SOULSKIN Privacy Policy
Last updated: July 2025
1. Scope
This Privacy Policy describes how SOULSKIN, Inc. ("DBA SEOULSKIN", "we", "us", or "our") collects, uses, and protects information when you access or use our HIPAA‑compliant platform (the "Platform"). The Platform is provided exclusively for a single professional corporation (Seoul Health Medical, P.C.) and its licensed providers (the "Practice").
2. Our Role Under HIPAA
SOULSKIN acts as a Business Associate to the Practice as defined by the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). We store and process Protected Health Information ("PHI") solely on behalf of, and under the direction of, the Practice in accordance with a duly executed Business Associate Agreement (BAA).
3. Information We Collect
3.1 PHI
- Patient demographic data (e.g., name, contact details, DOB)
- Medical intake forms, treatment records, images, and signatures
3.2 Non‑PHI / Platform Data
- Account credentials for Practice staff and patients
- Usage and log data (device, browser, IP, timestamps)
- Payment identifiers (Stripe PaymentMethod IDs, last 4 digits)
4. How We Use Information
- Provide, maintain, and improve the Platform
- Facilitate appointment scheduling, payment processing, and secure messaging
- Comply with legal obligations (e.g., HIPAA, PCI DSS)
- Detect, prevent, and investigate security incidents
5. Disclosure of Information
We do not sell or share PHI or personal data with third parties for marketing purposes. We disclose information only:
- To the Practice and its authorized personnel
- To subprocessors bound by written HIPAA‑compliant agreements (e.g., Amazon Web Services, Stripe Payments Co.)
- When required by law, subpoena, or valid court order
6. Security Measures
- TLS 1.3 encryption in transit & AES‑256 encryption at rest
- Role‑based access control (RBAC) & least‑privilege model
- Comprehensive audit logging & intrusion detection
- Daily encrypted backups and disaster‑recovery testing
6A. Mobile Communications, Consumer Data Use, and Opt-Out Rights
Mobile Information and Marketing
SOULSKIN does not sell, rent, or share mobile information, including phone numbers, SMS registration data, or messaging content, with third parties for their own marketing or promotional purposes under any circumstances. Mobile information is used solely to support operational communications related to the services provided through the Platform, such as appointment coordination, payment notifications, account alerts, and secure service-related messaging.
Use of Consumer Data
We use consumer data, including contact information, to:
- Create and manage user and patient accounts
- Facilitate appointment scheduling, billing, and secure communications
- Provide customer support and respond to inquiries
- Comply with legal, regulatory, and contractual obligations
- Maintain the security, integrity, and performance of the Platform
Consumer data is never used or shared for third-party advertising or marketing.
Data Sharing and Transfer Restrictions
SOULSKIN does not transfer consumer personal data to external organizations for their independent use. Data may be shared only with vetted service providers acting solely on our behalf (such as HIPAA-eligible hosting, payment processors, and communications infrastructure providers), and only to the extent necessary to deliver services. All such providers are subject to strict contractual, confidentiality, and security obligations.
We maintain administrative, technical, and physical safeguards — including access controls, audit logging, and monitoring — to prevent unauthorized access, use, or disclosure of consumer data.
Opt-Out Rights for Messaging
You may opt out of receiving SMS messages from us at any time by replying STOP or UNSUBSCRIBE to any message you receive. After opting out, you will no longer receive SMS messages unless you re-enroll.
Questions and Contact
If you have questions or concerns about this Privacy Policy or our data practices, please contact us at privacy@seoul.skin.
7. Data Retention & Deletion
PHI is retained for the period mandated by applicable federal and state laws or as directed by the Practice. Upon termination of the BAA or at the Practice’s written request, SOULSKIN will securely return or destroy PHI in accordance with 45 C.F.R. § 164.504(e)(2)(J).
8. Patient Rights
Requests to access, amend, or restrict PHI should be directed to the Practice. SOULSKIN will assist the Practice in fulfilling such requests as required by HIPAA.
9. International Users
The Platform is intended for use within the United States. If you access the Platform from outside the U.S., you acknowledge that your data will be processed and stored in the U.S.
10. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or in‑app notice. Continued use of the Platform after the effective date constitutes acceptance of the revised policy.
11. Contact Us
For privacy inquiries, please email privacy@seoul.skin. Mailing address: SOULSKIN, Inc., 104 W St Suite 538, New York, NY 10018.