Dermi Privacy Policy
How we protect your privacy and handle your data
1. Introduction
Dermi Inc. ("Dermi," "we," "us") collects and manages user data according to this Policy.
Compliance Framework:
- For Dermi: As a Canadian commercial organization, Dermi complies with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws (including the Act Respecting the Protection of Personal Information in the Private Sector in Quebec) regarding the collection of your Account Data. Where Dermi collects or handles personal information of Australian users, Dermi also complies with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Where Dermi collects or handles personal information of New Zealand users, Dermi also complies with the Privacy Act 2020 (New Zealand) and its Information Privacy Principles. Where Dermi collects or handles personal data of Swiss users, Dermi also complies with the Swiss Federal Act on Data Protection (FADP).
- For Users: This policy addresses users in Canada, the United States, Australia, New Zealand, and Switzerland.
This policy covers data collected through:
- Dermi Portal and Dermi Atlas Cloud Demo (Cloud Services)
- Dermi Atlas Professional and Dermi Atlas Manager (On-Premises Software)
- Dermi Atlas Companion (iOS Mobile Application)
- The Dermi website (
dermi.ai), including newsletter subscriptions
2. Information Collection
A. Cloud Services (Portal & Cloud Demo)
We collect:
- Account Data: Name, email, hashed password, organization details.
- Billing Data: Payment method details are collected and processed by our third-party payment processor, Stripe, Inc. Dermi does not store or have access to full card numbers. Stripe's collection and use of your payment information is governed by the Stripe Privacy Policy.
- Usage Logs: Login history, IP addresses, interaction logs.
- Anti-Abuse Verification Data: Sign-in, registration, and password-recovery pages in the Cloud Services are protected by Cloudflare Turnstile, a bot-protection service operated by Cloudflare, Inc. When a protected page is used, Cloudflare processes technical signals from the browser (IP address and browser and device characteristics) to distinguish human visitors from automated traffic. Turnstile does not use advertising cookies and is not used for cross-site profiling.
- Marketing Communications Data: If you subscribe to the Dermi newsletter through the
dermi.aiwebsite, Dermi collects your email address together with the IP address and User-Agent of the submitting browser, used solely for delivery, anti-abuse, and rate-limiting purposes. You may unsubscribe at any time by contacting privacy@dermi.ai.
B. On-Premises Software (Atlas Professional & Atlas Manager)
- Local Data Separation: Patient data, medical images, and clinical notes entered into Dermi Atlas Professional are stored LOCALLY on your infrastructure. Dermi does not access, collect, or store this data on our servers.
- Administrative & Security Telemetry: To provide license verification and account security features (such as 2FA configuration, password resets, and account change confirmations), the software transmits specific administrative data to Dermi infrastructure.
- Data Transmitted: License token, username, email address, request type, non-sensitive confirmation tokens (for link validation), and technical client metadata (IP address, User Agent, Timezone).
- No Health Information: Protected Health Information (PHI), Personal Health Information, Australian "sensitive information" (including "health information") as defined under the Privacy Act 1988 (Cth) and applicable Australian state and territory health records legislation, "health information" as defined by the Health Information Privacy Code 2020 (New Zealand), and personal data concerning health as defined by the Swiss Federal Act on Data Protection are never included in these requests.
C. Dermi Atlas Companion (iOS Application)
The Dermi Atlas Companion is a native iOS application that connects to a Dermi Atlas Professional server on your local network, or, optionally, to the Dermi Atlas Cloud Demo. The Companion App operates as a thin client. Health Information accessed through the Companion App is fetched from, and remains on, the Atlas server you connect to. The Companion App does not transmit Health Information to Dermi.
- Layered Consent. The Companion App is downloadable and installable without account creation. Before any account-bearing or data-bearing feature is available, you must complete an explicit acceptance step: account registration in the Dermi Atlas Cloud Demo or in a Dermi Atlas Professional instance, each of which requires you to affirmatively accept the Terms of Service and this Privacy Policy at the point of registration; or, for each session of Cloud Demo use, the Dermi Atlas Cloud Demo Disclaimer.
- Data Stored on the Device. Server names, hostnames, ports, color and icon preferences, certificate fingerprints, LAN certificates that you have trusted, and user preferences. No patient data, no images, and no account credentials are persisted to the device filesystem outside the iOS WebKit session and standard browser caches.
- iOS Permissions. Local Network access (to reach your Atlas server); Camera (only when you initiate a capture); Photo Library (only when you choose to upload). The Companion App contains no analytics, telemetry, advertising, or crash-reporting SDKs.
- Transmission to Dermi. The Companion App does not contact Dermi-operated servers other than (i) optionally connecting to
demo.atlas.dermi.aiwhen you enable the Cloud Demo preference, and (ii) when you tap a help or legal link that opens a Dermi-hosted page in your browser.
3. How We Use Your Information
We use collected data to:
- Provide and secure the Services.
- Process payments and verify licenses.
- Deliver transactional and security emails (e.g., 2FA configuration, password resets).
- Send administrative and support emails.
- Comply with legal obligations.
We do not sell your personal information. We do not disclose personal information to third parties for their advertising purposes, except for the advertising and conversion measurement described in Section 11 (Cookies and Analytics).
4. Disclosure of Information
We share information with:
- Sub-Processors: Infrastructure, distribution, anti-abuse, analytics, and advertising measurement providers (AWS, MongoDB, Stripe, Postmark, Cloudflare, Apple, Vercel, Google). For a complete list and the categories of data shared with each, refer to the Dermi Sub-Processors document.
- Legal Authorities: If required by law.
- Business Transfers: In the event of a merger or acquisition.
5. Sub-Processors
We use third-party sub-processors. For a comprehensive list including data categories, please refer to the Dermi Sub-Processors document. Payment processing is handled by Stripe, Inc.; for details on how Stripe processes personal data, refer to the Stripe Privacy Policy.
6. Data Retention
- Account Data: Retained while active. Deleted within 30 days after account closure.
- Demo Data: Patient records, entries, images, and clinical metadata uploaded to the Dermi Atlas Cloud Demo are purged on a regular schedule (no less frequently than once per week) and may also be wiped without notice for maintenance or operational reasons. Account credentials, user preferences, and acceptance logs in the Cloud Demo are preserved separately and follow the Account Data retention rule above.
- Newsletter Data: Email addresses are retained until you unsubscribe. The IP address and User-Agent associated with a subscription event are retained for no longer than 12 months and used solely for anti-abuse and rate-limiting purposes.
- Transmission Logs: Logs regarding emails sent and API requests processed are retained for no longer than 90 days for security auditing and delivery troubleshooting.
- Billing Records: Billing and transaction records are retained for a minimum of 7 years after the end of the applicable subscription period, as required for tax and audit compliance.
7. Security
We use HTTPS/TLS encryption and industry-standard security practices to protect your information.
Payment Security: All payment transactions are processed by Stripe, Inc., which is certified as a PCI-DSS Level 1 Service Provider (the highest level of certification in the payment card industry). Dermi does not store, process, or have access to full credit card numbers. Payment data is transmitted directly from your browser to Stripe over encrypted connections. For more information, refer to Stripe's security documentation.
Customer Security Responsibility: You are responsible for securing the server where Dermi Atlas Professional is installed to protect the Health Information stored locally. You agree to act as the custodian/trustee of such data in accordance with the privacy laws applicable to your jurisdiction (e.g., HIPAA, PHIPA, the Act Respecting the Protection of Personal Information in the Private Sector in Quebec, the Privacy Act 1988 (Cth) and applicable Australian state and territory health records legislation, the Privacy Act 2020 and the Health Information Privacy Code 2020 in New Zealand, or the Swiss Federal Act on Data Protection and applicable cantonal health legislation in Switzerland).
Mobile Device Security. Where you use the Dermi Atlas Companion on iOS, you are solely responsible for the physical and logical security of the device, including but not limited to device passcode or biometric lock, screen visibility, screenshot and screen-recording controls, AirDrop policy, and, where required by the privacy laws applicable to your practice, disabling iCloud Backup of the Companion App. Dermi has no control over iOS-level mechanisms that may persist or transmit content rendered from your Atlas server. Communications between the Companion App and your Atlas Professional server traverse your local network; Dermi has no visibility into, control over, or responsibility for the security of your local network or for any interception, modification, or loss of data occurring on that network.
8. Your Rights
You may request access to, correction of, or deletion of, your personal account data by contacting our Privacy Officer at privacy@dermi.ai. The right of correction is recognized under PIPEDA, applicable Canadian provincial privacy laws, U.S. state privacy laws, Australian Privacy Principle 13, Information Privacy Principle 7 of the New Zealand Privacy Act 2020, and the Swiss Federal Act on Data Protection.
Right to Withdraw Consent: You may withdraw your consent to the collection, use, or disclosure of your personal information at any time by contacting privacy@dermi.ai. Withdrawal of consent may require termination of your account if the consent relates to processing that is essential for providing the Services. Withdrawal of consent is subject to legal or contractual restrictions and reasonable notice.
Right to Complain: If you believe that your privacy rights have been violated, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada at www.priv.gc.ca. Users in the United States may contact the applicable state attorney general or regulatory authority. Users in Australia may file a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au. Users in New Zealand may file a complaint with the Office of the Privacy Commissioner (New Zealand) at www.privacy.org.nz. Users in Switzerland may contact the Federal Data Protection and Information Commissioner (FDPIC) at www.edoeb.admin.ch.
Quebec Residents: In accordance with the Act Respecting the Protection of Personal Information in the Private Sector, Quebec residents may also request that computerized personal information collected from them be communicated in a structured, commonly used technological format (data portability), and may file a complaint with the Commission d'accès à l'information du Québec (CAI) at www.cai.gouv.qc.ca. The Privacy Officer identified in the Contact section below is the person in charge of the protection of personal information for the purposes of that Act.
Note: Requests regarding patient records must be handled by you (the clinic/provider), as Dermi does not hold this data.
9. Data Breach Notification
In the event of a breach of security safeguards involving personal information under Dermi's control that creates a real risk of significant harm, Dermi will:
- Notify affected individuals as soon as feasible after the breach is confirmed, by email to the address associated with the affected account.
- Report the breach to the Office of the Privacy Commissioner of Canada as required under PIPEDA.
- Where the breach is an "eligible data breach" affecting Australian users under Part IIIC of the Privacy Act 1988 (Cth), notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as required under the Notifiable Data Breaches (NDB) scheme.
- Where the incident involves personal information of Quebec residents and presents a risk of serious injury, notify the Commission d'accès à l'information du Québec (CAI) and the affected individuals, and record the incident in the confidentiality incident register maintained under the Act Respecting the Protection of Personal Information in the Private Sector.
- Where the breach is a notifiable privacy breach affecting New Zealand users under the Privacy Act 2020 (New Zealand), notify the Office of the Privacy Commissioner (New Zealand) and affected individuals where the breach has caused, or is likely to cause, serious harm.
- Where the breach affects Swiss users and is likely to result in a high risk to their personality or fundamental rights, notify the Federal Data Protection and Information Commissioner (FDPIC) as required by the Swiss Federal Act on Data Protection, and inform affected individuals where necessary for their protection or where the FDPIC so requests.
- Notify affected individuals residing in the United States, and the applicable state authorities, as required by U.S. state breach notification laws with respect to the account data held by Dermi.
- Maintain records of all breaches of security safeguards as required by applicable law.
Users located in the United States should review applicable state breach notification laws regarding obligations for locally stored data within Dermi Atlas Professional installations. Users located in Australia should review the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988 (Cth) and applicable state and territory health records legislation regarding their own obligations for locally stored data within Dermi Atlas Professional installations. Users located in New Zealand should review the notifiable privacy breach provisions of the Privacy Act 2020 and the Health Information Privacy Code 2020, and users located in Switzerland should review the breach reporting duties under the Swiss Federal Act on Data Protection, regarding their own obligations for locally stored data within such installations.
10. International Data Transfers
Personal information collected by Dermi may be processed in the United States and in Canada by our sub-processors. Data processed in the United States may be subject to U.S. law, including lawful access by U.S. courts, law enforcement, or national security authorities.
Dermi maintains written data processing agreements or equivalent contractual protections with its sub-processors, where commercially available, that require safeguards for personal information comparable to the protections required under PIPEDA. Personal information relating to Quebec residents may be communicated outside Quebec, including to sub-processors located elsewhere in Canada and in the United States; such communications are made in accordance with the assessment and contractual requirements of the Act Respecting the Protection of Personal Information in the Private Sector. For Australian users, Dermi takes reasonable steps in accordance with Australian Privacy Principle 8.1 to ensure that overseas recipients of personal information handle that information in a manner consistent with the Australian Privacy Principles, and identifies Canada and the United States as the destination countries for such transfers. For New Zealand users: under section 11 of the Privacy Act 2020 (New Zealand), personal information held by a sub-processor solely as an agent on behalf of Dermi is treated as held by Dermi, the transfer is not a disclosure under Information Privacy Principle 12, and Dermi remains responsible for the security of the information. Where a sub-processor also uses personal information for its own purposes (such as Stripe, Apple, or Google), the disclosure is made on the basis that the recipient is required, including under its agreement with Dermi, to protect the information in a way that, overall, provides comparable safeguards to those in that Act. For Swiss users, personal data is disclosed to recipients in Canada, a jurisdiction recognized by Switzerland as providing an adequate level of data protection for private-sector entities, and to sub-processors in the United States on the basis of certification under the Swiss-U.S. Data Privacy Framework or standard contractual clauses recognized by the Federal Data Protection and Information Commissioner, with the adaptations required for transfers subject to Swiss law, as applicable. For a complete list of sub-processors and their locations, refer to the Dermi Sub-Processors document.
11. Cookies and Analytics
The Dermi Portal, the Dermi Atlas Cloud Demo, and the Dermi Atlas Companion use only essential session and authentication cookies required for the operation of the Services, and do not use advertising cookies or third-party tracking cookies.
The dermi.ai marketing website uses Vercel Web Analytics, a cookieless, first-party analytics service that records aggregated pageview metrics (page path, referrer, country, and an anonymized visitor hash). Vercel Web Analytics does not set tracking cookies, does not retain raw IP addresses at rest, and is not used for advertising or cross-site profiling.
The dermi.ai marketing website also uses the Google tag (gtag.js) for Google Ads advertising and conversion measurement, operated by Google LLC. The Google tag processes IP address, browser information, and page and referrer URLs; where advertising storage is permitted, it may also set advertising cookies and process online identifiers. Advertising storage defaults to denied for visitors in the European Economic Area, the United Kingdom, Switzerland, and Quebec, and for browsers that send a Global Privacy Control signal. Visitors may opt out of advertising storage by enabling a Global Privacy Control signal in their browser or through a browser extension (effective from the next page visit), or by blocking cookies for the dermi.ai website in their browser settings; previously set cookies may be deleted at any time. Visitors may also manage how Google personalizes advertising through Google Ads Settings. Google's processing of this data is described in the Google Privacy Policy.
12. Children's Data
The Services are not directed to individuals under the age of 18. Dermi does not knowingly collect personal information from minors. If Dermi becomes aware that personal information has been collected from an individual under 18, that information will be deleted promptly.
Contact
Dermi Inc.
Attention: Privacy Officer
18 King Street East, Suite 1400
Toronto, ON M5C 1C4
Canada
Telephone: +1 647-600-3140
Privacy Inquiries: privacy@dermi.ai
General Inquiries: info@dermi.ai
Need clarification?
Contact us if you have questions about this document