Privacy Policy
Last updated: 2026-06-16
Dersoma processes personal data in line with GDPR principles: lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, and confidentiality.
1. Data Controller and Contact
Controller (legal entity): Dersoma, MB (Lithuanian private legal entity). For international audiences we use the trade name Dersoma.
Registered office: Vilties g. 16A, LT-58386 Dotnuva, Kėdainių district municipality, Republic of Lithuania.
Company registration number (JAR): 307658420 (public register: registrucentras.lt).
Contact (including privacy requests): supportdersoma@gmail.com.
Data Protection Officer (DPO): not appointed. Privacy requests can be sent to the contact email above. We may appoint a DPO if required by law.
2. Data We Process
- Photos uploaded for skin analysis (including when you use the app without creating an account).
- Questionnaire and check-in answers (health-related context you choose to submit).
- AI-generated analysis outputs shown in the app.
- Analysis history on your device:saved runs (photos URLs, questionnaire, analysis text) are stored in your browser's localStorage on that device — they are not synced to a server-side account library unless we add that feature later and update this policy.
- Account data for sign-in (email) and session identifiers managed by Supabase Auth.
- Subscription and billing metadata (plan type, subscription status, Stripe customer/subscription identifiers, current period end).
- Optional weekly check-in reminders: push subscription data (endpoint/keys) and/or email address, day, time, timezone, language — keyed by a device identifier stored in your browser.
- Technical data: IP address (including for abuse prevention and rate limiting), request metadata, and security logs.
2a. Photos: storage, retention, and deletion
Uploaded skin photos are stored in Supabase Storage in the photos bucket.
- Signed-in users: files are stored under a folder tied to your account ID (
uploads/<user-id>/…). When you delete your account (and no active paid period blocks deletion), we delete files in that folder as part of the deletion process. - Guest / free users without an account: files may be stored under a shared guest prefix (
uploads/guest/…). They are not linked to an account and are kept until removed by lifecycle processes or a verified erasure request.
There is no automatic expiry timer on all photo objects by default. Removing an item from in-app history on your device does not delete the underlying storage file unless we implement that link.
For complete erasure of any remaining files or rows, email supportdersoma@gmail.com from your registered address. We respond within a reasonable period, subject to legal retention (e.g. Stripe billing records).
2b. Questionnaire data, analysis text, and AI inference
Questionnaire and check-in answers are processed to generate educationaloutputs. Analysis text may be kept in your browser's local history as described above.
Special category data (GDPR Article 9): Skin photos and questionnaire/check-in answers may reveal or relate to health (e.g. symptoms, sleep, diet, stress, emotional wellbeing, treatment history). We treat this as special category data. We process it only with your explicit consent (see section 3) when you tick the consent box and submit an analysis request.
Dersoma does not use your photos or questionnaire answers to train or fine-tune any machine-learning model owned by Dersoma.
Google Gemini (United States): Live analysis is performed by calling Google Gemini APIs operated by Google LLC and/or its affiliates (United States). Our servers send prompts that can include encoded skin images and questionnaire/check-in text(including health-related fields) to Google's infrastructure for inference. Google processes that content only to return a responsefor your request, under Google's applicable terms, privacy notices, and safety/logging rules. We do not control Google's internal systems or retention beyond what their policies describe. OpenAI is not used for live skin analysis at this time; if we enable another provider later, we will update this policy before doing so.
International transfer for AI: Because Google is established outside the EEA/UK, submitting an analysis request involves a transfer of personal data (including special category health-related data) to the United States for the duration of that API call and any short-term processing Google performs. See section 6 below for the transfer safeguards we rely on. If you do not want this transfer, do not submit photos or health-related questionnaire data for AI analysis.
AI outputs are labelled in the app as AI-generated and educational only. They may be incomplete or incorrect.
2c. Optional “Share results” (public link)
If you use Share, we create a read-only link with no uploaded skin photos. It may include educational text and limited questionnaire fields needed to render the view. Anyone with the link can read it until expiry.
Snapshots are stored in Supabase with an expiry of approximately 90 days, then removed or made unavailable.
3. Legal Bases (GDPR Art. 6 and Art. 9 where applicable)
- Contract performance: providing analysis, premium features, and account services you request.
- Explicit consent (Art. 9): processing photos and health-related questionnaire/check-in data for educational analysis — you give this when you tick the consent box before using analysis features and submit the data.
- Consent: push notifications and optional email reminders.
- Legitimate interests: security, abuse prevention, rate limiting, and service reliability (balanced against your rights).
4. Why We Use Data
- Generate AI-based educational skin insights and check-in comparisons.
- Let you review past runs stored on your device.
- Send weekly reminders when you enable them.
- Operate subscriptions and premium access.
- Process payments via Stripe (we do not receive your full card number).
- Send optional email reminders via Resend.
- Create optional expiring share links when you choose Share.
- Find nearby dermatology-related places (coordinates sent to OpenStreetMap services).
- Fetch representative weather data for premium recommendations (country-level, via Open-Meteo).
5. Service Providers (Processors)
We use the processors below. Where they publish a DPA, we rely on it together with their terms for production processing. International transfers use their published mechanisms (e.g. SCCs).
Vercel
Hosts the Next.js application, API routes, and scheduled jobs. Processes HTTP request data and logs.
Supabase
Authentication, database (e.g. share snapshots, reminder tables), and photo storage.
Stripe
Payments, subscriptions, billing portal, invoices. Card data stays with Stripe.
Google (Gemini API) — processor; transfers to the United States
Role: processor (sub-processor under our instructions) for AI inference. Data sent: encoded images and text prompts derived from your questionnaire/check-in (may include special category health-related content). Location: processing may occur in the United States and other countries where Google operates. Safeguards: we rely on Google's Cloud Data Processing Addendum (incorporating EU Standard Contractual Clauses for transfers) and related Google AI / Gemini terms applicable to the API product you enable. Google's documentation describes supplementary measures and certification programmes where offered.
PubMed / NCBI
Search terms derived from your questionnaire (not photos) to retrieve article metadata for citations.
OpenStreetMap — Nominatim
Reverse geocoding (coordinates → locality label) when needed; User-Agent includes a contact email.
OpenStreetMap — Overpass API
Nearby dermatology-related place search: your coordinates and search radius are sent to public Overpass endpoints to query map data.
Open-Meteo
Representative current weather for the country you selected in the questionnaire (no API key; coordinates of a representative city, not your precise GPS unless you separately use location features).
Resend
Transactional email (reminders, contact form) when configured.
Web Push (browser / OS vendors)
Delivers push reminders when you opt in; subscription endpoint and keys stored on our servers.
DNS / CDN (if configured)
If dersoma.com or related domains use a proxy/CDN (e.g. Cloudflare), that provider may process IP addresses and TLS metadata under its own terms.
Official GDPR / DPA resources
6. International Transfers (outside the EEA/UK)
Several providers process data in countries that do not have an EU adequacy decision (including the United States). We rely on appropriate safeguards required by GDPR Chapter V, typically:
- Standard Contractual Clauses (SCCs)in the provider's Data Processing Addendum or equivalent contract (e.g. Supabase, Stripe, Vercel, Resend, Google Cloud / Gemini).
- Your explicit consent (Art. 9) for transfers of special category health-related data to Google in the US when you choose to run AI analysis (in addition to contractual safeguards).
- Provider supplementary measures and security commitments described in their DPA and security documentation.
Google Gemini — key point:Each time you request skin analysis, health-related photos and questionnaire text may be transmitted from our servers (hosted in the EU or elsewhere) to Google's systems in the USfor inference. We do not store your full prompt indefinitely on Google's side; retention is governed by Google's policies for the Gemini API product. You can request more information via supportdersoma@gmail.comor exercise rights against us as controller; for Google's own processing, Google's privacy notices also apply.
Other transfers (e.g. Stripe payments, Supabase hosting region, Vercel edge logs) follow each vendor's DPA and region settings configured for our project.
7. Retention
- Device analysis history (localStorage): until you clear browser data or remove entries in the app.
- Account-tied photos: until account deletion (folder wipe) or erasure request.
- Guest uploads: until erasure request or operational cleanup.
- Share snapshots: ~90 days.
- Reminder subscriptions: until disabled or invalid endpoint removed.
- Stripe billing records: as required by law and Stripe settings.
- Security / rate-limit logs: short operational period only.
8. Your Rights
- Access, rectify, erase, restrict processing, portability (where applicable), object to legitimate-interest processing.
- Withdraw consent (e.g. disable push/email reminders).
- Complain to your supervisory authority (Lithuania: VDAI).
Contact supportdersoma@gmail.com. Self-service account deletion is available in Settings when permitted. We may verify identity before disclosing or deleting data. Response within one month where GDPR applies.
9. Security
We use access controls, environment secrets, least-privilege server access, upload content validation, and rate limiting. No internet system is risk-free.
10. Children
Dersoma is not directed at children under 16. Do not use the service if you are under 16 without parental consent where required. Contact us to request deletion of a child's data.
11. Email unsubscribe links
Reminder emails include an unsubscribe URL with your device identifier and email address. The link is not a secret password; anyone with the link could disable reminders for that schedule. Treat forwarded emails accordingly.
12. Policy Changes
We update this policy when the product, law, or providers change. The "Last updated" date shows the current version.