PRIVACY POLICY OF THE "DERMOVO" APPLICATION

Effective date: 01.07.2026

1. Roles in data processing

  1. The "Dermovo" Application operates on a model in which your personal data is processed for the purpose of using the services of a selected beauty salon or aesthetic medicine clinic (the "Salon").
  2. The controller of your personal data is the Salon whose services you use through the Application. The Salon's identifying details (business name, address, contact data) are presented in the Application and provided by the Salon.
  3. Defence Union sp. z o.o. (Aleje Jerozolimskie 123A, 02‑001 Warsaw, KRS 0000807970, NIP 7010949057, REGON 384586614; the "Operator") provides the Application and processes data:
     - as a processor – on behalf of and on the instructions of the Salon, under a data processing agreement (Art. 28 GDPR);
     - as a separate controller – only for the technical and operational purposes described in section 4 (e.g. security, error diagnostics, maintenance and development of the Application).
  4. Data contact: [email protected].

2. What data we process

  1. Account data: e‑mail address, first and last name and – optionally – date of birth.
  2. Booking data: selected Salon, type of Treatment, date, booking history and communication with the Salon.
  3. Health data (special category): information about booking a specific aesthetic medicine or cosmetology Treatment may reveal health data within the meaning of Art. 9 GDPR.
  4. Technical and diagnostic data: device data, technical identifiers, error and crash logs, and data needed to deliver push notifications.

| Purpose | Legal basis |
| --- | --- |
| Creating and maintaining an Account and providing the Application service | Art. 6(1)(b) GDPR (contract) |
| Fulfilling bookings and the Treatment contract by the Salon | Art. 6(1)(b) GDPR (contract with the Salon) |
| Processing health data in connection with a Treatment | Art. 9(2)(a) GDPR (explicit consent) or Art. 9(2)(h) GDPR (where it concerns health care) |
| Ensuring security, diagnostics and development of the Application | Art. 6(1)(f) GDPR (Operator's legitimate interest) |
| Sending push notifications | Art. 6(1)(a) GDPR (consent) |
| Handling complaints and defending against claims | Art. 6(1)(c) and (f) GDPR |

4. Recipients and processors

The Operator uses trusted providers that process data under data processing agreements:

  1. Sentry (Functional Software, Inc., USA) – error and crash monitoring of the Application; processes technical and diagnostic data.
  2. Tpay (Krajowy Integrator Płatności S.A., Poznań, Poland) – payment processing to the Salon. Tpay processes payment data as a separate controller under its own privacy policy.
  3. Railway (Railway Corp.) – hosting and server infrastructure; data stored in the European Union region.
  4. Expo (650 Industries, Inc., USA) – delivery of push notifications to mobile devices.

Data may also be disclosed to entities authorised under applicable law.

5. Transfers outside the European Economic Area

  1. The server infrastructure (Railway) is located in the European Union.
  2. Some providers (Sentry, Expo) are based in the United States, which may involve transfers outside the EEA. Such transfers are carried out under the Data Privacy Framework.

6. Data retention

  1. Account data is kept for the duration of use of the Application and, after Account deletion, for the period necessary for settlements or defence against claims until the limitation period expires.
  2. Booking data and health data are retained by the Salon in line with its own legal obligations.
  3. Diagnostic data is kept for the period necessary to ensure security, typically no longer than 90 days.

7. Your rights

  1. You have the right to: access your data, rectification, erasure, restriction of processing, data portability, objection to processing based on legitimate interest, and withdrawal of consent at any time (without affecting the lawfulness of processing before withdrawal).
  2. For data processed by the Salon as controller, those rights are exercised through the Salon. The Operator supports their exercise as a processor.
  3. You have the right to lodge a complaint with the President of the Personal Data Protection Office (ul. Stawki 2, 00‑193 Warsaw, Poland), or your local supervisory authority.

8. Voluntary nature of providing data

Providing Account data is voluntary but necessary to use the Application and book Treatments. Providing a date of birth is entirely optional. Granting consents (e.g. for push notifications) is voluntary.

9. Push notifications

Push notifications are delivered via the Expo service and require consent granted at the level of the device operating system. You may withdraw this consent in your device or Application settings at any time.

10. Children

The Application is intended only for adults. We do not knowingly collect data of persons under 18.

11. Changes to this Privacy Policy

This Policy may be updated. We will inform you of material changes via the Application or e‑mail. The current version is always available at dermovo.pl/privacy-policy-dermovo-en.