Privacy Policy

Dear User of this Web App,

Protecting your personal data is not only important to you but also to us, SkinTech Corp. GmbH, as the controller of the IQONIC.ai web app (hereinafter “we,” “us”). We greatly value your trust in our careful and legally compliant handling of your data. Your data will be treated with the utmost confidentiality.

With this Privacy Notice, we not only aim to fulfill our legal obligations under Art. 13 and 14 of the GDPR, but also to present to you in a transparent and understandable way which personal data is processed when you use our app, web app, and website – and how we handle this data.

Comprehensive Privacy Policy for IQONIC.ai

Comprehensive Privacy Policy for IQONIC.ai

Privacy Policy for IQONIC.ai

IQONIC.ai is operated by SkinTech Corp. GmbH, Zimmerstraße 50, 10117 Berlin (“IQONIC.ai,” “we”). This Privacy Policy informs you about the processing of personal data in accordance with the GDPR.

1. Controller

Responsible for data processing is:

SkinTech Corp. GmbH

Zimmerstraße 50

10117 Berlin

E-mail: info@iqonic.ai

2. Data Protection Officer

Our Data Protection Officer can be reached at info@iqonic.ai.

3. Purposes and Legal Bases of Processing

We process personal data to provide and improve our services, for user guidance, contract fulfillment, marketing optimization, and – based on your consent – for research and development purposes in the fields of skin, hair, and health analysis.

4. Research and Development (R&D)

With your explicit consent pursuant to Art. 9 (2) (a) GDPR, we process health and diagnostic data such as skin images, hair data, medical history questionnaires, vital data (HealthKit/Google Fit), diagnostic scores, usage interactions, and pseudonymized metadata. The purpose is training and further development of AI-based analysis and recommendation systems. Data will be deleted or anonymized after no more than 24 months. External partners (e.g., dermatologists, AI training providers) only receive pseudonymized data under contractual agreements.

5. Disclosure to Third Parties and Third-Country Transfers

We use, among others, Google Analytics, Firebase, Adjust, Smartlook, Meta, TikTok, Pinterest, LinkedIn, HubSpot, SendGrid, Zendesk, and Amplitude. Some data is transferred to third countries (in particular the U.S.), secured by EU Standard Contractual Clauses pursuant to Art. 46 GDPR.

6. Rights of Data Subjects

You have the right to access (Art. 15 GDPR), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), objection (Art. 21), data portability (Art. 20), and the right to withdraw consent previously given (Art. 7 (3) GDPR).

7. Storage Period

Data will only be stored for as long as necessary for the purposes stated. Research data is processed in pseudonymized form and will be anonymized or deleted after no more than 24 months.

8. Changes to this Policy

We reserve the right to amend this Privacy Policy. The current version is always available at https://www.iqonic.ai/privacy.

Supplementary details and regulations pursuant to the previous version (as of July 2024)

Privacy Policy IQONIC.ai and SQIN

As of: July 2024 – We reserve the right to amend this Privacy Policy.
Data protection is an important core value of SkinTech Corp. GmbH. We make this topic as transparent as possible and explain for what purposes and how the respective data is used. User data is handled responsibly. Data is only used within the framework of applicable data protection laws, in particular the EU General Data Protection Regulation (EU GDPR).

In particular, we strive to continuously improve IQONIC, the SQIN app, and all related offerings and services, and to better tailor them to the needs of our users. However, this can only succeed if we observe and evaluate how these offerings and services are used. The following provides users with comprehensive information on what happens with their data – especially what happens, how, and why. All information that must be provided in accordance with the EU General Data Protection Regulation is also listed here.

Responsible for protecting personal data and ensuring compliance with the EU General Data Protection Regulation is SkinTech Corp. GmbH, Zimmerstraße 50, 10117 Berlin (hereinafter: “IQONIC,” “SQIN,” or the “Provider”). It operates the services mentioned above. Further contact details, points of contact, and mandatory information about SkinTech Corp. GmbH can be found in the imprint or on the website, as well as within the SQIN app.

For questions regarding data protection, or if the user wishes to exercise their rights concerning data protection (see below), they can contact the Data Protection Officer of SkinTech Corp. GmbH. The Data Protection Officer can be reached via e-mail at [E-Mail-Adresse] or by postal mail at SkinTech Corp. GmbH, Zimmerstraße 50, 10117 Berlin.

This Privacy Policy applies to all online offerings and services accessible under the “SQIN” and “IQONIC” brands: the websites for SQIN under the domain sqin.co, for IQONIC under the domain iqonic.ai, as well as other domains that redirect to them.

The above-mentioned offerings and services are hereinafter simply referred to as “Services.”

Table of Contents:

The most important points at a glance

I. What data is collected when using the SQIN and IQONIC Services?

II. Why is this data processed?

III. Is data also transferred to third parties or outside the EU?

► The user’s rights as a data subject

► The individual data processing activities in detail

A. Data Processing for the Provision of SQIN App Services

– Register a user account and manage profile (with e-mail address)

– Contact form and support requests (via e-mail service provider)

– HealthKit and Google Fit integration

– (additional) cookie-based functionalities

B. Improvement of SQIN and IQONIC Services

– Storage and processing of usage data (via GF)

– Evaluation of usage behavior on websites and app (via Google Analytics)

– Evaluation of usage behavior within the mobile application (via Google Analytics for Firebase)

– Evaluation of user behavior of SQIN Services (via Smartlook)

C. Optimization of Our Communication and Marketing Channels

– Marketing campaigns with custom audiences (via Facebook Pixel or custom app events through Facebook SDK)

– Marketing optimization and evaluation of usage behavior in the SQIN app (via Adjust)

► Changes to the Privacy Policy

You have the right

► Contact for Data Protection and Data Protection Officer

► The most important points at a glance

I. What data is collected when using the SQIN and IQONIC Services?

Direct entry of personal data. When the user logs into the SQIN and IQONIC mobile systems, registers, purchases premium content, or uses a contact form for support requests, the provider collects personal data via the respective forms that are clearly and directly related to the user or their identity (so-called personal data).

This includes in particular name, title, e-mail address, and password. For paid services, the provider may also request further contact details (postal address, telephone number), as well as, if applicable, shopping cart details and payment data. Additionally, users may voluntarily provide further personal information, which will then also be stored, e.g., in their user profile.

There are no services or offerings specifically tailored to children.

Data enrichment. The provider may enrich user data with its own observations, but only regarding presumed interests and only to the extent described in this Privacy Policy. Example: If a user has started a unit, an interest in continuing it will be assumed, and the dataset will be enriched with this assumption in order to remind the user within the app.

Data provided by third parties. In some cases, the provider also receives personal data from third parties when using certain functions or services. This is the case, for example, if the user uses a sign-in service such as Facebook to log into the SQIN service.

Pseudonymized data. In addition, data that does not directly reveal the user’s identity is also processed (so-called pseudonymized data). Pseudonymized means that the user or their computer/browser could be recognized under an ID (“pseudonym”), but with ordinary means it is not possible to find out who the user is or how to contact them. In other words: pseudonyms are not combined with personal data such as name or e-mail address, simply because in this case we do not need to know more than necessary.

This applies, for example, when the provider wants to determine which screens of the SQIN or IQONIC Services are clicked on particularly often and which are not at all, or when the provider does not want to show the user the same content all the time.

Further details. Should the user wish to know certain things in more detail, additional information is provided in the chapter “The individual data processing activities in detail.”

II. Why is this data processed?

The processing of personal data is carried out primarily for the following purposes and on the basis of the following legitimate interests:

Personalization: to display the user’s progress, to suggest content of the SQIN app and IQONIC services that best fit their needs, or to notify the user via e-mail or push notifications about content, tips, and offers relevant to them;

Optimization: to find out what users particularly like or dislike and how services can be improved; to achieve the provider’s stated goals,

Ensuring operations: to detect and fend off attack patterns as well as uncover system errors; to prevent the user from receiving e-mails from the provider against their will;

Financing: to process user orders for premium content, or to provide users with personalized discounts, vouchers, and offers;

Maintaining customer relationships and direct marketing on our own behalf: to inform the user about new offerings and features;

Fraud prevention, verification of a provided delivery address, and credit checks, the outcome of which may influence which payment options the provider offers to the user;

Compliance with legal requirements, in particular commercial and tax obligations, if applicable also disclosure obligations to authorities, as well as defense or enforcement of claims.

The processing of personal data is carried out lawfully on the basis of the EU General Data Protection Regulation, depending on the case – on the basis of the user’s consent, a contract with the user, to fulfill legal or regulatory obligations, and/or after balancing legitimate interests in individual cases (see GDPR Article 6 (1) (a), (b), (c), and (f)).

Where the provider processes data on the basis of consent or a balancing of legitimate interests, this will only be done as long as the user does not object or withdraw consent. Further details are explained below.

III. Is data also transferred to third parties or outside the EU?

SQIN and IQONIC do not commercially pass on users’ personal data (sale, rental) to third parties and do not engage in address trading.

However, the provider does not handle everything alone and has engaged some service providers. Some of these providers must, or may at least, have access to personal data. This particularly concerns the technology with which the provider operates, monitors, and analyzes its service or individual functionalities and offerings. It also concerns, among other things, billing for orders as well as collection of outstanding invoices.

All of these service providers are engaged by the provider strictly in accordance with the requirements of the EU GDPR, in writing, and are required, for example, to explain technical and organizational measures they use to protect the entrusted personal data from misuse. Where necessary, contracts for data processing on behalf are concluded with the service provider.

Some of the IT service providers engaged by the provider are not based within the EU or the European Economic Area (EEA), or store and process personal data there. If, in these regions, the EU Commission does not already consider the level of data protection to be equivalent to that in Germany, the provider always insists on the legally required safeguards for such international transfers. Usually, this means the conclusion of EU Commission–approved data protection contracts (so-called EU Standard Contractual Clauses).

In some cases, the provider also discloses data in compliance with data protection requirements to third parties who then process the data on their own responsibility. This includes, for example, services provided by companies such as Facebook, e.g., when the user registers with the provider via Facebook Sign-In. Further details on this are explained in the next chapter.
► System Permissions

Access to your camera is necessary to create anamnesis images and is used by SQIN and IQONIC exclusively for this purpose.

If you would like to upload images from your photo gallery, the SQIN and IQONIC system requires access to your storage.

In addition, your consent to receive push notifications about changes in the status of your treatment is optional. If you do not consent to receiving push notifications, you will not receive any regarding status changes of your treatment.

If you use our services via the iOS operating system (i.e., Apple’s operating system for mobile devices), we request permission to track your activities as part of user behavior analysis (see “Processing in connection with Apple Search Ads”). This allows us to target you with advertising and evaluate actions triggered by such advertising.

► The User’s Rights as a Data Subject

In accordance with the EU General Data Protection Regulation, the user has the right to request information about their personal data (see Article 15 GDPR), as well as correction (see Article 16 GDPR), deletion (see Article 17 GDPR), or at least restriction of processing (see Article 18 GDPR) of their personal data.

The user also has the right to data portability (see Article 20 GDPR). In addition, the user has the right to withdraw previously given consent to the processing of personal data at any time (Article 7 GDPR), as well as to object to processing based on the balancing of legitimate interests (see Article 21 (4) GDPR). Furthermore, the user has the right to lodge a complaint with the competent data protection supervisory authority.

If the user has questions about this or about data protection in general, or wishes to exercise their rights regarding data protection, they may contact our Data Protection Officer. The user can reach them via e-mail at [E-Mail address] or by postal mail at SkinTech Corp. GmbH, Zimmerstraße 50, 10117 Berlin.

► Individual Data Processing Activities in Detail

To give the user an easier overview, this Privacy Policy has been structured according to whether it concerns (A) the basic provision of services and functionalities of SQIN and IQONIC, (B) the optimization of our services, or (C) the optimization of our marketing activities.

Data Processing for the Provision of SQIN and IQONIC Services

Below are details on individual areas, services, and functionalities for providing the SQIN and IQONIC mobile application services.

Registering a User Account and Managing Profile (with e-mail address)

When registering with SQIN and IQONIC services, users provide, among other things, name, gender, interests, and goal. Registration additionally requires providing an e-mail address. This creates a user account. In the case of registration, the user receives a confirmation e-mail to complete the registration. In the case of direct login, the user is sent a confirmation link once to the provided e-mail address for verification. This ensures that the provider uses the correct e-mail address for subsequent communication and can correctly associate the user with their account.

After successful login, an authorization token is stored in the app. The token is deleted from the smartphone when the user logs out of their account via the logout function. Through this authorization method, the provider prevents login credentials from being stored locally on the smartphone.

Beyond this, the app only collects inventory data that the user provides in the context of registration, login, or other contact with the app. This data is used on the basis of user consent (see GDPR Art. 6 (1) (a)).

The provider creates a user profile from this personal data in order to offer the core functionalities of the services across various platforms (iOS, WebApp, Android). The processing of this data is therefore carried out for the fulfillment of obligations under the user contract pursuant to GDPR Art. 6 (1) (b).

In addition, the provider also uses certain user account data for other purposes, such as newsletters and push notifications, orders, and support requests. Further details can be found in the respective sections of this Privacy Policy.

For storing this data, the provider has engaged an IT service provider, namely Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter “GF”).

SQIN and IQONIC have concluded a data processing agreement with GF. GF stores and processes personal data strictly in accordance with the provider’s instructions. This may also take place outside the EU/EEA, in particular in the United States. Where processing takes place in the U.S., it is carried out on the basis of EU Standard Contractual Clauses.

Withdrawal / Opt-Out Option:

The user has the option at any time to delete their profile and all stored personal data by sending their withdrawal request to [E-Mail address]. The provider will forward this request to GF, which is contractually obliged to delete the relevant data.

Beyond that, the provider will also delete the user’s account if the user has not actively used any SQIN or IQONIC services for a period of three years.

If and insofar as data associated with the user’s account can and must still be used for purposes that have not yet expired at the time of the requested or planned deletion, the datasets will be blocked or restricted to specific purposes instead of being deleted. This is particularly the case with statutory retention obligations such as those under commercial or tax law. Such obligations can last up to 10 years (see Section 147 (3) of the German Fiscal Code).
Data Processing During System Installation

Purposes

When you install our system or later access the app, data is processed for an API call log during installation and with each access. This processing is carried out for the following purposes:

Enabling the use of the app,

System security,

Technical administration of the network infrastructure,

Evaluation of system security and stability,

Ensuring a smooth connection setup.

We do not cross-check the processed data with other datasets and under no circumstances do we use the data to draw conclusions about your identity.

Data Categories

During installation and with each access, the following data is collected and stored until its automated deletion after 30 days:

Date and time of installation,

Date and time of access,

Name and URL of the retrieved file or page,

Data volume transferred,

Access status (successful file transfer, file not found, etc.),

Browser and operating system of the user’s device,

Name of the user’s internet service provider.

Legal Basis

The legal basis for this processing is the performance of the user contract you entered into with us, pursuant to Art. 6 (1) (b) GDPR.

Necessity

The provision of our app is required for the performance of your user contract for our app. If you do not install and access our app, you cannot use it.

Storage Period

The data processed during installation and with each access to the app is automatically deleted after 30 days.

Recipients

For the provision of our app’s database and the storage of your doubly encrypted patient record, we use a server located in Germany.

Your Right to Object

According to Art. 21 GDPR, you have the right to object to the above-described processing of data relating to you if there are reasons arising from your particular situation or if your objection is directed against direct marketing.

Data Processing with Adjust

Purposes

We use Adjust to analyze your interactions with our system in order to further develop it and make it more user-friendly.

We also use Adjust for attribution, to improve our mobile advertising campaigns. Attribution is an analysis of the point at which you as a user last interacted with an advertisement, article, or social media post of SkinTech Corp. GmbH. For this purpose, we analyze whether you viewed an advertisement, article, or social media post of SkinTech Corp. GmbH, clicked on a link contained therein, or left a comment under the advertisement, article, or post.

Data Categories

With your consent to the analysis of your usage behavior (“marketing analysis”) of our system by Adjust, the following data about you is processed:

Your access time to our system,

Whether you are a returning user of our system,

Your access location when using our system,

Your demographic data,

The language, device model, and platform (e.g., iOS or Android) of your device,

Your IDFA (Identifier for Advertising on iOS devices) or Android Advertising ID,

Your IP address, and

Your MAC address.

Demographic Data

Demographic data includes information about the website, advertisement, or social media page that referred you to our system. This information is used to estimate your age group as well as the location from which you access our app.

With your consent to the analysis of your usage behavior of our app, the following data is transmitted to Google Analytics for further user and advertising analysis:

Your access time to our system,

Your access location when using our system,

The extent to which you are actively using our system,

Whether you are a returning user of our system,

The language, device model, and platform (e.g., iOS or Android) of your device.

The data relating to you is anonymized before processing for the above purposes so that you can no longer be identified through the aforementioned data.

You can reset or disable the IDFA and Android Advertising ID at any time through your operating system.

Legal Basis

The legal basis for the use of Adjust is your explicit consent pursuant to Art. 6 (1) (a) GDPR.

Storage Period

The above-mentioned data is deleted after 14 months.

Recipients

At no time will your health data be transmitted to the recipients listed below.

The data relating to you, processed through Adjust regarding your use of our app, is processed by Adjust GmbH, Saarbrücker Str. 38a, 10405 Berlin.

The data collected via Adjust about your use of our system is transmitted to Google Analytics. The data transmitted to Google Analytics is processed on servers of Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland, and Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, and transferred to the United States. Google acts as our processor for this data processing, and we have concluded a data processing agreement pursuant to Art. 28 GDPR with Google. The legal basis for the transfer to a third country is the Standard Contractual Clauses pursuant to Art. 46 GDPR. Google provides appropriate safeguards for data protection, which can be reviewed at [link].

More information on how Google handles user data in connection with Google Analytics can be found in Google’s Privacy Policy: [link].

Your Right to Withdraw Consent

You have the right to withdraw your consent at any time. Withdrawal of your consent to processing activities for the purpose of user behavior analysis via Google Analytics is possible within our system via the menu in the “Marketing Analysis” section by deactivating the “Marketing Analysis” function under Menu > Edit Account > Marketing Analysis. The lawfulness of processing carried out on the basis of your consent up to the time of withdrawal remains unaffected.

Contact Form and Support Requests (via E-Mail Service Provider)

If the user contacts the SQIN or IQONIC services, the provider’s e-mail service provider, Google, represented by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, processes the contact details and the content of the inquiry.

Requests submitted via e-mail and contact forms may include communication and contract data as well as the user’s history. In addition, requests concerning the provider’s apps are also forwarded via the app store contact form to the provider by e-mail. The data provided will be treated confidentially. The data provided and the message history with the provider’s customer service are stored for follow-up inquiries and future contact.

If the user contacts the provider via e-mail or a form, the provider uses the personal data transmitted solely to respond to the user’s inquiry, based on legitimate interests.

SQIN and IQONIC have concluded a data processing agreement with Google Ireland. Google Ireland stores and processes personal data strictly according to the provider’s instructions. This may also occur outside the territory of the EU/EEA, in particular in the USA. Where processing takes place in the United States, it is carried out on the basis of the EU Standard Contractual Clauses.

Requests for deletion of the user profile and newsletter unsubscriptions submitted via our contact channels are stored in the provider’s internal systems in order to track and prove that the user’s request was successfully processed (obligation to provide proof). User data (e-mail address, name, and username) will be deleted from the provider’s system no later than one year and one month after submission.

For newsletter deletion requests, the internal system may be able to link the request to the user’s account if it concerns the user’s registration address. For user account deletion requests, no such link can be made. The data is stored in the system protected against unauthorized access and is not passed on to third parties.

Withdrawal / Opt-Out Option:

Customer inquiries are deleted after 5 years or upon direct withdrawal at [address].

If and insofar as data associated with the user’s e-mail inquiries can and must still be used for purposes that have not yet expired at the time of the requested or planned deletion, the datasets will be blocked or restricted to specific purposes instead of being deleted. This is particularly the case with statutory retention obligations, such as those under commercial and tax law. These can last up to 10 years (see Section 147 (3) German Fiscal Code).

Data Processing in AI-Supported Processes

Purposes

If, during registration of your user account or in your account settings, you have consented to processing in connection with research into AI-supported teledermatological diagnostics, we use the photos you upload and the anamnesis questionnaires you complete to research artificial intelligence that can support teledermatological diagnostics. This allows skin diseases to be detected more quickly and effectively, helping future patients faster and better.

We thank you for your support and trust if you consent to this processing. Your data will not be disclosed to third parties but will be processed under strict confidentiality and the highest security standards by an experienced IT laboratory commissioned by us for research purposes. Processing of your data takes place exclusively in Germany.

Data Categories

For research into AI-supported teledermatological diagnostics, we process the photos you upload and the anamnesis questionnaires you complete.

Legal Basis

The legal basis for this processing is your consent pursuant to Art. 9 (2) (a) GDPR.

Storage Period

We use the above-mentioned data relating to you for research into AI-supported teledermatological diagnostics until you withdraw your consent.

Recipients

For the provision of our app’s database and the storage of your doubly encrypted patient record, we use a server located in Germany.

Research into AI-supported teledermatological diagnostics takes place exclusively in Germany, under strict confidentiality and the highest security standards, in an IT laboratory specialized in AI research.

Your Right to Withdraw Consent

You have the right to withdraw your consent to the processing of the above-mentioned data for the purpose of AI-supported teledermatological diagnostics. You can do this by logging into our system and deactivating this option in your account settings under “Product Development.” The lawfulness of processing carried out on the basis of your consent until its withdrawal remains unaffected.

Data Processing for Newsletters

Purposes

Our newsletters serve to provide you, in addition to news from SQIN and IQONIC, with recommendations and information in the field of skin analysis as well as on everyday life topics.

Data Categories

To receive the newsletter, it is sufficient to provide an e-mail address. We process the time of your newsletter registration as well as your IP address as entered by your Internet Service Provider (ISP), which we convert into an anonymized user identifier. This serves to determine whether someone has misused your e-mail address for newsletter registration.

Legal Basis

The legal basis for this processing is your consent pursuant to Art. 6 (1) (a) GDPR.

Storage Period

We use your e-mail address for sending our newsletter until you withdraw your consent.

To fulfill our accountability obligations under Art. 5 (2) GDPR, we retain a deletion log of your e-mail address unsubscription for up to three years. The legal basis for this is the fulfillment of our legal obligation pursuant to Art. 6 (1) (c) GDPR.

Recipients

We use a German processor with servers located in Germany for the provision of our e-mail server.

We use a server located in Germany for the provision of our system database.

As part of our newsletter distribution, we evaluate your user behavior. This evaluation serves the demand-oriented design and ongoing optimization of our newsletter.

Data Categories

The following types of data are processed:

E-mail read and click behavior (open rate and click rate within the newsletter),

Device type used (desktop, tablet, mobile phone),

Whether you are a user or patient of our system,

The time and date of your access to specific newsletter e-mails,

Number of cases submitted in the system,

Redirect URL (i.e., which websites linked in the newsletter you open through the newsletter).

Legal Basis

The legal basis is our legitimate interest pursuant to Art. 6 (1) (f) GDPR in providing you with an effective and user-friendly newsletter.

Storage Period

We store the above-mentioned data until you withdraw your consent, i.e., unsubscribe from our newsletter.

To fulfill our accountability obligations under Art. 5 (2) GDPR, we retain a deletion log of your e-mail address unsubscription for up to three years. The legal basis for this is the fulfillment of our legal obligation pursuant to Art. 6 (1) (c) GDPR.

Recipients

We use a German processor with servers located in Germany for the provision of our e-mail server.

We use a server located in Germany for the provision of our app’s database.

Your Right to Object

According to Art. 21 GDPR, you have the right to object to the above-described processing of your data if there are reasons arising from your particular situation or if your objection is directed against direct marketing.

Data Processing for Review Requests

Purposes

To request reviews from our existing customers, you will receive a one-time review request from us after each treatment. This serves to improve our services based on your feedback.

Data Categories

For sending the review request, we process your e-mail address that you provided during registration in our “SQIN” and IQONIC services.

Legal Basis

The legal basis is our legitimate interest pursuant to Art. 6 (1) (f) GDPR in improving our service through your feedback, i.e., conducting personalized direct marketing.

Storage Period

We use your e-mail address for sending our review requests until you object to our use of your e-mail address for direct marketing.

In the event of deletion of your user account, we will delete your e-mail address, and you will no longer receive direct marketing.

Recipients

For the provision of our app’s database and the storage of your doubly encrypted patient record, we use a server located in Germany.

Data Processing for Mailings

Purposes

To keep our existing customers informed about our offers and services, provide them with valuable content, and request reviews, we regularly send you informational mailings. In this context, we evaluate your user behavior. This evaluation serves the demand-oriented design and ongoing optimization of our informational mailings and services.

Data Categories

The following types of data are processed:

E-mail read and click behavior (open rate and click rate within these informational mailings to existing customers),

Device type used (desktop, tablet, mobile phone),

Whether you are a user or patient of our system,

The time and date of access to the informational e-mails,

Redirect URL (i.e., which websites linked in the informational mailing you open).

Legal Basis

The legal basis is our legitimate interest pursuant to Art. 6 (1) (f) GDPR in carrying out personalized direct marketing.

Storage Period

Storage Period

We remove your e-mail address from our direct marketing distribution list if you object to our use of your e-mail address for the purpose of sending direct marketing.

To fulfill our accountability obligations under Art. 5 (2) GDPR, we retain a deletion log of your e-mail address unsubscription for up to three years. The legal basis for this is the fulfillment of our legal obligation pursuant to Art. 6 (1) (c) GDPR.

Recipients

For the provision of our e-mail server, we use a German processor with servers located in Germany.

We use a server located in Germany for the provision of our system’s database.

Your Right to Object

According to Art. 21 GDPR, you have the right to object to the above-described processing of your data if there are reasons arising from your particular situation or if your objection is directed against direct marketing.

Data Processing When Contacting Us via Contact Form

Purposes

Through our contact form within the system, you have the option to get in touch with us at any time if you have questions about using our system, while logged into your user account.

Data Categories

In the course of your inquiry, we process your user ID, your case ID, and the content of your request. Additional details can be provided voluntarily.

Necessity

Processing your user ID and, if applicable, case ID is necessary for handling your inquiry so it can be assigned to your patient record. If you submit your request through the contact form within the system, this information is automatically transmitted to us.

Recipients

For the provision of our app, we use a server located in Germany.

Contact by Telephone or E-Mail

Purposes

You can contact us using the e-mail addresses and telephone numbers provided on our website. Please do not use this communication channel to transmit health data to us.

Data Categories

To process your inquiry, we use the e-mail address or telephone number you provide. We only collect additional information directly from you if it is necessary and relevant for responding to your inquiry and is provided voluntarily by you.

Please do not use this communication channel to transmit health data to us.

Legal Basis

Processing for the purpose of contacting us is carried out for the performance of a contract you have with us or for the implementation of pre-contractual measures with you pursuant to Art. 6 (1) (b) GDPR.

Necessity

Processing your e-mail address or telephone number is necessary to handle your inquiry and to be able to get back in touch with you in this context. If you do not provide us with these data, we cannot process your request.

Storage Period

If the inquiry is made in the context of a treatment contract, we retain your information as part of your patient record for ten years in accordance with Sections 630a et seq. of the German Civil Code (BGB). Otherwise, the data you provide will be deleted after your inquiry has been resolved.

Recipients

For the provision of our e-mail server, we use a German processor with servers located in Germany.

Data Processing in Connection with Meta

Purposes

We use Facebook Pixel for advertising and optimization of our advertising campaigns. We use this tool to place ads on Facebook and Instagram for people who have visited our website or shown interest in certain topics. By analyzing your user behavior, we evaluate the effectiveness of our Facebook and Instagram campaigns and adapt them to the interests of our users.

Through our use of Facebook Pixel, Facebook is informed when you click on one of our ads on Facebook or when you access the corresponding webpage of our online presence.

Facebook provides us with the collected data in anonymized form, so we cannot personally identify you or draw conclusions about your identity.

Data Categories

With your consent to the marketing analysis processing activity within our system, the following data about you is collected:

Your access time and access location to our system,

The extent to which you are actively using our system,

Whether you are a returning user of our app system,

Your demographic data (gender, age group, interests),

The language, device model, and device you are using (e.g., iOS or Android).

If you maintain a user account with Facebook or Instagram, this information is associated with your Facebook or Instagram account.

If you do not maintain a user account with Facebook, Facebook stores your IP address and other identifiers.

Legal Basis

The legal basis for this processing is your explicit consent pursuant to Art. 6 (1) (a) GDPR. You grant your consent to this processing via our cookie banner by selecting and consenting to the “Marketing Analysis” category.

Storage Period

The storage period is limited to 24 months.

Recipients

Facebook Pixel is a product of Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”). Facebook acts as our processor for this processing, and we have concluded a data processing agreement pursuant to Art. 28 GDPR with Facebook. The legal basis for this transfer is the Standard Contractual Clauses pursuant to Art. 46 GDPR. You can find information on the appropriate or suitable safeguards Facebook Pixel provides for international transfers here [link] and here [link].

Your Right to Withdraw Consent

Withdrawal of your consent to processing activities for the purpose of user behavior analysis is possible within our web app in the settings under “Marketing Analysis,” by deactivating the “Marketing Analysis” function. The lawfulness of processing carried out on the basis of your consent until its withdrawal remains unaffected.

Data Processing in Connection with TikTok

Purposes

We use TikTok Pixel, a service of TikTok Technology Ltd., to show our ads to TikTok users who have expressed interest in our services. TikTok Pixel enables us to determine target audiences for displaying ads. By analyzing your user behavior, we evaluate the effectiveness of our TikTok campaigns and adapt them to user interests.

Data Categories

In the context of advertising on TikTok, the following types of data are processed:

Your user behavior, if you have visited the TikTok network page or are a TikTok user, i.e.:

the number of our ads you have viewed and your clicks on our ads,

events triggered by you in our system, i.e., your registration in the system, creation of cases in our system, and payment for diagnoses of cases created in our system,

information about your operating system and device ID,

anonymized, aggregated data for creating so-called custom audiences, if you have shown interest in our services.

We process information about triggered events (registration in the system, creation of a case, purchase within the system) in our system only if you have consented to processing for the purpose of “marketing analysis” within our app.

If you have a TikTok user account and have consented within your TikTok account to processing for the purpose of personalized advertising, TikTok transmits your location and gender to us, provided you supplied your location during registration with TikTok.

Legal Basis

If you have consented to processing for the purpose of “marketing analysis” within the system, the legal basis for this processing is your consent pursuant to Art. 6 (1) (a) GDPR.

Storage Period

The personal data processed in connection with advertising is deleted after 18 months.

Recipients

The above-mentioned data relating to you is processed on our behalf by TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland (“TikTok”). The above-mentioned data relating to you is transferred to the United States. For this purpose, we have concluded a data processing agreement pursuant to Art. 28 (3) GDPR, incorporating the Standard Contractual Clauses pursuant to Art. 46 GDPR, with TikTok Technology Limited.

You can find information on the appropriate or suitable safeguards TikTok provides for international transfers here [link] and here [link].

Your Right to Withdraw Consent

You have the right to withdraw your consent at any time. Withdrawal of your consent to processing activities for the purpose of user behavior analysis is possible within our system via the menu under “Marketing Analysis,” by deactivating the “Marketing Analysis” function under Menu > Edit Account > Marketing Analysis. The lawfulness of processing carried out on the basis of your consent until its withdrawal remains unaffected.

Data Processing in Connection with Social Media Plugins

Purposes

Social media plugins are extensions for external pages, i.e., the modules embedded on our website allow you to directly access the corresponding social network profile with a click. We use social plugins from the platforms Instagram (part of Facebook Ltd.) and TikTok on our website to make the content of our website more informative and engaging for you.

Data Categories

If you visit a page that contains an embedded video or a social plugin and have consented to processing under “Other Media” within the consent banner, a connection to the servers of Facebook and TikTok is established. The following types of data are processed about you:

the browser you use,

the IP address of your device,

the page of this website you visited,

the content displayed to you,

the language, device model, and platform (e.g., iOS or Android) of your device.

Legal Basis

The legal basis for this processing activity is your consent to processing under “Other Media” pursuant to Art. 6 (1) (a) GDPR.

Storage Period

The above-mentioned data relating to you is stored for 24 months.

Recipients

We use a web host with servers located in Germany for the provision of our website.

Facebook Pixel is a product of Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”). Facebook acts as our processor for this processing, and we have concluded a data processing agreement pursuant to Art. 28 GDPR with Facebook. The legal basis for this transfer is the Standard Contractual Clauses pursuant to Art. 46 GDPR. You can find information on the appropriate or suitable safeguards Facebook Pixel provides for international transfers here [link] and here [link].

The above-mentioned data relating to you is processed on our behalf by TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland (“TikTok”). The above-mentioned data relating to you is transferred to the United States. For this purpose, we have concluded a data processing agreement pursuant to Art. 28 (3) GDPR, incorporating the Standard Contractual Clauses pursuant to Art. 46 GDPR, with TikTok Technology Limited.

You can find information on the appropriate or suitable safeguards TikTok provides for international transfers here [link] and here [link].

Your Right to Withdraw

You have the right to withdraw your consent at any time. The lawfulness of processing carried out on the basis of your consent until its withdrawal remains unaffected.

Data Processing in Connection with Pinterest

Purposes

We use the Pinterest Tag, a service of Pinterest Europe Ltd., to deploy our Pinterest campaigns in a targeted manner, further optimize them, and measure their success. If you arrived at our website via a Pinterest ad, we can track your subsequent actions. By analyzing your user behavior, we evaluate the effectiveness of our Pinterest campaigns and adapt them to the interests of our users.

Data Categories

With your consent to the analysis of your usage behavior within our system, i.e., “marketing analysis,” the following data is also processed:

Your last view of our advertisement (relevant for conversions),

The number of our ads you viewed and your clicks on our ads (frequency),

Your access time and location when using our system,

The extent to which you are actively using our system,

Whether you are a returning user of our system,

Events triggered by you within the system, i.e., your registration in the system, creation of cases, and payment for the treatment of cases created by you in our system,

The language, device type, and operating system (e.g., iOS or Android) of your device,

Demographic data (gender, age, and interests).

We receive the above-mentioned data on your and other users’ last view of our ads, and the number of ads viewed and clicked per placement, from Pinterest in the form of statistical evaluations. This means we receive information about the number of users who clicked on our ad and were redirected to the App Store or Play Store.

Legal Basis

The legal basis for this processing activity is your consent to processing for the purpose of marketing analysis pursuant to Art. 6 (1) (a) GDPR, provided you gave us this consent during your account registration or through account management.

Storage Period

The personal data processed in connection with advertising is deleted after 180 days.

Recipients

The above-mentioned data relating to you is processed on our behalf by Pinterest Europe Ltd., Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland (“Pinterest”). The data relating to you is transferred to the United States. For this purpose, we have concluded a data processing agreement pursuant to Art. 28 (3) GDPR, incorporating the Standard Contractual Clauses pursuant to Art. 46 GDPR, with Pinterest.

You can find information on the appropriate or suitable safeguards Pinterest provides for international transfers here [link].

Your Right to Withdraw Consent

You have the right to withdraw your consent at any time. Withdrawal of your consent to processing activities for the purpose of user behavior analysis is possible within our system via the menu in the “Marketing Analysis” section by deactivating the “Marketing Analysis” function under Menu > Edit Account > Marketing Analysis. The lawfulness of processing carried out on the basis of your consent until its withdrawal remains unaffected.

Data Processing in Connection with YouTube

Purpose

To optimize our online presence, we embed videos via YouTube on our website.

Data Categories

When you access a page that contains an embedded video, a connection to YouTube’s servers is established. The following types of data are processed about you:

the browser you use,

the page of this website you visited,

device-specific information including the IP address of your device,

the YouTube content displayed to you.

We use the “enhanced privacy mode” option provided by YouTube. According to YouTube, in “enhanced privacy mode,” the above-mentioned data is transmitted to YouTube’s servers in the U.S. only if you watch the video.

Legal Basis

The legal basis for this processing is our legitimate interest pursuant to Art. 6 (1) (f) GDPR in supplementing our offering with dermatological information for you.

Storage Period

For more information, please refer to Google’s Privacy Policy.

Recipients

The above-mentioned data relating to you is processed by YouTube, LLC, 901 Cherry Ave., 94066 San Bruno, CA, USA, a company of Google Inc., Amphitheatre Parkway, Mountain View, CA 94043, USA. We have concluded a data processing agreement pursuant to Art. 28 (3) GDPR with YouTube as our processor. The legal basis for the transfer to a third country is the Standard Contractual Clauses pursuant to Art. 46 GDPR. Google provides appropriate safeguards for data protection, which can be reviewed at [link].

If you have a YouTube user account and are logged in at the time of visiting the page, the data processed when accessing the page will be associated with your user account, unless you have logged out beforehand.

Further information on data protection at YouTube can be found in Google’s Privacy Policy.

HealthKit and Google Fit Integration

Apple HealthKit

The provider uses Apple’s HealthKit framework (for more information, see [link]) from Apple Inc., 1 Infinite Loop, Cupertino, CA 95014, USA (“Apple”), which provides a central storage location for health and fitness data on iPhone and Apple Watch and — with the user’s explicit consent — allows apps to communicate with the HealthKit store to access and share this data. This integration must be actively enabled by the user through their system settings. The HealthKit integration can be disabled at any time by the user through their system settings. From that point onward, no data will be exported to the provider.

The provider processes the following data obtained through the HealthKit framework and the Apple CoreMotion processor (for more information, see [link]) for the purposes described below and with the user’s explicit consent: steps, calories, distance, duration, and heart rate. New data attributes may be added to the HealthKit framework, which will then be reflected in the SQIN and IQONIC services and must be explicitly approved by the user.

Google Fit SDK

The provider uses Google’s Fit SDK (for more information, see [link]), an open platform that allows users to control their fitness data. The provider processes the following data obtained through the Google Fit SDK for the purposes described below and with the user’s explicit consent: steps, calories, distance, duration, and heart rate. New data attributes may be added to the Google Fit framework, which will then be reflected in the product and must be explicitly approved by the user.

Research and Analytics

The SQIN and IQONIC services and analytics providers of the SQIN and IQONIC services may analyze activity data for research purposes aimed at providing a personalized service and promoting healthy habits. The SQIN and IQONIC services may — with the user’s explicit consent — share the data obtained via the HealthKit framework or Google Fit SDK with third parties for medical research purposes.

The SQIN and IQONIC services do not use information obtained through HealthKit or Google Fit SDK applications for advertising or similar services. The user can prevent SQIN and IQONIC services from accessing their data at any time by changing their mobile device settings.

Anyone who uses HealthKit or Google Fit SDK for the storage and analysis of sensitive data should ensure that their smartphone is protected with a secure passcode (e.g., on iPhone, disable “simple passcode” under Touch ID & Passcode and set up a password combining uppercase letters, lowercase letters, numbers, and special characters).

Use of Cookies

To improve browsing on the SQIN and IQONIC websites, the user’s device uses so-called cookies (small files with configuration information). Cookies are used on the SQIN and IQONIC websites to increase user-friendliness and to make the website as individualized and user-oriented as possible each time it is accessed. In addition, a cookie-banner cookie is set on the SQIN and IQONIC websites. With the help of this cookie, the provider remembers whether the user has already visited the site and accepted cookies (in accordance with the “Cookie Directive” of the EU, official name: E-Privacy Directive 2009/136/EC). To spare the user repeated display of the disruptive notice, the cookie is automatically deleted after three months, meaning the user will only have to confirm the cookie banner again once the validity has expired.

Such cookies are not only set by the SQIN and IQONIC websites themselves but also on their behalf by third-party providers, such as Google.de (see below). When visiting a page on sqin.co or iqonic.ai, cookies may also be set that remain stored beyond the user’s current visit (so-called session cookies).

General Browser Data:

The SQIN and IQONIC websites also automatically collect and store information in cookies transmitted by the user’s web browser when accessing sqin.co and iqonic.ai. This includes, in particular, details about the browser and operating system used, a reference to the origin of previously visited pages (so-called referral URL), the IP address or host name of the accessing computer, and the time of the page request. These data are used for statistical analysis of the sqin.co and iqonic.ai pages.

The SQIN and IQONIC websites will not combine existing usage data with name or address data of users (so-called inventory data) collected, for example, during registration with SQIN and IQONIC services. The collected pseudonymous usage data are used for long-term analysis purposes and are deleted either at the end of the evaluation phase or as required by law.

Withdrawal / Opt-Out Option:

If the user does not wish cookies to be used or wants to delete existing cookies, they can disable and remove them via their internet browser. Help for deleting cookies in the most common browsers can be found at the following links:

• Internet Explorer

• Mozilla Firefox

• Safari

• Chrome

The SQIN and IQONIC websites also use analytical cookies from third parties for analysis purposes, e.g., from Google and Facebook. The use of analysis programs by the SQIN and IQONIC websites and the collection of data (pseudonymized data) by partner companies can be objected to at any time with effect for the future. These functions are provided by the respective operators and are described again in the associated notices.

B. Improvement of SQIN and IQONIC Services

Storage and Processing of App Usage Data (via GF)

For the storage of usage data of the SQIN and IQONIC services, the provider uses the service Google Firebase, represented by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“GF”).

In addition to the user profile (username, login data), the provider stores a user’s usage data within the services on GF’s servers, e.g., when a user logs in and which progress they make. The storage of usage data enables the provider to offer user-friendly operation of the system. This ensures that users can continue where they left off when reopening system functions, and that selected settings in the user’s personal profile do not need to be reconfigured each time.

In accordance with GDPR requirements for engaging IT service providers, we have concluded a written data processing agreement with GF. GF stores and processes personal data strictly in accordance with our instructions. This may also occur outside the territory of the EU/EEA, particularly in the U.S. To ensure a level of data protection comparable to the GDPR, the provider has concluded the EU Commission’s officially prescribed data protection contracts (so-called EU Standard Contractual Clauses) with GF.

Withdrawal / Opt-Out Option:

The user has the option at any time to delete their profile and all personal data stored within it by sending their withdrawal request to [contact address]. The provider will then forward this withdrawal request to GF, which is contractually obliged to delete the corresponding data.

Beyond this, the provider will also delete the user’s account if they have not actively used any of the SQIN or IQONIC services for a period of three years.

If and insofar as data associated with the user’s account can and must still be used for purposes that have not yet expired at the time of the requested or planned deletion, the datasets will be blocked or restricted to specific purposes instead of being deleted. This is particularly the case with statutory retention obligations, such as those under commercial and tax law. These can last up to 10 years (see Section 147 (3) German Fiscal Code).

Analysis of User Behavior on the SQIN and IQONIC Website and Web Services (via Google Analytics)

For analyzing user behavior on the SQIN and IQONIC website, the provider uses the Google Analytics service, operated by Google: Google Ireland Limited, Gordon House, Barrow Street, Dublin, D04 E5W5, Ireland.

To evaluate user behavior, a cookie is set. The information generated by this cookie about use of the website (including the user’s IP address) is transmitted to Google’s servers and stored there.

SQIN, IQONIC, and Google have concluded a joint processing agreement for this purpose, which can be reviewed here: [link].

The SQIN and IQONIC website uses Google Analytics exclusively with the IP anonymization extension, so that IP addresses are only further processed in truncated form, excluding any direct personal reference. Through IP anonymization, the IP address of Google users within EU member states or other states party to the Agreement on the European Economic Area is shortened. Only in exceptional cases is the full IP address transmitted to a Google server in the United States and shortened there. Google will use this information to evaluate users’ utilization of the web services and website, to compile reports on website and web service activities, and to provide other services related to website usage and internet usage.

Withdrawal / Opt-Out Option:

Collection and storage of data by Google Analytics can be objected to at any time with effect for the future. For this, the user has the option to install a browser plugin issued by Google. This is available for various browser versions and can be downloaded at [link].

If and insofar as data associated with the user’s account can and must still be used for purposes that have not yet expired at the time of the requested or planned deletion, the datasets will be blocked or restricted to specific purposes instead of being deleted. This is particularly the case with statutory retention obligations, such as those under commercial and tax law. These may last up to 10 years (see Section 147 (3) of the German Fiscal Code).

Analysis of App User Behavior in SQIN and IQONIC Services (via Google Analytics for Firebase)

For analyzing user behavior within the SQIN and IQONIC services, the provider uses the Google Analytics for Firebase service, operated by Google LLC. Since SkinTech Corp. GmbH is based in Germany, the contractual partner is the European subsidiary of Google LLC: Google Ireland Limited, Gordon House, Barrow Street, Dublin, D04 E5W5, Ireland.