IMPORTANT: Crisalix provides the Services and, as such, Crisalix controls your personal data when you directly sign up with us either as an end user or as an aesthetics professional. However, we will not be the data controller of your personal data if you are invited as an end user to join directly from an aesthetics professional. In such a case, we will act as data processor, with the relevant aesthetics professional being the data controller of your personal information and, therefore, such aesthetics professional will decide the scope and length of the access to the Services that you may enjoy. However, we will implement the same technical or organizational security measures to protect your personal data in both scenarios (i.e., data controller/data processor).
Note that, if you decide to use our online community (MyCrisalix), we will be a data controller even if you have been previously invited by an aesthetics professional.
We are dedicated to protecting the privacy of our users by taking all possible measures to protect their personally identifiable information. This Privacy and Cookies Policy outlines these measures and discloses the privacy practices of Crisalix, which have been adapted to the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“General Data Protection Regulation”).
This Privacy and Cookies Policy sets out how Crisalix uses and protects any information that you provide or that is collected when you use Crisalix’s services, websites, platforms, products, and any and all applications, internet- or mobile-based or not, provided by Crisalix, directly or indirectly, (referred to collectively as the “Services” in this document).
Crisalix is committed to ensuring that your privacy is protected. Should we ask you to provide certain information by which you can be identified when using the Services, then you can be assured that it will only be used in accordance with this Privacy and Cookies Policy.
1.1. Who is the controller? How can I contact the controller?
- Name: Crisalix S.A. (“Crisalix” or “us”)
- Address: PSE-A, 1015 Lausanne, Switzerland
- Telephone: +41 21 530 70 04
- Email: firstname.lastname@example.org
Note that Crisalix collaborates with its subsidiaries to perform the Services (“Crisalix' Affiliates”). Crisalix' Affiliate refers to any entity that owns or controls, is owned or controlled by, or is under common control or ownership with Crisalix, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise. If these Crisalix' Affiliates access your personal data, they will act as data (sub) processors. The current Crisalix' Affiliate is the following:
- Crisalix Labs SLU, Av. Francesc Cambo 17, Barcelona, Spain.
1.2. Is there a Data Protection Delegate (DPO) in our organization? How can I get in touch with the DPO?
Yes, we have designated a DPO for all companies within the Crisalix Group. This designation has been notified to the Spanish Agency for Data Protection. You can contact our DPO through the following email address: email@example.com.
2. Purpose of the processing
2.1. For what purpose will we process your data?
We wish to inform you that we will process your data for the following purposes:
- To render the Services.
- To manage, develop, deliver, and improve the Services.
- To keep you informed, including by electronic means, about Crisalix’ latest developments, updates, and news. It also helps us improve our Services and advertising. If you do not want to be on our mailing list, you can opt out at any time by updating your preferences or by contacting us on firstname.lastname@example.org.
- To perform internal auditing, data analysis, and research to improve Crisalix’ Services, and customer communications.
- To administer sweepstakes, contests, or similar promotions where you participate.
2.2. How long will we retain your data?
We shall retain your data for as long as our contractual relationship with you is in force in order to manage it correctly and to send you commercial information of interest to you, provided that this is adequate, relevant and limited to what is necessary for the purposes for which the data is processed. The above default rule will apply unless you request the erasure of your data.
Once the processing of your data is no longer adequate, relevant and limited to what is necessary for the purposes for which the data is processed, we will retain your data duly blocked and only for the purposes of discharging potential responsibilities as requested by the regulations. Likewise, we may retain your data in a totally anonymous way so as to render your identification impossible, as a result of which such data will no longer be personal data.
Finally, we wish to inform you that we will take every reasonable step to ensure that inaccurate data is rectified or deleted.
2.3. Will we take decisions solely on the basis of automated processing, including profiling, with the data that you provide us?
No, we shall not take individual decisions solely on the basis of automated processing which may produce legal effects concerning you or similarly affect you significantly.
Note that even during the simulation process there is human intervention. To optimize the Services and guarantee the highest quality results, a manual/visual check of all cases done through photos is done by a specialized and dedicated team.
2.4. Will we process anonymous/aggregate data for analysis purposes?
Yes, we also collect non-personal information − data in a form that does not permit direct or indirect association with any specific data subject. We may collect, use, transfer, and disclose non-personal information for any purpose. Note that aggregated and/or anonymous data is considered non-personal information for the purposes of this Privacy and Cookies Policy.
The following are some examples of non-personal information that we collect and how we may use it:
- We may collect information such as language, zip/postal code, area code, location, and the time zone where a Service is used or visited so that we can better understand user behaviour and improve our Services and advertising.
- We may also collect information regarding customer behaviour on our website and from our other Services, such as but not limited to 3D usage statistics, surgery information, or success rate. This information is aggregated and used to help us provide more useful information to our customers and to understand which parts of our Services are of most interest.
In any event, if we do combine non-personal information with personal information the combined information will be processed as personal information for as long as it remains combined.
2.5. Apps using ARKit, TrueDepth API, Camera APIs, Photo APIs, or other software for depth of facial mapping information
TrueDepth API and Camera APIs data is only used to track user's facial mapping information, necessary for Face-based Augmented Reality experiences. We do not collect, store or share with third-parties data used by ARKit, TrueDepth API, Camera APIs, Photo APIs, or other software for depth of facial mapping information.
3. Legitimisation of the processing
3.1. On what basis is the processing of your personal data based?
Your personal data will be processed for the above-mentioned purposes and on the basis of the following legitimate reasons for the processing, which are applicable depending on each case:
- your consent, and
- the need to offer and render you with the Services.
3.2. Which data do you need to provide us with? What should happen if you do not provide it?
It is necessary that you provide us with all of the personal data marked as mandatory in the registration form of the Services. Mandatory data fields are identified with a (*). Note that, when uploading a picture for a 3D simulation or informing us about any health information, you will be providing us with special categories of data. Please note that we will process such data with specific care.
Failure on your side to provide us with the data requested and identified as mandatory, may negatively affect the use of the Services and access to its contents, to the point that you may not be able to access the Services at all.
In addition to the data collected through the form, we may collect and process other personal data such as any other data which may be generated during the use of the Services.
Besides, you may be asked to provide your personal information anytime you are in contact with Crisalix or a Crisalix' Affiliate.
Finally, we may also collect aggregated/anonymous information regarding your activities from our Services. For more information please see section 2.4 in relation to anonymous/aggregate data analysis.
3.3. Do I need to provide accurate and precise data?
Yes, considering how important your data is to us, when you provide us with your data you guarantee its veracity and/or accuracy.
Please, be aware that you will be responsible for any false or inaccurate representations made by you, as well as for the damage caused as a result of the same to Crisalix, Crisalix' Affiliates or other third parties.
Crisalix and Crisalix' Affiliates shall not be responsible for any incident deriving from the lack of accuracy and/or misrepresentation of the information provided by you.
4.1. Will we disclose your data to third-parties?
Crisalix and Crisalix' Affiliates may share your personal information with each other and use it consistent with this Privacy and Cookies Policy.
Besides, Crisalix needs to share personal information with companies which provide services such as information processing, fulfilling customer orders, payment processing, managing and enhancing customer data, providing customer service, assessing your interest in our products and services, and conducting customer research or satisfaction surveys. These third parties will act as our processors, or sub-processors, and will have implemented appropriate safeguards to protect your personal information.
Furthermore, Crisalix will disclose your personal data if this is required by law, legal process, litigation, and/or requests from public or governmental authorities within or outside your country of residence. We may also disclose information about you if we determine that for purposes of national security, law enforcement, or other issues of public importance, disclosure is necessary or appropriate.
We may also disclose information about you if we determine that disclosure is reasonably necessary to enforce our terms and conditions or protect our operations or users. Additionally, in the event of a reorganization, merger, or sale we may transfer any and all personal information we collect to the relevant third party.
4.2. Could you disclose your personal information to third parties through the Services?
Yes, please note that, when using our online community (MyCrisalix), you will make public your personal information. Therefore, when you use the Services or post on a Crisalix forum, blog, or social networking service, the personal information you share is visible to other users and can be read, collected, or used by them.
Furthermore, you may choose to contact an aesthetics professional from the directory that we provide in the Services and, in such a case, you will allow us to share your personal information with the chosen aesthetics professional.
You are responsible for the personal information you choose to submit in these instances.
5. International transfers
5.1. Will your personal data be transferred to third countries or international organisations?
Besides, note that we make certain personal information available to the Crisalix' Affiliate located in the Philippines (please see section 1.1 above). This is necessary to allow us to provide you with the Services. In particular, to optimize the Services and guarantee the highest quality results, a manual/visual check of all cases done through photos is done by a specialized and dedicated team of this Crisalix’ Affiliate located in the Philippines.
This Crisalix' Affiliate located in the Philippines may in no event be data controller. They act as data processors, or sub-processors, to help us to provide the Services. We have put in place the relevant appropriate safeguards and, in particular, an agreement following the standard data protection clauses adopted by the Commission.
6. Your rights
6.1. What rights do you enjoy regarding the processing of your data?
As provided for by the General Data Protection Regulation, we wish to inform you about your right to:
- Access your data. You have the right to access your data in order to find out what personal data we process that concerns you. You may exercise your right of access at the following email email@example.com.
- Request to have your data rectified or deleted. In certain circumstances, you will have the right to rectify inaccurate personal data relating to you that is processed by us, or even to request its erasure. You may exercise your rights of rectification and erasure by contacting us at the following email firstname.lastname@example.org.
- Request the restriction of the processing of your data. In certain circumstances, you will have the right to request the restriction of the processing of your data by us, in which case, we wish to inform you that we will only retain the data for the exercise or defence of legal claims, as provided by the General Data Protection Regulation. You may exercise your right of restriction by contacting us at the following email email@example.com.
- Your data portability. In certain circumstances, you will have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format, and the right to transmit this data to another controller. You may exercise your right to data portability by contacting us at the following email firstname.lastname@example.org.
- Object to the processing of your data. In certain circumstances and on grounds relating to your particular situation, you will have the right to object to the processing of your data, in which case we will no longer process it unless compelling legitimate grounds exist or for the exercise or defence of possible legal claims. You may exercise your right to object by contacting us at the following email email@example.com.
6.2. Do you have the right to withdraw your consent?
Yes, you may, at any moment, withdraw your consent regarding the processing of your data for one, several or all of the purposes referred to above. Be aware that, should that happen, our rendering of the Services could be altered or even discontinued totally.
6.3. Do you have the right to appeal?
Yes, you can appeal to the competent supervisory authority in your place of residence. You may obtain information on how to contact the different supervisory authorities by contacting us at the following email firstname.lastname@example.org.
In any event, before starting any appeal, please contact us by email (email@example.com) so that we can settle any discrepancies or disputes in an amicable way.
6.4. When will we reply to you?
We will reply to your requests as soon as possible and, in any event, within one month. Should we not meet this deadline, please, excuse us and contact us again so that we can deal with and rectify any possible technical error, which may have caused our late reply.
7. Origin of the data
7.1. Where have we obtained your data from?
We have obtained your data directly from you. For further information about what data we process, please refer to section 3.2.
7.2. What categories of data do we process? Will we process sensitive data?
For additional information about the data we process, please, refer to section 3.2. For further information, please visit the Security statement and the HIPAA compliant.
Despite processing health related data (e.g. 3D simulation), we do not process any other special categories of data that are not necessary to provide the Services.
8. Best practices, safeguards and additional measures
We are aware of the importance of privacy and data protection regulations. Accordingly, the protection of the security, integrity and confidentiality of our clients and users’ information is very important for us. Therefore, it is our firm intention to act in a responsible way in this regard.
In this context, we have adopted sufficient technical and organisational measures to ensure the security of your personal data and to avoid its alteration, loss and unauthorised processing or access, all in conformity with the applicable data protection regulations and the highest market standards.
Besides, to make sure your personal information is secure, we communicate our privacy and security guidelines to our employees and strictly enforce privacy safeguards within Crisalix and Crisalix' Affiliates.
For further information, please visit the Security statement and the HIPAA compliant.
You acknowledge and agree that you have read and understood this Privacy and Cookies Policy, whose contents constitute the entire agreement between you and Crisalix regarding the use and processing of your personal information in the Services. You expressly accept to be bound by the terms of this Privacy and Cookies Policy, in all its scope and extent, without exception of any of its provisions.
11. Amendment of this Privacy and Cookies Policy
Crisalix reserves the right to update and modify the Privacy and Cookies Policy from time to time.
Date of the last update: June 1, 2018.
Should you wish to send us any suggestion or comment regarding our Privacy and Cookies Policy, please contact us. You may find our details in section 1.1.