SOULSKIN Privacy Policy

Last updated: July 2025

1. Scope

This Privacy Policy describes how SOULSKIN, Inc. ("DBA SEOULSKIN", "we", "us", or "our") collects, uses, and protects information when you access or use our HIPAA‑compliant platform (the "Platform"). The Platform is provided exclusively for a single professional corporation (Greater New York Medical Health, P.C.) and its licensed providers (the "Practice").

2. Our Role Under HIPAA

SOULSKIN acts as a Business Associate to the Practice as defined by the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). We store and process Protected Health Information ("PHI") solely on behalf of, and under the direction of, the Practice in accordance with a duly executed Business Associate Agreement (BAA).

3. Information We Collect

3.1 PHI

• Patient demographic data (e.g., name, contact details, DOB)
• Medical intake forms, treatment records, images, and signatures

3.2 Non‑PHI / Platform Data

• Account credentials for Practice staff and patients
• Usage and log data (device, browser, IP, timestamps)
• Payment identifiers (Stripe PaymentMethod IDs, last 4 digits)

4. How We Use Information

• Provide, maintain, and improve the Platform
• Facilitate appointment scheduling, payment processing, and secure messaging
• Comply with legal obligations (e.g., HIPAA, PCI DSS)
• Detect, prevent, and investigate security incidents

5. Disclosure of Information

We do not sell or share PHI or personal data with third parties for marketing purposes. We disclose information only:

• To the Practice and its authorized personnel
• To subprocessors bound by written HIPAA‑compliant agreements (e.g., Amazon Web Services, Stripe Payments Co.)
• When required by law, subpoena, or valid court order

6. Security Measures

• TLS 1.3 encryption in transit & AES‑256 encryption at rest
• Role‑based access control (RBAC) & least‑privilege model
• Comprehensive audit logging & intrusion detection
• Daily encrypted backups and disaster‑recovery testing

7. Data Retention & Deletion

PHI is retained for the period mandated by applicable federal and state laws or as directed by the Practice. Upon termination of the BAA or at the Practice’s written request, SOULSKIN will securely return or destroy PHI in accordance with 45 C.F.R. § 164.504(e)(2)(J).

8. Patient Rights

Requests to access, amend, or restrict PHI should be directed to the Practice. SOULSKIN will assist the Practice in fulfilling such requests as required by HIPAA.

9. International Users

The Platform is intended for use within the United States. If you access the Platform from outside the U.S., you acknowledge that your data will be processed and stored in the U.S.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or in‑app notice. Continued use of the Platform after the effective date constitutes acceptance of the revised policy.

11. Contact Us

For privacy inquiries, please email privacy@seoul.skin. Mailing address: SOULSKIN, Inc., 104 W St Suite 538, New York, NY 10018