Privacy Policy

How we handle your clinical data

Effective: 4 May 2026 · Version 1.0

This policy is a current working draft. It is reviewed and updated as our practices evolve.

In one paragraph

SkinVault is clinical software for dermatologists and skin cancer surgeons. We store patient records and clinical images on your behalf. All data is hosted in Australia, encrypted in transit and at rest, and access is restricted to you and the people you authorise. We never sell clinical data, and we share it only with the processors listed in §7 (for example, the AI providers you elect to use). We comply with the Australian Privacy Act 1988, including the Australian Privacy Principles, and the New Zealand Privacy Act 2020.

1. Who we are

SkinVault is operated by SkinVault Pty Ltd (ABN: [to be confirmed]), an Australian-registered company. In this policy, “we”, “us”, and “SkinVault” refer to SkinVault Pty Ltd.

SkinVault is intended for use by registered medical practitioners — dermatologists, skin cancer surgeons, general practitioners, plastic surgeons, and nurse practitioners — practising in Australia and New Zealand. When a clinician uses SkinVault to record information about their patient, the clinician is the data controller for that patient's personal information; we are the data processor.

2. Who this policy applies to

This policy applies to:

  • Clinicians who hold a SkinVault account.
  • Patients whose records are stored in SkinVault by a treating clinician.
  • Visitors to skinvault.app and our marketing pages.

If you are a patient and wish to access, correct, or delete your records, please contact your treating clinician in the first instance — they control your records within SkinVault.

3. What information we collect

Clinician account information: name, professional title, specialty, clinic name, work email, password hash, and Stripe customer ID if you subscribe.

Patient clinical data entered by the clinician:

  • Demographics (name, date of birth, sex, contact details, Medicare or NHI number where entered).
  • Clinical history, risk factors, lesion records, body-site location, and clinical notes.
  • Clinical and dermoscopic images, including post-operative photographs.
  • Procedure records (excisions, biopsies, cryotherapy, topical treatments, etc.).
  • Histopathology results and pathology report text.
  • Consent forms and patient-signed documents.

Usage data: log entries showing which records were created, viewed, or modified, and when (used for clinical audit and security under HIPAA-aligned audit controls).

Technical data: IP address, browser type, and timestamps from server logs, retained for security monitoring.

4. Why we collect it

  • To provide the SkinVault clinical platform to you and your patients.
  • To generate clinical audit reports (e.g. SCARD-aligned procedure audits).
  • To run AI-assisted features (lesion analysis, clinical letter generation, surgical planning) when you elect to use them.
  • To comply with our legal obligations (clinical record retention, taxation, dispute resolution).
  • To detect and respond to security incidents.

6. Where we store your data

All clinical data is stored in Australia, in the AWS Sydney region (ap-southeast-2), via our database provider Supabase. Data leaves Australia only when it is sent to the AI providers and other processors described in §7.

Encryption:

  • At rest: AES-256 on database storage and image object storage.
  • In transit: TLS 1.3 on all client and server connections. This is transport encryption between each pair of endpoints, not end-to-end encryption: our servers, and the processors listed in §7, handle clinical data in plaintext while they process it.

Access controls: row-level security policies in our database ensure that a clinician can read and modify only the records of their own patients, plus records that the owning clinician has explicitly authorised them to access. Internal staff access is logged and limited to incident response.

7. AI processing and third parties

When you elect to use an AI feature (lesion analysis, clinical brief, GP letter, surgical plan, dictation), the relevant clinical text and images are sent to a third-party AI provider for processing. We currently use:

  • OpenRouter (routing to Anthropic/OpenAI/DeepSeek models) for clinical text generation.
  • OpenAI for image embedding and Whisper transcription.
  • AssemblyAI for real-time clinical dictation.

These providers process data outside Australia (see §6) and are bound by their own privacy obligations; content submitted through their commercial APIs is not used to train their models. Patient names, Medicare or NHI numbers, and other directly identifying fields are stripped before a prompt is sent, so providers receive only de-identified clinical text. This de-identification applies to text fields; it cannot remove identifying features from a clinical image itself (for example, a lesion photograph that includes the face or a distinctive mark), so clinicians should crop such photographs before using image-based AI features.

Other processors we rely on:

  • Supabase Inc. — database, auth, file storage (data hosted in Australia).
  • Vercel Inc. — application hosting (Vercel's edge cache holds application code and static assets; clinical data is fetched from Supabase per request and is not stored at the edge).
  • Stripe Inc. — payment processing (subscription billing only; no clinical data is sent to Stripe).

Beyond the processors listed above, we do not sell, rent, or share clinical data with anyone: not advertisers, data brokers, insurers, or any other party. Ever.

8. How long we keep your data

Clinical records are retained for seven (7) years from the last interaction, in line with Australian medical record retention guidelines (longer for paediatric records, where applicable, until the patient turns 25).

If you cancel your subscription, your account is suspended but your clinical records are retained for the statutory period, then deleted. You may request earlier deletion of any personal information that is not subject to a legal retention obligation under §10.

Server logs are retained for 90 days. Audit logs covering reads and writes to clinical records are retained for the full retention period of the underlying records.

9. Security measures

  • TLS 1.3 for all connections in transit (see §6 for what this does and does not cover).
  • AES-256 encryption at rest.
  • Row-level security in the database: a clinician cannot read another clinician's records unless that clinician has authorised the access.
  • Append-only audit log of every write to clinical tables (patients, lesions, procedures, histology, lesion images), plus access logging of reads (see §3 and §8).
  • Password hashing using industry-standard algorithms (bcrypt via Supabase).
  • Optional sign-in with Google, Apple, or Facebook via OAuth 2.0; we never receive or store the password for those accounts.
  • Notifiable Data Breach scheme: in the event of an eligible data breach, we will notify the OAIC and affected individuals as required under Part IIIC of the Privacy Act 1988.
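The two database controls named above, row-level security (§6 and this section) and the append-only audit log, can be expressed directly in the Postgres database that Supabase provides. The following is an added illustration, not SkinVault's own schema or policies: it assumes a `patients` table with a `clinician_id` owner column, a hypothetical `clinical_audit` table, and Supabase's `auth.uid()` function and `authenticated` role.

```sql
-- Added illustration, not SkinVault's schema. Table and column names are assumed.
-- auth.uid() and the "authenticated" role are provided by Supabase.

create table patients (
  id           uuid primary key default gen_random_uuid(),
  clinician_id uuid not null default auth.uid(),  -- owning clinician
  full_name    text not null,
  created_at   timestamptz not null default now()
);

-- 1. Row-level security: a clinician sees and edits only rows they own.
alter table patients enable row level security;
alter table patients force row level security;   -- apply to the table owner as well

create policy patients_owner_select on patients
  for select to authenticated
  using (clinician_id = auth.uid());

create policy patients_owner_insert on patients
  for insert to authenticated
  with check (clinician_id = auth.uid());

create policy patients_owner_update on patients
  for update to authenticated
  using (clinician_id = auth.uid())
  with check (clinician_id = auth.uid());       -- a row cannot be re-assigned to someone else

-- No DELETE policy is created: with RLS enabled, deletes are denied by default.

-- 2. Append-only audit log (hypothetical table): every write is recorded,
--    and the application role is never granted UPDATE or DELETE on the log.
create table clinical_audit (
  id         bigint generated always as identity primary key,
  table_name text        not null,
  row_id     uuid        not null,
  action     text        not null,   -- 'INSERT', 'UPDATE' or 'DELETE'
  actor      uuid,                   -- auth.uid() at the time of the write
  old_row    jsonb,
  new_row    jsonb,
  logged_at  timestamptz not null default now()
);

alter table clinical_audit enable row level security;
-- No policies on clinical_audit: the API roles can neither read nor change it.
-- Only the SECURITY DEFINER trigger below (running as its owner) can insert.
revoke update, delete, truncate on clinical_audit from public;

create or replace function log_clinical_write() returns trigger
language plpgsql security definer as $$
begin
  -- Branch on the operation so that the absent record (NEW on DELETE,
  -- OLD on INSERT) is never referenced.
  if tg_op = 'INSERT' then
    insert into clinical_audit (table_name, row_id, action, actor, old_row, new_row)
    values (tg_table_name, new.id, 'INSERT', auth.uid(), null, to_jsonb(new));
    return new;
  elsif tg_op = 'UPDATE' then
    insert into clinical_audit (table_name, row_id, action, actor, old_row, new_row)
    values (tg_table_name, new.id, 'UPDATE', auth.uid(), to_jsonb(old), to_jsonb(new));
    return new;
  else
    insert into clinical_audit (table_name, row_id, action, actor, old_row, new_row)
    values (tg_table_name, old.id, 'DELETE', auth.uid(), to_jsonb(old), null);
    return old;
  end if;
end $$;

create trigger patients_audit
after insert or update or delete on patients
for each row execute function log_clinical_write();
```

Two points matter when checking a setup like this. `force row level security` closes the usual gap where the table owner bypasses policies, and the absence of any policy on the audit table means the API roles cannot read, alter, or forge audit rows; the trigger function runs as its owner, so that owner must hold INSERT on `clinical_audit` and the function must not be callable by the application role for any other purpose.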

10. Your rights

You have the right to:

  • Access the personal information we hold about you (APP 12 / IPP 6).
  • Correct inaccurate personal information (APP 13 / IPP 7).
  • Delete your account and any personal information not subject to a legal retention obligation.
  • Export your clinical records in a structured, machine-readable format.
  • Complain to us, or directly to the OAIC (Australia) or the Office of the Privacy Commissioner (NZ).

Patients should contact their treating clinician for access requests; clinicians may contact us using the details below.

11. Cookies and tracking

SkinVault uses essential authentication cookies to keep you signed in. We do not use third-party advertising cookies or cross-site tracking. We do not have Google Analytics, Facebook Pixel, or any similar product loaded on the application or marketing pages.

12. Children's data

SkinVault is used by clinicians who may treat paediatric patients. Where a record relates to a child, the treating clinician is responsible for obtaining consent from the child's parent or legal guardian in accordance with their professional obligations.

13. Changes to this policy

We will update this policy as our practices change. The “Effective” date at the top reflects the most recent revision. Material changes will be notified to clinicians by email at least 30 days in advance.

14. Contact us

If you have a question about this policy, want to exercise a privacy right, or wish to lodge a complaint:

Privacy Officer
SkinVault Pty Ltd
Email: privacy@skinvault.app
Website: skinvault.app

We aim to respond to privacy enquiries within 30 days.