Dermidia

Privacy Policy

Effective date: March 16, 2026 · Dermalapps LLC

Dermalapps LLC (“we,” “us,” or “our”) operates the Dermidia website (dermidia.com), the Dermidia Sense sensor dashboard (sense.dermidia.com), and related mobile and web applications (collectively, the “Services”). This Privacy Policy explains what information we collect, why we collect it, how we use and protect it, and your choices regarding your information.

By using our Services, you acknowledge the collection and use of information as described in this policy. If you do not agree, please discontinue use of the Services.


1. Information We Collect

a. Information you provide directly

  • Contact submissions — name, email address, message details, and any other information you submit through our forms or by email.
  • Account credentials — if you register for Dermidia Sense, your account is managed through Amazon Cognito. We receive a unique user identifier (Cognito sub) but do not directly store your password.

b. Information collected automatically

  • IP address and approximate location — when you use our public DSI tools, your browser requests a city- or region-level location estimate from Geoapify using your IP address. Our infrastructure and service providers may also process IP addresses and request metadata for security, performance, and abuse prevention. We do not intentionally store precise geolocation for public tool use.
  • Usage and diagnostic data — infrastructure logs may record request timestamps, pages or routes visited, browser and device metadata, referrers, response status, and similar diagnostic information. We use this information for security, troubleshooting, and service improvement.
  • Cookies and session data — we use cookies to maintain your session state. See Section 3 for details.

c. Sensor and device data (Dermidia Sense users)

If you use Dermidia Sense with a connected sensor device (DSIsense or Shelly), we collect:

  • Indoor temperature and relative humidity readings uploaded by your device, typically every 15 minutes.
  • Derived DSI values computed from those readings.
  • Device identifier associated with your provisioned device.
  • Timestamps of sensor readings.

This data is stored in our cloud infrastructure (AWS DynamoDB) and is associated with your account. See Section 5 for how we use sensor data, including our de-identified internal analytics and research program.


2. How We Use Your Information

We use the information we collect for the following purposes:

  • To provide the Services — calculating and displaying DSI forecasts, historical analysis, and sensor dashboard data.
  • To authenticate users — verifying your identity to protect access to your Sense dashboard and sensor data.
  • To respond to inquiries — replying to messages and following up on device, pilot program, partnership, or general requests.
  • To improve the Services — analyzing usage patterns and sensor data trends in aggregate or de-identified form to develop more accurate DSI models, environmental insights, and skincare guidance.
  • To ensure security — detecting and preventing unauthorized access, fraud, or abuse.
  • To comply with legal obligations — responding to lawful requests from government authorities or courts.

3. Cookies and Session Data

We use the following cookies. We do not use advertising cookies or cross-site tracking cookies.

dev_auth · Strictly necessary

Temporary password-protection cookie used when the site or a subdomain is operating behind a pre-release access gate. Contains a session token used to allow access to the gated site.

Retention: Session

sense_session · Strictly necessary

Authenticates your Dermidia Sense session after you log in through the Dermidia app or the Sense website. Contains an encoded session payload with your Cognito user identifier and, when applicable, a linked device identifier.

Retention: 30 days

sense_id_token · Strictly necessary

Stores a short-lived Cognito identity token in an httpOnly cookie so the Dermidia Sense web backend can make authenticated provisioning requests to AWS-hosted services on your behalf without exposing the token to browser JavaScript.

Retention: Up to 1 hour

Server/CDN logs · Strictly necessary

Standard infrastructure logs (Vercel) recording request metadata for security and performance monitoring. Not a cookie; stored server-side only.

Retention: Up to 30 days

You may configure your browser to refuse cookies or alert you when cookies are set. Disabling the sense_session or sense_id_token cookie will prevent access to authenticated Dermidia Sense features, including device provisioning.


4. Data Sharing and Disclosure

We do not sell, rent, or trade your personal information. We may share information only in the following limited circumstances:

  • Service providers — we use trusted third-party vendors who process data on our behalf under confidentiality obligations. These include cloud hosting (Amazon Web Services, Vercel), identity management (Amazon Cognito), geolocation lookup (Geoapify), transactional email (Resend), and payment processing if paid services are enabled. Each provider receives only the data necessary to perform its function.
  • Legal requirements — we may disclose information when required by law, court order, or governmental authority, or when we believe disclosure is necessary to protect our rights, prevent fraud, or ensure user safety.
  • Business transfer — if Dermalapps LLC is acquired or merges with another entity, your information may be transferred as part of that transaction. We will endeavor to ensure the acquiring entity honors this Privacy Policy or notifies you of any material changes before they take effect.
  • Aggregated insights — we may publish or describe high-level aggregate trends (for example, regional DSI patterns) that do not reasonably identify any individual, household, or device. We do not share underlying de-identified sensor-level datasets with third parties in the ordinary course of business.

5. Sensor Data and De-Identified Internal Research

For Dermidia Sense users, sensor readings (temperature, humidity, DSI values, and timestamps) are stored in association with your account to power your personal dashboard.

To improve the Services and better understand indoor environmental patterns, we may convert older sensor readings into de-identified records by removing account identifiers, device identifiers, and other information that could reasonably link the data back to you, your household, or a specific device. These de-identified records may be retained indefinitely and used internally to:

  • Develop and refine DSI calculation models.
  • Study patterns of indoor environmental conditions across housing types, climates, and seasons.
  • Support internal scientific analysis of indoor environmental factors relevant to skin comfort and dryness.
  • Improve guidance and recommendations within the Services.

We do not use this process to create advertising audiences, we do not attempt to re-identify de-identified records, and we do not share de-identified sensor-level datasets with third parties except if required by law or as part of a corporate transaction described in Section 4. Once data has been de-identified so that it can no longer reasonably be linked to you, it is no longer treated as personal data and is not subject to deletion requests. This de-identification occurs as part of our lifecycle management for older readings rather than your current live dashboard data.


6. Data Retention

  • Contact messages — retained for as long as necessary to respond to your inquiry, provide follow-up, and maintain ordinary business records, typically no more than 24 months unless ongoing correspondence or an active relationship requires longer retention.
  • Sensor readings (identifiable) — retained while your Dermidia Sense account is active and for up to 12 months after account closure, after which readings are either deleted or anonymized as described in Section 5.
  • Session cookies — the dev_auth cookie expires when the browser session ends, the sense_session cookie expires 30 days from issuance unless refreshed upon re-authentication, and the sense_id_token cookie expires within about 1 hour.
  • Server logs — retained for up to 30 days for security and operational purposes.

7. Security

We implement technical and organizational measures appropriate to the sensitivity of the data we hold. These include encryption in transit (HTTPS/TLS), encrypted storage, access controls limiting data access to authorized personnel and systems, and identity verification via Amazon Cognito for Sense users.

No method of internet transmission or electronic storage is 100% secure. In the event of a data breach that materially affects your personal information, we will notify you and relevant authorities as required by applicable law.


8. Your Privacy Rights

Depending on where you reside, you may have the following rights regarding your personal information:

  • Right to know — you may request a description of the personal information we hold about you and how it is used.
  • Right to delete — you may request deletion of your personal information. We will honor such requests subject to any legal obligations requiring us to retain certain data.
  • Right to correct — you may request correction of inaccurate personal information we hold about you.
  • Right to opt out of sale or sharing — we do not sell personal information or share it for cross-context behavioral advertising.
  • Right to non-discrimination — exercising your privacy rights will not result in denial of service or different pricing.

California residents may exercise rights under the California Consumer Privacy Act (CCPA) as amended by the CPRA. To submit a request, contact us at support@dermidia.com. We will respond within 45 days.

Our Services are not intended for users under 17. We do not knowingly collect personal information from children under 13. If we become aware that a child under 13 has provided personal information, we will delete it promptly.


9. Third-Party Services and Links

The Services may contain links to third-party websites. This policy does not apply to those sites, and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any third-party services you access through our Services.

Our key service providers and their relevant privacy practices:

  • Amazon Web Services (AWS) — cloud infrastructure, authentication (Cognito), and data storage. AWS is certified under multiple security and privacy frameworks.
  • Vercel — web hosting and edge delivery. Vercel processes request logs in connection with serving the site.
  • Geoapify — IP-based geolocation for DSI calculation. Your browser sends your IP address to Geoapify to obtain approximate location data for public DSI tools.
  • Resend — transactional email delivery for contact handling. Form submissions may include your name, email address, and message details.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the effective date at the top of this page. For significant changes affecting how we use personal data, we will provide additional notice (such as a notice on the site or, for Sense users, an email notification). Continued use of the Services after the effective date constitutes acceptance of the updated policy.


11. Contact Us

If you have questions about this Privacy Policy or wish to exercise your privacy rights, please contact us:

Dermalapps LLC

Email: support@dermidia.com

Or use the contact form on this site.