §19.373.030. You can withdraw this consent at any time without affecting your care — see §11.
  • To meet biometric-information laws in certain US states. If you live in Illinois, Texas, Washington State, or another state with a biometric or consumer-health regime listed in §8, additional rules apply to how the face-geometry vector and other "biometric identifiers" are handled, even when the vector is not retained. Those rules are described in §7 and §8.
  • To secure the application and detect incidents. Phiusion logs access to your record and monitors for security incidents. The legal basis is the HIPAA Security Rule (§§164.302–318), GDPR Art. 32, and PIPEDA Schedule 1 Principle 7.
  • To meet legal obligations. Where the law requires Phiusion (or your practitioner) to keep certain records, respond to subpoenas, or notify a regulator about a security incident, we do so. The legal basis is the relevant statute itself.

Phiusion does not use your information for advertising, does not sell your information, and does not share your information with social-media platforms or data brokers.

Required vs. optional, and what happens if you say no (GDPR Art. 13(2)(e)). Your first name and last name are required for your practitioner to create your record in the application; without them, the practitioner cannot start a wellness session for you. The photograph and the skin assessment are required for the SkinXS-supported wellness workflow; if you decline the photograph, your practitioner will offer you the same care through his or her normal non-application process. Your health background and skin concerns are required only to the extent your practitioner needs them for your care; you can decline any individual question. The remaining contact fields (date of birth, sex, phone, email, postal address, notes) are optional. The AI-improvement consent is entirely optional and has no effect on your care.

5. Who handles your information, and where

Your information stays inside a small set of named service providers.

  • Universkin SAS (France) operates the Phiusion application and the SkinXS service from France. Storage region: EU.
  • Supabase, Vercel, Sentry, Stripe, SendGrid (Twilio), AfterShip, remove.bg, Google Maps — the named vendors Phiusion uses to keep the application running. Each one is listed by service, storage region, and contractual safeguards on the Sub-Processors page.
  • Anthropic (Claude) — Phiusion uses Anthropic's language model to help generate plain-language summaries of skin-assessment categories. Only text — not photographs — is sent to Anthropic, and the Zero Data Retention setting is on; see the Sub-Processors page.

We do not share your information with anyone else except where we are required to by law (a subpoena, court order, or comparable instrument), or with your written authorization. The BAA (the HIPAA-required contract between a covered entity and a vendor handling protected health information) and DPA (the GDPR Art. 28 equivalent) between Phiusion Labs and Universkin SAS are available to regulators and to data subjects exercising access rights on request.

5.1 Cross-border data flows in plain language

Your information may travel between three regions, depending on the service:

  • Your practitioner's office → Phiusion Labs (Canada): this is the customer-to-vendor leg. If your practitioner is in the US, this is a US-to-Canada flow.
  • Phiusion Labs (Canada) → Universkin SAS (France): Phiusion's platform operator operates the application from France, so most of the application's data path passes through France.
  • Universkin SAS (France) → US-based sub-processors (Supabase, Vercel, Stripe, SendGrid, Sentry, AfterShip, Anthropic, Google Maps): some of the named vendors store data in the United States.

Each of those flows is covered by a specific legal mechanism, and these mechanisms are distinct (not interchangeable):

  • Canada → EU (France): the European Commission's PIPEDA-adequacy decision permits the transfer without a further mechanism.
  • EU (Universkin SAS) → US sub-processors: Standard Contractual Clauses ("SCCs", the European Commission's pre-approved contractual safeguards; Module 2 controller-to-processor or Module 3 processor-to-processor as appropriate), plus EU-US Data Privacy Framework ("DPF", a self-certification regime that legitimises EU-to-US transfers to participating US vendors) where the vendor participates, plus a per-vendor Transfer Impact Assessment ("TIA", a documented analysis of US law and supplementary measures) on file. Supplementary measures (encryption in transit and at rest, pseudonymisation of telemetry, contractual challenge-and-notify obligations) are applied per European Data Protection Board Recommendations 01/2020 — issued in response to the EU's case-law requirement for extra safeguards when personal data leaves the EU for the United States, commonly called "Schrems II."
  • Canada (Phiusion Labs) → US sub-processors: PIPEDA Schedule 1 Principle 4.1.3 contractual flowdowns ensuring a comparable level of protection. This is not the same mechanism as EU SCCs.
  • UK → US sub-processors: the UK International Data Transfer Agreement ("IDTA") or the UK Addendum to the EU SCCs.
  • Switzerland → US sub-processors: SCCs recognised by the Swiss Federal Data Protection and Information Commissioner ("FDPIC"), or the Swiss extension of the EU-US DPF.

For patients in Quebec: before Phiusion enables Quebec onboarding, a written Privacy Impact Assessment ("PIA", required under Law 25 art. 17) covering the cross-border processing of Quebec patients' information will be filed. The French-language version of this notice will also be published before the Quebec launch; see §17.

6. US state consumer-health and consumer-privacy laws

Several US states have laws that add to HIPAA's rules. Those laws are keyed to your state of residence, not where your practitioner practises. The table below lists each state law and the additional rights it gives you if you live in that state.

Phiusion does not ask your practitioner to record your state of residence. Asking would add friction at intake and would still be wrong some of the time (travel, recent moves, walk-ins). Instead, Phiusion applies the strictest of these state-law protections to every patient, universally, regardless of where you live — so that the same high-bar treatment reaches everyone, and so that no patient is under-protected because of an intake form. The state-specific rights (access, correction, deletion, portability, opt-out signals, private rights of action, etc.) are still yours to exercise based on your actual residence — you just need to tell us where you live when you reach out (see §11). Phiusion will then handle the request under the state law that applies to you.

State | Statute | What it adds for residents of that state
California | CCPA / CPRA (California Consumer Privacy Act / California Privacy Rights Act), Cal. Civ. Code §§ 1798.100 et seq.; CMIA (California Confidentiality of Medical Information Act) | Consumer rights to know, access, correct, delete; sensitive-personal-information opt-out; CMIA limits on disclosure of medical information
Washington | WA-MHMDA (My Health My Data Act), RCW 19.373 | Separate authorization required to share consumer-health data; geofencing of health facilities prohibited; private right of action
Connecticut | CT-DPA (Connecticut Data Privacy Act) | Sensitive-data opt-in; access, correction, deletion, portability
Colorado | CO-CPA (Colorado Privacy Act) | Sensitive-data opt-in; universal-opt-out-signal recognition; opt-out of sale, targeted advertising, and profiling
Nevada | NV-SB370 (Senate Bill 370, codified at NRS 603A.300–360) | Consumer-health-data definition; no sale without authorization; geofencing prohibition
Oregon | OR-OCPA (Oregon Consumer Privacy Act) | Sensitive-data opt-in; access, correction, deletion, portability
Maryland | MD-MODPA (Maryland Online Data Privacy Act) | Strict consumer-health rules; minor-protection provisions; data-minimisation

What the "universal high-bar" looks like in practice:

  • We treat every patient's photos and skin assessment as if WA-MHMDA applied — sharing for AI improvement requires the separate opt-in described in §4 and §7.
  • We treat every patient's biometric handling as if BIPA applied — ephemeral by default; retained only with explicit written release; described in §7 and §8.
  • We treat every sensitive-data category as if CT/CO/OR/MD opt-in rules applied — opt-in consent is the default for AI improvement and any optional processing.
  • We never sell or share personal information for cross-context behavioural advertising (as those terms are defined under CCPA/CPRA, Cal. Civ. Code §§ 1798.140(ad) and 1798.140(ah)) — for any patient, anywhere.
  • We do not operate geofencing of health facilities (relevant under WA-MHMDA and NV-SB370) — for any patient, anywhere.
  • We honour the Global Privacy Control ("GPC", a browser-set universal-opt-out signal) on any non-essential category that would otherwise be on by default. This is explicitly required for California, Colorado, and Connecticut residents (CCPA Reg. §7025; CO-CPA + 4 CCR 904-3 Rule 5.06; CT-DPA §6(e)(1)(A)); we apply it everywhere. See the Cookie & Tracking Notice §3.1.

7. Biometric information — what happens to your face-geometry vector

When SkinXS analyses your photograph, it computes a face-geometry vector — a numerical representation of the geometry of your face that is used to derive the skin-assessment indicators in §2. Several US state laws treat that vector as a regulated "biometric identifier" even though Phiusion does not use it to identify you and does not match it against any database. Quebec Law 25 art. 12 also imposes specific rules on biometric processing.

Phiusion handles this vector in one of two modes:

  • Default — ephemeral. The vector is computed during the SkinXS API call and is not persisted past the request. It exists in memory only long enough to produce the assessment, and is then discarded. This is the default for every patient.
  • Opt-in — retained for AI-model improvement. If you tap "Yes" on the AI Improvement Consent, the vector and the underlying photograph are retained by Universkin SAS for up to five years from the date you gave consent, or until 30 days after you withdraw consent — whichever comes first.

Because the default is ephemeral, Phiusion's BIPA §15(a) destruction obligation is satisfied through non-persistence for every patient who does not opt in.

The full retention and destruction policy is published at the Biometric Retention & Destruction Policy, as required by Illinois BIPA §15(a) for any business that handles biometric identifiers.

8. Biometric and consumer-health protections we apply universally

Phiusion applies the protections below to every patient, regardless of state of residence. Each protection is sourced from a state law that would otherwise apply only to residents of that state; we extend it to everyone so that no patient is under-protected because the intake form didn't ask their state.

Where capture-location-keyed laws apply (BIPA in Illinois; CUBI in Texas; WA RCW 19.375 in Washington), the relevant trigger is where the photograph is taken — that is the location your practitioner is in when they take your photograph, which Phiusion already records.

  • BIPA-equivalent biometric handling (sourced from Illinois 740 ILCS 14). Phiusion processes face-geometry vectors through SkinXS. Default-ephemeral vectors are destroyed within the SkinXS request lifetime, well within BIPA §15(a)'s three-year-or-purpose-fulfilled outer limit. Where you opt in to AI-model improvement, a written release is obtained through the AI Improvement Consent. The public retention and destruction policy is the Biometric Retention & Destruction Policy. Disclosure to third parties is limited to the named sub-processors in §5 acting on Phiusion's instructions. If you are an Illinois resident, you have a private right of action under BIPA §20 against any violation.
  • CUBI-equivalent retention discipline (sourced from Texas Bus. & Com. Code §503.001). Retained vectors are destroyed within one year of the purpose being fulfilled or consent being withdrawn, whichever comes first.
  • WA-19.375 HIPAA exemption framing (sourced from Washington RCW 19.375). Where your photograph is captured by your practitioner as a HIPAA covered entity for treatment, payment, or health-care operations, the statutory HIPAA exemption from WA-19.375 applies. Outside that scope (for example, the AI-improvement-opt-in leg), retained vectors are handled under the BIPA-equivalent destruction rules above.
  • WA-MHMDA-equivalent authorization for sharing consumer-health data (sourced from Washington RCW 19.373). A separate consumer-health-data authorization is obtained through the AI Improvement Consent for any sharing beyond what the law permits without authorization. Phiusion does not operate geofencing of health-care facilities (RCW 19.373.060). If you are a Washington resident, you have a private right of action under WA-MHMDA via the Consumer Protection Act (RCW 19.86).
  • CT-DPA / CO-CPA / OR-OCPA / MD-MODPA-equivalent sensitive-data opt-in (sourced from Conn. Gen. Stat. §42-515; Colo. Rev. Stat. §6-1-1304; ORS 646A.578; Md. Code Com. Law §14-4607). Sensitive data — which includes the biometric and health categories described in §2 — is collected on an opt-in basis. The opt-in surface is this notice plus the AI Improvement Consent surface it cross-references.
  • CO-CPA + GPC-equivalent universal-opt-out recognition (sourced from 4 CCR 904-3 Rule 5.06; CCPA Reg. §7025; CT-DPA §6(e)(1)(A)). We honour the Global Privacy Control browser signal on any non-essential category that would otherwise be on by default; see Cookie & Tracking Notice §3.1.
  • NV-SB370-equivalent no-sale-of-consumer-health-data (sourced from NRS 603A.300–360). Phiusion does not sell consumer health data and does not deploy geofencing of health-care facilities. Our consumer-health-data definition matches the NRS 603A.300–360 scope.
  • MD-MODPA-equivalent minor-protection (sourced from Maryland Md. Code Com. Law §14-4607). If you are a minor (under 18, or under the age of majority where your practitioner practises, whichever is higher), additional protections in §12 apply.
  • CMIA-equivalent medical-information disclosure limits (sourced from California Cal. Civ. Code §§ 56–56.37). Disclosure of "medical information" is limited to the purposes authorized by CMIA §56.10, including treatment, payment, and health-care operations through your practitioner.
  • SHIELD-equivalent safeguards (sourced from New York Gen. Bus. Law §§ 899-aa and 899-bb). Reasonable safeguards (encryption, access control, breach detection) and breach-notification obligations are in place; see §13 and the internal Breach Notification Playbook (available to regulators and to data subjects on request).
  • MA 201 CMR 17-equivalent Information Security Program (sourced from Massachusetts 201 CMR 17.03). A written Information Security Program is maintained and reviewed annually.

How residents exercise state-specific rights. The state-specific rights listed in §6 (access, correction, deletion, portability, etc.) are still residence-keyed by law. To exercise them, write to privacy@phiusionlabs.app and tell us which state you live in — we will handle the request under that state's law. See §11 for the full procedure.

9. If you live in Canada

Different provinces have different rules. Read the entry that matches where you live.

  • Federal — PIPEDA. Right of access (PIPEDA Schedule 1 Principle 9) and right of correction (Principle 4.9) apply through your practitioner.
  • Ontario — PHIPA. Your treating practitioner is the custodian of your personal health information. PHIPA s.52 gives you the right to request access; PHIPA s.55 gives you the right to request correction. Phiusion publishes its PHIPA s.6(3) services description, safeguards summary, and audit summary at the PHIPA Audit Summary.
  • Quebec — Law 25. You have the right of access (arts. 27–30), the right of rectification, and the right to data portability (art. 28.1; in force since 22 September 2024). Biometric processing — including the SkinXS face-geometry vector — is regulated by Law 25 art. 12, which requires express consent. A 60-day pre-notification to the Commission d'accès à l'information du Québec ("CAI") will be filed before any biometric processing of Quebec patients begins. Phiusion will also file a PIA (Privacy Impact Assessment, required under Law 25 art. 17) and publish a French-language version of this notice (Charter of the French Language arts. 51–52, as amended by Bill 96; Law 25 art. 8) before any Quebec patient is invited onto the platform — see §17.
  • British Columbia / Alberta. Right of access and correction under BC PIPA s.23 and AB PIPA s.24, plus, in Alberta, the Health Information Act ("HIA") where your practitioner is a custodian under that statute.
  • Manitoba / New Brunswick / Newfoundland and Labrador / Nova Scotia / Prince Edward Island / Saskatchewan. Equivalent provincial rights apply, including under the PHIA-equivalent statutes where your practitioner is a trustee under the relevant provincial Personal Health Information Act.

If your practitioner practises in a province with a public-sector or trustee-style health-information statute (Alberta HIA, Manitoba PHIA, the Atlantic provinces' PHIA-equivalents), your practitioner is the trustee or custodian of your record under that statute, and Phiusion supports your practitioner as a vendor with a bilateral agreement.

10. If you are in the EU/EEA, the UK, or Switzerland

Phiusion is not marketing the application to patients in the EU, the EEA, the UK, or Switzerland today. The reason this notice covers those regions is that Universkin SAS, the company that operates the application from France, is established in the EU and is therefore in scope of GDPR when it processes information about you. If your practitioner uses Phiusion while you are present in one of those regions, you can exercise the following rights against the Universkin processing leg by writing to dpo@universkin.com:

  • Access (GDPR Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20), and objection (Art. 21).
  • Withdrawal of consent for any processing whose lawful basis is your consent (Art. 7(3)) — withdrawal does not affect anything done before you withdrew.
  • The right not to be subject to a decision based solely on automated processing producing legal or similarly significant effects (Art. 22). Phiusion does not make such decisions about you; SkinXS suggests, your practitioner decides — see §14 for the conditional disclosure that Art. 22(3) requires if that ever changed.
  • The right to lodge a complaint with a supervisory authority — see §16.

Equivalent rights apply under UK GDPR and the revised / new Swiss Federal Act on Data Protection ("revFADP" / "nFADP").

11. How to exercise your rights

The primary route is through your practitioner, because your practitioner is the controller / covered entity / custodian / trustee of your record. Your practitioner has direct access to your information through the application and can answer access, correction, and amendment requests.

If your practitioner is unable to respond, or if your request relates to Phiusion's own processing (for example, security logs, or the cross-border flow described in §5), you can write directly to:

  • Privacy Officer (Phiusion Labs): Jonathan Garbutt, privacy@phiusionlabs.app.
  • Data Protection Officer (Universkin SAS, France): Maître Eric ELABD, +33 (4) 93.00.11.96, dpo@universkin.com.

We will respond within 30 days. We may extend the deadline where the law allows — HIPAA §164.524(b)(2) permits a 30-day extension; GDPR Art. 12(3) permits a 60-day extension for complex requests; PHIPA s.54 has its own timeline. If we extend, we will tell you why.

Tell us where you live. Phiusion does not record your state or province of residence at intake (see §6 for why). When you contact us to exercise a state- or province-specific right, please include your current state or province so we can handle the request under the law that applies to you. If we cannot confirm your residence, we will still process the request, under HIPAA if your practitioner is in the US or under the law of your practitioner's province if your practitioner is in Canada — that may give you fewer rights than the law of your actual residence would, which is why it helps to tell us.

The specific rights you can exercise depend on where you live:

  • US — HIPAA. Right of access to your designated record set (HIPAA §164.524); right of amendment (§164.526); right to an accounting of disclosures (§164.528); right to revoke an authorization you have given for non-routine uses, including the AI-improvement authorization (§164.508(b)(5)). These rights are exercised through your practitioner as the covered entity; Phiusion as the business associate supports your practitioner in fulfilling them.
  • US — state. The state-consumer-health rights in §6 and §8 (CCPA / CPRA, CMIA, WA-MHMDA, CT-DPA, CO-CPA, NV-SB370, OR-OCPA, MD-MODPA, NY-SHIELD, MA 201 CMR 17).
  • Canada. PIPEDA, PHIPA, Law 25, BC PIPA, AB PIPA, and the other provincial regimes in §9.
  • EU / EEA / UK / CH. GDPR Arts. 15–22 (and UK / Swiss equivalents) on the Universkin processing leg — see §10.

You can also withdraw any consent you have given (for example, the AI Improvement Consent) at any time through the Consent Withdrawal flow, by asking your practitioner, or by writing to the Privacy Officer. Withdrawing consent does not affect anything done before the withdrawal, and does not affect your care.

12. If the patient is a minor

If the patient is under the age of majority in the jurisdiction where care is delivered, a parent or legal guardian acts on the patient's behalf under HIPAA's personal-representative rules (§164.502(g)), Quebec's age-of-consent rules under the Civil Code, and equivalent provincial provisions. Phiusion does not knowingly process information about a minor patient without the proper authorization from a parent or guardian (or, where applicable, the mature-minor consent permitted by the relevant province). Maryland's MD-MODPA provides additional minor-protection rules where the minor is a Maryland resident.

13. How your information is protected

Phiusion applies the controls required by the HIPAA Security Rule (§§164.302–318), PIPEDA Schedule 1 Principle 7, and GDPR Art. 32. The full list lives in the Privacy Notice for Practitioners §8; the headline controls are: TLS 1.2 or higher in transit, AES-256 at rest, Row-Level Security ("RLS", a database-level access control that limits each row to its rightful owner) so a practitioner only sees his or her own patients, MFA required on every practitioner account, access logging on every read and write of your record, annual penetration testing, and an incident-response plan with the notification timelines published in our internal Breach Notification Playbook (available to regulators and to data subjects on request).

In the event of a confidentiality incident affecting your information, the timelines and notification routes that apply to you are:

  • HIPAA Breach Notification Rule (§§164.400–414): US patients are notified by their practitioner (the covered entity) without unreasonable delay and within 60 days, with Phiusion supporting your practitioner's notification.
  • Quebec Law 25 art. 3.5: Quebec patients are notified directly where a serious risk of injury exists, and the incident is logged in the register required by art. 3.8.
  • State breach laws (NY SHIELD, MA 201 CMR 17, and equivalents): the applicable state timeline is followed.
  • GDPR Arts. 33–34: for the Universkin processing leg, the supervisory authority is notified within 72 hours where required, and data subjects are notified directly where a high risk to their rights exists.

14. Automated decisions

Phiusion does not make automated decisions about your care. SkinXS produces structured skin-assessment information for your practitioner to consider; your practitioner reviews that information, applies professional judgment, and decides what to discuss with you. The practitioner-curation step is mandatory in the workflow — no patient-facing output is produced from SkinXS without your practitioner's professional judgment overlaid on top of it. That framing means SkinXS is not within scope of the Colorado AI Act's "consequential decisions" category in healthcare, because the consequential decision (if there is one) is made by your practitioner under his or her license, not by the software. It also means Law 25 art. 12.1 does not require us to surface a "right to human review" prompt, because the human review is the workflow.

If Phiusion ever introduced a process that produced a decision about you by automated means alone, GDPR Art. 22(3) would give you the right to obtain human intervention, to express your point of view, and to contest the decision. No such processing happens today. We will say so in this notice if that ever changes.

15. How long your information is kept

Retention is set by your practitioner as the custodian / covered entity / controller of your record, in line with the medical-record-retention laws of the jurisdiction in which your practitioner practises (usually 6–10 years from the last visit, longer for minors). Phiusion holds your information only as long as your practitioner's record requires.

The schedule for the categories Phiusion processes on your behalf is published in our internal Retention Schedule (available to regulators and to data subjects on request). The headline rules are:

  • Photographs and skin-assessment results: retained for as long as your practitioner retains the underlying wellness record, then deleted when your practitioner closes the record.
  • Face-geometry vectors: ephemeral by default (not persisted past the SkinXS request); retained for up to five years from consent, or 30 days after withdrawal, on the AI-improvement-opt-in leg.
  • Security and breach-detection logs: non-Quebec records 6 years (HIPAA §164.530(j)); Quebec-affected records indefinite (Law 25 art. 3.8).
  • Consent records (your acceptances of this notice, the AI-improvement consent, and so on): 7 years past withdrawal.

When a retention period ends, the data is deleted, or aggregated into non-identifying form, or — where backup systems do not allow targeted deletion — isolated, access-restricted, and aged out on the backup schedule.

16. Contact and supervisory authorities

For anything covered by this notice, write to:

  • Privacy Officer (Phiusion Labs): Jonathan Garbutt, privacy@phiusionlabs.app.
  • Data Protection Officer (Universkin SAS, France): Maître Eric ELABD, +33 (4) 93.00.11.96, dpo@universkin.com.

Universkin SAS has appointed Maître Eric ELABD as its Data Protection Officer ("DPO") in compliance with GDPR Art. 37. The contact details above also satisfy the public-publication prong of GDPR Art. 37(7); the corresponding notification to the Commission Nationale de l'Informatique et des Libertés ("CNIL", the French supervisory authority) is administered by Universkin SAS. Phiusion Labs will name a Privacy Officer in compliance with Quebec Law 25 art. 3.1 before any Quebec patient is invited onto the platform; until that individual is named, the placeholder above is current.

If we (or your practitioner) do not resolve a concern to your satisfaction, you can also reach the supervisory authority for your jurisdiction:

United States

  • US Department of Health and Human Services, Office for Civil Rights (HHS-OCR), https://www.hhs.gov/ocr/.
  • Your state Attorney General handles state consumer-privacy complaints.
  • Federal Trade Commission, for matters within the FTC Health Breach Notification Rule (16 CFR Part 318), https://www.ftc.gov/.

Canada — federal

  • Office of the Privacy Commissioner of Canada ("OPC"), https://www.priv.gc.ca/.

Canada — provincial

  • Ontario: Information and Privacy Commissioner of Ontario ("IPC"), https://www.ipc.on.ca/.
  • Quebec: Commission d'accès à l'information du Québec ("CAI"), https://www.cai.gouv.qc.ca/.
  • British Columbia: Office of the Information and Privacy Commissioner of BC, https://www.oipc.bc.ca/.
  • Alberta: Office of the Information and Privacy Commissioner of Alberta, https://www.oipc.ab.ca/.
  • Manitoba: Manitoba Ombudsman, https://www.ombudsman.mb.ca/.
  • Other provinces (NB / NL / NS / PE / SK): see your provincial commissioner's website.

Canada — territorial

  • Yukon, Northwest Territories, Nunavut (YT / NT / NU): the OPC acts as the federal supervisory authority, https://www.priv.gc.ca/.

EU

  • France (Universkin leg): CNIL, https://www.cnil.fr/.

United Kingdom

  • Information Commissioner's Office ("ICO"), https://ico.org.uk/.

Switzerland

  • FDPIC, https://www.edoeb.admin.ch/.

For related documents, see the Privacy Notice for Practitioners, the Cookie & Tracking Notice, the Sub-Processors page, the Patient Photo Consent, the AI Improvement Consent, the Biometric Retention & Destruction Policy, the Consent Withdrawal flow, and the PHIPA Audit Summary.

17. French-language version

A French version of this notice will be published before any Quebec patient receives it. Patient-facing notices in Quebec must be available in French under the Charter of the French Language arts. 51–52 (as amended by Bill 96) and Quebec Law 25 art. 8; we treat this as a hard precondition for the Quebec patient surface. Practitioner-facing onboarding is not gated on this work.

18. Updates to this notice

We use semantic versioning to manage updates:

  • Major version (X.0.0) — material change to what we collect, why, or who we share with. The next time the application is used to record a wellness session for you, the new version will be delivered to you and your acknowledgment will be recorded again before any new information is added to your record.
  • Minor version (1.X.0) — clarifications, new sub-processors that do not change processing categories, new statutory anchors. An in-app banner notifies your practitioner; you can read the changelog at your own pace.
  • Patch version (1.0.X) — typos, formatting, broken links. No banner.

Every version is logged at /legal/changelog with the effective date and a plain-language summary of what changed.

Appendix A — Delivery evidence

When this notice is delivered to you at first photo capture, the application records a timestamped acknowledgment with:

  • The exact version of this notice that was on screen (so you can come back and read the precise text you saw).
  • The timestamp of the acknowledgment.
  • The capture method (in-application acknowledgment vs. printed copy initialled in-clinic vs. emailed PDF copy).
  • An immutable PDF snapshot of the notice as rendered to you, archived alongside the acknowledgment record (so that even if this page is later updated, the version you saw is preserved).

You can ask your practitioner or the Privacy Officer for a copy of your acknowledgment record at any time.