Privacy policy

Welcome to https://www.sknbiome.com and our mobile applications (together, the “Platform”). The Platform is owned and operated by Continuum Aesthetics Private Limited (the “Company”, “SknBiome”, “we”, “us”, “our”), having its registered address at Delhi, India. You may contact us at support@sknbiome.com or +919354606738.

Regulatory posture. Until India’s Digital Personal Data Protection Act, 2023 (DPDP Act) is brought into force by notification, our privacy practices are governed by the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules), the Consumer Protection (E-Commerce) Rules, 2020, the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (as amended), and sectoral health/pharmacy norms. This Privacy Policy is designed to comply with those laws and be forward-compatible with the DPDP Act once notified. When the DPDP Act becomes effective, references to “Personal Data”, “Data Fiduciary”, “Data Principal”, etc., in this Policy will apply as set out in Section 16 below.

By accessing or using the Platform, creating an account, booking a teleconsultation, purchasing products, or otherwise providing information to us, you agree to this Privacy Policy and consent to the collection, use, storage, disclosure and processing of your information as described here. If you do not agree, please do not use the Platform.


1.   Definitions

“Personal Information” has the meaning set out in Rule 2(i) of the SPDI Rules and includes information that can identify you directly or indirectly.

“Sensitive Personal Data or Information” / “SPDI” has the meaning set out in Rule 3 of the SPDI Rules and includes, among others, passwords, financial information, physical/physiological/mental health condition, sexual orientation, medical records and history, biometric information, and any related details provided for availing services.

“Health Data” means any Personal Information about your health status, medical history, laboratory results, dermatology images, prescriptions, treatment plans, teleconsultation notes, and related information.

“Processing” means any operation performed on information including collection, recording, organisation, storage, adaptation, retrieval, use, disclosure, alignment or combination, restriction, erasure or destruction.

“RMP” means a Registered Medical Practitioner permitted to practice under Indian law.

“Services” means our direct-to-consumer skincare and e-pharmacy fulfilment services, teledermatology consultations, AI-assisted skin analysis, subscriptions, and related offerings available through the Platform.


2.   What We Collect

We collect information with your knowledge or as permitted by law:

A. Account & Contact Data. Name, age/date of birth, gender, phone, email, postal address, PIN code; login credentials (passwords are encrypted; we never store your payment card PIN/CVV); government ID details you choose to provide for KYC or regulatory checks.

B. Health & Care Data. Health history; dermatology photographs or video; consultation chats/calls; prescriptions; treatment plans; medication adherence; symptoms; allergies; lab results shared by you or your provider; RMP notes; care instructions; adverse event reports.

C. Transaction & Fulfilment Data. Orders, cart, shipping and delivery details, return/refund information; subscription preferences; invoice and tax details; insurance or third-party administrator (TPA) details where applicable.

D. Payment Data. Limited payment instrument metadata and status (via our PCI-DSS compliant payment gateways); we do not store full card numbers/CVV. UPI VPA, wallet identifier, or masked card details may be processed by the gateway.

E. Technical & Usage Data. IP address, device identifiers, mobile OS/browser type/version, app telemetry, cookies/pixels/SDK events, crash logs, referral URLs, session IDs, and analytics on how you use the Platform. We may use cookies and similar technologies (see Section 10).

F. Communications & Preferences. Your queries to support, marketing consents/opt-outs, satisfaction surveys, reviews, ratings, and feedback.

G. Third-Party & Affiliate Data. With your consent or as permitted by law, data from RMPs, partner pharmacies, labs, logistics providers, insurers/TPAs, affiliates or group entities, and consent managers.

We do not intentionally collect information from children under 18 without verifiable parental/guardian consent (see Section 12).


3.   Lawful Basis, Consent & Notice

1. Consent for SPDI/Health Data. We obtain your consent (including through electronic means) before collecting and using SPDI/Health Data and inform you of the purposes of use, as required under the SPDI Rules. You may withdraw consent at any time (see Section 11); however, doing so may limit our ability to provide Services.

2. Contractual Necessity. We process data to perform our contract with you (e.g., fulfil an order, schedule a teleconsultation, process payments, provide after-sales support).

3. Legitimate Interests / Compliance. We process data for fraud prevention, security, quality assurance, regulatory recordkeeping, tax/compliance and to improve Services, in a manner consistent with applicable law.

4. Medical/Pharmacy Compliance. For orders of prescription-only medicines and telemedicine, we process necessary Health Data to verify prescriptions, dispense medicines lawfully, and enable RMP care in accordance with the Drugs & Cosmetics Act, 1940 and Rules, 1945 and Telemedicine Practice Guidelines, 2020.

 


4.   How We Use Information

We use your information to:

       create and manage your account;

 

       enable teledermatology consults with RMPs (identity verification, scheduling, consult notes, e-prescriptions);

 

       dispense, deliver and track products, including cold-chain/temperature control where applicable;

 

       operate AI-assisted skin analysis as a decision-support tool (see Section 7);

 

       provide customer support, returns/refunds, and warranty;

 

       send order confirmations, invoices, service messages and regulatory notices;

 

       personalize content and offers;

 

       conduct analytics, service improvement, and quality audits;

 

       detect, prevent and investigate fraud, abuse, security incidents;

 

       comply with legal obligations (tax, pharmacy records, grievance handling, CERT-In reporting) and regulator/government requests;

 

       create de-identified or aggregated datasets for statistics, research, and service improvement (see Section 8).

 

We do not sell your Personal Information.


5.   Disclosures & Recipients

We disclose information on a need-to-know basis, under confidentiality and data protection obligations, to:

       RMPs/Medical Experts for consultations and continuity of care;

 

       Licensed pharmacies and wholesalers for lawful dispensing and regulatory recordkeeping;

 

       Diagnostic labs you choose to use;

 

       Payment aggregators/gateways (PCI-DSS compliant) and banks/UPI PSPs;

 

       Logistics providers/3PLs for packing, shipping and returns;

 

       Cloud/IT/security vendors and analytics providers (including crash analytics, error reporting, and anti-fraud services);

 

       Affiliates/group entities solely for compliant processing consistent with this Policy;

 

       Professional advisors (auditors, lawyers) under duty of confidentiality;

 

       Governmental, regulatory or judicial authorities where required by law, court order, or to protect rights, safety and property;

 

       Corporate transactions (merger, acquisition, asset sale or restructuring) subject to equivalent safeguards and notice where required.

 

Disclosures of SPDI to third parties require your prior consent unless required under law or by a government agency.


6.   Cross-Border Storage & Transfers

Our primary hosting is in India. If we transfer Personal Information outside India (e.g., to support vendors), we do so under contracts ensuring a same or higher level of protection as required by Indian law. We retain responsibility for onward transfers. When the DPDP Act takes effect, we will comply with any government-notified restricted jurisdictions and use mechanisms recognized under that law.


7.   AI-Assisted Skin Analysis (Explainability & Human Oversight)

Our AI tools analyse skin images and inputs to generate non-diagnostic assessments and product/consult suggestions. Key points:

       Human-in-the-loop: AI outputs are reviewed or can be overridden by an RMP/clinician.

 

       Inputs used: uploaded images, questionnaire responses, historical interactions, and anonymized aggregates.

 

       Limitations: AI may be less accurate on poor-quality images, under makeup, extreme lighting or for atypical conditions.

 

       Your choices: you can opt out of AI-based personalization in Account → Privacy; this may limit certain features.

 

       Model improvement: we may use de-identified data to improve models. We do not use identifiable Health Data for model training without your consent.

 


8.   De-Identification & Aggregation

We may create de-identified/aggregated datasets (removing direct identifiers and applying technical and organizational safeguards) for statistics, service improvement, safety monitoring, and research. We will not attempt to re-identify such data and will contractually prohibit recipients from doing so.


9.   Data Retention

We retain data only for as long as necessary for the purposes stated or as required by law. Illustrative periods (subject to change based on law/official guidance):

       Account data: for the life of your account and up to 3 years after last activity or request for deletion, unless a longer period is required for dispute resolution or legal claims.

 

       Health/telemedicine records: for at least 3 years from last treatment/contact or as required by applicable medical ethics regulations; prescriptions and controlled-drug records retained as mandated under the Drugs & Cosmetics Rules, 1945 (including special registers/records for restricted schedules).

 

       Order/transaction records & invoices: up to 8 financial years to comply with the Companies Act, 2013 and tax laws.

 

       System/security logs: 180 days minimum within India, in line with CERT-In Directions; longer if investigating incidents.

 

       Cookies/analytics: as per cookie lifetimes and your settings.

 

Where retention is no longer necessary, data is securely deleted or irreversibly de-identified.


10.   Cookies, SDKs & Online Identifiers

We use cookies, pixels, SDKs and similar tools to enable core functionality (e.g., login, cart), measure performance, personalize content, and for advertising with your consent. You can manage preferences via our Cookie Settings or your browser/device settings. Disabling certain cookies may impact functionality. We do not use SPDI to target advertisements.


11.  Your Rights & Choices

Subject to law, you may:

       Access & Review your Personal Information we hold;

 

       Correction/Update inaccurate or incomplete data;

 

       Withdraw Consent for SPDI/Health Data processing (prospectively);

 

       Opt-out of non-essential marketing communications at any time;

 

       Delete Account/Data (subject to legal retention obligations).

 

To exercise rights, email support@sknbiome.com from your registered email/phone, or use in-app tools. We may verify your identity and respond within timelines prescribed by law (see Section 15 for grievance redress timelines).


12.   Children’s Privacy

Our Platform is intended for adults (18+). Minors may use the Platform only with parent/guardian involvement, and any processing of a child’s data requires guardian consent. We do not knowingly process children’s data for targeted advertising.


13.   Security Measures

We implement administrative, technical and physical safeguards aligned with Rule 8 of the SPDI Rules and industry standards (e.g., ISO/IEC 27001 practices), including encryption in transit, access controls (least privilege), secure development lifecycle, vulnerability management, network segregation, and vendor due diligence. Payment processing is handled by PCI-DSS compliant gateways. Despite safeguards, no system is impenetrable; in case of a security incident, we will take prompt remedial action and notify regulators/users where required.


14.   Breach Reporting & CERT-In

We maintain incident response procedures and will report qualifying cyber incidents to CERT-In within applicable timelines (currently within 6 hours of noticing/being notified) and maintain ICT logs for 180 days within India. We will also inform affected users when required by law or where there is a likely risk of harm.


15.   Grievance Redressal & Contact

Grievance Officer (IT/SPDI & E-commerce Rules):

 Designation: Grievance Officer – Customer Services

 Email: support@sknbiome.com

 Phone: +919354606738

       We will acknowledge consumer complaints within 48 hours and resolve them within one month (Consumer Protection (E-Commerce) Rules, 2020).

 

       For user-generated content issues covered by the IT Intermediary Rules, we will acknowledge within 24 hours and dispose of such complaints within 15 days, or sooner where expedited takedowns are mandated.

 


16.   DPDP Act Readiness (applicable upon notification into force)

Once the DPDP Act is brought into force:

       Roles. SknBiome will act as a Data Fiduciary; our processors are Data Processors.

 

       Notice. This Policy and layered just-in-time notices will constitute our DPDP notices.

 

       Consent & Lawful Use. We will rely on consent for processing health data and on legitimate uses permitted under the Act (e.g., performance of legal obligations).

 

       Children. We will obtain verifiable parental consent for processing children’s data and disable targeted advertising and tracking for children.

 

       Cross-border transfer. We will comply with any government-notified restrictions.

 

       Rights. You will be able to access, correct, and erase personal data (subject to legal exemptions) and nominate an alternate contact for rights requests.

 

       Data Breaches. We will notify the Data Protection Board of India and affected users as required.

 

We will update this Policy and our processes to reflect binding rules and implementation timelines when notified by the Government of India.


17.   Third-Party Services & Links

Our Platform may contain links to third-party websites/apps. Their privacy practices are not controlled by us. Please review their policies before using their services.


18.   Changes to this Policy

We may update this Policy to reflect legal, technical or business changes. The updated version will be posted on the Platform with the “Last Updated” date. Significant changes will be notified through the app/website or by email/SMS where appropriate. Continued use after the effective date constitutes acceptance.


19.   Governing Law & Jurisdiction

This Policy is governed by the laws of India. Subject to applicable law, the courts at New Delhi shall have exclusive jurisdiction over disputes arising from this Policy.


20.   Contact Us

For privacy questions, rights requests, or complaints, please contact support@sknbiome.com or write to the Grievance Officer at the address above.


Annex A – Service-Specific Disclosures (Healthcare & E-Pharmacy)

1.     Telemedicine: We follow the Telemedicine Practice Guidelines (2020). Your consent to teleconsultation is recorded (implied if you initiate; explicit where required). Certain medicines cannot be prescribed via telemedicine. RMP identity and registration are disclosed during consults.

 

2.     E-pharmacy/Dispensing: Prescription drugs are dispensed by licensed pharmacies against valid prescriptions. For restricted schedules (e.g., H1/X), we comply with mandatory registers, identity checks, and retention requirements under the Drugs & Cosmetics Rules, 1945.

 

3.     Pharmacovigilance & Adverse Events: You may report side-effects at support@sknbiome.com. We may share necessary details with manufacturers/regulators as required by law.

 

4.     Insurance/TPA: If you share policy details for reimbursements, we will process and, where necessary, disclose relevant data to insurers/TPAs strictly for claim administration.

 

5.     Marketing & Influencers: We comply with the ASCI Code for advertising and disclose material connections for endorsements. Health information is not used for targeted ads.

 


Annex B – Cookie Categories

       Strictly Necessary: login/session, fraud prevention, load balancing.

 

       Functional: preferences, chat support.

 

       Analytics: usage metrics (e.g., pages viewed, time on page).

 

       Marketing: only with your consent; you can withdraw at any time via Cookie Settings.

 


© Continuum Aesthetics Private Limited. All rights reserved.