Privacy policy
This policy explains what information Cutis Health, Inc. ("Cutis," "we," "us") collects from people who visit cutis.health or use our screening product, how we use it, who we share it with, and the rights you have over it.
We are a smartphone-first dermatology screening service. Our work touches health-adjacent information, so we hold the entire data pipeline to the standard of a regulated medical product even where the law does not require us to.
1. Information we collect
1.1 Information you give us directly
- Shortlist signup. Email address. Optionally: first name, role, country. Collected via a form hosted by Tally, our form vendor.
- Product use (when the screening app launches). Photographs of the skin area you choose to capture; metadata you tap into the app (Fitzpatrick skin type, body location, age band, symptoms, duration, lesion characteristics); follow-up answers about how a concern resolved.
- Account information. A stable pseudonymous identifier and the consent choices you record.
- Contact correspondence. Emails you send to hello@cutis.health or press@cutis.health.
1.2 Information collected automatically
- Camera and image metadata. Device model, lens specification, focal length, exposure, white balance, ambient lighting at capture, and (where supported) depth information. This is captured by the camera; we store it so we can normalize color and scale across devices.
- Coarse geolocation. City-level only, and only if you grant location permission. We use it to study how climate and ambient UV correlate with the concerns users bring to the app. We never collect precise GPS.
- Server logs. IP address, timestamp, browser, and pages requested. Logs are kept for security and uptime monitoring and rotated routinely.
1.3 Information we do not collect
- We do not buy data from data brokers.
- We do not run third-party advertising trackers on this website.
- We do not intentionally collect biometric identifiers (faces, fingerprints). Faces visible in overview photographs are detected and obscured before any image is stored for model training.
2. How we use information
- To deliver a screening result to you and to connect you to a board-certified dermatologist via our partner platforms when your scan indicates moderate-to-high concern.
- To monitor the quality and safety of our model, including a per-Fitzpatrick performance dashboard that we use to gate model releases.
- To improve our model. Only if you consent. Consent is granular — see Section 4.
- To respond to your support questions and press inquiries.
- To meet our legal obligations, including subpoenas and lawful demands.
3. Lawful basis (for users in the EEA, UK, and Canada)
For visitors in jurisdictions whose privacy law requires us to identify a lawful basis, we rely on the following:
- Consent for any use of your scan data in research, publication, or external dataset licensing.
- Performance of a contract for delivering the screening result and the partner-dermatologist referral you request.
- Legitimate interests for security logs, model-safety monitoring, and basic site analytics.
- Legal obligation for tax records and lawful disclosures.
4. Granular consent
Inside the product, your consent is recorded in three independently revocable buckets:
- Screening — required to use the product at all. We use your scan and metadata to deliver your triage result.
- Model improvement — optional. We use your scan, metadata, and any confirmed diagnosis returned by a partner dermatologist to improve the model for all users.
- Research and dataset licensing — optional and separately revocable. We may include your de-identified data in IRB-approved research, peer-reviewed publication, or external dataset licensing to academic and pharmaceutical research partners.
Each choice is recorded with a timestamp and a version. You can change any choice at any time, with no impact on your access to the core screening product.
5. Sharing
We share information narrowly and only as described here.
- Partner dermatologists and teledermatology platforms. When you choose a partner-dermatologist review of your scan, we forward your images and the metadata you provided to the partner platform. The partner becomes responsible for that record under its own privacy notice. Diagnosis flow-back to Cutis is contingent on your consent at the time of the referral.
- Service providers. Cloud hosting (AWS), email delivery, form collection (Tally), and content delivery vendors that process data on our written instructions. We require contractual privacy and security commitments, including a HIPAA Business Associate Agreement with our cloud provider.
- Research partners. Only if you consented in the third bucket above (research and dataset licensing), and only under IRB approval where applicable. Data is de-identified to the HIPAA Safe Harbor standard before any external sharing.
- Legal disclosures. We will respond to lawful, narrowly scoped legal demands. We push back on overbroad requests.
- Corporate transactions. If Cutis is acquired or merged, your information may transfer to the successor entity subject to this policy.
We do not sell personal information.
6. How we store and protect information
- Encryption at rest (AES-256) and in transit (TLS 1.3).
- Role-based access controls and a least-privilege model for employee access.
- Full prediction audit logging — every model prediction is logged with model version, dataset snapshot ID, and calibrated confidence band, so any later question has a deterministic answer.
- A documented adverse-event reporting process for any user-reported case of a missed urgent finding or harmful guidance.
- Tamper-evident, append-only logs for label provenance.
- A Business Associate Agreement with our cloud provider.
Despite this, no online service is perfectly secure. If we detect a breach affecting your information, we will notify affected users and authorities as required by applicable law.
7. Retention
- Shortlist email addresses are kept until you ask us to remove them or unsubscribe.
- Scans and metadata are kept while your account is active. When you delete your account, your raw images, metadata, and per-account records are deleted within 30 days; backups are purged on a defined rotation cycle.
- De-identified data used for model training may persist beyond account deletion if it was contributed under your prior consent at the time of capture, because a model trained on it cannot be selectively untrained on a per-record basis. Future consent revocation prevents new training inclusion. We disclose this honestly rather than promise a guarantee we cannot keep.
- Audit logs are kept for the duration required by our regulatory and legal obligations.
8. Your rights
Regardless of where you live, you can:
- Request a copy of the personal information we hold about you.
- Ask us to correct information that is wrong.
- Ask us to delete your information (subject to the retention caveats above).
- Change or revoke any consent bucket at any time.
- Object to specific uses of your information.
- Lodge a complaint with your local data protection authority.
To exercise any of these rights, email privacy@cutis.health from the address associated with your account. We respond within 30 days.
9. Children
Cutis is not directed to children under 13 and we do not knowingly collect data from them. Use of the product by anyone under 18 should be supervised by a parent or guardian.
10. International transfers
Cutis is incorporated in the United States. If you use the product from outside the US, your information will be processed in the US and other countries our service providers operate in. Where required, we put standard contractual clauses or equivalent transfer safeguards in place.
11. Cookies and similar technologies
Our marketing site uses only strictly necessary first-party cookies. We do not run advertising trackers, third-party analytics, or cross-site tracking pixels. When you open a Tally form, Tally may set its own cookies; those are governed by Tally's privacy notice.
12. Changes to this policy
We update this policy when our practices change. The "Last updated" date at the top reflects the most recent revision. Material changes are surfaced in-app and emailed to registered users.
13. Contact us
Cutis Health, Inc.
Privacy: privacy@cutis.health
General: hello@cutis.health
Cutis is a skin-health screening tool and is not a diagnostic device. Information provided by Cutis is for general wellness purposes only and is not a substitute for professional medical advice, diagnosis, or treatment.