Privacy Policy

Skinvest — SAHPRA Class B SaMD AI Skin Triage

Last Updated: 5 May 2026

Health-Image Disclosure

Skinvest processes images of human skin, which may constitute special-category personal information under POPIA (South Africa) and GDPR Article 9 (EU/UK). We process this data only with your explicit consent and in accordance with this policy.

1. Who We Are

Skinvest ("we", "us", "our") is the operator of skinvest.ai and the associated AI skin triage service. Skinvest is licensed by the South African Health Products Regulatory Authority (SAHPRA) as a Class B Software as a Medical Device (SaMD). Founders: Roscoe Kerby (CEO) and Sienna Klipp.

2. What Data We Collect

2.1 Information you provide

  • Skin images you upload for triage analysis
  • Account / waitlist data — name, email, professional role (where applicable) when you sign up
  • Communication content — emails sent to support@skinvest.ai

2.2 Information collected automatically

  • Standard server logs (IP address, user agent, request timestamp) for security and operational purposes
  • Triage outputs and model inference metadata associated with your uploaded images

3. Why We Process It (Lawful Basis)

  • To deliver the triage service you requested (contractual necessity / your consent)
  • To improve the model — only with your explicit consent at upload time
  • To meet our regulatory obligations under SAHPRA SaMD requirements (legal obligation)
  • For security and abuse prevention on our infrastructure (legitimate interest)

4. How Long We Keep It

  • Skin images and triage outputs: retained for up to 24 months for service-improvement and clinical-quality purposes, then deleted or fully de-identified
  • Account / waitlist data: retained while your account or interest in the service is active, plus a reasonable period thereafter for legitimate operational reasons
  • Server logs: retained for up to 90 days
  • You may request earlier deletion at any time — see Section 7

5. Who We Share It With

We do not sell your personal information. We share data only with:

  • Hosting and infrastructure providers (e.g., PythonAnywhere) under appropriate processor agreements
  • Cloud storage and AI compute providers used to run the triage model, under appropriate processor agreements
  • Regulatory or legal authorities where compelled by law (SAHPRA, courts of competent jurisdiction)
  • Our medical advisory board in de-identified form, where review is needed for service quality

6. International Transfers

Data may be processed in jurisdictions outside South Africa, including in the United States and the European Union, where our cloud and AI providers operate. Where this happens, we apply appropriate safeguards (Standard Contractual Clauses or equivalent).

7. Your Rights

Under POPIA, GDPR, and equivalent regimes, you have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion ("right to be forgotten") of your data
  • Withdraw consent at any time, without affecting prior lawful processing
  • Object to processing or request restriction
  • Receive your data in a portable format
  • Lodge a complaint with the Information Regulator (South Africa) or your local supervisory authority

To exercise any of these rights, email support@skinvest.ai. We aim to respond within 30 days.

8. Security

Skinvest applies appropriate technical and organisational measures, including HTTPS encryption in transit, access controls on internal systems, and secure-by-default cloud configurations. As a SAHPRA Class B SaMD operator, we maintain our security posture under regulated medical-device standards. No system is perfectly secure; please notify us of any suspected vulnerability at support@skinvest.ai.

9. Children

Skinvest is not intended for children under the age of 13 (or the equivalent minimum age in your jurisdiction). If a parent or guardian uploads on behalf of a child, the parent/guardian is responsible for the consent. We will delete data associated with a child upon verified request.

10. Cookies

We use a minimal set of essential cookies and similar technologies needed to operate the site (e.g., session, CSRF, flash messages). We do not use third-party advertising cookies. Where we add analytics in future, we will update this policy and obtain consent where required.

11. Changes to This Policy

We may update this policy from time to time. The "Last Updated" date at the top will reflect the most recent revision. Material changes will be communicated via the website or email where appropriate.

12. Contact

By using Skinvest, you acknowledge that you have read, understood, and agree to this Privacy Policy.