Privacy Policy

Your privacy matters. Learn how we collect, use, and protect your personal data in accordance with GDPR and medical device regulations.

(As of 04/2026)

medaia GmbH (‘medaia’, ‘we’, ‘us’) considers it important to protect your personal data adequately. When processing personal data, medaia therefore complies with the applicable legal provisions on the protection, lawful handling and confidentiality of personal data, as well as on data security, in particular the EU General Data Protection Regulation (‘GDPR’), the Austrian Data Protection Act (‘DSG’) and the Telecommunications Act (‘TKG’).

This privacy policy informs you about the nature, scope and purposes of the processing of your personal data when you use our SkinScreener app (‘SkinScreener’) to obtain an assessment of your individual skin cancer risk based on the images of your moles and skin lesions that you transmit.

1. NAME AND ADDRESS OF THE CONTROLLER

The controller responsible for processing your personal data in accordance with data protection regulations is:

medaia GmbH
Am Eisernen Tor 5/1/12
8010 Graz

The contact details of the data protection officer are: datenschutz@skinscreener.at.

2. HOW IS YOUR PERSONAL DATA PROCESSED?

2.1 Use of SkinScreener

When you use SkinScreener, we process your personal data. We only process the data that you provide to us during onboarding and when using the app. This includes the following data in particular:

  • Personal data/basic information (name, year of birth, gender provided by you)
  • Account information (email address, Apple/Google ID if applicable, password)
  • Device information (device ID, operating system)
  • Location data (information about your geographic location, provided you grant us the appropriate permissions; see Section 2.3)
  • App Store country setting
  • Health data (photographic documentation of the skin lesion provided by you, results of the automated risk assessment)

The processing of your personal data serves the purpose of authenticating your access to SkinScreener, thereby enabling the correct allocation of purchased scans or annual subscriptions. The data used for authentication is provided by Apple or Google via their sign-in plugin. The processing also ensures that the images of your skin lesions you transmit are assigned to your account and evaluated, and that you can access your archived images in SkinScreener. The evaluated images enable a risk assessment with regard to any existing skin cancer risk.

In addition, the processing of your year of birth and gender is necessary to comply with the requirements of post-market surveillance (ISO 13485 and Regulation (EU) 2017/745).

Your personal data is processed (i) with regard to non-sensitive data for the fulfilment of the contract in accordance with Art. 6 (1) (b) GDPR and (ii) with regard to your health data on the basis of your express consent in accordance with Art. 6 (1) (a) GDPR and Art. 9 (2) (a) GDPR. You have the right to revoke your consent at any time with effect for the future. However, without your consent, we are not permitted to process your sensitive health data – this also means that SkinScreener cannot be provided. We ask for your understanding in this matter.

2.2 Post-market surveillance

In order to fulfill our legal obligations regarding post-market surveillance for medical devices and to further develop SkinScreener’s artificial intelligence, we process some of your personal data generated through your use of SkinScreener in an anonymized form, so that no conclusions can be drawn about your identity. To this end, the personal reference is removed and replaced with an internal, non-traceable ID.

To conduct post-market surveillance and further develop the artificial intelligence of our app, analyzed images—along with risk assessments, gender, and age—are transmitted via an encrypted connection to the ISO-certified data center (located in Germany, with local storage on-site), stored there, and processed for research purposes, further development, and market surveillance of SkinScreener medical devices.

2.3 UV index

We record your location in order to provide the UV index. The location-based UV index informs you about the local UV radiation level and, based on the information transmitted, informs you about the remaining time until you get sunburned.

2.4 Push notifications

We use push notifications within our app to send you relevant information related to the app, including reminders to perform a self-check, reminders to undergo a dermatological examination at intervals you have chosen yourself, and reminders when the UV index exceeds the threshold you have chosen. You can give and withdraw your consent to push notifications at any time via your app settings.

2.5 Customer feedback

We process your email address, or that of your Apple or Google account, in order to respond to customer feedback and enquiries in a targeted manner and within the scope of customer surveys.

2.6 Newsletter

You have the option to subscribe to our newsletter through our app. To do so, we need your email address and your consent to receive the newsletter.

You can cancel your newsletter subscription at any time. Use the link in the newsletter or send your cancellation to the following email address: marketing@medaia.at. We will then immediately delete your data related to the newsletter distribution. This revocation does not affect the lawfulness of the processing carried out on the basis of your consent until the revocation.

3. POSSIBLE RECIPIENTS

SkinScreener is ad-free and does not share any data with advertising service providers. Nor do we sell, rent or lend your personal data to third parties.

We only share your personal data to the extent necessary with the following external service providers (processors) who support us in providing our services:

  • IT service providers and/or providers of data hosting solutions or similar services;
  • Other service providers, providers of tools and software solutions who also assist us in providing our services and act on our behalf (e.g. providers of communication services);
  • Payment service providers (such as PayPal or Stripe).

Our processors only process your data on our behalf and on the basis of our instructions so that we can provide our services to you.

Please note that our data processor, Google LLC, is headquartered in the United States of America. On July 10, 2023, the European Commission adopted a new adequacy decision pursuant to Article 45 of the GDPR for the United States of America, known as the EU-U.S. Data Privacy Framework. Google LLC, as a data importer in the United States, appears on the list of the Data Privacy Framework; therefore, the transfer of personal data is possible solely on the basis of the adequacy decision, and no further measures within the meaning of Article 46 of the GDPR need to be taken.

In addition, we transfer your personal data to the following recipients (controllers) to the extent necessary:

  • External third parties to the extent necessary on the basis of our legitimate interests (e.g. auditors and tax advisors, insurance companies in the event of insurance claims, legal representatives in the event of a claim);
  • Research institutions (only on the basis of your express consent);
  • Authorities, courts and other public bodies to the extent required by law (e.g. financial or data protection authorities).

In the event of a merger, acquisition or sale of all or part of our assets, you will be notified by email and/or by a prominent notice on our website of any change in ownership or use of personal data, as well as your choices regarding personal data.

4. STORAGE PERIODS AND DELETION

We will only retain personal data for as long as is necessary to fulfil the respective processing purposes, including the fulfilment of legal, regulatory, tax, accounting or reporting requirements.

We may retain your personal data for a longer period if there is a complaint or if we reasonably believe that a legal dispute relating to our relationship with you is imminent. Our retention obligations may therefore continue to apply even if you no longer use the SkinScreener service.

When determining the appropriate storage period for personal data, we take into account the amount, nature and sensitivity of the personal data. We also consider the potential risk of harm from unauthorised use or disclosure and whether we can achieve these purposes by other means.

If the data is no longer necessary for the purposes pursued or for our legitimate interests, we will delete it as soon as no other legal basis for retaining it applies.

If you withdraw your voluntary consent or exercise your right to erasure, we will delete or anonymize all personal data, including your health data, that is not subject to any legal retention requirements within 30 days. If you do not request the proactive deletion of your personal data, all personal data, including your health data, will be automatically deleted or anonymized after three years of inactivity. No further action is required on your part.

You can also delete your account and thus all personal data yourself by selecting this option in the app.

All images captured using SkinScreener and rated as green, yellow, or red, as well as the analyses and recommendations, are stored on your device. If the app is uninstalled from your device, all images taken will also be deleted from your device. Please note: Uninstalling the app does not delete the data we have processed up to that point. To delete the data, please follow the steps described above.

5. PROTECTION OF DATA SUBJECT RIGHTS

You have the right to access, rectify, delete and restrict the processing of personal data by medaia. You can also withdraw your consent to the processing of personal data with future effect if the processing is based on your consent. You may have the right to receive the data you have provided in a structured, commonly used and machine-readable format (‘data portability’).

You have the right to object to data processing if there are reasons for this arising from your particular situation.

You also have the option of lodging a complaint with the data protection supervisory authority. The supervisory authority responsible for us is the Austrian Data Protection Authority, Barichgasse 40-42, 1030 Vienna, email: dsb@dsb.gv.at; tel: +43 1 52 1 52-0 (http://www.dsb.gv.at). Additional European data protection authorities can be found at https://digital-strategy.ec.europa.eu/en/library/list-personal-data-protection-competent-authorities.

If you have any questions regarding your personal data, please contact us at datenschutz@skinscreener.at.

6. DATA SECURITY

Data security is very important to us. medaia uses appropriate technical and organisational measures to ensure the security of data processing to the best of its ability. In accordance with Art. 32 GDPR, this applies in particular to the protection of personal data against accidental or unlawful destruction, loss, alteration or unauthorised disclosure of or access to personal data that is transmitted, stored or otherwise processed (in particular, encrypted transmission and storage of your personal data).

All medaia employees are bound to confidentiality regarding information entrusted to them or disclosed to them in the course of their work.

7. WEBSITE

The website is operated by medaia GmbH as the data controller. In this notice, we inform you about the personal data we process in the context of this website. The website can generally be used without providing personal data.

7.1 Visiting our website

Legitimate interest pursuant to Art. 6 (1) (f) GDPR:

medaia GmbH processes the data on the basis of its overriding legitimate interest pursuant to Art. 6 (1) (f) GDPR in order to achieve the stated purposes, in particular the provision of the website.

Purposes of processing:

The processing of your data serves to provide the website, to ensure system security, and to improve the website and thus the public image of medaia GmbH.

Data categories:

  • IP address of the requesting computer
  • Date and time of access
  • Name and URL of the data accessed
  • Amount of data transferred
  • Notification of whether the access was successful
  • Identification data of the browser and operating system used
  • Website from which access is made
  • Name of your internet access provider

7.2 Cookies

Our website uses so-called cookies. These are small text files that are stored on your device with the help of your browser. They do not cause any damage. We use cookies to make our website user-friendly. Some cookies remain stored on your device until you delete them. They enable us to recognise your browser the next time you visit. You can control the setting of cookies and their storage duration via your browser settings. If you deactivate cookies, the functionality of our website may be restricted. You can find a detailed list of the cookies used by our website and further information in our cookie banner.

7.2.1 Necessary cookies

Necessary cookies help to make a website usable by enabling basic functions such as page navigation and access to secure areas of the website. The website cannot function properly without these cookies.

7.2.2 Preferences

Preference cookies allow a website to remember information that affects the way a website behaves or looks, such as your preferred language or the region you are in.

7.2.3 Statistics

Statistics cookies help website owners understand how visitors interact with websites by collecting and reporting information anonymously.

7.2.4 Marketing

Marketing cookies are used to track visitors to websites. The intention is to display advertisements that are relevant and appealing to the individual user and therefore more valuable to publishers and third-party advertisers.

7.3 Storage period

We generally store your personal data for a period of 3 months. Longer storage only takes place if this is necessary to investigate attacks on our website.