OUR ENGAGEMENT

UNIVERSKIN seeks to strictly comply with its obligations under all applicable laws and regulations, including, but not limited to, Regulation (EU) No. 2016/679 of the European Parliament and of the Council of April 27, 2016 says "GDPR", the United States Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”), the Canadian Personal Information Protection and Electronic Documents Act of April 13, 2000, as amended (“PIPEDA”) and any other national law applicable in the territory of practice of the Doctor (hereinafter together the « Regulations applicable to the protection of personal data »).

This Privacy Policy is an integral part of the general conditions of use of the Platform, available at the following link: https://skinxs.com and the general conditions of use of the Doctor's Webshop, available at the following link: https://prescriptionskincare.skinxs.com. All terms identified by a capital letter, if not defined in the Privacy Policy, have the meaning given to them in the general conditions of use.

UNIVERSKIN always seeks to comply with the requirements of the Regulations applicable to the protection of personal data and to carry out processing on personal data only under the conditions provided below.

I. PROTECTION OF DOCTORS’ PERSONAL DATA

When it processes the Personal Data of Doctors registered on the Platform and the Doctor’s webshop, UNIVERSKIN implements processing of these for which it is qualified as "data controller", within the meaning of the Regulations applicable to the protection of personal data.

1. Purposes of the processing of Personal Data

The Personal Data communicated by the Doctor are necessary for the following needs :

Management of the opening and use of the Doctor's account on the Platform, in accordance with the applicable general conditions of use;
Traceability of data between the various websites published by UNIVERSKIN on which the personal data of the Doctor and/or the Patient can be processed and exchanged (the website www.universkin.com (the "Site"), the Platform and the Doctor's Webshop );
Operational management of the Platform and the Doctor’s Webshop:
- Ensure the connection between the Doctor and a User of the Platform;
- Allow the Doctor, from his account, to access the data of his Patients and manage their monitoring in this context, under the conditions provided for in Article II below;
- Respond to the Physician's requests and provide technical support in the use of the Platform, as well as its maintenance;
- In the event of validation of a prescription by the Patient, creation of unique and secure hypertext links between the Platform and the Doctor's Webshop, to allow the Patient to order the Product(s);
Improvement of the performances and functionalities of the Platform and the Doctor’s Webshop;
Prevention and detection of fraud, malware (malicious software or malware) and management of security incidents;
Management of any disputes with the Doctor;
Monitoring and analysis of platform and the Doctor’s Webshop traffic; and
For statistical purposes.

2. Categories of Personal Data processed

UNIVERSKIN collects and processes the following Personal Data from the Doctor:

Information relating to civil status, identity and identification data :
- your name and surname
- your email address
- your photo (optional)
Information relating to professional life :
- the name of the clinic or medical office
- Cabinet / Clinic contact details including opening hours, telephone number, e-mail and website (if applicable)
- a description of the office / clinic
- a photo of the Cabinet / Clinic (optional)

3. Data Preservation

The Doctor's Personal Data will be kept for the duration of its contractual relationship with UNIVERSKIN. When the Account is closed, personal data will then be archived for the legal period necessary for compliance with the legal obligations of UNIVERKSIN and for purposes of proof for the establishment, exercise or defense of a legal claim.

4. Recipients of Personal Doctor Data

The Personal Data of the Doctor is intended exclusively for UNIVERSKIN.

Unless legally or judicially obliging it to do so, UNIVERSKIN will never disclose, assign, rent or transmit Personal Data processed to third parties other than the following recipients :

— The Users, for the purposes of connecting with the Doctor. The personal data will allow the latter to contact the User who will thus become his patient, then to monitor his care, in accordance with the ethical and legal rules applicable to his profession. As such, the Doctor's personal data will be published on the Site, to allow Users to freely choose the doctor by whom they wish to be followed;

— The hosting service provider of the Platform, as mentioned in article III below, for the purpose of performing technical hosting and database management services;

— Employees of UNIVERSKIN services who are responsible for the operational management of the Platform, who have been authorized to process the data and who have received appropriate operating instructions.

5. Doctor's rights over his Personal Data

The Doctor has the possibility to request, at any time, the exercise of the following rights :

RIGHT OF ACCESS: you have the right to ask UNIVERSKIN to provide you with confirmation of the processing of your personal data as well as certain information on the processing carried out by UNIVERSKIN on your data, it being understood that this information is in any event provided in this personal data protection policy ;
RIGHT TO RECTIFY: you have the right to ask UNIVERSKIN to correct, in particular by supplementing or correcting it, all or certain information held about you ;
RIGHT TO LIMIT PROCESSING: you can ask UNIVERSKIN that some of your data will not be processed, in particular when you dispute the accuracy of the data, when the data retention period has ended but you still need it to keep this personal data for the establishment, exercise or defense of a legal claim, or if you have objected to the processing ;
RIGHT TO PORTABILITY OF DATA: you can obtain the communication of the personal data that you have communicated to UNIVERKSIN in a readable format, or ask UNIVERSKIN to transmit the personal data that you have communicated to it to another data controller ;
WITHDRAWAL OF CONSENT: withdraw your consent to the future processing of your personal data by UNIVERSKIN, when the processing is based on consent ;
RIGHT TO SUBMIT A COMPLAINT: file a complaint with the competent data protection authority in the Member State in which you reside (in France: the National Commission for Data Protection and Liberties (3 Place de Fontenoy, 75334 Paris CEDEX 07 - Tel: +33 01 53 73 22) if you consider that the processing operated by UNIVERSKIN constitutes a violation of your personal data.

You acknowledge that you do not have the right to object to the processing of your data or the right to erase it, except in the case where this opposition relates to commercial prospecting, including profiling, except at the risk of automatic and immediate closure of your account on the Platform, failing which UNIVERSKIN can continue to interact with you. The absence of such rights is also justified by compliance with the legal obligations imposed on UNIVERSKIN in particular with regard to rules of access and traceability of access to Patient Data.

In order to allow the exercise of your rights, you are requested to contact the Data Protection Officer, Maître Eric ELABD at 04.93.00.11.96 or by sending an email to the following address: dpo@universkin.com.

II. PROTECTION OF PATIENT DATA

For the purposes of this article :

(I) Patient Data designates the personal data of Patients, processed within the framework of the use of the Platform and/or the Doctor’s Webshop, relating both to their civil status (“Identifying Data”) and to their health (“Qualifying Data”). Patient Data can be communicated by the Patient himself if he is a User of the Site and/or collected directly by the Doctor via his account on the Platform. To find out more about the treatment of the Patient Data operated by UNIVERSKIN, if necessary, jointly responsible with the Doctor or subcontracted by the latter (see the stipulations below), the Doctor is invited to read the Patients privacy notice available at the following address: https://www.skinxs.com/patient-notice.

(II) Patient designates a patient of the Doctor - User or not of the Site, whose Patient Data is processed through the Platform as part of his medical follow-up by the Doctor.

1. Roles and responsibilities

Given the purposes of the Platform and the Doctor's Webshop, when processing the Patient Data identified below, the Doctor expressly acknowledges and accepts that UNIVERSKIN may have the following qualities, within the meaning of the Regulations applicable to the protection personal data:

Data controller: UNIVERSKIN then determines the purposes and means of the processing, i.e. the processing is carried out on behalf of UNIVERSKIN, which is responsible for the measures taken to operate this processing;
Joint controller: UNIVERSKIN determines jointly with the Doctor the purposes of the processing carried out via the Platform and/or the Doctor’s Webshop. UNIVERSKIN and the Doctor are jointly and severally responsible for the security and confidentiality measures implemented to preserve the personal data of Users;
Subcontractor: UNIVERSKIN acts on behalf of the Physician, qualified as 'data controller', on the latter's instructions and within the limits of the missions entrusted to it contractually.

2. Mapping of Patient Data processing

2.1. Processing carried out on the Platform (https://skinxs.com):

Responsibilities	Purpose	Legal basis	Categories of data processed
UNIVERSKIN, together with the Doctor	Management of the User's connection to the Platform and the provision of the Questionnaire	Execution of the general conditions of use of the Platform	Identifying Data IP address Connection logs
UNIVERSKIN, together with the Doctor	Ensure and manage the connection between the User and the Doctor consulted through the Platform (incoming flows when the Doctor registers the User on the Platform, management of the relationship in use and management of outgoing flows)	Execution of the general conditions of use of the Platform	Identifying Data Qualifying Data
Doctor, UNIVERSKIN acting as a subcontractor	Establishment, from the Qualifying Data communicated by the User, of an initial scientific analysis of his Qualifying Data aimed at assisting the Doctor in the diagnosis he will make, with a view to defining a dermatological formulation adapted to the User	Execution of the general conditions of use of the Platform	Identifying Data Qualifying Data
Doctor, UNIVERSKIN acting as a subcontractor	Automation, by the Tool, of the establishment of the diagnosis, the cosmetic formulation and the prescription of the Product	Execution of the general conditions of use of the Platform	Identifying Data, previously pseudonymized Qualifying Data
Doctor, UNIVERSKIN acting as a subcontractor	Data annotation and labeling to improve the quality and accuracy of automated skin assessment	Execution of the general conditions of use of the Platform and Legitimate interest	Identifying Data, previously pseudonymized Qualifying Data
Doctor, UNIVERSKIN acting as a subcontractor	Respond to User requests and provide technical support in their use of the Platform, as well as its maintenance	Execution of the general conditions of use	E-mail address Any personal data and other information that the User could communicate to UNIVERSKIN or the Doctor in this context
Doctor, UNIVERSKIN acting as a subcontractor	Management of any disputes with Users concerning the use of the Platform	Legitimate interest	Identifying Data Connection logs IP address If applicable, identity document (exercise of a right)
UNIVERSKIN	Operational management of the Platform (ensure its proper functioning, support and maintenance)	Execution of the general conditions of use	Identifying Data Connection logs IP address If applicable, if an anomaly concerns the Qualifying Database, possible access to this data.
UNIVERSKIN	Prevention and detection of fraud, malware and management of security incidents	Legitimate interest	Connection logs IP address Last name First Name E-mail address
UNIVERSKIN	Monitoring and analysis of traffic on the Platform in order to improve its functionalities and the user experience	Legitimate interest	Statistical data usage (cookies) IP address Connection logs
UNIVERSKIN	Statistics	Legitimate interest	Statistical data usage (cookies)
UNIVERSKIN	Unless the User objects, for secondary scientific research purposes in order to improve the mechanism for defining the formulation of products designed by UNIVERSKIN	Processing necessary for scientific research purposes (article 9.1 j of the GDPR)	Identifying Data, previously pseudonymized Qualifying Data

2.2. Processing carried out on the Doctor’s Webshop (https://prescriptionskincare.skinxs.com):

Responsibilities	Purpose	Legal basis	Categories of data processed
UNIVERSKIN, together with the Doctor	Ensure the traceability of data between the Doctor and the User between the Site and the Platform	Legitimate interest
Doctor, UNIVERSKIN acting as a subcontractor	Ensure the order taking, purchase and delivery of products ordered on the Site	Execution of the general conditions of sales	Identifying Data Shopping cart Delivery postal address and, if different, billing address
Doctor, UNIVERSKIN acting as a subcontractor	Provide after-sales service	Execution of the general conditions of sales	Identifying Data Shopping cart Delivery postal address and, if different, billing address
Doctor, UNIVERSKIN acting as a subcontractor	Claims management	Legitimate interest	Identifying Data Shopping cart If applicable, if the complaint concerns the quality of the products sold, the Qualifying Data
Doctor, UNIVERSKIN acting as a subcontractor	Operational management of the Doctor’s Webshop (ensure its proper functioning, support and maintenance)	Execution of the general conditions of use	Identifying Data Where applicable, shopping cart and postal addresses (delivery and invoicing), as well as any data that the User may communicate in this context
UNIVERSKIN	Prevention and detection of fraud, malware and management of security incidents	Legitimate interest	Connection logs IP address Last name First Name E-mail address
UNIVERSKIN	Platform traffic monitoring and analysis	Legitimate interest	Statistical data usage (cookies) Connection logs IP address
UNIVERSKIN	Statistics	Legitimate interest	Statistical data usage (cookies)

3. Physician's responsibility for processing Patient Data

Patient Data processed by the Doctor through the Platform and the Doctor’s Webshop is strictly covered by professional secrecy, which the Doctor seeks to respect and to make respect to the members of his team who could gain access to the Patient Data. The Doctor is the sole master of the proper use, with discernment and wit, of the Platform and the Doctor’s Webshop and the data it contains and, in particular, Patient Data.

As responsible - alone or jointly with UNIVERSKIN - for the processing carried out on Patient Data through the Platform and the Doctor's Webshop, the Doctor undertakes :

To set up and maintain appropriate security and confidentiality measures for its information system, such as to guarantee adequate protection of the personal data it processes, adapted to the risks engendered by their processing on the rights and freedoms of his Patients, in accordance with the Regulations applicable to the protection of personal data and the regulatory and ethical requirements related to his professional activity;
To respect, at all times and in any event, the rights of Patients whose Patient Data is processed and, in particular, immediately inform UNIVERSKIN if a Patient sends him directly (ie outside of the contact form or the dedicated contact email, available on the Site or the Doctor's Webshop) a request in the event of the exercise of a right by a Patient under the Regulations applicable to the protection of personal data;
In the event of a personal data breach, proceed within 72 hours of becoming aware of a personal data breach, to notify the competent authorities and the persons concerned by the breach, under the conditions and according to the procedures provided for by the Regulations applicable to the protection of personal data.

The violation may affect the Platform or the Doctor's Webshop, in which case UNIVERSKIN undertakes to notify it under the conditions provided for in section 4 below.
If the violation affects the Doctor's information system (excluding the Platform and/or Doctor's Webshop), the Doctor undertakes to immediately inform UNIVERSKIN in order to allow the latter to take all the security measures necessary to avoid or limit the spread of the violation to its own information system.

With specific regard to the Doctor's Webshop, the Doctor undertakes to inform the Patient of the transmission of his personal data to UNIVERSKIN for the purposes of placing an order. The Doctor undertakes to obtain the prior consent of the Patient to do so and guarantees UNIVERSKIN in this regard. The Doctor also undertakes to obtain the Patient's consent for the sending of notifications by UNIVERSKIN by sms and/or email, for the purpose of informing the Patient of the methods of ordering his products on the Doctor's Webshop.

The Patient is then invited to connect to the Doctor's Webshop.

On the Doctor's Webshop, the Patient will be invited to view his analysis results carried out by the Doctor then, if he wishes, order the product(s) recommended by the Doctor and/or offered in addition by UNIVERSKIN.

The procedure for ordering Products is governed by the general terms and conditions of sale of the Doctor's Webshop, available at the following address: https://skinxs.com/terms-of-sales.

4. Responsibility of UNIVERSKIN for the processing of Patient Data

Whether acting as joint controller or subcontractor of the Doctor, UNIVERKIN undertakes to comply with the following obligations:

ensure the confidentiality of Patient Data and ensure that each person whom they authorize to process said data seeks to respect confidentiality or is subject to an appropriate obligation of confidentiality ;
ensure the security and integrity of Patient Data on the Platform. As such, UNIVERSKIN implements and maintains appropriate security measures as specified in article III below ;
not to use Patient Data for purposes other than those provided for and recalled herein and in the Patient Privacy Policy, and not to keep them beyond the period provided for in these documents. In any case, UNIVERSKIN undertakes to respect the stipulations of point 7 below concerning the fate of Patient Data;
not to grant, rent, assign or otherwise communicate to another person, all or part of the Patient Data with the exception of the recipients mentioned in the Patient Privacy Policy;
provide assistance to the Doctor in order to allow him to respond, within the time limits and under the conditions provided for by the Regulations applicable to the protection of personal data, to any request for the exercise of a right, request or complaint by a data protection authority member or any other regulator ;
not to transfer the Patient Data processed to countries outside the European economic area which have not been recognized by the European Commission as ensuring an adequate level of protection (i) without first obtaining the express written authorization of the Doctor and (ii) without the implementation of legal instruments recognized as appropriate by the Regulations applicable to the protection of personal data to supervise the transfer(s) concerned;
immediately alert the Doctor in the event of a violation of Patient Data and, when UNIVERSKIN acts as joint manager or subcontractor of the Doctor, to assist the Doctor in the implementation of any action to deal with this data breach, including notifications to the competent authorities and to persons affected by the breaches and provide any useful information enabling the extent of the data breach to be assessed and the means to be remedied to be identified;

5. Secondary use of Patient Data by UNIVERSKIN

The Doctor recognizes and accepts that Patient Data of Patients who have not objected to the secondary use of their personal data by UNIVERSKIN for research purposes with a view to improving the mechanism of definition of the formulation of products designed by UNIVERKSIN, may be processed by UNIVERSKIN for this purpose. In strict compliance with professional secrecy, Patient Data will be pseudonymized beforehand by an automated process based on depletion and the secure hashing by private key of Patient Data, so that the data used for research purposes does not contain any personal data that could directly identify a patient.

The Doctor declares and acknowledges having informed the Patients that he follows, and of which he integrates Patient Data on the Platform, regarding the secondary use of their personal data for research purposes. The Doctor seeks to immediately inform UNIVERSKIN in the event of a Patient's opposition to the secondary use of his personal data. The Doctor guarantees UNIVERSKIN against any action by the Patient in relation to prior information and non-opposition to the processing of data in this context.

6. Release of Patient Data at the end of the use of the Platform and the Doctor’s Webshop by the Doctor

At the end of the use of the Doctor’s account on the Platform, for whatever reason, UNIVERSKIN will return the Patient Data processed on the Platform and the Doctor’s Webshop to the Doctor who requests it.

The Doctor expressly recognizes and accepts that UNIVERSKIN will keep all Patient Data (Identifying Data and Qualifying Data) which have been communicated by the User with a view to creating his User account on the Site, to allow the User to transmit his Personal Data to any other doctor of his choice.

Only the Patient Data collected by the Doctor on the Platform, as part of his care for the User (all data linked to the Doctor’s account) will be deleted.

III. SECURITY MEASURES IMPLEMENTED ON THE PLATFORM

UNIVERSKIN undertakes to set up and maintain appropriate security and confidentiality measures such as to guarantee adequate protection of the personal data processed, adapted to the risks engendered by their processing on the rights and freedoms of the persons concerned. These measures aim in particular to (i) protect personal data against their destruction, loss, alteration, disclosure to unauthorized third parties and (ii) ensure the restoration of the availability of personal data and access to it within deadlines appropriate in the event of a physical or technical incident. UNIVERSKIN also undertakes to set up a procedure aimed at regularly testing, analyzing and evaluating the effectiveness of their technical and organizational measures to ensure the security of processing.

The Site and the Doctor's Webshop as well as the personal databases, excluding the Qualifying Database, are hosted in France by the company OVH (RCS Roubaix 424 761 419).

The Platform as well as the Qualifying Database and the Doctor's Webshop as well as the personal databases, are hosted in France by the company AWS HDS (RCS Nanterre 487482143).

In accordance with the regulations applicable to the protection of personal data, this/these hosts act as a subcontractor of UNIVERSKIN. The host does not have the right to use the Personal Data it hosts, except for the purpose of performing technical hosting and database management services and only under the contractual conditions signed between the host and UNIVERSKIN, in compliance with the Regulations applicable to the protection of personal data and, with regard to the hosting of health data, the HDS certification imposed by the public health code.

IV. MANAGEMENT OF COOKIES

UNIVERSKIN uses cookies for the proper functioning of the Site and the Platform and to monitor and analyze the traffic on it. A "cookie" is a small data file sent to the User's browser by a web server and stored on the hard drive of his computer. There is no risk of damaging the computer.

The information collected through cookies is solely and strictly intended for UNIVERSKIN, in compliance with the regulations applicable to the protection of personal data. Cookies from third-party publishers (Google, Facebook, etc.) allow these publishers to access the information collected through their cookies.

UNIVERSKIN uses the following cookies:

Performance cookies

These cookies allow the Site and the Platform to provide functionality and personalization of the user experience, based on previous visits and selections.

Cookie name

Storage period

LiveChat (LiveChat Inc.)

3 years

Sentry

3 years

Statistics cookies

These cookies make it possible to differentiate the visitors and to realize statistics of use of the Site and the Platform by the Users, such as, the frequency, the duration and the recurrence of the visits.

Cookie name

Storage period

gid (Google Analytics)

1 day

ga (Google Analytics)

14 months

gat (Google Analytics)

1 day

The User is free to consent to the use of all or part of the cookies (other than cookies strictly necessary for the operation of the Site and the Platform) used by UNIVERSKIN on the Site and the Platform. The User is also free to withdraw their consent to the use of cookies at any time, by clicking on the following link : info@universkin.com.

The User can also configure his browser to accept cookies or deactivate them. The instructions for cookies on the most used browsers are available on the following links :

— Windows Internet Explorer® :
https://support.microsoft.com/fr-fr/help/17442/windows-internet-explorer-delete-manage-cookies.

— Mozilla Firefox® : https://support.mozilla.org/fr/kb/autoriser-bloquer-cookies-preferences-sites.

— Google Chrome® : https://support.google.com/accounts/answer/61416?co=GENIE.Platform%3DiOS&hl=fr.

— Apple Safari® (iPhone ; iPad) : https://support.apple.com/fr-fr/HT201265.

— Apple Safari® (Mac) : https://support.apple.com/fr-fr/guide/safari/sfri11471/mac.

— Deactivation of Google Analytics : https://tools.google.com/dlpage/gaoptout.

V. EVOLUTION OF THE PRIVACY POLICY

This Privacy Policy can be modified, supplemented or updated at any time by UNIVERSKIN, in particular to take into account any legal, regulatory, jurisprudential and / or technical development, with the aim of constantly guaranteeing the best data protection of the User’s Personal information. UNIVERSKIN will inform Users of any updates to the Privacy Policy by email at least fifteen (15) days before the effective date of the change. If the User does not agree with the terms of the new wording of the Privacy Notice, he is free to request the closure of his Account and the deletion of his Personal Data by writing to the following address : info@universkin.com.