SOULSKIN Privacy Policy
Last updated:
1. Scope
This Privacy Policy describes how Seoul Health Medical, P.C. d/b/a SeoulSkin (the "Practice") and SOULSKIN, Inc. ("SOULSKIN", and together with the Practice, "we", "us", or "our") collect, use, and protect information when you access or use our HIPAA-compliant platform (the "Platform") or receive services from the Practice. SOULSKIN provides administrative, technology, and operational support services to the Practice, and the Practice and its licensed providers are solely responsible for medical care.
2. Our Role Under HIPAA
The Practice is the covered health care provider responsible for patient care, treatment, payment, health care operations, and patient communications.
SOULSKIN acts as a Business Associate to the Practice as defined by the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). We store and process Protected Health Information ("PHI") solely on behalf of, and under the direction of, the Practice in accordance with a duly executed Business Associate Agreement (BAA).
If you are a patient of the Practice, you may also receive a separate Notice of Privacy Practices describing how the Practice may use and disclose PHI and how you can exercise your HIPAA rights.
3. Information We Collect
3.1 PHI
- Patient demographic data (e.g., name, contact details, DOB)
- Medical intake forms, treatment records, images, and signatures
3.2 Non‑PHI / Platform Data
- Account credentials for Practice staff and patients
- Usage and log data (device, browser, IP, timestamps)
- Payment identifiers (Stripe PaymentMethod IDs, last 4 digits)
4. How We Use Information
- Provide, maintain, and improve the Platform
- Facilitate appointment scheduling, treatment follow-ups, billing, payment processing, and patient messaging
- Comply with legal obligations (e.g., HIPAA, PCI DSS)
- Detect, prevent, and investigate security incidents
5. Disclosure of Information
We do not sell or share PHI or personal data with third parties for marketing purposes. We disclose information only:
- To the Practice and its authorized personnel
- To subprocessors bound by written HIPAA‑compliant agreements (e.g., Amazon Web Services, Stripe Payments Co.)
- When required by law, subpoena, or valid court order
6. Security Measures
- TLS 1.3 encryption in transit & AES‑256 encryption at rest
- Role‑based access control (RBAC) & least‑privilege model
- Comprehensive audit logging & intrusion detection
- Daily encrypted backups and disaster‑recovery testing
6A. Electronic Communications, Mobile Data Use, and Opt-Out Rights
Patient Communications and Consent
The Practice may communicate with patients by phone, email, secure messaging, or SMS regarding appointment scheduling, treatment coordination, follow-up care, billing, account alerts, and other health care operations. By providing your contact information and completing applicable intake, treatment, consent, or account-registration workflows, you authorize Seoul Health Medical, P.C. d/b/a SeoulSkin and its HIPAA-compliant service providers to communicate with you through these channels.
This Privacy Policy supplements, and does not replace, any separate patient intake, treatment, or HIPAA consent that the Practice may require before messaging begins.
We use reasonable administrative, technical, and physical safeguards to protect patient information, including encrypted storage, secure messaging infrastructure, access controls, audit logging, and contractual restrictions on vendors. Even with these safeguards, standard email and carrier SMS may not be fully secure, and there remains a risk that a message could be intercepted, misdirected, or accessed by someone other than the intended recipient.
Mobile Information and Marketing
We do not sell, rent, or share mobile information, including phone numbers, SMS registration data, or messaging content, with third parties for their own marketing or promotional purposes under any circumstances. Mobile information is used solely to support patient care and operational communications, such as appointment coordination, treatment follow-ups, billing notices, account alerts, and other service-related messaging.
If we offer promotional or marketing SMS, those messages are sent only when you separately opt in. Marketing consent is voluntary and is not a condition of receiving care from the Practice.
Use of Consumer Data
We use consumer data, including contact information, to:
- Create and manage user and patient accounts
- Facilitate appointment scheduling, treatment coordination, billing, and communications
- Provide customer support and respond to inquiries
- Comply with legal, regulatory, and contractual obligations
- Maintain the security, integrity, and performance of the Platform
Consumer data is never used or shared for third-party advertising or marketing.
Data Sharing and Transfer Restrictions
SOULSKIN does not transfer consumer personal data to external organizations for their independent use. Data may be shared only with vetted service providers acting solely on our behalf (such as HIPAA-eligible hosting, payment processors, and communications infrastructure providers), and only to the extent necessary to deliver services. All such providers are subject to strict contractual, confidentiality, and security obligations.
All the above categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties.
We maintain administrative, technical, and physical safeguards — including access controls, audit logging, and monitoring — to prevent unauthorized access, use, or disclosure of consumer data.
Opt-Out Rights for Messaging
You may opt out of receiving SMS messages from us at any time by replying STOP or UNSUBSCRIBE to any message you receive. After opting out, you will no longer receive SMS messages unless you re-enroll or arrange another communication preference with the Practice.
Questions and Contact
If you have questions or concerns about this Privacy Policy or our data practices, please contact us at privacy@seoul.skin.
7. Data Retention & Deletion
PHI is retained for the period mandated by applicable federal and state laws or as directed by the Practice. Upon termination of the BAA or at the Practice’s written request, SOULSKIN will securely return or destroy PHI in accordance with 45 C.F.R. § 164.504(e)(2)(J).
8. Patient Rights
Requests to access, amend, or restrict PHI should be directed to the Practice. You may also ask the Practice to update your communication preferences. SOULSKIN will assist the Practice in fulfilling such requests as required by HIPAA.
9. International Users
The Platform is intended for use within the United States. If you access the Platform from outside the U.S., you acknowledge that your data will be processed and stored in the U.S.
10. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or in‑app notice. Continued use of the Platform after the effective date constitutes acceptance of the revised policy.
11. Contact Us
For privacy inquiries, please email privacy@seoul.skin. Patients may also contact the Practice regarding communication preferences or HIPAA-related requests. Mailing address for privacy correspondence: SOULSKIN, Inc., 104 W St Suite 538, New York, NY 10018.