Privacy Policy for Skinpal
Version 2026
1. Introduction
1.1 Welcome to Skinpal. We understand that you are trusting us with sensitive information about your health and wellbeing, and we take that responsibility seriously.
1.2 This Privacy Policy explains how we collect, use, store, and protect your personal data when you use the Skinpal mobile application (the "App"). It also describes your rights and how you can exercise them.
1.3 We are committed to protecting your privacy and processing your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and all other applicable data protection laws.
2. Who we are – Data Controller
2.1 The data controller for all personal data collected through the App is TSW Nordic AB (company registration number 559516-7585), a company registered in Sweden.
2.2 Contact details for data protection matters:
Address: Övre Sanatoriegatan 34, 416 83 Göteborg, Sweden
Email: dpo@skinpal.com
3. What Personal Data We Collect
Depending on how you use the App, we may collect the following categories of personal data:
3.1 Identity and contact data: This includes your name, username, email address, and other identifiers you provide when you create an account.
3.2 Health-related and lifestyle data (special category data): This includes photographs of your skin, skin history, severity tracking, treatments, potential triggers, and logs of your interactions. This is considered "special category personal data" under GDPR because it relates to your health.
3.3 Community and communication data: When you use community features, we collect posts, threads, messages, your anonymized username, and interactions with other users.
3.4 Technical and device data: This includes your IP address (when necessary for security), device model, operating system version, app logs, and crash analytics.
3.5 Support and communication data: If you contact support, we collect messages, attachments, and feedback you provide.
4. How and Why We Use Your Personal Data
We only use your personal data when we have a legal basis to do so:
4.1 To provide and maintain the App: To operate the App, verify identity, and provide personalized functionalities. (Legal basis: Performance of contract).
4.2 To enable community features: To allow participation in threads and connection with other users. (Legal basis: Performance of contract and explicit consent for health info).
4.3 To track and analyze your skin condition: To provide personalized insights and track changes. (Legal basis: Your explicit consent).
4.4 To improve and develop the App: To develop new features and conduct aggregated trend analysis or research. (Legal basis: Legitimate interest).
4.5 To ensure security and prevent fraud: Security monitoring and fraud prevention. (Legal basis: Legitimate interest).
4.6 To comply with legal obligations: For bookkeeping and responding to lawful requests. (Legal basis: Legal obligation).
5. Legal Basis for Processing Special Category Data
5.1 We process health-related data, images, and research-driven insights based on your explicit consent.
5.2 You may withdraw your consent at any time, though this does not affect the lawfulness of processing that occurred before the withdrawal.
6. How Long We Keep Your Data
6.1 We retain personal data only as long as necessary to provide our services or as required by law.
6.2 Specific retention periods:
Account data: Retained while your account is active and for a reasonable period afterwards.
Health and tracking data: Retained while your account is active or until you request deletion.
Community posts: May be retained in anonymized form after account deletion.
Support communications: Retained for up to 3 years after the last interaction.
Anonymized data: May be retained indefinitely for research and statistical purposes.
7. Data Security
7.1 All personal data is stored solely within the EU/EEA at audited data centres compliant with ISO/IEC 27001.
7.2 Security measures include encryption at rest and in transit (TLS 1.2+), strict role-based access controls, vulnerability assessments, and secure backup routines.
8. Data Transfers Outside the EU/EEA
8.1 Your data is stored exclusively on servers within the EU/EEA. Transfers outside the EU/EEA will only occur if fully compliant with GDPR safeguards, such as Standard Contractual Clauses (SCCs).
9. Sharing Your Data with Third Parties
9.1 We do not sell your personal data to third parties.
9.2 We may use third-party processors for hosting, analytics, or support. These processors are bound by Data Processing Agreements (DPA) and cannot repurpose your data.
9.3 Third-party services will never receive identifiable health data unless explicitly required for functionality or authorized by your consent.
10. Anonymization and Research
10.1 We may use anonymized data for dermatological analysis, identifying patterns in topical steroid withdrawal, research publications, and clinical collaborations.
10.2 Where data is fully anonymized so individuals can no longer be identified, it falls outside the scope of GDPR.
11. Your Rights
Under GDPR, you have the following rights:
Right of access: Request a copy of your personal data.
Right to rectification: Request correction of inaccurate data.
Right to erasure: Request deletion of your data (subject to legal retention requirements).
Right to restrict processing: Request restriction of data usage.
Right to object: Object to processing based on legitimate interests.
Right to data portability: Receive your data in a machine-readable format (JSON, CSV).
Right to withdraw consent: Withdraw consent at any point.
Right to lodge a complaint: Contact the Swedish Authority for Privacy Protection (IMY) or your local authority.
12. Children and Minors
12.1 The App must not be used by minors without verified parental or legal guardian consent. We reserve the right to refuse service if verification is not provided.
13. Changes to This Privacy Policy
13.1 We may amend this policy from time to time. You will be notified of material changes, and continued use of the App after notification constitutes acceptance.