Dermi Privacy Policy
How we protect your privacy and handle your data
Last Updated: May 25, 2026
1. Introduction
Dermi Inc. ("Dermi," "we," "us") collects and manages user data according to this Policy.
Compliance Framework:
- For Dermi: As a Canadian commercial organization, Dermi complies with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws (including the Act Respecting the Protection of Personal Information in the Private Sector in Quebec) regarding the collection of your Account Data. Where Dermi collects or handles personal information of Australian users, Dermi also complies with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
- For Users: This policy addresses users in Canada, the United States, and Australia.
This policy covers data collected through:
- Dermi Portal and Dermi Atlas Cloud Demo (Cloud Services)
- Dermi Atlas Professional and Dermi Atlas Manager (On-Premises Software)
- Dermi Atlas Companion (iOS Mobile Application)
- The Dermi website (dermi.ai), including newsletter subscriptions
2. Information Collection
A. Cloud Services (Portal & Cloud Demo)
We collect:
- Account Data: Name, email, hashed password, organization details.
- Billing Data: Payment method details are collected and processed by our third-party payment processor, Stripe, Inc. Dermi does not store or have access to full card numbers. Stripe's collection and use of your payment information is governed by the Stripe Privacy Policy.
- Usage Logs: Login history, IP addresses, interaction logs.
- Marketing Communications Data: If you subscribe to the Dermi newsletter through the dermi.ai website, Dermi collects your email address together with the IP address and User-Agent of the submitting browser, used solely for delivery, anti-abuse, and rate-limiting purposes. You may unsubscribe at any time by contacting privacy@dermi.ai.
B. On-Premises Software (Atlas Professional & Atlas Manager)
- Local Data Separation: Patient data, medical images, and clinical notes entered into Dermi Atlas Professional are stored LOCALLY on your infrastructure. Dermi does not access, collect, or store this data on our servers.
- Administrative & Security Telemetry: To provide license verification and account security features (such as 2FA configuration, password resets, and account change confirmations), the software transmits specific administrative data to Dermi infrastructure.
- Data Transmitted: License token, username, email address, request type, non-sensitive confirmation tokens (for link validation), and technical client metadata (IP address, User Agent, Timezone).
- No Health Information: Protected Health Information (PHI), Personal Health Information, and Australian "sensitive information" (including "health information") as defined under the Privacy Act 1988 (Cth) and applicable Australian state and territory health records legislation are never included in these requests.
C. Dermi Atlas Companion (iOS Application)
The Dermi Atlas Companion is a native iOS application that connects to a Dermi Atlas Professional server on your local network, or, optionally, to the Dermi Atlas Cloud Demo. The Companion App operates as a thin client. Health Information accessed through the Companion App is fetched from, and remains on, the Atlas server you connect to. The Companion App does not transmit Health Information to Dermi.
- Layered Consent. The Companion App is downloadable and installable without account creation. Before any account-bearing or data-bearing feature is available, you must complete an explicit acceptance step: account registration in the Dermi Atlas Cloud Demo or in a Dermi Atlas Professional instance, each of which requires you to affirmatively accept the Terms of Service and this Privacy Policy at the point of registration; or, for each session of Cloud Demo use, the Dermi Atlas Cloud Demo Disclaimer.
- Data Stored on the Device. Server names, hostnames, ports, color and icon preferences, certificate fingerprints, LAN certificates that you have trusted, and user preferences. No patient data, no images, and no account credentials are persisted to the device filesystem outside the iOS WebKit session and standard browser caches.
- iOS Permissions. Local Network access (to reach your Atlas server); Camera (only when you initiate a capture); Photo Library (only when you choose to upload). The Companion App contains no analytics, telemetry, advertising, or crash-reporting SDKs.
- Transmission to Dermi. The Companion App does not contact Dermi-operated servers other than (i) optionally connecting to demo.atlas.dermi.ai when you enable the Cloud Demo preference, and (ii) when you tap a help or legal link that opens a Dermi-hosted page in your browser.
3. How We Use Your Information
We use collected data to:
- Provide and secure the Services.
- Process payments and verify licenses.
- Deliver transactional and security emails (e.g., 2FA configuration, password resets).
- Send administrative and support emails.
- Comply with legal obligations.
We do not sell your personal information.
4. Disclosure of Information
We share information with:
- Sub-Processors: Infrastructure, distribution, and analytics providers (AWS, MongoDB, Stripe, Postmark, Apple, Vercel). For a complete list and the categories of data shared with each, refer to the Dermi Sub-Processors document.
- Legal Authorities: If required by law.
- Business Transfers: In the event of a merger or acquisition.
5. Sub-Processors
We use third-party sub-processors. For a comprehensive list including data categories, please refer to the Dermi Sub-Processors document. Payment processing is handled by Stripe, Inc.; for details on how Stripe processes personal data, refer to the Stripe Privacy Policy.
6. Data Retention
- Account Data: Retained while active. Deleted within 30 days after account closure.
- Demo Data: Patient records, entries, images, and clinical metadata uploaded to the Dermi Atlas Cloud Demo are purged on a regular schedule (no less frequently than once per week) and may also be wiped without notice for maintenance or operational reasons. Account credentials, user preferences, and acceptance logs in the Cloud Demo are preserved separately and follow the Account Data retention rule above.
- Newsletter Data: Email addresses are retained until you unsubscribe. The IP address and User-Agent associated with a subscription event are retained for no longer than 12 months and used solely for anti-abuse and rate-limiting purposes.
- Transmission Logs: Logs regarding emails sent and API requests processed are retained for no longer than 90 days for security auditing and delivery troubleshooting.
- Billing Records: Billing and transaction records are retained for a minimum of 7 years after the end of the applicable subscription period, as required for tax and audit compliance.
7. Security
We use HTTPS/TLS encryption and industry-standard security practices to protect your information.
Payment Security: All payment transactions are processed by Stripe, Inc., which is certified as a PCI-DSS Level 1 Service Provider (the highest level of certification in the payment card industry). Dermi does not store, process, or have access to full credit card numbers. Payment data is transmitted directly from your browser to Stripe over encrypted connections. For more information, refer to Stripe's security documentation.
Customer Security Responsibility: You are responsible for securing the server where Dermi Atlas Professional is installed to protect the Health Information stored locally. You agree to act as the custodian/trustee of such data in accordance with the privacy laws applicable to your jurisdiction (e.g., HIPAA, PHIPA, the Act Respecting the Protection of Personal Information in the Private Sector in Quebec, or the Privacy Act 1988 (Cth) and applicable Australian state and territory health records legislation).
Mobile Device Security: Where you use the Dermi Atlas Companion on iOS, you are solely responsible for the physical and logical security of the device, including but not limited to device passcode or biometric lock, screen visibility, screenshot and screen-recording controls, AirDrop policy, and, where required by the privacy laws applicable to your practice, disabling iCloud Backup of the Companion App. Dermi has no control over iOS-level mechanisms that may persist or transmit content rendered from your Atlas server. Communications between the Companion App and your Atlas Professional server traverse your local network; Dermi has no visibility into, control over, or responsibility for the security of your local network or for any interception, modification, or loss of data occurring on that network.
8. Your Rights
You may request access to, correction of, or deletion of, your personal account data by contacting our Privacy Officer at privacy@dermi.ai. The right of correction is recognised under PIPEDA, applicable Canadian provincial privacy laws, U.S. state privacy laws, and Australian Privacy Principle 13.
Right to Withdraw Consent: You may withdraw your consent to the collection, use, or disclosure of your personal information at any time by contacting privacy@dermi.ai. Withdrawal of consent may require termination of your account if the consent relates to processing that is essential for providing the Services. Withdrawal of consent is subject to legal or contractual restrictions and reasonable notice.
Right to Complain: If you believe that your privacy rights have been violated, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada at www.priv.gc.ca. Users in the United States may contact the applicable state attorney general or regulatory authority. Users in Australia may file a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.
Note: Requests regarding patient records must be handled by you (the clinic/provider), as Dermi does not hold this data.
9. Data Breach Notification
In the event of a breach of security safeguards involving personal information under Dermi's control that creates a real risk of significant harm, Dermi will:
- Notify affected individuals as soon as feasible after the breach is confirmed, by email to the address associated with the affected account.
- Report the breach to the Office of the Privacy Commissioner of Canada as required under PIPEDA.
- Where the breach is an "eligible data breach" affecting Australian users under Part IIIC of the Privacy Act 1988 (Cth), notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as required under the Notifiable Data Breaches (NDB) scheme.
- Maintain records of all breaches of security safeguards as required by applicable law.
Users located in the United States should review applicable state breach notification laws regarding obligations for locally stored data within Dermi Atlas Professional installations. Users located in Australia should review the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988 (Cth) and applicable state and territory health records legislation regarding their own obligations for locally stored data within Dermi Atlas Professional installations.
10. International Data Transfers
Personal information collected by Dermi may be processed in the United States by our sub-processors. Data processed in the United States may be subject to U.S. law, including lawful access by U.S. courts, law enforcement, or national security authorities.
Dermi maintains contractual protections with each sub-processor to ensure a comparable level of protection for personal information as required under PIPEDA. For Australian users, Dermi takes reasonable steps in accordance with Australian Privacy Principle 8.1 to ensure that overseas recipients of personal information handle that information in a manner consistent with the Australian Privacy Principles, and identifies Canada and the United States as the destination countries for such transfers. For a complete list of sub-processors and their locations, refer to the Dermi Sub-Processors document.
11. Cookies and Analytics
The Dermi Portal, the Dermi Atlas Cloud Demo, and the Dermi Atlas Companion use only essential session and authentication cookies required for the operation of the Services. The dermi.ai marketing website uses Vercel Web Analytics, a cookieless, first-party analytics service that records aggregated pageview metrics (page path, referrer, country, and an anonymized visitor hash). Vercel Web Analytics does not set tracking cookies, does not retain raw IP addresses at rest, and is not used for advertising or cross-site profiling. Dermi does not use advertising cookies or third-party tracking cookies on any of the Services.
12. Children's Data
The Services are not directed to individuals under the age of 18. Dermi does not knowingly collect personal information from minors. If Dermi becomes aware that personal information has been collected from an individual under 18, that information will be deleted promptly.
Contact
Dermi Inc.
Attention: Privacy Officer
18 King Street East, Suite 1400
Toronto, ON M5C 1C4
Canada
Telephone: +1 647-600-3140
Privacy Inquiries: privacy@dermi.ai
General Inquiries: info@dermi.ai