Dermi Privacy Policy
How we protect your privacy and handle your data
Last Updated: February 10, 2026
1. Introduction
Dermi Inc. ("Dermi," "we," "us") collects and manages user data according to this Policy.
Compliance Framework:
- For Dermi: As a Canadian commercial organization, Dermi complies with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws (including the Act Respecting the Protection of Personal Information in the Private Sector in Quebec) regarding the collection of your Account Data.
- For Users: This policy addresses users in Canada and the United States.
This policy covers data collected through:
- Dermi Portal and Dermi Atlas Cloud Demo (Cloud Services)
- Dermi Atlas Professional and Dermi Atlas Manager (On-Premises Software)
2. Information Collection
A. Cloud Services (Portal & Cloud Demo)
We collect:
- Account Data: Name, email, hashed password, organization details.
- Billing Data: Payment method details are collected and processed by our third-party payment processor, Stripe, Inc. Dermi does not store or have access to full card numbers. Stripe's collection and use of your payment information is governed by the Stripe Privacy Policy.
- Usage Logs: Login history, IP addresses, interaction logs.
B. On-Premises Software (Atlas Professional & Atlas Manager)
- Local Data Separation: Patient data, medical images, and clinical notes entered into Dermi Atlas Professional are stored LOCALLY on your infrastructure. Dermi does not access, collect, or store this data on our servers.
- Administrative & Security Telemetry: To provide license verification and account security features (such as 2FA configuration, password resets, and account change confirmations), the software transmits specific administrative data to Dermi infrastructure.
- Data Transmitted: License token, username, email address, request type, non-sensitive confirmation tokens (for link validation), and technical client metadata (IP address, User Agent, Timezone).
- No Health Information: Protected Health Information (PHI) and Personal Health Information are never included in these requests.
3. How We Use Your Information
We use collected data to:
- Provide and secure the Services.
- Process payments and verify licenses.
- Deliver transactional and security emails (e.g., 2FA configuration, password resets).
- Send administrative and support emails.
- Comply with legal obligations.
We do not sell your personal information.
4. Disclosure of Information
We share information with:
- Sub-Processors: Infrastructure providers (AWS, MongoDB, Stripe, Postmark).
- Legal Authorities: If required by law.
- Business Transfers: In the event of a merger or acquisition.
5. Sub-Processors
We use third-party sub-processors. For a comprehensive list including data categories, please refer to the Dermi Sub-Processors document. Payment processing is handled by Stripe, Inc.; for details on how Stripe processes personal data, refer to the Stripe Privacy Policy.
6. Data Retention
- Account Data: Retained while active. Deleted within 30 days after account closure.
- Demo Data: Data in Dermi Atlas Cloud Demo is purged weekly.
- Transmission Logs: Logs regarding emails sent and API requests processed are retained for no longer than 90 days for security auditing and delivery troubleshooting.
- Billing Records: Billing and transaction records are retained for a minimum of 7 years after the end of the applicable subscription period, as required for tax and audit compliance.
7. Security
We use HTTPS/TLS encryption and industry-standard security practices to protect your information.
Payment Security: All payment transactions are processed by Stripe, Inc., which is certified as a PCI-DSS Level 1 Service Provider (the highest level of certification in the payment card industry). Dermi does not store, process, or have access to full credit card numbers. Payment data is transmitted directly from your browser to Stripe over encrypted connections. For more information, refer to Stripe's security documentation.
Customer Security Responsibility: You are responsible for securing the server where Dermi Atlas Professional is installed to protect the Health Information stored locally. You agree to act as the custodian/trustee of such data in accordance with the privacy laws applicable to your jurisdiction (e.g., HIPAA, PHIPA, or the Act Respecting the Protection of Personal Information in the Private Sector in Quebec).
8. Your Rights
You may request access to, or deletion of, your personal account data by contacting our Privacy Officer at privacy@dermi.ai.
Right to Withdraw Consent: You may withdraw your consent to the collection, use, or disclosure of your personal information at any time by contacting privacy@dermi.ai. Withdrawal of consent may require termination of your account if the consent relates to processing that is essential for providing the Services. Withdrawal of consent is subject to legal or contractual restrictions and reasonable notice.
Right to Complain: If you believe that your privacy rights have been violated, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada at www.priv.gc.ca. Users in the United States may contact the applicable state attorney general or regulatory authority.
Note: Requests regarding patient records must be handled by you (the clinic/provider), as Dermi does not hold this data.
9. Data Breach Notification
In the event of a breach of security safeguards involving personal information under Dermi's control that creates a real risk of significant harm, Dermi will:
- Notify affected individuals as soon as feasible after the breach is confirmed, by email to the address associated with the affected account.
- Report the breach to the Office of the Privacy Commissioner of Canada as required under PIPEDA.
- Maintain records of all breaches of security safeguards as required by applicable law.
Users located in the United States should review applicable state breach notification laws regarding obligations for locally stored data within Dermi Atlas Professional installations.
10. International Data Transfers
Personal information collected by Dermi may be processed in the United States by our sub-processors. Data processed in the United States may be subject to U.S. law, including lawful access by U.S. courts, law enforcement, or national security authorities.
Dermi maintains contractual protections with each sub-processor to ensure a comparable level of protection for personal information as required under PIPEDA. For a complete list of sub-processors and their locations, refer to the Dermi Sub-Processors document.
11. Cookies
The Dermi Portal and website use only essential session and authentication cookies required for the operation of the Services. Dermi does not use analytics cookies, advertising cookies, or third-party tracking cookies.
12. Children's Data
The Services are not directed to individuals under the age of 18. Dermi does not knowingly collect personal information from minors. If Dermi becomes aware that personal information has been collected from an individual under 18, that information will be deleted promptly.
Contact
Dermi Inc.
Attention: Privacy Officer
18 King Street East, Suite 1400
Toronto, ON M5C 1C4
Canada
Privacy Inquiries: privacy@dermi.ai
General Inquiries: info@dermi.ai