SkinLink Privacy Policy

Last updated: 2026-05-09

SkinLink is a mobile application that lets clinicians capture and securely route dermatology cases (lesion photos plus consent metadata) to specialists for asynchronous review. This Privacy Policy describes what data the app collects, how it is used, and how it is protected.

If you have questions, contact the app operator at the email listed in the App Store / Play Store listing.


1. What we collect

When you use SkinLink, the app collects:

  • Account information — your email address and assigned role (Clinician, Specialist, or Admin), set at the time your account is created by your organization's Admin.
  • Authentication data — a hashed password and one or more device public keys you generate during enrollment. The corresponding private keys never leave your device.
  • Patient case content — photographs of skin lesions, free-text case notes, structured clinical fields, and (when enabled by your organization) a consent reference. All case content is end-to-end encrypted on your device before it is uploaded. The server stores only ciphertext and routing metadata; it never holds plaintext patient information.
  • Case lifecycle metadata — the IDs of cases you create or are assigned to, their lifecycle state (new, assigned, in-review, diagnosed, closed), assignment timestamps, and audit events that record security-relevant actions (sign-in, sign-out, case opened, diagnosis sent, withdrawal, and so on).
  • Device identifiers — a per-installation push notification token and the public-key thumbprint that identifies your enrolled device.
  • Operational telemetry — failed sign-in counts (used for account-lockout protection) and sync-engine retry state. No usage analytics are collected.

The app does not collect:

  • Location data, contacts, calendar, or microphone access, or any device identifier beyond the push token and key thumbprint listed above.
  • Patient names, dates of birth, or other plaintext identifiers in any column the server can read.
  • Advertising identifiers; SkinLink contains no advertising.

2. How we use it

  • Your email and role are used to authenticate you and route cases to you.
  • Case content is decrypted only on the recipient device (the assigned Specialist, the Clinician who created the case, and Admins who hold a role-wrapped key for audit). Patient names and identifying details should be entered into the encrypted case body, never the routing metadata.
  • Audit events are retained per your organization's retention policy and are visible only to Admins.
  • Push tokens are used solely to deliver notifications about cases you are a participant in (assigned to you, or diagnosed for cases you created).

We do not use your data for advertising, profiling, or third-party tracking.


3. Where it lives

  • On your device: an encrypted SQLite database keyed to a device-specific secret stored in the OS keychain, the device private key (Secure Enclave / Keystore), and any drafts or queued uploads that have not yet synced.
  • On Supabase (our hosted Postgres + Storage backend): the encrypted ciphertext blobs, RLS-gated routing metadata, and the audit log. The dataset is hosted in the Supabase region your organization selected.
  • Apple Push Notification service / Firebase Cloud Messaging: opaque push tokens only. No case content is ever included in a push payload — notifications carry only a case ID and a generic title.

The Supabase project enforces Row-Level Security on every table; users cannot see rows that belong to other users or other organizations.


4. Third parties

SkinLink uses the following processors:

Service                                | Purpose                                   | Data shared
---------------------------------------+-------------------------------------------+-----------------------------------------------------------
Supabase                               | Hosted Postgres, Authentication, Storage  | Encrypted case blobs, RLS-gated routing metadata, hashed passwords, public keys, audit events
Apple Push Notification service (iOS)  | Delivery of in-app notifications          | Push token, generic case-update payload (case ID only)
Firebase Cloud Messaging (Android)     | Delivery of in-app notifications          | Push token, generic case-update payload (case ID only)
Expo Updates                           | Optional over-the-air JS bundle delivery  | None (Expo receives only build IDs)

No data is sold to advertisers, brokers, or other third parties.


5. HIPAA stance

SkinLink is designed for use under a Business Associate Agreement (BAA) between the deploying clinic or organization and Supabase. Because case content is end-to-end encrypted on the device before upload, the server, Supabase support staff, and SkinLink developers cannot read plaintext patient content; within your organization, only the case participants and Admins holding a role-wrapped key can decrypt it.

Your organization (the Covered Entity, in HIPAA terms) is responsible for entering patient data only in jurisdictions where the BAA permits, for honoring patient access / deletion requests, and for selecting an appropriate retention period in the Admin settings.


6. Retention

  • Account data — retained while your organization keeps your account active. Admins deactivate (rather than delete) accounts; deactivated accounts retain their public keys + audit history but cannot sign in.
  • Case content — retained per the retention policy your Admin configures in the app. The default is "permanent until explicitly deleted." Subject withdrawal removes case content; the existence of a withdrawal is preserved permanently.
  • Audit events — retained per your organization's audit_retention_days setting. The default is permanent.
  • Push tokens — replaced on every reinstall; old tokens are removed at re-enrollment.
  • Device-local data — wiped when you sign out or uninstall the app.

7. Your rights

You may, by request to your organization's Admin:

  • Access the audit history for your account.
  • Have your account deactivated (sign-ins disabled, public keys preserved for audit).
  • Have specific cases withdrawn (content removed; withdrawal record preserved).

If your organization is subject to GDPR or similar regulations, contact your organization's data controller for cross-border requests.


8. Security

  • Encryption in transit: TLS 1.2+ for every connection to Supabase and to Apple / Google push servers.
  • Encryption at rest (server): ciphertext only; the server cannot decrypt case content.
  • Encryption at rest (device): SQLite encrypted with a key from the device keychain; private keys held in Secure Enclave / Keystore.
  • Authentication: password + per-device public key. Lockout after 5 failed sign-in attempts in a 15-minute window.
  • Audit log: append-only at the database level (no UPDATE / DELETE policies on the audit table); Admins review it.
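The two database-level guarantees this policy relies on, RLS-gated routing metadata (section 3) and an append-only audit log (the bullet above), are both Postgres Row-Level Security configurations. The following is an added, illustrative Supabase schema fragment written for this page; it is not SkinLink's actual schema, and the table names, column names and the is_org_admin helper are assumptions. It shows the shape of the policies: participants and organization Admins can read a case row, users can only append audit events as themselves, and no UPDATE or DELETE policy exists on the audit table.

```sql
-- Illustrative Supabase/Postgres schema (added example, not SkinLink's own
-- schema). Table, column and function names are assumptions.

create table org_members (
  org_id  uuid not null,
  user_id uuid not null references auth.users (id),
  role    text not null check (role in ('clinician', 'specialist', 'admin')),
  primary key (org_id, user_id)
);

create table cases (
  id          uuid primary key default gen_random_uuid(),
  org_id      uuid not null,
  created_by  uuid not null references auth.users (id),
  assigned_to uuid references auth.users (id),
  state       text not null default 'new'
              check (state in ('new', 'assigned', 'in-review', 'diagnosed', 'closed')),
  ciphertext  bytea not null   -- E2E-encrypted case body; the server never sees plaintext
);

-- Helper: is the calling user an Admin of the given organization?
-- security definer avoids recursive RLS evaluation on org_members.
create function is_org_admin(p_org uuid) returns boolean
language sql stable security definer set search_path = public as $$
  select exists (
    select 1 from org_members
    where org_id = p_org and user_id = auth.uid() and role = 'admin'
  );
$$;

alter table cases enable row level security;
alter table cases force row level security;   -- applies to the table owner as well

-- Participants (creator, assigned Specialist) and org Admins may read a case row.
create policy cases_select_participant on cases
  for select to authenticated
  using (
    auth.uid() = created_by
    or auth.uid() = assigned_to
    or is_org_admin(org_id)
  );

-- Only members of the case's organization may create cases, and only as themselves.
create policy cases_insert_self on cases
  for insert to authenticated
  with check (
    created_by = auth.uid()
    and exists (select 1 from org_members
                where org_id = cases.org_id and user_id = auth.uid())
  );

create table audit_events (
  id      bigint generated always as identity primary key,
  org_id  uuid not null,
  actor   uuid not null default auth.uid(),
  action  text not null,        -- e.g. 'sign_in', 'case_opened', 'diagnosis_sent'
  case_id uuid references cases (id),
  at      timestamptz not null default now()
);

alter table audit_events enable row level security;
alter table audit_events force row level security;

-- Users may append events about themselves; Admins may read their org's log.
create policy audit_insert_self on audit_events
  for insert to authenticated
  with check (actor = auth.uid());

create policy audit_select_admin on audit_events
  for select to authenticated
  using (is_org_admin(org_id));

-- No UPDATE or DELETE policy is defined, so RLS denies those statements for the
-- "authenticated" role. Revoking the privileges too makes the intent explicit.
revoke update, delete on audit_events from authenticated, anon;
```

Two caveats a deployer should keep in mind: RLS governs only roles subject to it, and Supabase's service_role key bypasses RLS entirely, so "append-only at the database level" holds for app clients using anon/authenticated JWTs, not for anything holding the service key (which must never ship in the mobile app); and because the ciphertext column is opaque to the server, the policies above can only gate on the routing metadata, which is why patient identifiers must stay inside the encrypted body.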

Our development practices are informed by the OWASP Top 10, and the app implements the HIPAA Security Rule technical safeguards. Reports of suspected vulnerabilities should go to the contact email in the app store listing.


9. Children

SkinLink is a clinical tool intended for use by licensed healthcare professionals. The app is not directed at children, and we do not knowingly collect personal information from anyone under 18 except within a clinical case that a clinician opens on a patient's behalf; such patient data is handled under the deploying organization's HIPAA and privacy obligations.


10. Changes to this policy

If we change this policy materially we will update the "Last updated" date at the top and surface a notice in-app on next sign-in.