Privacy Policy

Last updated: April 1, 2026

1. Data Controller

The data controller responsible for processing your personal data is:

DermIOnline
Thunstrasse 2
3005 Bern
Switzerland
dermionline@hin.ch

2. Data We Collect

We collect the following categories of personal data when you use DermIOnline:

  • Account data: full name, email address, date of birth, country of residence, phone number.
  • Health data: skin condition descriptions, symptom information, medical history, current medications, known allergies, and photos of the affected area.
  • Payment data: transaction identifiers processed by Stripe. We do not store card details.
  • Usage data: consultation history and account activity logs.

3. Purpose of Processing

We process your data for the following purposes:

  • To provide the dermatology consultation service (delivery of written assessments).
  • To manage your account and authenticate your identity.
  • To process payments via Stripe.
  • To send service-related notifications (email and SMS) regarding your consultation status.
  • To comply with applicable legal obligations under Swiss medical law.

The legal basis for processing health data is your explicit consent given at account registration (Art. 9(2)(a) GDPR), and the performance of the service contract (Art. 6(1)(b) GDPR).

4. Who Sees Your Data

Your consultation data — including health information and photos — is accessible only to the dermatologist assigned to your case. DermIOnline staff do not access medical content except for technical support purposes, and only with your consent.

We do not sell, rent, or share your personal or health data with third parties for marketing purposes.

Sub-processors we use include:

  • Supabase (EU/Frankfurt) — database and file storage.
  • Stripe — payment processing.
  • Resend — transactional email delivery.
  • Twilio — SMS/WhatsApp notifications to the doctor.
  • Vercel — application hosting.

5. Data Storage and Retention

All patient data — including consultation records and medical photos — is stored on servers located in the EU (Frankfurt, Germany), operated by Supabase.

In accordance with Swiss medical law (KVG/LaMal), consultation records are retained for a minimum of 10 years from the date of the consultation.

Account data is retained for as long as your account is active. If you request account deletion, we will remove your personal data subject to legal retention obligations.

6. Your Rights

Under GDPR and Swiss data protection law, you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Correction — request correction of inaccurate data.
  • Deletion — request deletion of your personal data (subject to legal retention requirements).
  • Portability — receive your data in a structured, machine-readable format.
  • Objection — object to processing based on legitimate interests.
  • Withdrawal of consent — withdraw consent at any time, without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at dermionline@hin.ch. We will respond within 30 days.

7. Cookies and Tracking

DermIOnline uses only strictly necessary cookies required for authentication and session management (via Supabase Auth). We do not use advertising or analytics tracking cookies.

8. Governing Law

This Privacy Policy is governed by Swiss law (nDSG) and, where applicable, the EU General Data Protection Regulation (GDPR). Any disputes shall be subject to the jurisdiction of the courts of Bern, Switzerland.

9. European Health Data Space (EHDS) — Regulation (EU) 2025/327

9.1 What is the EHDS?

The European Health Data Space (EHDS) Regulation (EU) 2025/327 entered into force on 26 March 2025 and establishes a comprehensive EU-wide framework for the sharing and use of electronic health data. DermIOnline is committed to full compliance with EHDS requirements as they come into effect between 2027 and 2029.

9.2 Your Rights Under EHDS

Under the EHDS, you have the following rights regarding your electronic health data:

  • The right to access your electronic health data in a standardised European format.
  • The right to add personal health information to your record.
  • The right to restrict access to specific parts of your health data, or to specific persons.
  • The right to view a log of who has accessed your health data.
  • The right to request corrections to your health data if errors are found.
  • The right to opt out of your data being used for secondary purposes (research and innovation).

9.3 Secondary Use of Health Data

Your health data may only be used for secondary purposes (such as research or public health) through authorised Health Data Access Bodies (HDABs) and only within secure processing environments. You have the right to opt out of secondary use at any time by contacting us at info@mdpharma.swiss.

9.4 Data Protection Officer

In accordance with GDPR Article 37 and EHDS requirements, DermIOnline has appointed a Data Protection Officer (DPO). You may contact our DPO at info@mdpharma.swiss.

9.5 Timeline

The EHDS Regulation will apply progressively from March 2027, with secondary use provisions becoming fully applicable from March 2029. We will update this policy as implementing acts and national guidance become available.

9.6 Cybersecurity

DermIOnline implements technical and organisational security measures in accordance with GDPR Article 32 and the NIS2 Directive, including encryption of data in transit and at rest, access controls, and regular security assessments.

10. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or applicable law. We will notify you of material changes by email. The date at the top of this page reflects the most recent update.
