SkinAware - Privacy Policy
(Last updated 04/2026)
medaia GmbH ("medaia", "we", "us") attaches great importance to adequately protecting your personal data. When processing personal data, medaia therefore complies with the applicable legal provisions on the protection, lawful handling and confidentiality of personal data, as well as on data security, in particular the EU General Data Protection Regulation ("GDPR"), the Austrian Data Protection Act ("DSG") and the Telecommunications Act ("TKG").
This privacy policy informs you about the nature, scope and purposes of the processing of your personal data when you use our SkinAware app ("SkinAware").
The controller responsible for processing your personal data in accordance with data protection regulations is:
medaia GmbH
Am Eisernen Tor 5/1/12
8010 Graz
Contact details of the data protection officer: datenschutz@medaia.at
When you use SkinAware, we process your personal data. We only process the data that you provide to us during onboarding and when using the app. This includes the following data in particular:
Personal data/master data (nickname, gender, age cohort)
Account information (email address, Apple/Google ID if applicable, password)
Device information (device model, device manufacturer, operating system)
Location data (information about your geographical location, provided you grant us the relevant permissions)
Country set in the phone settings for app language
Image data (images taken, symptoms, if provided)
The processing of your personal data serves the purpose of authenticating your access to SkinAware and thus enabling the correct allocation of the taken images. The authentication data is provided by Apple or Google via their plugin. Furthermore, the transmitted images of your skin lesions are correctly assigned and you are granted access to your archived images in SkinAware.
Your personal data is processed (i) with regard to non-sensitive data for the performance of a contract in accordance with Art. 6 (1) (b) GDPR.
We collect your location to provide the UV index. The location-based UV index informs you about the local UV radiation level and, based on the transmitted information, informs you about the remaining time until you get sunburned.
We use push notifications within our app to display reminders you have set up yourself for self-checks, even outside the app. You can give and withdraw your consent at any time via your app settings.
SkinAware shares some data with advertising service providers to provide you with personalised advertising only if you explicitly agree. We do not sell, rent or lend your personal data to third parties. Advertisements and promotional content may be personalised based on your profile. Your activity on this service may be used to create or supplement a profile about you for the purposes of personalised advertising. The effectiveness of advertising and the performance of content may be measured. Reports may be generated based on your activity and that of others. Your activity on this service may help to develop and improve products and services.
We only disclose your personal data to the extent necessary to the following external service providers (processors) who support us in providing our services:
IT service providers (e.g. Firebase) and/or providers of data hosting solutions or similar services;
Advertising providers (i.e. Google AdMob) for displaying personalised advertisements.
Our processors only process your data on our behalf and on the basis of our instructions so that we can provide you with our services.
In addition, we transfer your personal data to the following recipients (controllers) to the extent necessary:
External third parties to the extent necessary on the basis of our legitimate interests (e.g. auditors and tax advisors, insurance companies in the event of insurance claims, legal representatives in specific cases);
Authorities, courts and other public bodies to the extent required by law (e.g. financial or data protection authorities).
In the event of a merger, acquisition or sale of all or part of our assets, you will be notified by email and/or by a prominent notice on our website of any change in ownership or use of personal data, as well as your choices regarding personal data.
Personal data, including skin and face images (if opted in), is used to deliver and improve SkinAware and related services, develop new features, updates, personalization services, algorithms, and machine learning. This processing is based on medaia’s legitimate interest to improve its platform and services.
We will only retain personal data for as long as necessary to fulfil the respective processing purposes, including compliance with legal, regulatory, tax, accounting or reporting requirements.
We may retain your personal data for a longer period if there is a complaint or if we reasonably believe that a legal dispute relating to our relationship with you is imminent. Our retention obligations may therefore continue to apply even if you no longer use the SkinAware service.
When determining the appropriate storage period for personal data, we take into account the amount, nature and sensitivity of the personal data. We also consider the potential risk of harm from unauthorised use or disclosure and whether we can achieve these purposes by other means.
If the data is no longer necessary for the purposes pursued or legitimate interests and no other legal basis applies, we will delete the data as soon as the other legal basis no longer applies.
If you delete your account or reach out to us to exercise your right to erasure, all personal data that could be used to identify you will be deleted within 30 days. If you do not request the proactive deletion of your personal data, all personal data will be automatically deleted or anonymised after 36 months of inactivity. No further action is required on your part.
All images recorded with SkinAware are stored on your device. If the app is uninstalled from your device, all recorded images will also be deleted from your device. Please note: Uninstalling the app does not delete the data we have processed up to that point. To delete the data, please proceed as described above.
You have the right to access, correct, delete and restrict the processing of personal data by medaia. You can also revoke your consent to the processing of personal data with future effect if the processing is based on your consent. You may have the right to receive the data you have provided in a structured, commonly used and machine-readable format ("data portability").
You have the right to object to data processing if there are reasons for this arising from your particular situation.
You also have the option of lodging a complaint with the data protection supervisory authority. The supervisory authority responsible for us is the Austrian Data Protection Authority, Barichgasse 40-42, 1030 Vienna, email: dsb@dsb.gv.at; Tel: +43 1 52 1 52-0 (http://www.dsb.gv.at).
If you have any questions regarding your personal data, please contact us at: datenschutz@medaia.at
Data security is very important to us. medaia uses appropriate technical and organisational measures to ensure the security of data processing to the best of its ability. In accordance with Art. 32 GDPR, this applies in particular to the protection of personal data against accidental or unlawful destruction, loss, alteration or unauthorised disclosure of or access to personal data that is transmitted, stored or otherwise processed (in particular, encrypted transmission and storage of your personal data).
All medaia employees are bound to secrecy regarding the information entrusted to them or disclosed to them in the course of their work.