Data Transfer Policy

Effective April 3, 2026

This policy explains how Derm handles cross-border data transfers, where information may be processed, and the safeguards used to protect that information.

Overview

Derm may use personnel, infrastructure, vendors, and care partners located in more than one country. As a result, personal information may be accessed, stored, or processed outside the country where it was originally collected.

When that happens, we aim to apply a consistent level of contractual, operational, and technical protection and to use transfer mechanisms recognized under applicable privacy law.

Where Your Data Is Processed

Depending on the product features you use, your information may be processed in the following locations:

  • United States, for core application infrastructure, support operations, analytics, and certain product workflows.
  • European Union or other regional hosting environments, where regional storage, compliance, or performance requirements apply.
  • Other jurisdictions connected to specialist handoff, local care delivery, or approved vendors supporting a service you request.

Transfer Mechanisms

When personal information is transferred across borders, we may rely on one or more of the following legal bases or safeguards, depending on the transfer:

  • Standard Contractual Clauses or equivalent transfer terms recognized by relevant regulators.
  • Adequacy decisions or similar findings that a destination jurisdiction provides an adequate level of protection.
  • Intra-group agreements, data processing addenda, or comparable contractual safeguards used with affiliates and vendors.
  • Your instructions or consent where permitted by law and appropriate for the specific transfer.

Safeguards

We do not apply a lower level of protection to information that is transferred across borders. Wherever information is processed, we aim to apply safeguards such as:

  • Encryption in transit and at rest where reasonably appropriate.
  • Role-based access restrictions and authentication controls for systems handling sensitive information.
  • Vendor diligence, contractual data protection commitments, and confidentiality obligations.
  • Operational review, monitoring, and incident response procedures designed to reduce transfer-related risk.
  • Additional handling restrictions for categories of information that are more sensitive, including health-related content.

Sub-processors

We work with third-party service providers that help us host, secure, support, analyze, and operate Derm. Those providers may process personal information on our behalf only under written terms that describe their responsibilities and limit how they may use the data.

We review sub-processors before use and expect them to maintain appropriate privacy and security standards for the functions they perform.

Health Data Transfers

Health-related information and uploaded images are treated with additional care when a transfer is necessary:

  • We aim to limit access to the minimum personnel, vendor, or provider groups needed to support the requested workflow.
  • We design product and infrastructure decisions to reduce unnecessary movement of sensitive information across jurisdictions where reasonably possible.
  • Where specialist review is involved, information may be shared only with the provider or care partner needed to support that consultation.

Your Rights

Depending on applicable law, you may have the right to:

  • Ask whether your information has been transferred internationally and which categories of recipients may receive it.
  • Request information about the safeguards we rely on for certain transfers.
  • Object to processing or request restrictions where such rights apply.
  • Contact a supervisory authority or regulator in your jurisdiction if you believe your rights have been violated.

To exercise these rights, contact us at privacy@derm.com.

Changes to This Policy

We may update this policy when our infrastructure, vendor relationships, or legal obligations change. When we do, we will revise the effective date on this page and provide additional notice where required.

The date shown above reflects the most recent version of this policy.

Contact

For questions about cross-border data handling, contact us at:

legal@derm.com