Privacy Policy

3.1 Personal Information

We collect personal information that you provide directly to us:

• Account Information: Name, email address, password (encrypted)
• Professional Credentials: Credential type (dermatologist, plastic surgeon, etc.), credential number (optional), healthcare facility affiliations
• Profile Information: Profile photo (optional), professional bio
• Billing Information: Handled by RevenueCat - we do NOT store credit card numbers or payment details

3.2 Medical Images and Data

As a healthcare application, we process medical information you upload:

• Patient Records: Patient ID (user-defined), full name, date of birth, gender, clinical notes
• Medical Images: Photos captured via app or uploaded from device gallery
• Medical Videos: Videos captured via app (max 60 seconds)
• Treatment Logs: Date, title, notes, observations, treatment plans
• Annotations: Text labels, arrows, rulers, measurements, markers added to images
• Progress Data: Before/after comparisons, treatment timelines

3.3 Technical Information

We automatically collect certain technical information when you use our application:

• Device Information: Device type, operating system version, unique device identifiers, mobile network information
• Connection Information: IP address (anonymized), general location (country/city level), timezone
• Usage Data: Features accessed, session duration, screen views
• Performance Data: Crash reports, error logs, performance metrics
• Authentication Data: Login timestamps, session tokens (encrypted), MFA verification codes

3.4 Third-Party Service Data

We receive limited information from third-party services that integrate with PixioDoc:

• Supabase (Infrastructure): Database connection logs, storage usage metrics
• RevenueCat (Payments): Subscription status, transaction IDs, purchase receipts (no credit card data)
• Firebase (Notifications): Device tokens for push notifications, delivery status
• ZeptoMail (Email): Email delivery status, open/click tracking (if enabled)

3.5 Data Storage Location

4.1 Primary Healthcare Functions

• Medical Image Tracking: Capture, organize, and track patient medical images over time
• Progress Monitoring: Enable healthcare professionals to monitor patient progress and treatment outcomes
• Secure Sharing: Facilitate secure sharing and collaboration between healthcare professionals (Pro plans only)
• Treatment Documentation: Support comprehensive medical record keeping and documentation
• Comparison Tools: Provide before/after comparison features for visual progress tracking
• Timeline View: Display chronological patient progress over treatment periods

4.2 Application Operations

• Service Delivery: Provide, maintain, and improve our application services
• Authentication: Verify user identity and ensure secure access to medical data
• Billing: Process subscription payments via RevenueCat (we don't handle payment details directly)
• Support: Provide technical support and customer service
• Communications: Send important updates, security notifications, and service announcements
• Performance: Monitor and improve application performance and user experience

4.3 Security & Compliance

• Regulatory Compliance: Comply with HIPAA, GDPR, Swiss FADP, and other applicable healthcare regulations
• Legal Obligations: Respond to legal requests, court orders, and regulatory inquiries
• Security Monitoring: Detect and prevent fraud, abuse, and security threats
• Audit Logging: Maintain comprehensive audit trails for 1 year (HIPAA requirement)
• Compliance Audits: Conduct security audits and compliance monitoring

5.1 GDPR Legal Bases

• Consent (Article 6(1)(a) & Article 9(2)(a)): Where you have provided explicit consent for specific processing activities, particularly for processing sensitive health data
• Contract (Article 6(1)(b)): To provide the healthcare services you have requested and to fulfill our contractual obligations
• Legal Obligation (Article 6(1)(c)): To comply with healthcare regulations, court orders, and legal requirements
• Vital Interests (Article 6(1)(d) & Article 9(2)(c)): To protect the health and safety of individuals in emergency situations
• Legitimate Interests (Article 6(1)(f)): For improving healthcare outcomes, application functionality, and security (balanced against your privacy rights)
• Healthcare Services (Article 9(2)(h)): For the provision of healthcare services by healthcare professionals

5.2 Swiss FADP Compliance

• Processing is necessary for the performance of healthcare services
• Processing serves legitimate interests that outweigh privacy concerns
• Processing is required by law or regulation
• Explicit consent has been obtained where required for sensitive health data

5.3 HIPAA Compliance

For US-based healthcare professionals, we process PHI as a Business Associate under HIPAA. Our processing is covered by a Business Associate Agreement (BAA) and is limited to Treatment, Payment, and Healthcare Operations (TPO) as defined by HIPAA.

6.1 Technical Safeguards

• Row Level Security (RLS): PostgreSQL database-level policies ensure you can ONLY access your own patients - enforced by the database itself, impossible to bypass even with direct database access
• Multi-Factor Authentication (MFA): Email verification codes required for sensitive actions (password reset, email change)
• Biometric Authentication: Optional Face ID/Touch ID for app unlock (device-level security)
• Session Management: Automatic 15-minute timeout, secure session tokens (httpOnly cookies), immediate invalidation on logout
• API Security: Advanced authentication and authorization for all data access, rate limiting to prevent abuse
• Regular Updates: Continuous monitoring and patching of security vulnerabilities, dependency updates applied immediately

6.2 Administrative Safeguards

• Access Controls: Role-based access limitations to medical data (Owner, Editor, View Only for shared patients)
• Staff Training: Regular security awareness training for all PixioDoc personnel
• Incident Response: Established procedures for security breach response, including notification within 72 hours
• Business Associate Agreements: Contractual protections with all third-party vendors (Supabase, RevenueCat, Firebase, ZeptoMail)
• Compliance Monitoring: Regular audits and compliance reviews

6.3 Physical Safeguards

• Secure Data Centers: Medical-grade physical security for data storage facilities (managed by Supabase in EU region)
• Device Security: Secure authentication and data protection on mobile devices (biometric locks recommended)
• Backup and Recovery: Secure backup systems with encrypted storage, automatic replication within EU
• Disaster Recovery: Comprehensive disaster recovery and business continuity planning

6.4 Security Monitoring & Incident Response

6.5 Data Breach Notification

In the unlikely event of a data breach affecting your personal or medical information, we will:

• Rapid Detection: 24/7 automated security monitoring with real-time alerts for suspicious activity
• Timely Notification: Within 72 hours of discovery (GDPR requirement) via email and in-app notification
• Information Provided: Nature of breach, data affected, number of records, potential consequences, remediation steps, mitigation measures, contact point
• Regulatory Reporting: Notify Swiss FDPIC, EU DPAs, and comply with HIPAA breach notification requirements
• Support Services: Credit monitoring, identity theft protection (if applicable), dedicated support email

Prevention Measures: Regular security audits (quarterly), penetration testing (annual), security training, incident response drills, third-party assessments

Historical Record: Last Security Audit: November 8, 2025 | Next Scheduled Audit: February 8, 2026 | Data Breaches to Date: Zero (0)

7.1 Healthcare Collaboration (Your Authorization)

• Authorized Sharing: With healthcare professionals you explicitly authorize for collaboration (Pro plans only)
• Access Levels: View Only (view patient data only), Editor (view and add photos, cannot delete), Admin (full access except ownership transfer)
• Treatment Purposes: To facilitate patient care and treatment coordination
• Continuity of Care: To ensure seamless healthcare delivery across providers
• Audit Trail: All sharing activity logged in activity logs
• Consent Confirmation: You must confirm patient consent before sharing

7.2 Third-Party Service Providers

We share limited data with the following trusted service providers who help us operate PixioDoc:

Third-Party Requirements: All service providers are required to sign Business Associate Agreements (BAA) for HIPAA compliance, maintain SOC 2 or ISO 27001 certification, use EU servers for data processing (where applicable), and comply with GDPR and Swiss FADP.

7.3 Legal and Regulatory Requirements

• Legal Compliance: To comply with court orders, subpoenas, or legal obligations
• Regulatory Reporting: To meet healthcare regulatory reporting requirements
• Public Health: To protect public health and safety as required by law
• Law Enforcement: To assist law enforcement in legitimate investigations (with valid legal process)
• Vital Interests: To protect the vital interests of individuals in emergency situations

7.4 What We Do NOT Do

8.1 GDPR Compliance

• Adequacy Decisions: Transfers only to countries with adequate data protection as determined by EU Commission
• Standard Contractual Clauses (SCCs): EU-approved contracts for international transfers
• Binding Corporate Rules: Internal data protection standards for international operations
• Explicit Consent: Where required for specific international transfers

8.2 Swiss FADP Compliance

• Adequate Protection: Ensuring recipient countries provide adequate data protection equivalent to Swiss standards
• Contractual Safeguards: Agreements ensuring Swiss-equivalent data protection
• Consent Mechanisms: Explicit consent for transfers where required

8.3 Data Processing Agreement

For healthcare organizations requiring a formal Data Processing Agreement (DPA), we provide a comprehensive DPA that includes:

• Scope and purpose of data processing
• Types of personal data processed and categories of data subjects
• Security measures and safeguards
• Sub-processor arrangements (Supabase, RevenueCat, etc.)
• Data subject rights procedures
• Assistance with data protection impact assessments
• Notification of personal data breaches
• Deletion and return of data procedures

How to Obtain DPA: Email support@pixiodoc.com with subject "DPA Request" and provide your organization name and contact details. We will send an executed DPA within 5 business days.

9.1 Active Data (While Account is Active)

• Patient Records: Retained indefinitely while your account is active
• Medical Images & Videos: Retained indefinitely while your account is active
• Treatment Logs: Retained indefinitely while your account is active
• Activity Logs: Retained for 1 year from creation date (HIPAA requirement), then automatically deleted

9.2 Deleted Data

• Soft Delete Period: When you delete a patient, it's hidden (not permanently deleted) for 30 days
• Recovery Window: You can restore deleted patients within 30 days by contacting support@pixiodoc.com
• Permanent Deletion: After 30 days, deleted patients are cryptographically erased and cannot be recovered
• Activity Log Deletion: Automatically deleted after 1 year via scheduled job (runs daily at 2 AM UTC)

9.3 Account Deletion

When you delete your account (Settings → Account & Security → Delete Account):

Important: Export your data BEFORE deleting account (Settings → Export Data)

9.4 Impact on Shared Patients

• Patients you shared: Others lose access immediately, receive notification
• Patients shared with you: You lose access, but owner keeps their data

9.5 Subscription Expiration (Unpaid Account)

• Data NOT deleted automatically when subscription expires
• Account becomes read-only after 30 days of non-payment
• Data retained for 120 days to allow reactivation
• After 120 days: Email notification sent, then deletion process begins

10.1 Access and Portability

• Data Access: Right to access and review your personal and medical information anytime in the app
• Data Portability: Right to receive your data in a portable format (JSON, CSV, original files)
• Data Transparency: Clear information about how your data is processed
• Account Dashboard: Self-service access to your data and privacy settings

10.2 Control and Correction

• Data Correction: Right to request corrections to inaccurate information (Settings → Edit Profile, Edit Patient)
• Sharing Controls: Granular control over medical data sharing permissions (3 access levels: View Only, Editor, Admin)
• Consent Management: Ability to modify or withdraw consent for data processing
• Preference Management: Control over communications and notifications (Settings → Notifications)
• Biometric Settings: Enable/disable Face ID/Touch ID for app unlock

10.3 Deletion and Restriction

• Data Deletion: Right to request deletion of your account and associated data (Settings → Delete Account)
• Processing Restriction: Right to limit how your data is processed
• Objection Rights: Right to object to certain types of data processing
• Complaint Procedures: Right to lodge a complaint with supervisory authority (Swiss FDPIC, EU DPAs)

10.4 HIPAA Rights (US Users)

• Access to PHI: Right to access your Protected Health Information
• Accounting of Disclosures: Right to receive an accounting of PHI disclosures (activity logs)
• Request Restrictions: Right to request restrictions on uses and disclosures of PHI
• Confidential Communications: Right to request confidential communications

12.1 Essential Cookies

• Authentication: Secure session management and user authentication (httpOnly cookies, encrypted session tokens)
• Security: Protection against security threats and unauthorized access (CSRF tokens, rate limiting)
• Functionality: Core application features and user preferences
• Performance: Application performance monitoring and optimization (error tracking, crash reports)

12.2 Optional Tracking

• Analytics: Application usage analytics (with consent) - anonymized and aggregated only
• Preferences: User interface and preference settings
• Communications: Email and notification preferences
• Opt-out: Easy opt-out mechanisms for non-essential tracking (Settings → Privacy)

12.3 What We Do NOT Track

13.1 HIPAA Compliance

PixioDoc is fully compliant with the Health Insurance Portability and Accountability Act (HIPAA). We implement appropriate administrative, physical, and technical safeguards to protect your Protected Health Information (PHI) in accordance with HIPAA requirements.

Business Associate Agreement: Available upon request for covered entities. Email support@pixiodoc.com with subject "BAA Request"

13.2 GDPR Compliance

For users in the European Union, we comply with the General Data Protection Regulation (GDPR). We implement privacy by design principles, provide comprehensive user rights, and ensure lawful bases for all data processing activities.

Data Processing Agreement: Email support@pixiodoc.com with subject "DPA Request" - executed DPA sent within 5 business days

13.3 Swiss FADP Compliance

For users in Switzerland, we comply with the Swiss Federal Act on Data Protection (FADP). We ensure adequate protection for Swiss residents' personal data and provide equivalent rights to those under GDPR.

13.4 SOC 2 Controls Implemented

We implement SOC 2 Type II controls for:

• Security (access controls, encryption, monitoring)
• Availability (uptime, disaster recovery)
• Processing Integrity (data accuracy, error handling)
• Confidentiality (data protection, non-disclosure)
• Privacy (GDPR/HIPAA compliance, user rights)

14.1 Notification Methods

Material changes will be announced at least 30 days before taking effect via:

• Email notification: Direct notification to your registered email address
• Application notice: Prominent notice within the PixioDoc application upon next login
• Website posting: Updated policy posted on our website with revision date
• Version tracking: "Last Updated" date displayed prominently

14.2 Your Choices

Your continued use of the Service after the effective date constitutes acceptance of the revised Privacy Policy. If you do not agree to the changes, you must stop using the Service and may delete your Account.

14.3 Review Recommendation

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information. You can view your consent history in Settings → Privacy & Security → Legal Agreements.