mendiSKIN — Privacy Policy

Effective from 25 March 2026.

Contents

Introduction
Definitions
What data we collect
Purposes of processing
Legal bases
Sensitive data
Automated processing & AI
Storage and transfer
Retention
Service providers
Security
Incident notification
Your rights
Age
Cookies, analytics and advertising
Medical disclaimer & limitation of liability
Governing law
Contacts
Changes

1. Introduction

mendiSKIN (the "Service", "we", "our") is an informational self-monitoring application for skin (Astana, Republic of Kazakhstan). The Service provides advisory AI indications based on photos of moles taken by the user.

mendiSKIN is not a medical device and is not intended for diagnosis, screening or clinical decision-making. Any recommendation provided by the Service is informational and does not replace an in-person examination by a physician.

2. Definitions

Personal data — any information relating to a directly or indirectly identifiable natural person.
Processing — collection, recording, storage, modification, use, anonymisation, transfer, deletion and any other operation on data.
Consent — voluntary, specific, informed and unambiguous indication of will.
Service provider — third party to whom we delegate part of the processing on our behalf.

3. What data we collect

Category	Contents
Account	name, email, hashed password
Profile	age, gender, skin phototype, locale, time zone, home city (optional)
Geolocation	device coordinates (with permission)
Health data	mole photos, size, body location, notes, AI results, history
Consents	document version, hash, timestamp, locale, device class
Technical	device model, OS version, identifiers, IP, application events
Payments	subscription status, external transaction ID. Card / banking details are not stored.

4. Purposes of processing

We may process your data for purposes that include:

providing, operating and maintaining the Service, account management and authentication;
security, fraud prevention and abuse protection;
communications with users, customer support;
analytics, performance measurement, product research;
development, testing and improvement of the Service, its features and algorithms;
personalisation of content and interface;
marketing and advertising communications (with opt-out where required);
compliance with applicable law and dispute resolution;
corporate transactions, including possible mergers, acquisitions, reorganisations and asset transfers.

5. Legal bases for processing

Processing is carried out on the following bases (applicable personal data legislation):

Consent — for sensitive data and geolocation;
Contract — for account, profile, history of checks;
Legitimate interest — for security, analytics, product development, marketing to the extent not overriding your rights;
Legal obligation — where expressly required by law.

6. Sensitive data (health, biometrics)

Mole photos and related data may constitute sensitive data and are processed on the basis of your separate informed consent. Technical and organisational protection measures proportionate to the nature of the data are applied.

The use of anonymised, aggregated or otherwise non-identifying data for research and product purposes, including improvement of the Service's algorithms, is carried out in accordance with applicable law.

7. Automated processing and AI

The Service applies automated processing, including machine-learning models, to produce informational risk indications. The output is not a medical opinion.

Your rights regarding automated processing are exercised as provided by applicable law, including the right not to be subject to decisions producing legal effects based solely on automated processing.

8. Storage and transfer

Personal data may be processed and stored in any of the countries where we or our service providers operate. Technical and organisational protection measures are applied, including encryption in transit and at rest.

We evaluate applicable data-storage requirements and will update this Policy as needed. Where cross-border transfers occur, they are carried out on the basis of user consent and/or other legal grounds permitted by applicable law.

9. Retention

Data is retained for the period necessary for the purposes for which it was collected, or as required by applicable law, contractual obligations or for the resolution of potential disputes. Upon expiry of the applicable period, data is deleted, anonymised or restricted in processing.

10. Service providers

For the performance of specific operations we engage reputable service providers in the following categories:

hosting and cloud infrastructure;
email and push notification delivery;
payment processing;
analytics and performance measurement;
professional services (legal, accounting and the like).

Service providers process data exclusively on our instructions and under contractual data-protection obligations. A current list is available on request.

11. Security measures

We apply technical and organisational measures reasonably sufficient to protect data from accidental or unlawful loss, alteration, disclosure or unauthorised access, including encryption, access controls and regular infrastructure updates. Absolute security on the modern internet cannot be guaranteed.

12. Incident notification

In the event of an incident affecting your personal data, we will notify you and the relevant supervisory authority within the time and manner prescribed by applicable law.

13. Your rights

Applicable law may grant you, among other things, the following rights:

access to the data we process about you;
correction or supplementation of inaccurate data;
deletion of the account and associated data — via "Settings" → "Delete account" in the app;
restriction of, or objection to, processing;
withdrawal of consent (for processes based on consent);
obtaining a copy of your data in a machine-readable format;
lodging a complaint with the supervisory authority.

Send requests to i.elmusa99@gmail.com. Response time: up to 30 calendar days.

14. User age

The Service is intended for users aged 18 and over. Persons under 18 may use the Service only under the supervision of a legal guardian.

15. Cookies, analytics and advertising

We and our partners may use cookies, SDKs and similar technologies for:

operation of the Service, authentication and security;
collection of analytical information about interaction with the product and measurement of its effectiveness;
research and improvement of features;
personalisation of content and interface;
marketing and advertising communications.

Some of these technologies are necessary for the operation of the Service. Others may be disabled through your browser or device settings. Marketing communications can be managed in account settings.

16. Medical disclaimer and limitation of liability

By using the Service you confirm that you have read and understood the following:

The Service is not a medical device and is not intended to diagnose, treat, prevent or screen for any disease.
The AI indication output is not a medical opinion and may produce both false-negative and false-positive results.
The Service does not create a doctor-patient relationship.
For any concerning skin presentation — regardless of any result shown — consult a licensed physician. Do not delay seeking medical care because of anything shown in the Service.
In an emergency, contact a doctor or emergency services, not the Service.
You assume the risk of using the Service to the maximum extent permitted by law.
The Service is provided "as is" and "as available" without express or implied warranties of accuracy, fitness for a particular purpose or freedom from errors, to the maximum extent permitted by law.
To the maximum extent permitted by law, mendiSKIN, its affiliates, employees and contractors shall not be liable for any indirect, special, incidental, punitive or consequential damages. Aggregate liability shall not exceed the amount paid by the user for the Service in the 12 months preceding the event. The limitation does not apply to liability that cannot be limited under applicable law.

The provisions of this section are interpreted and applied to the maximum extent permitted by applicable law. The invalidity of any provision does not affect the validity of the remainder.

17. Governing law and venue

This Policy is governed by the law of the Republic of Kazakhstan. Disputes are resolved by the courts at the operator's location, or as provided by mandatory rules of applicable law.

18. Contacts

mendiSKIN, Astana, Republic of Kazakhstan · i.elmusa99@gmail.com

19. Changes to this policy

We may update this Policy. We will notify you of material changes. The current version is always available at https://mendiskin.org/privacy-policy.en.html.