Privacy Policy · GDPR

How we protect the data you and your patients trust to SkinCloud.

SkinCloud is built so that clinical photographs leave your device only as ciphertext. This page explains exactly what we process, why, where it lives, and how to get rid of it.

Beta · TestFlight · Last updated 8 May 2026 · Operated from Portugal
On this page
  1. Who we are
  2. What data we process
  3. Lawful basis
  4. How we protect it
  5. Sub-processors
  6. Retention
  7. Your rights
  8. International transfers
  9. Changes

01 · Who we are

SkinCloud is an iOS application for medical professionals to document patient sessions — encrypted clinical photographs, intake history (anamnesis), and tamper-evident audit logs. The application is operated from Portugal, contactable at joaompc@gmail.com.

Under GDPR, the doctor who uses SkinCloud is the data controller for their patients' personal data; SkinCloud is the data processor, acting on the doctor's instructions and bound by professional secrecy of the same standard the doctor owes their patients. If you are a patient whose photos or history were stored in SkinCloud by your doctor, please contact your doctor first — they hold the controller relationship for your data.

02 · What data we process

From the doctor

Account holder

  • Email address — for sign-in.
  • Authentication tokens issued by Supabase Auth.
  • Audit log of in-app actions: sign-in, photo upload, photo view, export, deletion. Used to support the doctor's own GDPR Art. 30 record-keeping.
From the patient (entered by the doctor)

Patient record

  • Display label, optionally pseudonymous (e.g. "Patient 024").
  • Optionally: full name, date of birth, gender, referral source, treatment goals.
  • Anamnesis — medical history, prior surgeries, current medications, allergies, skin type and conditions, contraindication flags, lifestyle, and free-text notes.
  • Clinical photographs taken or imported by the doctor.
  • Records of digital consent — timestamped, captured via QR-code scan to a separate consent web page.
We do not collect location data, contact lists, advertising identifiers, third-party analytics, or marketing data.

03 · Lawful basis

Health data is processed under GDPR Article 9(2)(h) — processing necessary for the provision of medical care by, or under the responsibility of, a health professional bound by professional secrecy. The doctor records the patient's explicit consent to photographic documentation via the in-app consent flow.

04 · How we protect it

Five layers, implemented in this order.

End-to-end encryption for clinical photos

Every photo is sealed on the doctor's device with a per-photo AES-GCM-256 key, wrapped under a master key kept only in the doctor's iCloud Keychain. SkinCloud staff and operators cannot decrypt photos — the master key never leaves the doctor's hardware unencrypted. Recovery is via a one-time recovery code shown at signup; if the doctor loses that code together with their devices, the photos cannot be recovered.
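The envelope scheme described above, as an added example in Go that is not SkinCloud's own code: a random key per photo, the photo sealed with AES-256-GCM under that key, the key wrapped under the master key, and only the two sealed blobs leaving the device. Using the photo id as associated data, the nonce-prefixed blob layout and the function names are assumptions, not details from this page.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

func aead(key []byte) cipher.AEAD { // AES-256-GCM for a 32-byte key
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // every key here is 32 random bytes, so this is a programming bug
	}
	g, _ := cipher.NewGCM(block) // cannot fail for a valid AES block
	return g
}
// seal draws a fresh random nonce per call, prefixes it, and binds aad (the photo id, an assumption).
func seal(key, plaintext, aad []byte) []byte {
	g := aead(key)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // no entropy: never fall back to a fixed nonce
	}
	return g.Seal(nonce, nonce, plaintext, aad)
}
// open fails closed on any change to nonce, ciphertext, tag or photo id.
func open(key, blob, aad []byte) ([]byte, error) {
	g := aead(key)
	if len(blob) < g.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}
// SealPhoto runs on the doctor's device: one random 256-bit key per photo, wrapped under the master key.
func SealPhoto(masterKey []byte, photoID string, photo []byte) (wrappedKey, ciphertext []byte) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		panic(err)
	}
	return seal(masterKey, dek, []byte(photoID)), seal(dek, photo, []byte(photoID))
}
// OpenPhoto unwraps the per-photo key, then the photo; without masterKey the server can only store the blobs.
func OpenPhoto(masterKey []byte, photoID string, wrappedKey, ciphertext []byte) ([]byte, error) {
	dek, err := open(masterKey, wrappedKey, []byte(photoID))
	if err != nil {
		return nil, err
	}
	return open(dek, ciphertext, []byte(photoID))
}
func main() {} // entry point for a stand-alone build; the behaviour is in the functions above
```

Decrypting with any key other than the master key, with a modified blob, or under a different photo id fails authentication rather than returning garbage, which is what makes the "staff cannot decrypt" claim checkable.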

Server-side encryption for text fields

Anamnesis, notes, and patient identifiers are encrypted at rest by Supabase (AES-256 on disk) and accessed only via Row Level Security policies that scope every query to the owning doctor's user id.

Transport — TLS 1.3

All connections between the app, the consent web page, and Supabase use TLS 1.3 with modern ciphersuites.

App-level access control

Email + password authentication, plus a Face ID / Touch ID / device passcode lock on cold launch and after 60 seconds of backgrounding.

Tamper-evident audit log

Append-only by Row Level Security — the doctor can read but cannot edit or delete records. Every access to patient data is logged with timestamp and action, providing a forensically useful history for both their own compliance and any investigation.

05 · Sub-processors

Each sub-processor is bound by a Data Processing Agreement consistent with GDPR Art. 28.

Provider       | Purpose                                                                                                   | Region
Supabase Inc.  | Database (PostgreSQL), authentication, file storage, edge functions.                                      | AWS Frankfurt · EU
Apple Inc.     | iCloud Keychain for master-key sync (end-to-end encrypted by Apple), App Store / TestFlight distribution. | Global · E2EE
Vercel Inc.    | Static hosting for skincloud.app, including the patient consent web page.                                 | Global edge

06 · Retention

Patient records are retained while the doctor's account is active. When the doctor deletes a patient, all associated photos, sessions, and anamnesis rows — and the underlying ciphertext storage objects — are removed within 30 days.

When the doctor deletes their entire account from the in-app "Danger zone," every record they own is wiped immediately and irreversibly: photos cannot be recovered after this point, even by us.

07 · Your rights · GDPR Art. 15–22

Access & portability

Settings → Export my data produces a downloadable archive (manifest JSON + decrypted JPEGs) of every record the doctor stores.

Rectification

Records can be edited directly in the app at any time.

Erasure

Settings → Delete my account — irreversible, propagated to all sub-processors within 30 days.

Restriction or objection

Email joaompc@gmail.com and we'll act within one calendar month.

Right to lodge a complaint

In Portugal, the CNPD; otherwise, your local supervisory authority.

08 · International transfers

SkinCloud data is stored in the European Union (Supabase / AWS Frankfurt). iCloud Keychain items sync via Apple's globally distributed infrastructure, end-to-end encrypted; only the doctor's Apple ID can decrypt them.

09 · Changes to this policy

Material changes are notified through the app and by email. The "Last updated" date at the top of this page is always current.