Privacy Policy – Revance App
This privacy policy refers to the FaceReality website and all its included applications (each, an “App”). This privacy policy document describes the types of information that are collected and recorded by aemos GmbH and how we intend to use them. The privacy policy goes into effect as of February 7, 2025.
This Privacy Policy applies only to our online activities and is valid for visitors to our www.aemos.at, www.face-reality.com, and platform.face-reality.com websites with regard to the information that is shared and/or collected in the FaceReality app. This policy is not applicable to any information collected offline or via channels other than these websites.
Data Collection
We collect two main categories of information from our users: (1) Personal and usage information, which does not qualify as Protected Health Information (“PHI”) under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), and (2) images of patients’ faces, which do qualify as PHI under HIPAA. PHI includes any individually identifiable health information that is created, received, transmitted, or maintained in relation to healthcare services.
We treat all non-PHI personal and usage data in accordance with applicable data protection laws, while any patient facial images or other PHI are collected, stored, and processed in strict compliance with HIPAA regulations to ensure the confidentiality, integrity, and security of all sensitive health information.
aemos GmbH may be required to disclose PHI in certain limited circumstances when mandated by law, regulation, or court order. For example, we may share PHI with public health authorities to help control or prevent disease, with law enforcement in response to a valid subpoena or other legal process, or to avert a serious and imminent threat to health or safety. In all cases, such disclosures will only be made to the extent necessary to fulfill the legal or regulatory requirement, and any PHI disclosed will be handled in strict compliance with HIPAA and other applicable data protection laws.
- Personal & Usage Information:
- Personal identification information of practitioners (name, email address, phone number, company name) will be collected when you sign up, or voluntarily complete a customer survey or provide feedback on any of our message boards or via email.
- Website and application usage information will be collected anonymously when you use our app or view our website via your browser’s cookies.
- Protected Health Information
- Pictures of you or your clients that are uploaded to our application using the application’s upload tool or camera roll access are sent to our servers in the Amazon AWS data center in Frankfurt, Germany, for processing.
Data Usage
aemos GmbH collects your data for the following uses. Use of data differs between the two categories of data provided: non-PHI data and PHI data.
- Non-PHI Personal & Usage Information:
- Managing your account, which includes supporting functions, and processing your subscription.
- Providing, operating, and maintaining our application, as well as understanding and analyzing how you use our application.
- Emailing you regarding new product features or special offers on other products or services.
- Protected Health Information (PHI):
- All Protected Health Information (PHI) that we collect is used solely to provide our services and facilitate patient care. For the purpose of analyzing images, PHI is securely transferred to our AWS servers in Frankfurt, Germany, where it remains in ephemeral storage and is not retained beyond the brief processing period, typically under one second. Once processing is complete, these images are not retained anywhere in our systems, in accordance with HIPAA regulations, ensuring the privacy and confidentiality of all PHI at every stage.
We do not sell your personal information, as set forth in the California Consumer Privacy Act (CCPA).
If you agree, aemos GmbH will share your data with our partner companies so that we can further use their platforms to provide our services. Data sharing differs between the two categories of data provided: non-PHI data and PHI data.
- Non-PHI, Personal & Usage Data:
- Amazon Web Services Inc.
- Alphabet Inc.
- Revance Inc.
- Digital Ocean Holdings Inc.
- Mixpanel Inc.
When aemos GmbH processes your order, it may send your data to and use the resulting information from credit reference agencies to prevent fraudulent purchases.
- Protected Health Information:
- Amazon Web Services Inc.
We maintain Business Associate Agreements (“BAAs”) with all partners and third-party providers that receive or have access to PHI, in accordance with HIPAA regulations. These BAAs define each party’s responsibilities to protect PHI and ensure that data security, confidentiality, and regulatory obligations are upheld throughout all stages of data handling.
Under HIPAA, certain types of disclosures require explicit patient authorization before any PHI can be shared, such as for marketing purposes or the sale of PHI, or for certain research activities that are not otherwise exempt. Although aemos GmbH is required by law to inform you of these possibilities, we have no plans or intention to engage in such disclosures. We will not share PHI in a way that requires patient authorization under HIPAA without first obtaining clear, written permission from you or your authorized representative.
Data Storage
The two different types of data, non-PHI Personal & Usage Data and Protected Health Information (PHI), are subject to distinct storage measures.
Non-PHI personal and usage data is stored on Digital Ocean servers in Frankfurt, Germany, protected by industry-standard security measures. Our company will keep your personal identification information beyond the duration of your subscription for the required statutory period. Once this period has expired, we will delete your data by removing it from our servers.
PHI resides only in ephemeral storage and is typically retained for no longer than one second for the purpose of processing. All PHI is handled in strict accordance with HIPAA regulations to ensure its confidentiality, integrity, and security at all times and is never stored.
Marketing
aemos GmbH would like to send you information about products or services of ours that we think you might like. If you have agreed to receive marketing, you may always opt out later. You have the right at any time to stop aemos GmbH from contacting you for marketing purposes.
If you no longer wish to be contacted for marketing purposes, please contact us at info@aemos.at.
Cookies
Cookies are text files placed on your computer to collect standard Internet log information and visitor behavior information. When you visit our websites, we may collect information from you automatically through cookies or similar technologies. For further information please visit allaboutcookies.org.
aemos GmbH uses cookies in a range of ways to improve your experience on our website, including:
- Understanding how you use our website.
There are several different types of cookies our website uses:
- Functionality – Our company uses these cookies so that we recognize you on our website and remember your previously selected preferences. These could include what language you prefer and location you are in. A mix of first-party and third-party cookies are used.
- Advertising – Our company uses these cookies to collect information about your visit to our website, the content you viewed, the links you followed and information about your browser, device, and your IP address. Our company shares some limited aspects of this data with third parties for our own advertising purposes.
You can set your browser not to accept cookies, and the above website tells you how to remove cookies from your browser. However, in a few cases, some of our website features may not function as a result.
HIPAA – Health Insurance Portability and Accountability Act
aemos GmbH employs comprehensive administrative, physical, and technical safeguards to protect PHI and maintain HIPAA compliance.
aemos GmbH is committed to protecting the privacy and security of all Protected Health Information (PHI) shared with our application. We limit the collection and storage of PHI by processing patient images exclusively in memory on the iPad and within secure AWS cloud servers. Images are never stored in any persistent storage—once processing is complete, only non-identifiable results are retained. All data transfers occur over encrypted connections (TLS), and our servers employ strict access controls, including two-factor authentication and SSH key-based access, to guard against unauthorized intrusion. Additionally, we maintain a Business Associate Agreement (BAA) with AWS to ensure their physical and technical safeguards meet HIPAA requirements. In the unlikely event of a breach of unsecured PHI, aemos GmbH will promptly investigate the incident, notify all affected individuals, alert the U.S. Department of Health and Human Services (HHS), and inform the media when required, in accordance with the HIPAA Breach Notification Rule.
CCPA Privacy Rights
Under the California Consumer Privacy Act, among other rights, California consumers have the right to:
- Request that a business that collects a consumer’s personal data disclose the categories and specific pieces of personal data that a business has collected about consumers.
- Request that a business delete any personal data about the consumer that a business has collected.
- Request that a business that sells a consumer’s personal data not sell the consumer’s personal data.
If you make a request, we have one month to respond to you. If you would like to exercise any of these rights, please contact us.
Privacy policies of other websites
The FaceReality websites and apps contain links to other websites. Our privacy policy applies only to our website, so if you click on a link to another website, you should read their privacy policy.
Changes to our Privacy Policy
aemos GmbH keeps its privacy policy under regular review and places any updates on this web page. This privacy policy was last updated on 27 January 2025.
How to contact us
If you have any questions about aemos GmbH’s privacy policy, the data we hold on you, or you would like to exercise your data protection rights, please do not hesitate to contact us. Email us at info@aemos.at. aemos GmbH has appointed a data protection officer (DPO) to monitor aemos GmbH’s ongoing privacy compliance and to serve as a point of contact on privacy matters for data subjects and supervisory authorities. If you have any questions regarding this Privacy Policy, if you have any concerns regarding your privacy, or if you wish to make a complaint about how your personal data is being processed by aemos GmbH, you can contact our DPO at info@aemos.at.
How to contact the appropriate authority
Should you wish to report a complaint, or if you feel that aemos GmbH has not addressed your concern in a satisfactory manner, you may contact the competent local Data Protection Authority, or in any case the Austrian Data Protection Authority (Österreichische Datenschutzbehörde) at +43153115202525 or dsb@dsb.gv.at.