Privacy

How we handle your data.

This statement describes which personal data we process, for what purpose, and on what legal basis. As of: May 2026.

1. Controller

Mosaic Medical UG (haftungsbeschränkt)
Stubbenhof 16, 21147 Hamburg
E-Mail: kontakt@dermalia.de

2. Data processing at a glance

Dermalia is medical software that converts 3D skin scans from your practice's diagnostic devices into a skin report. We process only the data we technically need for this: the scan identifier, the scan data itself (3D model, skin images and measured skin values) and, optionally, the patient's first name and email address so that we can deliver the report.

We explicitly do not process: date of birth, address, insurance number, diagnoses in plain text, prior treatments or other medical record content.

3. Which data we process

3.1 During the scan in the practice

  • Scan identifier (generated by the Isemeco device)
  • 3D model and images of the skin surface
  • Measured skin values (wrinkles, pores, pigmentation, redness, hydration)
  • First name and email address, if provided by the patient
  • Practice ID (which practice carried out the scan)

3.2 When accessing the report

  • Access timestamp, anonymised IP address (via Vercel)
  • Browser type, device type (to optimise rendering)
  • Behavioural events (clicks, page views) for product improvement

4. Legal basis

Processing takes place on the basis of Art. 6 (1) (b) GDPR (performance of the contract with the practice, for which we act as data processor) and Art. 9 (2) (h) GDPR (health data for medical diagnostics). The relationship between you and your treating practice remains unaffected.

5. Data processors and external services

We use the following services, with which data processing agreements (DPA) per Art. 28 GDPR exist or are being finalised:

  • Vercel Inc. (web app hosting), servers in the EU (Frankfurt). Contracts under EU standard contractual clauses.
  • Neon Inc. (PostgreSQL database), region eu-central-1 (Frankfurt).
  • Resend Inc. (email delivery for reports), GDPR compliant.
  • Meiquc Ltd. / Isemeco (3D scanner manufacturer), API for transferring raw scan data. Servers in the EU cluster (Frankfurt). DPA being finalised.

6. Retention period

Report data is stored for the duration agreed with the practice (default: 24 months from scan date), then automatically deleted. You can request earlier deletion at any time (see section 8).

7. Cookies and tracking

We use only technically necessary cookies and anonymised reach measurement via Vercel Analytics. No third-party advertising cookies. No ad networks.

8. Your rights

You have the right at any time to information (Art. 15), rectification (Art. 16), deletion (Art. 17), restriction of processing (Art. 18), data portability (Art. 20) and objection (Art. 21). You can lodge a complaint with the supervisory authority responsible for you (e.g. Hamburg Data Protection Commissioner).

Please send requests to kontakt@dermalia.de.

9. Data security

Data in transit is encrypted (TLS 1.3). Data in the database is encrypted at rest. Access to production systems by our staff requires multi-factor authentication. Detailed security information is available at dermalia.de/sicherheit.

10. Changes

We reserve the right to adjust this privacy policy if there are changes to the legal situation or our services. The current version is available at this URL.