Privacy Policy

The company MEDALTIK, a simplified joint-stock company (SASU) registered with the Trade and Companies Register of Besançon, FRANCE under number 995 319 761 (hereinafter "MEDALTIK"), is committed to protecting the personal data of users of the MySkinCompanion mobile application and of the associated marketing website at https://myskincompanion.com (hereinafter together the "Service").

MySkinCompanion is intentionally designed so that the User's personal record of the aesthetic treatment sessions they receive stays on the User's device. As a result, very little personal data is processed by MEDALTIK.

MEDALTIK, in its capacity as data controller, undertakes to protect the data it processes in compliance with the applicable regulations, in particular Regulation (EU) No. 2016/679 of April 27, 2016 known as the "General Data Protection Regulation" or "GDPR", and Law No. 78-17 of January 6, 1978 known as the "Data Protection Act" as amended (hereinafter together the "Applicable Regulations").

This document constitutes the personal data protection policy implemented by MEDALTIK and aims to inform the User about the commitments and practical measures taken to ensure compliance with and protection of personal data (hereinafter the "Policy").

For any question about this Policy, the User may contact MEDALTIK:

Last updated: April 17, 2026.

Definitions

The words and expressions used in this Policy have the meaning given to them by the Applicable Regulations, whether used in the singular or plural:

  • Personal Data: any information relating to a directly or indirectly identified or identifiable natural person.
  • Data Subject: an identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity. In practice, this will be the User of the Service.
  • Data Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing.
  • Processor: a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Data Controller.
  • Processing: any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Capitalised terms not defined in this Policy have the meaning given to them in MEDALTIK's General Terms of Use.

Principle: Your Record Stays on Your Device

MySkinCompanion is built so that the record of the aesthetic treatment sessions the User saves — including product reference (REF), batch number (LOT), expiry date (EXP), date of the session and identification of the practitioner as provided by them — is stored exclusively on the User's device.

MEDALTIK does not host, back up, or synchronise that record on its own infrastructure, and has no technical means to read it. The User alone holds the record, and may at any time export it as a file, share it with a practitioner of their choice, or delete it permanently from the device.

As a direct consequence:

  • no account creation, name, email address or telephone number is required to install and use the App on iPhone;
  • no treatment Data is received by MEDALTIK;
  • no profile, analytics or behavioural tracking is built by MEDALTIK from the User's record.

Personal Data Collected and Purposes of Processing

MEDALTIK only processes the very limited Personal Data described below, strictly for the purposes indicated.

1. Android waitlist — optional

If the User does not own an iPhone, they may optionally provide an email address on the marketing website in order to be notified once the Android version of the App becomes available.

  • Data collected: email address.
  • Purpose: sending a single notification email when the Android version is released.
  • Legal basis: consent of the Data Subject (Art. 6.1.a GDPR).
  • Retention: the address is deleted as soon as the notification has been sent, or earlier upon the User's request.

The User may withdraw consent at any time by writing to privacy@myskincompanion.com, which will result in the deletion of the address and the cancellation of the notification.

2. Support and anomaly reports — optional

If the User contacts MEDALTIK to report an anomaly or to ask a question about the Service, MEDALTIK will process the information spontaneously communicated by the User.

  • Data collected: email address, and any other Personal Data the User chooses to share in their message.
  • Purpose: responding to the request and, where applicable, correcting the reported anomaly.
  • Legal basis: consent of the Data Subject (Art. 6.1.a GDPR) and legitimate interest of MEDALTIK in maintaining and improving the Service (Art. 6.1.f GDPR).
  • Retention: the exchange is retained for a period of two (2) years from the date of the last message.

3. Marketing website — technical logs

To operate the marketing website in a reasonable and secure manner, the hosting infrastructure generates short-lived technical logs, which may include an IP address and a user-agent string.

  • Purpose: ensuring the security and availability of the website and preventing abuse.
  • Legal basis: legitimate interest of MEDALTIK (Art. 6.1.f GDPR).
  • Retention: these logs are retained for a maximum of thirty (30) days, then destroyed.

4. What is not collected

  • No account data. The App does not create an account.
  • No treatment Data on MEDALTIK's side. The record lives on the User's device only.
  • No health data. MEDALTIK is not a certified health data host (HDS). The User is asked not to enter into the App information that would qualify as personal health data.
  • No advertising, analytics or profiling cookies on the marketing website. See the Cookie Management section below.

Retention Period

MEDALTIK only retains Personal Data for the time strictly necessary to the purpose for which it was collected, as detailed for each processing above. At the end of that period, the data is destroyed or anonymised, except where an archival obligation requires it to be retained under restricted access for the legal duration required.

Recipients of the Data

Within a strict access-management and confidentiality policy, only recipients duly authorised by MEDALTIK may access the information the User has communicated.

Internal recipients

Authorised MEDALTIK staff may access Personal Data strictly on a need-to-know basis.

Processors and external service providers

The Personal Data collected may also be transmitted to MEDALTIK's processors and service providers, within the limits provided by the Applicable Regulations and in accordance with this Policy, notably for the purpose of hosting the marketing website and the Android waitlist service, distributing the App, and securing the information system.

Processors and their roles:

  • Laravel Cloud: hosting and deployment platform for the marketing website and the Android waitlist service.
  • Amazon Web Services (AWS), Frankfurt region: underlying infrastructure provider.
  • Apple Inc.: distribution of the App on the Apple App Store.

The App, once installed on the User's device, does not transmit the User's record to any of these processors.

Third parties authorised by law

Where required to do so by law, MEDALTIK may share Personal Data with competent judicial or administrative authorities.

Anonymised aggregates

MEDALTIK may share with third parties anonymised or aggregated data, for statistical purposes only, under conditions that prevent the re-identification of the Data Subject.

Transfer and Hosting of Personal Data

The Personal Data processed by MEDALTIK is hosted within the European Union (Frankfurt, Germany).

Where MEDALTIK nevertheless needs to transfer Personal Data outside the territory of the European Union in order to deliver the Service, MEDALTIK guarantees that such transfers are executed either to States that are subject to an adequacy decision by the European Commission, demonstrating an adequate level of protection within the meaning of Article 45 GDPR, or, in the absence of an adequacy decision, under the conditions provided for in Article 46 GDPR, notably through the use of standard contractual clauses approved by the European Commission.

Security Measures

MEDALTIK undertakes to ensure the security and integrity of the Personal Data of the Data Subject.

To this end, MEDALTIK implements and maintains technical and organisational security measures for its information system appropriate to the nature of the Personal Data and the risks presented by their processing.

These measures aim to:

  • protect Personal Data against destruction, loss, alteration or disclosure to unauthorised third parties;
  • ensure the restoration of the availability of Personal Data and access thereto within appropriate timeframes in the event of a physical or technical incident.

The servers hosting Personal Data are protected against physical (access control) and logical (firewalls, identity and access management) malicious acts.

Rights of the Data Subject

In accordance with the Applicable Regulations, the Data Subject may exercise at any time their rights of access, rectification, portability and deletion of the Personal Data concerning them, as well as rights of restriction or opposition to the Processing, by contacting MEDALTIK at privacy@myskincompanion.com.

The Data Subject also has the right to lodge a complaint with any competent supervisory authority, such as the CNIL (https://www.cnil.fr/fr/plaintes), if they consider that a Processing of their Personal Data infringes the Applicable Regulations.

MEDALTIK reserves the right to request any reasonable information from the Data Subject before providing the elements relating to their request, in particular their email address, proof of identity where necessary, and the subject of their request.

MEDALTIK is required to respond to the Data Subject within a maximum period of thirty (30) days, except where the request is particularly complex or where a large number of requests have been made simultaneously.

Cookie Management

A cookie is a text file that may be stored on the computer, tablet or smartphone of an internet user when consulting and using a website.

MEDALTIK does not use advertising, analytics or profiling cookies on the myskincompanion.com marketing website. Only cookies strictly necessary to the operation of the site may be used; such cookies do not require prior consent under the Applicable Regulations.

The App, once installed on the User's device, does not use cookies.

Modification of the Policy

This Policy may be modified depending on the development of the Service and in the event of legal, case-law, CNIL or usage changes.

The version of the Privacy Policy applicable to the Data Subject is the one published on the day of use of the Service.