Skin & Beauty Center, Inc., its affiliates, subsidiaries, and entities under common management (“we,” “our,” or “us”) value your privacy. This Privacy Policy (“Policy”) describes how we collect, use, disclose, and otherwise process personal information through our website at www.dermla.com and any other websites, patient portals, mobile applications, and digital services we operate (collectively, the “Services”). This Policy also describes the rights and choices you have regarding your personal information. For additional information about rights you may have based on your state of residence, please see Section 13 (State-Specific Privacy Rights) and Section 14 (California Notice at Collection).
By using our Services, you agree that your personal information will be handled as described in this Policy. Your use of our Services and any dispute over privacy is subject to this Policy and the Terms and Conditions posted on our website.
Table of Contents
- Scope
- Medical Advice Disclaimer
- Personal Information We Collect
- How We Use Your Information
- How We Share Your Information
- Third-Party Websites and Online Booking Platforms
- Cookies and Other Tracking Technologies
- Your Privacy Choices
- Children’s Privacy
- Data Retention
- Security
- Notice of Privacy Practices (HIPAA Summary)
- State-Specific Privacy Rights
- California Notice at Collection and Privacy Rights
- Changes to This Policy
- Contact Us
1. Scope
This Policy applies to our personal information processing activities, including but not limited to:
- Visitors to www.dermla.com and other websites where this Policy is posted;
- Individuals who schedule appointments, request consultations, or otherwise engage with our healthcare services;
- Individuals who create an account or access features through patient portals or other login-protected areas;
- Individuals who participate in events, surveys, clinical research, or promotions conducted by us;
- Individuals who sign up to receive marketing communications, newsletters, or other materials;
- Visitors to our physical office locations;
- Current, former, and prospective business partners and service providers; and
- Individuals who otherwise communicate or interact with us through our Services.
Protected Health Information
Any protected health information (“PHI”) as defined by the Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”), that we collect, receive, or maintain in our capacity as a covered entity or business associate is governed by a separate Notice of Privacy Practices, provided to patients at the time of their first visit or upon request. To the extent there is a conflict between this Policy and the HIPAA Notice of Privacy Practices regarding your PHI, the HIPAA Notice controls.
Additional Notices
Depending on how you interact with us, we may provide supplemental privacy notices with additional details. Such supplemental notices will control to the extent there is a conflict with this Policy.
Employment Data
This Policy does not apply to personal information collected about job applicants, candidates, or current or former employees or contractors in the context of our working relationship with them.
2. Medical Advice Disclaimer
For Patients
The content on www.dermla.com, including text, graphics, and images, is for informational purposes only. It is not intended to be a substitute for professional medical advice, diagnosis, or treatment. Always seek the advice of your physician or other qualified health provider with any questions you may have regarding a medical condition. Never disregard professional medical advice or delay in seeking it because of something you have read on this website.
For Healthcare Professionals
This site is for general informational purposes only. You should use your own professional judgment in evaluating the information provided.
3. Personal Information We Collect
We collect personal information directly from you, from third-party sources, and automatically through your use of the Services. The types of information collected may vary depending on how you interact with us.
3.1 Information Collected Directly
Contact Details and Identifiers
Name, email address, phone number, mailing address, date of birth, gender, and other similar identifiers.
Account and Profile Information
Username, password, and other information used to access your account through patient portals or our websites.
Financial and Payment Details
Payment type, payment card details, billing address, insurance information, and other financial information necessary to process transactions.
Health and Medical Information
When you schedule an appointment, meet with our providers, or use our Services, we may collect health and medical information such as conditions, treatments, diagnoses, and related wellness data. Where such data constitutes PHI under HIPAA, it is governed by our separate Notice of Privacy Practices.
Communications and Interactions
Records of emails, calls, chat messages, form submissions, social media interactions, reviews, testimonials, and other communications, including information submitted through AI-assisted tools or automated response systems we may deploy.
Promotional Information
Contact details, preferences, and demographic information collected in connection with marketing communications, offers, or promotions.
Survey and Feedback Responses
Responses provided through surveys, questionnaires, or research.
Event and Registration Details
Information related to your participation in or registration for events we host or sponsor.
Preferences
Communication preferences, service preferences, and other choices you provide.
3.2 Information Collected from Third Parties
We may collect personal information about you from third-party sources, including:
- Healthcare Partners and Referral Sources. Information from referring physicians, laboratories, imaging centers, and other entities involved in your care.
- Data Analytics and Marketing Providers. Lead and prospect information for marketing, advertising, and customer enhancement purposes.
- Social Media Platforms. Information you make publicly available or share when interacting with us through social media.
- Business Partners and Service Providers. Information from entities that perform services or functions on our behalf.
3.3 Information Collected Automatically
We and our service providers may automatically collect certain information about your use of the Services through cookies, pixel tags, and similar technologies:
- Device and Browsing Information. Browser type, operating system, device type, unique device identifiers, language, referring URLs, access times, page views, and clickstream data.
- Activities and Usage. Links clicked, searches performed, features used, items viewed, time spent within the Services, and other interaction data.
- Location Information. Approximate geographic location derived from your IP address.
3.4 De-Identification and Privacy-Protective Processing
We employ a healthcare privacy platform that acts as an intermediary between our website and third-party analytics and advertising tools. This platform is designed to remove personally identifiable information and protected health information from data flows before transmitting event data to downstream marketing and analytics destinations.
Through this architecture, data shared with advertising platforms is de-identified—personal identifiers are removed or cryptographically hashed, and only non-identifiable behavioral signals are transmitted. This approach is designed to comply with guidance from the U.S. Department of Health and Human Services regarding online tracking technologies used by HIPAA-regulated entities.
3.5 Derived and Inferred Information
We may derive or infer information about you based on the information we collect, such as preferences, interests, or other demographic characteristics.
4. How We Use Your Information
We may collect, use, disclose, and otherwise process personal information for the following purposes:
- Services and Support. To provide healthcare and related services, manage your account, process transactions, schedule appointments, communicate about your care, and provide technical support.
- Analytics and Improvement. To understand how users access and use the Services, evaluate and improve our operations, and conduct internal quality control and training.
- Communication. To respond to inquiries, fulfill requests, send appointment reminders, and provide information about our Services.
- Customization and Personalization. To tailor content, offer location-based customization, and personalize your experience.
- Marketing and Advertising. To send promotional communications about our Services, in accordance with applicable law and your preferences.
- Research and Surveys. To administer surveys and questionnaires for market research, patient satisfaction, or quality improvement.
- Insight Development. To combine information collected through the Services with other data for analytics and research, typically using de-identified or aggregated data.
- Event Planning. For event registration, attendance tracking, and related communications.
- Security and Protection of Rights. To protect the Services and our operations, and to prevent and detect fraud, unauthorized activities, and other misuse.
- Compliance and Legal Process. To comply with legal or regulatory obligations, respond to subpoenas, court orders, and other legal processes.
- Auditing and Internal Operations. To conduct audits, maintain business records, and enforce our policies.
- General Business Support. To assess and implement business transactions and administer general business functions.
5. How We Share Your Information
We may disclose personal information to the following categories of recipients:
- Affiliates and Related Entities. We may share personal information with our parent company, subsidiaries, and other entities under common ownership or management, including affiliated practice entities within our healthcare network.
- Vendors and Service Providers. We share information with vendors who perform functions on our behalf, including IT and hosting providers, patient management systems, payment processors, marketing and analytics providers, appointment scheduling platforms, customer support services, and legal counsel. These providers are contractually obligated to use personal information only for the purposes disclosed to them.
- Healthcare Privacy Platform. We use a healthcare privacy platform that processes website behavioral data on our behalf under a Business Associate Agreement. This platform de-identifies data before transmission to non-HIPAA-compliant analytics and advertising destinations.
- Third-Party Analytics and Advertising Providers. We may disclose de-identified device, browsing, and usage information to marketing, analytics, and advertising providers for measuring campaign performance, improving our Services, and delivering relevant content. Data shared through our healthcare privacy platform has been stripped of personal identifiers.
- Business Partners. In some circumstances, we may partner with other businesses to offer services or facilitate programs.
- Other Users. If you submit information through public-facing features such as reviews or testimonials, that information may be visible to other users.
- Business Transfers. In connection with any merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, we may disclose or transfer personal information to the acquiring or successor entity.
- Legal Compliance. We may disclose information as required by law, including in response to subpoenas, court orders, and requests from government entities and law enforcement.
- Security and Protection of Rights. Where we believe disclosure is necessary to protect our rights, property, or safety, or the rights, property, and safety of others.
- De-Identified and Aggregated Data. We may use and disclose aggregated, de-identified, and other non-identifiable data for quality control, analytics, research, and other purposes. Where we use de-identified data, we maintain it in de-identified form and do not attempt to re-identify it, except to verify the adequacy of our de-identification processes pursuant to applicable law.
6. Third-Party Websites and Online Booking Platforms
Our Services may contain links to third-party websites, features, or services, including online booking and scheduling platforms operated by third parties. In some cases, you may be redirected to a third-party website or application to complete an appointment booking, payment transaction, or other interaction.
IMPORTANT: When you leave www.dermla.com and access a third-party platform—including third-party booking, scheduling, or payment systems—your interaction is governed by that third party’s own privacy policy, terms of service, and data handling practices, not this Policy.
Skin & Beauty Center, Inc. is not responsible for the privacy practices, security measures, content, or data collection activities of any third-party website or platform, even if we link to it or it displays our branding. We encourage you to review the privacy policy and terms of any third-party service before submitting personal information. We do not control and are not liable for the actions of third-party platforms, including how they collect, store, use, or disclose your personal information. Any questions or concerns about a third-party platform should be directed to that platform’s operator.
7. Cookies and Other Tracking Technologies
We and our service providers use cookies, pixels, local storage objects, log files, and similar technologies to automatically collect browsing, activity, device, and similar information. We use this information to analyze how users interact with our Services, optimize performance, and for marketing and analytics purposes.
7.1 Types of Cookies
- Essential Cookies. Necessary for basic site functionality, such as enabling secure areas and remembering your preferences.
- Performance and Analytics Cookies. Collect information about how visitors use our websites. Data collected by these cookies is processed through our healthcare privacy platform to remove personal identifiers before transmission to analytics tools.
- Functional Cookies. Remember preferences, login details, and choices to provide enhanced features.
- Advertising Cookies. Used to deliver relevant advertisements and measure campaign effectiveness. These cookies transmit de-identified signals through our healthcare privacy platform rather than sending raw personal data to advertising networks.
7.2 Cookie Consent and Management
We deploy a cookie consent management tool on www.dermla.com that allows you to manage your cookie preferences, including opting out of non-essential cookies, the sale of personal information through cookies, and targeted advertising. You may access and update your preferences at any time through the cookie preference center available on our website.
You may also manage cookies through your browser settings. The “Help” section of most browsers explains how to prevent your device from accepting new cookies, how to receive notification when a new cookie is set, and how to delete cookies. Disabling cookies may affect the functionality of certain features of our Services.
7.3 Third-Party Analytics
We use third-party analytics tools, including Google Analytics, to evaluate usage of our Services. Data transmitted to these tools is routed through our healthcare privacy platform, which removes personal identifiers before the data reaches the analytics provider. For more information about Google’s privacy practices, visit https://www.google.com/policies/privacy/partners/.
7.4 Cross-Device Tracking
We and our third-party providers may use the information we collect to identify other devices you use (e.g., mobile phone, tablet, computer). Cross-device data is subject to the same de-identification processes described in this Policy.
7.5 Third-Party Advertising
We work with third-party advertising networks and partners to personalize content and display advertising within and outside our Services. Information shared with advertising partners is processed through our healthcare privacy platform to ensure that personal identifiers and protected health information are not disclosed to non-HIPAA-compliant advertising destinations.
7.6 Browser and Opt-Out Preference Signals
We are committed to honoring user privacy preferences communicated through browser-based or device-based signals. Where our website and its supporting technology are capable of detecting opt-out preference signals—such as the Global Privacy Control (“GPC”) signal or similar mechanisms recognized under applicable state privacy laws—we will treat such signals as a valid request to opt that browser or device out of the “sale” or “sharing” of personal information and targeted advertising conducted through cookies and tracking tools on our website, to the extent required by law.
Because our websites use a variety of technologies and platforms, the ability to detect and honor specific signals may vary. If you are unsure whether your opt-out preference signal is being recognized, you may also exercise your opt-out rights directly through our cookie preference center or by contacting us using the information in Section 13.2.
We do not currently respond to “Do Not Track” browser signals, as there is no industry-wide standard for this signal at this time.
8. Your Privacy Choices
- Account and Profile Information. You may access, update, and delete certain personal information by adjusting your account settings or contacting us directly.
- Marketing Communications. You may opt out of promotional communications by following the unsubscribe instructions in each message. If you opt out, we may still send transactional or service-related communications.
- Cookie Preferences. You may adjust your cookie preferences through our cookie consent management tool or through your browser settings.
- Opt-Out of Sale and Targeted Advertising. Where applicable, you may opt out of the “sale” or “sharing” of your personal information and targeted advertising through our cookie preference center or by submitting a request as described in Section 13.
- Industry Ad Choice Programs. You can opt out of targeted ads from participating third-party networks at aboutads.info/choices (Digital Advertising Alliance). Opting out does not stop all ads—you may continue to receive generic advertisements.
9. Children’s Privacy
Our Services are not designed for or directed to children under the age of eighteen (18). We do not knowingly collect personal information from children under 18. If you are a parent or legal guardian and believe we have collected information from your child in violation of applicable law, please contact us using the information in Section 16 so we can take appropriate action.
In jurisdictions with specific requirements regarding children’s data, we comply with applicable provisions of the Children’s Online Privacy Protection Act (COPPA) and relevant state laws.
10. Data Retention
We retain personal information for as long as needed or permitted based on the purpose for which it was collected, consistent with applicable law. When determining retention periods, we consider:
- Whether we are subject to legal obligations requiring us to maintain records for a specified period;
- Whether the information is necessary to provide ongoing services or maintain our relationship with you;
- Whether we have legal positions requiring preservation of information (e.g., legal holds); and
- Applicable statutes of limitations and regulatory requirements.
Where we maintain personal information in de-identified form, we will not attempt to re-identify it except as permitted by applicable law.
11. Security
We have implemented administrative, technical, and physical safeguards designed to protect personal information from loss, misuse, unauthorized access, disclosure, alteration, and destruction. These measures include encryption, access controls, regular security assessments, and employee training.
Despite our efforts, no data security measures can guarantee complete security. You can help protect your information by choosing a strong, unique password and keeping your login credentials confidential. If you believe your account has been compromised, please contact us immediately.
12. Notice of Privacy Practices (HIPAA Summary)
THIS SECTION PROVIDES A SUMMARY OF HOW WE MAY USE AND DISCLOSE YOUR PROTECTED HEALTH INFORMATION UNDER HIPAA. A COMPLETE NOTICE OF PRIVACY PRACTICES IS PROVIDED TO PATIENTS AT THE TIME OF THEIR FIRST VISIT OR UPON REQUEST.
12.1 Uses and Disclosures of PHI
We may use and disclose your PHI for the following purposes:
- Treatment. To provide, coordinate, or manage your healthcare, including disclosures to other providers involved in your care.
- Payment. To bill and collect payment for services, including disclosures to insurance companies, health plans, and other responsible parties.
- Healthcare Operations. To operate our practice, including quality assessment, employee training, compliance activities, and business planning.
- Appointment Reminders. To contact you with appointment reminders, treatment alternatives, or other health-related benefits and services.
12.2 Disclosures Without Authorization
We may disclose your PHI without your prior authorization in certain legal situations, including:
- Public health activities, including disease prevention, reporting child abuse or neglect, and communicable disease notifications;
- Law enforcement purposes, in response to court orders, subpoenas, warrants, or summons;
- Judicial and administrative proceedings;
- Situations involving serious threats to health or safety;
- Workers’ compensation programs; and
- As otherwise required by law.
12.3 Your Rights Regarding PHI
You have the right to:
- Inspect and obtain a copy of your medical and billing records;
- Request amendment of health information you believe is incorrect or incomplete;
- Request an accounting of certain disclosures of your PHI;
- Request restrictions on certain uses or disclosures of your PHI; and
- Request confidential communications (e.g., asking that we contact you at a specific phone number or address).
To exercise any of these rights, please contact our office directly or use the contact information in Section 16.
13. State-Specific Privacy Rights
Residents of certain U.S. states may have additional rights under applicable state privacy laws. California residents should also see Section 14 for additional California-specific disclosures.
13.1 Consumer Privacy Rights
Subject to applicable law, limitations, and exceptions, residents of states with comprehensive consumer privacy laws may have the following rights:
- Access. To confirm whether we are processing your personal information and to obtain a copy in a portable, readily usable format.
- Deletion. To request deletion of your personal information.
- Correction. To request correction of inaccurate personal information.
- Opt-Out. To opt out of: (a) the “sale” of your personal information; (b) targeted advertising; and (c) profiling in furtherance of decisions that produce legal or similarly significant effects.
- Revoke Consent. To revoke consent previously provided for the processing of your personal information.
13.2 How to Exercise Your Rights
You may submit a privacy request by:
- Emailing us at info@dermla.com;
- Calling us at (818) 842-8000; or
- Submitting a request through the privacy web form on our website.
When you submit a request, we will take steps to verify your identity by matching the information you provide with our records. In some cases, we may request additional information. If we cannot verify your identity after a good faith attempt, we may deny the request and explain the basis for the denial.
13.3 Authorized Agents
You may designate an authorized agent to submit privacy requests on your behalf. Authorized agents must provide proof of authorization, and we may require you to directly verify your identity and the agent’s authority.
13.4 Appeals
If we deny your privacy request, you may appeal our decision by contacting us within sixty (60) days of the denial. We will respond as required under applicable state law.
13.5 Non-Discrimination
We will not discriminate against you for exercising any privacy rights described in this Policy.
13.6 Sale of Personal Information
We do not disclose personal information to third parties in exchange for monetary compensation. However, our use of cookies and tracking technologies may constitute a “sale” or “sharing” under certain state privacy laws. Specifically, identifiers, location information (e.g., IP address), and Internet and network activity information may be disclosed to third-party advertising and analytics providers through cookies and similar technologies.
Where required by law, we provide opt-out mechanisms through our cookie consent management tool and, where applicable, a “Do Not Sell or Share My Personal Information” link on our website. We employ a healthcare privacy platform to de-identify data before it reaches advertising and analytics destinations. This platform removes personal identifiers and protected health information, transmitting only anonymized event data to downstream tools.
13.7 Applicable State Laws
California (CCPA/CPRA): See Section 14 for the complete California Notice at Collection.
14. California Notice at Collection and Privacy Rights
This section provides additional information for California residents pursuant to the California Consumer Privacy Act, as amended by the California Privacy Rights Act (the “CCPA”). This section applies to “personal information” as defined in the CCPA, whether collected online or offline, and does not apply to information exempt under the CCPA.
14.1 Categories of Personal Information Collected and Disclosed
The following table identifies the categories of personal information we may collect (and may have collected in the prior 12 months), along with the categories of third parties to whom we may disclose such information:
| Category of Personal Information | Third-Party Recipients |
|---|---|
| Identifiers (name, email, phone, address, IP address, online identifiers) | Affiliates; service providers; analytics and advertising providers; regulators and law enforcement |
| Customer Records (name, contact info, financial/payment info, health-related info) | Affiliates; service providers; regulators and law enforcement |
| Commercial Information (services purchased, purchasing history) | Affiliates; service providers; analytics providers; regulators and law enforcement |
| Internet/Electronic Network Activity (browsing history, clickstream, search history) | Affiliates; service providers; analytics and advertising providers; regulators and law enforcement |
| Location Data (approximate location from IP address) | Affiliates; analytics and advertising providers; regulators and law enforcement |
| Audio, Visual, or Similar Information (call recordings, photographs) | Affiliates; service providers; regulators and law enforcement |
| Professional Information (job title, company, business contact details) | Affiliates; service providers; regulators and law enforcement |
| Inferences and Profiles (preferences, characteristics, behaviors) | Affiliates; analytics providers; regulators and law enforcement |
| Sensitive Personal Information (login credentials, financial account data, health-related info, precise geolocation) | Affiliates; service providers; regulators and law enforcement |
14.2 Sensitive Personal Information
We do not collect, use, or disclose “sensitive personal information” beyond the purposes authorized by the CCPA. We only use and disclose sensitive personal information as reasonably necessary and proportionate to: (i) perform services you request; (ii) ensure security and integrity; (iii) detect and prevent fraud; (iv) verify quality and safety; (v) comply with legal obligations; (vi) provide information to service providers; and (vii) for purposes other than inferring characteristics about you.
14.3 Sales and Sharing
While we do not disclose personal information to third parties in exchange for monetary compensation, our use of third-party analytics and advertising cookies may be considered “selling” or “sharing” under the CCPA. We may “sell” or “share” the following categories: identifiers, commercial information, location information (IP address), and Internet and network activity information.
We do not sell or share sensitive personal information, nor do we sell or share personal information of individuals we know to be under sixteen (16).
14.4 California Privacy Rights
California residents have the following rights under the CCPA:
- Right to Know (Access and Portability). Request the categories and specific pieces of personal information collected, the sources, business purposes, and categories of third-party recipients.
- Right to Correct. Request correction of inaccurate personal information.
- Right to Delete. Request deletion of your personal information.
- Right to Opt-Out of Sales and Sharing. Opt out via our cookie preference center or the “Do Not Sell or Share My Personal Information” link on our website.
- Right to Limit Use of Sensitive Personal Information. We only use sensitive personal information for CCPA-permitted purposes.
- Right to Non-Discrimination. We will not discriminate against you for exercising any CCPA right.
To exercise your rights, see Section 13.2.
14.5 California Shine the Light
Under California’s “Shine the Light” law (Cal. Civ. Code § 1798.83), California residents who provide us certain personal information may request information about sharing with third parties for direct marketing. To submit a request, email us at info@dermla.com.
15. Changes to This Policy
We may update this Policy from time to time. We will post any changes on this page and update the “Last Updated” date. If we make material changes, we will endeavor to provide prior notice, such as by email or prominent notice on our website. We encourage you to review this Policy periodically.
16. Contact Us
If you have questions or concerns about this Policy or our privacy practices, or wish to exercise your privacy rights, please contact us:
- Email: info@dermla.com
- Phone: (818) 842-8000
- Mailing Address:
Skin & Beauty Center, Inc.
Attn: Compliance Officer
2220 N. Screenland Drive
Burbank, CA 91505
- Compliance Officer: For data protection inquiries, please email info@dermla.com.
- HHS Complaints: If you believe your health information privacy rights have been violated, you may also file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights, at https://www.hhs.gov/ocr/.
