Dermidia®

Privacy Policy

Effective date: March 15, 2026 · Dermalapps LLC

Dermalapps LLC (“we,” “us,” or “our”) operates the Dermidia website (dermidia.com), the Dermidia Sense sensor dashboard (sense.dermidia.com), the DSI Forecast API request flow, and related mobile and web applications (collectively, the “Services”). This Privacy Policy explains what information we collect, why we collect it, how we use and protect it, and your choices regarding your information.

By using our Services, you acknowledge the collection and use of information as described in this policy. If you do not agree, please discontinue use of the Services.


1. Information We Collect

a. Information you provide directly

  • Contact and API request submissions — name, email address, company name, requested tier, use case details, and any other information you submit through our forms or by email.
  • Account credentials — if you register for Dermidia Sense, your account is managed through Amazon Cognito. We receive a unique user identifier (Cognito sub) but do not directly store your password.

b. Information collected automatically

  • IP address and approximate location — when you use our public DSI tools, your browser requests a city- or region-level location estimate from Geoapify using your IP address. Our infrastructure and service providers may also process IP addresses and request metadata for security, performance, and abuse prevention. We do not intentionally store precise geolocation for public tool use.
  • Usage and diagnostic data — infrastructure logs may record request timestamps, pages or routes visited, browser and device metadata, referrers, response status, and similar diagnostic information. We use this information for security, troubleshooting, and service improvement.
  • Cookies and session data — we use cookies to maintain your session state. See Section 3 for details.

c. Sensor and device data (Dermidia Sense users)

If you use Dermidia Sense with a connected sensor device (DSIsense or Shelly), we collect:

  • Indoor temperature and relative humidity readings uploaded by your device, typically every 15 minutes.
  • Derived DSI values computed from those readings.
  • Device identifier associated with your provisioned device.
  • Timestamps of sensor readings.

This data is stored in our cloud infrastructure (AWS DynamoDB) and is associated with your account. See Section 5 for how we use sensor data, including our anonymized research program.


2. How We Use Your Information

We use the information we collect for the following purposes:

  • To provide the Services — calculating and displaying DSI forecasts, historical analysis, and sensor dashboard data.
  • To authenticate users — verifying your identity to protect access to your Sense dashboard and sensor data.
  • To respond to inquiries — replying to messages, evaluating API access requests, and provisioning accounts or credentials where applicable.
  • To improve the Services — analyzing usage patterns and sensor data trends (in aggregate and anonymized form) to develop more accurate DSI models and skincare guidance.
  • To ensure security — detecting and preventing unauthorized access, fraud, or abuse.
  • To comply with legal obligations — responding to lawful requests from government authorities or courts.

3. Cookies and Session Data

We use the following cookies. We do not use advertising cookies or cross-site tracking cookies.

dev_auth (Strictly necessary)

Temporary password-protection cookie used when the site or a subdomain is operating behind a pre-release access gate. Contains a session token used to allow access to the gated site.

Retention: Session

sense_session (Strictly necessary)

Authenticates your Dermidia Sense session after you log in via the Dermidia app. Contains an encoded session payload with your Cognito user identifier and selected device identifier.

Retention: 30 days

Server/CDN logs (Strictly necessary)

Standard infrastructure logs (Vercel) recording request metadata for security and performance monitoring. Not a cookie; stored server-side only.

Retention: Up to 30 days

You may configure your browser to refuse cookies or alert you when cookies are set. Disabling the sense_session cookie will prevent access to the authenticated Sense dashboard.


4. Data Sharing and Disclosure

We do not sell, rent, or trade your personal information. We may share information only in the following limited circumstances:

  • Service providers — we use trusted third-party vendors who process data on our behalf under confidentiality obligations. These include cloud hosting (Amazon Web Services, Vercel), identity management (Amazon Cognito), geolocation lookup (Geoapify), transactional email (Resend), and payment processing if paid services are enabled. Each provider receives only the data necessary to perform its function.
  • Legal requirements — we may disclose information when required by law, court order, or governmental authority, or when we believe disclosure is necessary to protect our rights, prevent fraud, or ensure user safety.
  • Business transfer — if Dermalapps LLC is acquired or merges with another entity, your information may be transferred as part of that transaction. We will endeavor to ensure the acquiring entity honors this Privacy Policy or notifies you of any material changes before they take effect.
  • Aggregated or anonymized data — we may share aggregate, de-identified insights (for example, regional DSI trends) that cannot reasonably identify any individual.

5. Sensor Data and Anonymous Research Program

For Dermidia Sense users, sensor readings (temperature, humidity, DSI values, and timestamps) are stored in association with your account to power your personal dashboard.

With the goal of improving indoor skin health science, we may convert archived sensor readings into anonymous records by removing all account identifiers, device identifiers, and any information that could reasonably be used to re-identify you. These anonymized records may be retained indefinitely and used to:

  • Develop and refine DSI calculation models.
  • Study patterns of indoor environmental conditions across housing types, climates, and seasons.
  • Support published research on indoor environmental factors in skin health.
  • Improve skincare guidance and product recommendations within the Services.

Once anonymized, these records are no longer personal data and are not subject to deletion requests. We do not anonymize data while your account is active without notice; anonymization occurs as part of our data lifecycle management for older archived readings.


6. Data Retention

  • Contact and API request messages — retained for as long as necessary to respond to your inquiry, review your request, provision service if approved, and maintain ordinary business records, typically no more than 24 months unless ongoing correspondence or an active relationship requires longer retention.
  • Sensor readings (identifiable) — retained while your Dermidia Sense account is active and for up to 12 months after account closure, after which readings are either deleted or anonymized as described in Section 5.
  • Session cookies — the dev_auth cookie expires when the browser session ends, and the sense_session cookie expires 30 days from issuance unless refreshed upon re-authentication.
  • Server logs — retained for up to 30 days for security and operational purposes.

7. Security

We implement technical and organizational measures appropriate to the sensitivity of the data we hold. These include encryption in transit (HTTPS/TLS), encrypted storage, access controls limiting data access to authorized personnel and systems, and identity verification via Amazon Cognito for Sense users.

No method of internet transmission or electronic storage is 100% secure. In the event of a data breach that materially affects your personal information, we will notify you and relevant authorities as required by applicable law.


8. Your Privacy Rights

Depending on where you reside, you may have the following rights regarding your personal information:

  • Right to know — you may request a description of the personal information we hold about you and how it is used.
  • Right to delete — you may request deletion of your personal information. We will honor such requests subject to any legal obligations requiring us to retain certain data.
  • Right to correct — you may request correction of inaccurate personal information we hold about you.
  • Right to opt out of sale or sharing — we do not sell personal information or share it for cross-context behavioral advertising.
  • Right to non-discrimination — exercising your privacy rights will not result in denial of service or different pricing.

California residents may exercise rights under the California Consumer Privacy Act (CCPA) as amended by the CPRA. To submit a request, contact us at support@dermidia.com. We will respond within 45 days.

Our Services are not intended for users under 17. We do not knowingly collect personal information from children under 13. If we become aware that a child under 13 has provided personal information, we will delete it promptly.


9. Third-Party Services and Links

The Services may contain links to third-party websites. This policy does not apply to those sites, and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any third-party services you access through our Services.

Our key service providers and their relevant privacy practices:

  • Amazon Web Services (AWS) — cloud infrastructure, authentication (Cognito), and data storage. AWS is certified under multiple security and privacy frameworks.
  • Vercel — web hosting and edge delivery. Vercel processes request logs in connection with serving the site.
  • Geoapify — IP-based geolocation for DSI calculation. Your browser sends your IP address to Geoapify to obtain approximate location data for public DSI tools.
  • Resend — transactional email delivery for contact and API request handling. Form submissions may include your name, email address, company, tier interest, and use case details.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the effective date at the top of this page. For significant changes affecting how we use personal data, we will provide additional notice (such as a notice on the site or, for Sense users, an email notification). Continued use of the Services after the effective date constitutes acceptance of the updated policy.


11. Contact Us

If you have questions about this Privacy Policy or wish to exercise your privacy rights, please contact us:

Dermalapps LLC

Email: support@dermidia.com

Or use the contact form on this site.