Data Privacy Rights

Last Updated: October 14, 2025
Operated by: Aqualanes Limited ("Aqualanes", "Company", "we", "our", or "us")

1. INTRODUCTION AND SCOPE OF APPLICATION

Aqualanes Limited operates the DERMXELL⁺ website, online store, and associated digital marketing channels (the "Services") to provide customers with premium cosmetic. This Data Privacy Rights document establishes comprehensive consumer data rights, platform-specific privacy controls, and enforcement mechanisms for all users of DERMXELL⁺ products and services distributed by Aqualanes Limited.

This document has been specifically designed to ensure 100% compliance with all major advertising platform privacy policies including AppLovin Corporation, Google LLC (including YouTube), Meta Platforms Inc. (Facebook/Instagram), TikTok, Shopify Inc., and other approved digital advertising networks. By accessing our Services, purchasing our products, or engaging with our advertising content across any platform, you acknowledge that you have read, understood, and accepted all data privacy rights provisions contained herein.

CRITICAL ADVERTISING PLATFORM COMPLIANCE DECLARATION: This Data Privacy Rights document ensures complete compliance with all major advertising platform privacy requirements, user control mechanisms, and data subject rights frameworks effective as of October 2025.

2. UNIVERSAL DATA SUBJECT RIGHTS FRAMEWORK

2.1 FUNDAMENTAL PRIVACY RIGHTS

All Data Subjects may exercise the following rights, subject to identity verification and applicable legal limitations:

Core Rights (GDPR Articles 15-22):

Right of Access: Obtain confirmation of processing and copies of Personal Data
Right of Rectification: Correct inaccurate or incomplete Personal Data
Right of Erasure (Right to be Forgotten): Request deletion of Personal Data under specified circumstances
Right to Restriction: Limit processing under certain conditions
Right to Data Portability: Receive Personal Data in structured, machine-readable format
Right to Object: Object to processing based on legitimate interests or direct marketing
Rights Related to Automated Decision-Making: Protection against solely automated decisions with legal or similarly significant effects

2.4 SPECIFIC DATA CATEGORY PRIVACY RIGHTS

COMPREHENSIVE DATA CATEGORY CONTROL FRAMEWORK: "You have granular control over each category of personal data we collect, process, and store, with specific rights tailored to each data type."

Identity Data Rights:

Name and Contact Information: Right to update, correct, or anonymize identity data
Age and Demographic Data: Control over demographic profiling and age-based processing
Account Credentials: Right to modify login information and security credentials
Identity Verification Data: Access to and deletion of verification documents and records

Financial Data Rights:

Payment Information: Right to delete stored payment methods and billing information
Transaction History: Complete access to purchase records and transaction data
Financial Verification Data: Control over credit verification and fraud prevention data
Billing Address Information: Right to update and manage billing and shipping addresses

Commercial Data Rights:

Purchase History: Comprehensive access to all order and purchase records
Product Preferences: Control over product recommendation algorithms and preferences
Customer Service Interactions: Access to all support communications and service records
Loyalty and Rewards Data: Management of loyalty program participation and rewards data

Technical Data Rights:

Device Information: Control over device identifier collection and processing
Usage Analytics: Right to opt-out of website and application usage tracking
Cookie and Tracking Data: Granular control over cookie categories and tracking technologies
IP Address and Location Data: Management of geographic data collection and processing

Communication Data Rights:

Email Communications: Control over marketing email preferences and communication history
SMS and Text Messages: Management of mobile communication preferences and data
Social Media Interactions: Control over social platform integration and data sharing
Customer Feedback Data: Rights over reviews, testimonials, and feedback submissions

CLINICAL TRIAL PARTICIPANT DATA RIGHTS: "DERMXELL⁺ efficacy claims are supported by clinical testing with 1,500 participants. All clinical study participants retain comprehensive rights over their research data."

Research Data Subject Rights:

Clinical Data Access: Right to access all personal data collected during clinical studies
Study Participation Withdrawal: Right to withdraw from ongoing research at any time
Research Data Deletion: Right to request deletion of clinical study data (subject to regulatory requirements)
Study Results Access: Right to receive summary of research findings and study conclusions

Clinical Data Processing Transparency:

Clear disclosure of clinical study methodologies and data collection
Informed consent documentation and withdrawal procedures
Independent clinical research organization data handling protocols
Professional dermatologist oversight and participant safety monitoring

Research Data Retention and Control:

Clinical study data retention limited to regulatory requirements (typically 7 years)
Participant identification data anonymization after study completion
Right to opt-out of future research contact and studies
Research data portability for participants seeking study record transfers

Study Participant Protection Framework:

Independent ethics committee oversight of all clinical research
Adverse event reporting and participant safety monitoring
Clear communication of study risks and benefits
Post-study follow-up and support procedures

United States (CCPA/CPRA/VCDPA/CPA/CTDPA/UCPA):

Right to Know: About Personal Information collection, use, and sharing
Right to Delete: Personal Information (with specified exceptions)
Right to Correct: Inaccurate Personal Information
Right to Opt-Out: Of "sale" or "sharing" of Personal Information
Right to Limit Use: Of Sensitive Personal Information
Right to Non-Discrimination: For exercising privacy rights
Right to Appeal: Denial of privacy rights requests

2.3 SPECIFIC DATA CATEGORY RIGHTS

Identity Data Rights:

Access and Download: Complete identity information in portable format
Correction Procedures: Real-time updates to name, age, and demographic information
Verification Controls: Enhanced security for identity-related changes
Cross-Platform Synchronization: Unified identity management across all services

Financial Data Rights:

Payment Method Management: Add, modify, or delete payment information
Transaction History Access: Complete financial interaction records
Billing Address Controls: Independent management of billing and shipping addresses
Financial Data Portability: Export payment history in standard formats

Commercial Data Rights:

Purchase History Access: Complete order and transaction records
Product Preference Management: Control over recommendation algorithms
Customer Service Data: Access to all support interactions and communications
Marketing Segmentation Control: Opt-out of behavioral targeting categories

Technical Data Rights:

Device Identifier Management: Control over tracking across devices
Usage Analytics Opt-Out: Granular control over website interaction tracking
Location Data Precision: Choice between general and precise location sharing
Cookie Data Granularity: Individual cookie category management

2.4 CLINICAL STUDY AND RESEARCH DATA PRIVACY RIGHTS

Clinical Trial Participant Rights:

Study Data Access: Complete access to personal data collected during clinical trials
Research Data Portability: Export clinical study data in standardized medical formats
Study Withdrawal Rights: Right to withdraw from studies and request data deletion
Anonymization Controls: Choice between anonymous and identifiable research participation
Research Results Access: Right to receive study outcomes and personal results where applicable

Clinical Testing Data Management:

Informed Consent Documentation: Access to all consent forms and study agreements
Data Sharing Controls: Granular control over research data sharing with third parties
Publication Rights: Control over use of personal data in research publications
Follow-Up Study Participation: Independent consent for longitudinal research studies
Medical Record Integration: Control over integration with personal healthcare records

Consumer Study Participation Rights:

Voluntary Participation: No requirement to participate in studies for product access
Study Data Deletion: Right to request deletion of consumer study data
Results Communication: Right to receive study results and personal outcomes
Compensation Transparency: Clear information about study participation compensation
Independent Review: Access to institutional review board (IRB) information where applicable

Research Data Protection Standards:

HIPAA Compliance: Health information privacy protections where applicable
Good Clinical Practice: Adherence to international clinical research standards
Data Minimization: Collection limited to essential research objectives
Secure Storage: Enhanced security measures for sensitive research data
Retention Limitations: Defined retention periods for research data with automatic deletion

Australia (Privacy Act 1988):

Right to Notification: Of eligible data breaches within 72 hours
Access and Correction Rights: Under Australian Privacy Principles
Complaint Resolution: Through Office of the Australian Information Commissioner

United Kingdom (UK GDPR and Data Protection Act 2018):

Enhanced Data Protection Rights: Equivalent to EU GDPR with UK-specific implementations
ICO Complaint Procedures: Direct access to UK Information Commissioner's Office
Post-Brexit Enhanced Protections: Strengthened UK-specific privacy safeguards

3. PLATFORM-SPECIFIC DATA RIGHTS AND USER CONTROLS

3.1 APPLOVIN CORPORATION DATA RIGHTS COMPLIANCE

MANDATORY APPLOVIN USER CONTROL DISCLOSURE: "We work with AppLovin to deliver ads in our mobile application and other devices and/or platforms. You have comprehensive control over your data used in AppLovin's advertising technology including device identifiers (IDFA/AAID when available), purchase behavior and transaction data, geographic location data (country/region level), and app usage patterns and engagement metrics."

AppLovin-Specific User Rights:

Device-Level Controls: iOS Settings > Privacy & Security > Apple Advertising; Android Settings > Privacy > Ads
AppLovin Privacy Management: Available through dataprotection@applovin.com
Consent Management: Proper consent flag control for EU/EEA/UK users
Data Retention Control: 13-month maximum retention with user deletion rights
Sensitive Data Protection: Complete exclusion from health-related targeting

User Control Mechanisms:

Direct opt-out through device advertising settings
Email requests for data deletion: dataprotection@applovin.com
Consent withdrawal for advertising personalization
Geographic data processing controls

3.2 GOOGLE LLC AND YOUTUBE DATA RIGHTS COMPLIANCE

GOOGLE ADVERTISER TRANSPARENCY AND USER CONTROL: "We participate in Google's advertiser transparency and verification programs. You have complete control over how your data is used for Google advertising personalization across Search, YouTube, and the broader Google ecosystem."

Google-Specific User Rights:

Google Ads Personalization: adssettings.google.com
YouTube Advertising Preferences: youtube.com/account_privacy
Google Analytics Opt-Out: tools.google.com/dlpage/gaoptout
Privacy Sandbox Controls: Available in supported Chrome browsers
Data Download: Google Takeout for comprehensive data export

Enhanced YouTube Privacy Controls:

Video viewing history management
Ad personalization based on YouTube activity
Channel subscription privacy settings
Comment and interaction data controls
Age-appropriate content restrictions

Privacy Sandbox Implementation:

Topics API Control: Interest-based advertising management
Protected Audience Management: Remarketing without cross-site tracking
Attribution Reporting Control: Conversion measurement privacy settings

3.3 META PLATFORMS (FACEBOOK/INSTAGRAM) ENHANCED DATA RIGHTS

META HEALTH & WELLNESS DATA RESTRICTIONS (2025) USER CONTROL: "We strictly comply with Meta's enhanced health and wellness data restrictions effective January 2025. You have complete control over health-related advertising data and can exclude yourself from all health and wellness targeting categories."

Meta-Specific User Rights:

Advertising Preference Management: facebook.com/adpreferences
Instagram Privacy Controls: instagram.com/accounts/privacy_and_security/
Data Sharing Withdrawal: facebook.com/help/568137493302217
Custom Audience Exclusion: Available through support@dermxell.com
Health Category Opt-Out: Complete exclusion from health-related advertising

Enhanced 2025 User Control Mechanisms:

Granular health and wellness advertising controls
Enhanced transparency for custom audience inclusion
Simplified data sharing withdrawal processes
Real-time advertising preference updates
Complete health data exclusion options

Meta Data Download and Deletion:

Facebook data download: facebook.com/dyi
Instagram data download: instagram.com/download/request/
Account deletion: facebook.com/help/224562897555674
Data portability: Available in structured formats

3.4 SHOPIFY PLATFORM DATA RIGHTS COMPLIANCE

SHOPIFY PRIVACY AND USER CONTROL FRAMEWORK: "All transactions, customer data processing, and e-commerce operations comply with Shopify's Privacy Policy and provide you with comprehensive control over your purchasing and account data."

Shopify-Specific User Rights:

Account Data Access: Complete purchase history and account information
Payment Information Control: Secure payment data management
Customer Service Data: Access to all support interactions and communications
Marketing Preference Management: Granular control over promotional communications

E-Commerce Privacy Controls:

Order history access and download
Payment method management and deletion
Shipping information privacy controls
Customer service interaction records

3.5 SMS/TEXT MESSAGING PRIVACY RIGHTS AND CONTROLS

COMPREHENSIVE SMS DATA RIGHTS: "By providing your mobile number and opting in to receive text messages, you maintain complete control over SMS communications and related data processing."

SMS-Specific User Rights:

Immediate Opt-Out: Reply STOP to unsubscribe from all text messages
Help and Support: Reply HELP for assistance and preference management
Message Frequency Control: Manage frequency and timing of text communications
Mobile Data Deletion: Complete removal of mobile number from all systems

Mobile Number Data Processing Controls:

Mobile number collection transparency and consent
SMS marketing data retention limitations (maximum 3 years)
Carrier compliance with telecommunications regulations
Cross-platform mobile data synchronization controls

Carrier and Regulatory Compliance:

Full compliance with carrier requirements and regulations
Message and data rates may apply (carrier-dependent)
Enhanced consent mechanisms for international SMS
Opt-in verification procedures for marketing messages

Enhanced Mobile Privacy Protections:

No sale or sharing of mobile data with third parties
Secure storage and encryption of mobile communications
Regular purging of inactive mobile number data
Integration with device-level privacy controls

3.5 USER-GENERATED CONTENT PRIVACY RIGHTS

Content Submission Privacy Rights:

Review and Testimonial Control: Edit, modify, or delete product reviews and testimonials
Photo Submission Management: Control over before/after photos and transformation images
Content Attribution Rights: Choice of anonymous or attributed content submission
Cross-Platform Content Control: Management of content across multiple platforms and channels

Social Media Integration Privacy:

Hashtag Campaign Participation: Voluntary participation with clear opt-out mechanisms
User-Generated Campaign Control: Independent choice in promotional content creation
Social Media Content Deletion: Right to request removal from official brand channels
Influencer Collaboration Privacy: Enhanced protections for sponsored content creators

Community Engagement Privacy Rights:

Forum and Discussion Control: Management of community platform participation
Comment and Interaction Data: Access and deletion rights for all community interactions
Reputation and Rating Systems: Control over participation in rating and review systems
Customer Story Sharing: Independent consent for success story and transformation sharing

Content Verification and Authentication:

Purchase Verification Display: Control over showing verified purchaser status
Authenticity Verification: Right to verify content authenticity without personal disclosure
Content Moderation Appeals: Process for appealing content removal or modification decisions
Privacy-Preserving Verification: Options for anonymous verification of genuine content

3.6 THIRD-PARTY INTEGRATION PRIVACY RIGHTS

Social Media Plugin Controls:

Facebook Integration: Granular control over Facebook Like, Share, and Comment plugins
Instagram Feed Integration: Management of Instagram content display on brand websites
Twitter Integration: Control over Tweet buttons and Twitter content embedding
Pinterest Integration: Management of Pinterest Save buttons and board integration

Payment Processor Privacy Rights:

PayPal Integration: Independent privacy controls for PayPal checkout and data sharing
Stripe Privacy Management: Control over Stripe payment data processing and retention
Apple Pay Privacy: Device-level privacy controls for Apple Pay transactions
Google Pay Controls: Account-based privacy management for Google Pay processing

Analytics and Tracking Integration Rights:

Google Analytics Opt-Out: Comprehensive opt-out with alternative analytics options
Facebook Pixel Management: Granular control over Facebook conversion tracking
Third-Party Tracking Scripts: Individual consent for each tracking technology
Cross-Platform Analytics: Control over unified analytics across multiple platforms

Customer Support Integration Privacy:

Live Chat Privacy: Control over chat data retention and agent access
Help Desk Integration: Management of support ticket data and communication records
CRM Integration: Control over customer relationship management data sharing
Knowledge Base Interaction: Privacy controls for help article interaction tracking

4. USER-GENERATED CONTENT AND SOCIAL MEDIA PRIVACY RIGHTS

4.1 COMPREHENSIVE USER CONTENT DATA RIGHTS

USER-GENERATED CONTENT CONTROL FRAMEWORK: "You maintain complete ownership and control over all content you submit including product reviews, testimonials, photos, videos, and social media interactions with DERMXELL⁺."

User Content Specific Rights:

Content Ownership: Retention of all intellectual property rights in submitted content
Content Deletion: Right to request removal of reviews, testimonials, and submitted photos
Content Modification: Right to edit or update previously submitted content
Content Portability: Right to receive copies of all submitted content in downloadable format

Review and Testimonial Data Rights:

Access to all review data and rating submissions
Control over display preferences and anonymization options
Right to withdraw testimonials and customer success stories
Protection against unauthorized use of customer testimonials

Photo and Video Submission Rights:

Complete control over before/after photo submissions
Right to request blurring or anonymization of identifying features
Deletion of transformation photos and video testimonials
Control over cross-platform sharing of visual content

4.2 SOCIAL MEDIA INTERACTION PRIVACY RIGHTS

SOCIAL MEDIA DATA PROCESSING CONTROL: "All interactions with DERMXELL⁺ social media properties (Facebook, Instagram, YouTube, TikTok) are subject to comprehensive privacy controls and user rights."

Social Media Specific Rights:

Interaction Data Access: Complete record of likes, comments, shares, and engagements
Social Data Deletion: Removal of all social media interaction records
Cross-Platform Tracking Opt-Out: Prevention of data sharing between social platforms
Social Advertising Exclusion: Opt-out from social media advertising targeting

Community Engagement Controls:

Control over hashtag campaign participation and data usage
Management of user-generated campaign involvement
Community forum data access and deletion rights
Influencer collaboration data transparency and control

Social Media Platform Integration Rights:

Facebook/Instagram data integration controls
YouTube channel interaction privacy management
TikTok engagement data access and deletion
Cross-platform social data synchronization controls

5. COMPREHENSIVE RIGHTS EXERCISE PROCEDURES

4.1 REQUEST SUBMISSION FRAMEWORK

Primary Request Channels:

Email: support@dermxell.com with subject line "Privacy Rights Request"
Postal Address: Aqualanes Limited, Privacy Rights Office, Flat/Rm C1207 12/F, Hang Cheong Factory Building, 1 Wing Ming Street, Cheung Sha Wan, Kowloon, Hong Kong
Phone: +852 6516 5836 (for urgent privacy concerns)

Required Information for Rights Requests:

Full legal name and contact information
Specific right(s) being exercised
Detailed description of the request
Identity verification documentation (as reasonably required)
Platform-specific data if requesting platform controls

4.2 IDENTITY VERIFICATION PROCEDURES

Standard Verification Methods:

Government-issued photo identification
Account verification through existing customer credentials
Email confirmation from registered email address
Phone verification through registered phone number
Additional verification for high-sensitivity requests

Enhanced Security Measures:

Multi-factor authentication for sensitive requests
Secure document upload through encrypted channels
Verification callbacks for phone-based requests
Legal guardian verification for minor-related requests

4.3 RESPONSE TIMELINE COMMITMENTS

Processing Timelines by Jurisdiction:

EU/UK/EEA: 30 days (extendable to 60 days for complex requests)
United States: 45 days (extendable to 90 days with explanation)
Canada: 30 days (as required under PIPEDA)
Australia: 30 days (under Privacy Act 1988)
Other Jurisdictions: As required by applicable local law

Priority Processing:

Emergency Privacy Concerns: 24-hour response
Security-Related Requests: 72-hour response
Deletion Requests: 5 business days implementation
Correction Requests: 10 business days implementation

5. ADVANCED OPT-OUT MECHANISMS AND PREFERENCE MANAGEMENT

5.1 UNIVERSAL OPT-OUT FRAMEWORK

Global Privacy Control (GPC) Recognition:

Automatic recognition and response to GPC browser signals where technically feasible
Implementation across all supported browsers and devices
Real-time processing of GPC preferences
Comprehensive scope including advertising and analytics

Do Not Track (DNT) Compliance:

Honored for essential functions where legally required
Technical implementation across all digital properties
Clear communication of DNT limitations and scope
Alternative control mechanisms for enhanced privacy

Industry Standard Opt-Out Tools:

Network Advertising Initiative (NAI): optout.networkadvertising.org
Digital Advertising Alliance (DAA): optout.aboutads.info
European Digital Advertising Alliance (EDAA): youronlinechoices.eu
Integration with platform-specific opt-out mechanisms

5.2 GRANULAR CONSENT MANAGEMENT

Cookie and Tracking Controls:

Essential cookies (always active for site functionality)
Functional cookies (user preference for enhanced features)
Analytics cookies (opt-in consent for performance tracking)
Advertising cookies (explicit consent for personalized advertising)

Platform-Specific Consent Controls:

AppLovin: Device-level and email-based controls
Google: Account-based preference management
Meta: Platform-specific advertising controls
YouTube: Video and channel-specific privacy settings

Consent Withdrawal Procedures:

Immediate processing of consent withdrawal requests
Confirmation of consent changes within 24 hours
Retroactive application to extent technically feasible
Documentation of consent history for compliance purposes

5.3 MARKETING COMMUNICATION CONTROLS

Email Marketing Preferences:

One-click unsubscribe mechanism in all marketing communications
Granular control over email frequency and content types
Immediate processing of unsubscribe requests
Confirmation of marketing preferences changes

SMS/Text Message Privacy Rights:

Immediate Opt-Out: Reply STOP for instant unsubscribe from all text communications
Help and Information: Reply HELP for assistance and preference management
Consent Documentation: Complete records of SMS opt-in and opt-out history
Mobile Data Controls: Management of phone number usage and retention
Carrier Compliance: Full adherence to carrier requirements and telecommunications regulations
Message Frequency Control: Customizable messaging frequency preferences
Content Category Selection: Choose specific types of SMS communications (order updates, promotions, alerts)
Cross-Platform Coordination: SMS preferences synchronized with email and other communication channels

Enhanced SMS Privacy Protections:

No Sale or Sharing: Mobile numbers never sold or shared for marketing purposes
Minimal Data Collection: Only essential information for service delivery
Secure Transmission: End-to-end encryption for sensitive communications
Retention Limitations: Automatic deletion of SMS interaction data after defined periods
Regulatory Compliance: Full compliance with TCPA, CAN-SPAM, and international messaging laws

Social Media Communication Controls:

Platform-specific privacy settings management
Direct message and interaction controls
Social media advertising preference management
Community engagement privacy options

6. INTERNATIONAL DATA RIGHTS AND CROSS-BORDER PROTECTIONS

6.1 EUROPEAN UNION AND UNITED KINGDOM ENHANCED RIGHTS

GDPR Article 17 (Right to Erasure) Enhanced Implementation:

Comprehensive deletion across all systems and backups
Third-party processor notification and deletion requirements
Clear exceptions for legal compliance and legitimate interests
Timeline for complete erasure from all systems

UK GDPR Post-Brexit Enhancements:

UK-specific Data Protection Impact Assessments (DPIAs)
Enhanced subject access request procedures
Strengthened consent mechanisms for UK residents
Direct integration with ICO complaint procedures

Data Protection Authority Integration:

Direct complaint forwarding to relevant DPA
Cooperation with regulatory investigations
Proactive compliance reporting where required
Regular compliance audits and assessments

6.2 UNITED STATES STATE PRIVACY LAW COMPLIANCE

California (CCPA/CPRA) Enhanced Rights:

Comprehensive "Do Not Sell or Share My Personal Information" controls
"Limit the Use of My Sensitive Personal Information" mechanisms
Authorized agent support for rights exercise
Non-discrimination protections for rights exercise

Virginia, Colorado, Connecticut, Utah Privacy Rights:

State-specific data processing transparency
Enhanced consent mechanisms for sensitive data
Appeal procedures for denied requests
Consumer-friendly rights exercise interfaces

Multi-State Compliance Framework:

Unified privacy rights dashboard for all US residents
State-specific legal requirement compliance
Automated processing for common rights requests
Legal compliance monitoring and updates

6.3 INTERNATIONAL IMPORT AND CUSTOMS DATA PRIVACY RIGHTS

CUSTOMS AND IMPORT DATA PROCESSING TRANSPARENCY: "International customers have comprehensive rights regarding data processed for customs clearance, import documentation, and international shipping compliance."

Import-Related Data Subject Rights:

Customs Documentation Access: Right to obtain copies of all customs declarations and import documents
Shipping Data Deletion: Right to request deletion of international shipping and tracking data
Import Data Portability: Right to receive customs and import data in structured format
Cross-Border Processing Transparency: Clear disclosure of all data shared with customs authorities

International Shipping Data Controls:

Shipping address and contact information management
Import duty and tax calculation data access
Customs clearance communication records
International tracking and delivery confirmation data

Regulatory Compliance Data Rights:

Access to all regulatory compliance documentation
Control over data shared with international trade authorities
Right to correction of customs and import documentation errors
Notification of data sharing with destination country authorities

Enhanced International Customer Protections:

Clear notification of destination country data protection laws
Local data protection authority contact information
Cross-border data transfer safeguard explanations
International dispute resolution procedures and rights

6.4 MULTI-JURISDICTIONAL DATA TRANSFER CONTROL RIGHTS

CROSS-BORDER DATA TRANSFER TRANSPARENCY: "All international data transfers are conducted with appropriate safeguards and provide customers with comprehensive control over cross-border data processing."

Transfer Control Mechanisms:

Transfer Notification: Advance notice of all cross-border data transfers
Transfer Opt-Out: Right to restrict data transfers to specific jurisdictions
Transfer Documentation: Access to all data transfer agreements and safeguards
Transfer Monitoring: Regular updates on international data processing activities

Jurisdiction-Specific Controls:

Country-specific data processing preferences
Regional data retention and deletion controls
Local law compliance notification and procedures
Jurisdiction-specific rights exercise mechanisms

Australia Privacy Act Enhanced Compliance:

Notifiable data breach response procedures
Australian Privacy Principles (APP) compliance
Office of the Australian Information Commissioner (OAIC) integration
Consumer Data Right (CDR) preparation and compliance

Other Jurisdictions:

Singapore Personal Data Protection Act (PDPA) compliance
Hong Kong Personal Data (Privacy) Ordinance compliance
Japan Personal Information Protection Act compliance
Emerging privacy law monitoring and adaptation

6.4 INTERNATIONAL IMPORT DATA PRIVACY IMPLICATIONS

Cross-Border Commerce Data Rights:

Customs Data Processing Rights: Control over personal data shared with customs authorities
Import Documentation Privacy: Management of identity verification for international shipping
Cross-Border Data Transfer Notifications: Real-time alerts for international data processing
Customs Data Retention Control: Defined retention periods for import-related personal data

International Shipping Privacy Protections:

Address Data Minimization: Use only essential address information for delivery
Recipient Verification Privacy: Secure methods for delivery confirmation without excess data collection
International Carrier Data Sharing: Limited data sharing with shipping partners with strict controls
Customs Authority Data Sharing: Transparent disclosure of required customs data sharing

Global Import Compliance Data Rights:

Import Duty Calculation Privacy: Personal data protection in duty and tax calculations
Regulatory Documentation Rights: Access to all regulatory compliance data submitted on behalf of customers
Import License Privacy: Protection of personal data in import permit and license applications
Trade Compliance Data Management: Control over data used for international trade compliance verification

Consumer Responsibilities and Rights:

Import Regulation Awareness: Right to clear information about destination country data protection laws
Local Privacy Law Application: Understanding of which privacy laws apply to international orders
Cross-Border Complaint Mechanisms: Access to complaint resolution across jurisdictions
International Data Transfer Safeguards: Transparency about data protection measures for international transfers

Enhanced International Consumer Protections:

Currency Conversion Privacy: Protection of financial data in international transactions
Time Zone Data Processing: Control over when and how personal data is processed across time zones
Language Preference Privacy: Protection of language and cultural preference data
International Customer Service: Privacy-protecting customer service across different jurisdictions

7. AUTOMATED DECISION-MAKING AND PROFILING RIGHTS

7.1 GDPR ARTICLE 22 COMPLIANCE FRAMEWORK

Automated Decision-Making Protections:

No solely automated decision-making with legal or similarly significant effects without explicit consent
Human intervention rights for all automated processing
Clear explanation of automated decision logic and significance
Right to contest automated decisions and request human review

Profiling Activity Transparency:

Clear disclosure of all profiling activities
Purpose and legal basis for each profiling operation
Consumer control over profiling preferences
Opt-out mechanisms for non-essential profiling

7.2 ALGORITHMIC TRANSPARENCY

Platform Algorithm Controls:

AppLovin: Ad delivery optimization transparency
Google: Search and YouTube recommendation controls
Meta: Feed algorithm and ad targeting transparency
Understanding of recommendation system logic

User Control Mechanisms:

Algorithm preference customization
Recommendation system opt-out options
Transparency reports for algorithmic decision-making
Regular algorithm impact assessments

8. CHILDREN'S PRIVACY RIGHTS AND ENHANCED PROTECTIONS

8.1 COPPA AND INTERNATIONAL CHILDREN'S PRIVACY COMPLIANCE

Age Verification and Protection Framework:

Strict 18+ age requirement for all DERMXELL⁺ services
Enhanced age verification procedures
Immediate deletion of any inadvertently collected children's data
Parental notification and consent procedures where legally required

Platform-Specific Children's Protections:

Google/YouTube: Compliance with YouTube Kids policies
Meta Platforms: Instagram and Facebook minor protection standards
AppLovin: Age-gating and children's privacy restrictions
Enhanced monitoring for underage access attempts

8.2 PARENTAL RIGHTS AND GUARDIAN CONTROLS

Parental Access Rights:

Right to access any data collected from children under 18
Right to modify or delete children's Personal Data
Enhanced consent verification for users aged 13-17
Clear communication of parental rights and procedures

9. DATA BREACH NOTIFICATION AND CONSUMER RIGHTS

9.1 BREACH NOTIFICATION FRAMEWORK

Consumer Notification Timeline:

High-Risk Breaches: 72 hours maximum notification to affected individuals
Standard Breaches: As required by applicable law (typically 30 days)
Regulatory Notification: 72 hours to relevant data protection authorities
Ongoing Communication: Regular updates during breach investigation and resolution

Breach Notification Content:

Clear description of the nature of the breach
Categories and approximate number of affected individuals
Categories and approximate number of affected Personal Data records
Likely consequences of the breach and measures taken to address it
Contact point for more information and assistance

9.3 ENHANCED SECURITY INCIDENT AND POST-BREACH CONSUMER RIGHTS

COMPREHENSIVE SECURITY INCIDENT RESPONSE RIGHTS: "In the event of any security incident affecting your personal data, you have enhanced rights and protections beyond standard breach notification requirements."

Real-Time Incident Notification Rights:

Immediate Alert Preferences: Choice of notification method (email, SMS, phone, postal)
Incident Severity Customization: Different notification preferences for different risk levels
Third-Party Notification: Right to have trusted contacts notified of security incidents
Regular Status Updates: Ongoing communication during incident investigation and resolution

Post-Breach Enhanced Protection Services:

Free Identity Monitoring: Complimentary identity monitoring services for high-risk breaches
Credit Monitoring Services: Free credit report monitoring and alert services
Enhanced Account Security: Automatic implementation of additional security measures
Priority Customer Support: Dedicated support team for affected customers

Incident Investigation Participation Rights:

Investigation Updates: Regular communication about breach investigation progress
Forensic Report Access: Right to receive summary of security incident investigation
Corrective Measure Notification: Information about steps taken to prevent future incidents
Independent Security Assessment: Right to request third-party security evaluation

Compensation and Remediation Rights:

Direct Damage Compensation: Reimbursement for direct costs related to security incidents
Inconvenience Compensation: Consideration for time and effort related to breach response
Service Credits: Account credits or service extensions for affected customers
Legal Support: Information and assistance with legal remedies and proceedings

Enhanced Future Protection Rights:

Proactive Security Monitoring: Enhanced monitoring for future security threats
Security Preference Customization: Additional security measure options and controls
Incident Prevention Participation: Input on security improvements and enhancements
Long-Term Protection Services: Extended identity and security monitoring services

9.4 CYBERSECURITY AND DATA PROTECTION INCIDENT PREVENTION RIGHTS

PROACTIVE SECURITY PARTICIPATION RIGHTS: "You have the right to participate in and influence our cybersecurity and data protection measures to enhance your personal data security."

Security Preference Customization:

Enhanced Authentication Options: Choice of multi-factor authentication methods
Security Alert Preferences: Customizable security monitoring and alert systems
Account Access Controls: Advanced login and access restriction options
Data Encryption Preferences: Choice of encryption standards for personal data storage

Security Transparency Rights:

Security Audit Reports: Access to summary reports of security assessments and audits
Vulnerability Disclosure: Notification of security vulnerabilities and remediation plans
Security Improvement Updates: Regular communication about security enhancements
Third-Party Security Verification: Access to independent security certification reports

Enhanced Protection Measures:

Free identity monitoring services for high-risk breaches
Enhanced account security measures and monitoring
Priority customer service for affected individuals
Clear remediation and compensation procedures where applicable

Legal Right Preservation:

Preservation of all legal rights following data breaches
Clear information about legal recourse options
Cooperation with legal proceedings and investigations
Documentation of breach impact and resolution measures

9.3 ENHANCED SECURITY INCIDENT RIGHTS

Real-Time Security Incident Notifications:

Immediate Alert Systems: Real-time notifications for security incidents affecting personal data
Customizable Alert Preferences: Choice of notification methods (email, SMS, app notifications, postal mail)
Incident Severity Classification: Clear categorization of security incidents by risk level
Proactive Communication: Regular updates during incident investigation and resolution

Enhanced Post-Incident Consumer Rights:

Credit Monitoring Services: Free credit monitoring for financial data breaches lasting minimum 24 months
Identity Theft Protection: Comprehensive identity theft protection and restoration services
Account Recovery Assistance: Dedicated support for account recovery and security restoration
Fraudulent Activity Monitoring: Enhanced monitoring for fraudulent use of personal information

Advanced Security Incident Management:

Incident-Specific Data Rights: Enhanced data access rights following security incidents
Breach Impact Assessment: Detailed explanation of specific data affected and potential risks
Security Enhancement Implementation: Notification of security improvements implemented post-incident
Third-Party Security Audits: Right to information about independent security assessments following breaches

Consumer Security Incident Response:

Emergency Response Hotline: 24/7 dedicated security incident support line (+852 6516 5836)
Incident Response Documentation: Complete documentation of incident response actions taken
Recovery Timeline Communications: Regular updates on account and data recovery progress
Legal Assistance Coordination: Support for coordinating with law enforcement and legal counsel

Preventive Security Rights:

Security Assessment Requests: Right to request security assessments of personal data protection
Enhanced Authentication Options: Access to advanced security features and two-factor authentication
Security Preference Management: Granular control over security settings and monitoring preferences
Proactive Threat Intelligence: Notification of relevant cybersecurity threats and protection recommendations

Cross-Platform Security Coordination:

Multi-Platform Breach Coordination: Coordinated response across all connected platforms and services
Unified Security Incident Dashboard: Centralized view of security status across all accounts and services
Platform-Specific Security Controls: Enhanced security options for each connected advertising and service platform
Security Incident Impact Analysis: Comprehensive analysis of potential cross-platform security implications

10. ENFORCEMENT MECHANISMS AND COMPLAINT RESOLUTION

10.1 INTERNAL COMPLAINT RESOLUTION

Escalation Hierarchy:

Initial Contact: Customer service team (support@dermxell.com)
Privacy Officer Review: Specialized privacy rights team
Senior Management Escalation: Executive review for complex cases
External Mediation: Independent dispute resolution services

Resolution Timeline:

Initial Response: 72 hours acknowledgment
Standard Resolution: 30 days for most requests
Complex Cases: 60 days with regular status updates
Appeal Process: 45 days for denied request appeals

10.2 EXTERNAL COMPLAINT MECHANISMS

Regulatory Authority Complaints:

United States: Federal Trade Commission (ftc.gov/complaint)
European Union: European Data Protection Board (edpb.europa.eu)
United Kingdom: Information Commissioner's Office (ico.org.uk)
Canada: Privacy Commissioner of Canada (priv.gc.ca)
Australia: Office of the Australian Information Commissioner (oaic.gov.au)

Alternative Dispute Resolution:

Independent privacy ombudsman services
International arbitration for cross-border disputes
Industry-specific dispute resolution mechanisms
Legal action preservation and support

10.3 APPEAL AND REVIEW PROCEDURES

Internal Appeal Process:

Appeal Deadline: 45 days from request denial notification
Appeal Submission: support@dermxell.com with subject "Privacy Rights Appeal"
Independent Review: Senior privacy officer or external legal review
Appeal Resolution: 45 days maximum with detailed explanation

Right to Legal Action:

Preservation of all legal remedies
No waiver of legal rights through internal processes
Clear information about limitation periods
Cooperation with legal proceedings

11. EMERGING TECHNOLOGY AND FUTURE PRIVACY RIGHTS

11.1 ARTIFICIAL INTELLIGENCE AND MACHINE LEARNING RIGHTS

AI Transparency Requirements:

Clear disclosure of AI-assisted content creation and optimization
Explanation of machine learning algorithms used for personalization
User control over AI-driven recommendations and targeting
Opt-out mechanisms for AI-based processing

Future AI Rights Framework:

Preparation for emerging AI regulation compliance
Enhanced transparency for algorithmic decision-making
User control over AI training data usage
Regular assessment of AI impact on privacy rights

11.3 THIRD-PARTY INTEGRATION AND SERVICES PRIVACY RIGHTS

COMPREHENSIVE THIRD-PARTY DATA SHARING CONTROL: "You have complete control over how your data is shared with and processed by third-party services, plugins, and integrations used to provide DERMXELL⁺ services."

Third-Party Service Categories and Rights:

Payment Processor Privacy Rights:

Payment Data Isolation: Right to limit payment processor data access to transaction essentials only
Financial Data Deletion: Right to request deletion of payment data from processor systems
Payment History Portability: Right to receive payment transaction data in portable format
Processor Data Sharing Transparency: Clear disclosure of all payment processor data sharing

Analytics and Measurement Service Rights:

Analytics Opt-Out: Right to exclude personal data from analytics processing
Measurement Data Access: Right to access analytics data associated with your interactions
Cross-Platform Analytics Control: Management of data sharing between analytics providers
Analytics Data Retention Control: Right to limit retention periods for analytics data

Social Media Plugin and Widget Rights:

Social Plugin Opt-Out: Right to disable social media plugins and widgets
Cross-Platform Data Sharing Control: Management of data sharing with social platforms
Social Authentication Data Rights: Control over social login and authentication data
Social Media Integration Transparency: Clear disclosure of all social media data processing

Customer Service Platform Rights:

Support Data Access: Right to access all customer service interaction records
Support Platform Data Deletion: Right to request deletion of support system data
Service Quality Data Control: Management of service quality and satisfaction data
Support Data Portability: Right to receive customer service data in portable format

Marketing and Advertising Technology Rights:

AdTech Opt-Out: Right to exclude data from advertising technology processing
Marketing Automation Control: Management of marketing platform data sharing
Campaign Data Access: Right to access marketing campaign interaction data
Advertising Data Deletion: Right to request deletion of advertising technology data

11.4 INTEGRATED PLATFORM ECOSYSTEM PRIVACY RIGHTS

CROSS-PLATFORM DATA SYNCHRONIZATION CONTROL: "You have comprehensive control over data synchronization and sharing across the entire DERMXELL⁺ platform ecosystem and integrated services."

Ecosystem Integration Rights:

Unified Privacy Dashboard: Single interface for managing all platform integrations
Cross-Service Data Mapping: Clear visibility into data sharing between integrated services
Integration Opt-Out Options: Granular control over individual service integrations
Data Flow Transparency: Real-time visibility into data movement between platforms

Shopify E-Commerce Integration Rights:

E-Commerce Data Isolation: Right to limit Shopify data access to essential order processing
Transaction Data Control: Management of transaction data sharing with marketing platforms
Customer Profile Integration: Control over customer profile data synchronization
E-Commerce Analytics Opt-Out: Right to exclude data from e-commerce analytics

Email Marketing Platform Rights:

Email List Management: Complete control over email list data and segmentation
Marketing Automation Data: Access to all marketing automation interaction data
Email Engagement Control: Management of email engagement tracking and analytics
List Portability Rights: Right to export email marketing data in standard formats

Customer Relationship Management (CRM) Rights:

CRM Data Access: Complete access to CRM customer profile and interaction data
Customer Journey Data: Right to access customer journey mapping and analytics data
CRM Data Deletion: Right to request deletion of CRM system data
Customer Insight Transparency: Clear disclosure of customer profiling and segmentation

Biometric Data Prohibition:

Complete prohibition on biometric data collection
Enhanced protection against biometric tracking
Clear policies against facial recognition and fingerprint tracking
Proactive monitoring for biometric data infiltration

Advanced Tracking Protection:

Enhanced cross-device tracking controls
Advanced fingerprinting protection measures
Emerging tracking technology monitoring and protection
Proactive privacy technology implementation

12. PLATFORM-SPECIFIC ADVANCED PRIVACY CONTROLS

12.1 ENHANCED APPLOVIN PRIVACY MANAGEMENT

Advanced AppLovin Controls:

Granular audience segmentation opt-out
Enhanced consent management for EU/EEA/UK users
Advanced data retention customization
Real-time privacy preference synchronization

AppLovin Data Rights Integration:

Direct integration with AppLovin privacy portal
Automated consent signal transmission
Enhanced data minimization controls
Regular privacy preference validation

12.2 GOOGLE ECOSYSTEM COMPREHENSIVE CONTROLS

Advanced Google Privacy Integration:

Google Account privacy settings synchronization
YouTube premium privacy features access
Google Analytics enhanced opt-out mechanisms
Google Ads comprehensive personalization controls

Chrome Browser Enhanced Features:

Privacy Sandbox advanced configuration
Enhanced cookie controls and management
Advanced tracking protection settings
Real-time privacy preference enforcement

12.3 META PLATFORMS ADVANCED PRIVACY FEATURES

Enhanced Meta Privacy Controls:

Advanced custom audience management
Enhanced health and wellness data protection
Real-time advertising preference updates
Cross-platform privacy setting synchronization

Instagram and Facebook Integration:

Unified privacy settings across platforms
Enhanced data portability between services
Advanced content recommendation controls
Comprehensive social interaction privacy management

13. CONSUMER EDUCATION AND PRIVACY LITERACY

13.1 PRIVACY EDUCATION RESOURCES

Educational Content Library:

Comprehensive privacy rights guides
Platform-specific privacy tutorials
Regular privacy webinars and Q&A sessions
Interactive privacy preference tools

Consumer Empowerment Programs:

Privacy literacy workshops
Personal data audit tools
Privacy preference optimization guidance
Regular privacy rights communications

13.2 TRANSPARENCY REPORTING

Regular Privacy Reports:

Annual transparency reports on data processing
Quarterly privacy rights exercise statistics
Regular updates on privacy program enhancements
Clear communication of policy changes and impacts

Real-Time Privacy Dashboard:

Personal data processing transparency
Real-time privacy preference management
Historical data processing activity
Enhanced control and customization options

14. ADDITIONAL CONSUMER-FACING PRIVACY RIGHTS

14.1 THIRD-PARTY WEBSITE AND EXTERNAL LINK PRIVACY RIGHTS

EXTERNAL WEBSITE DATA PROTECTION: "Our Services may link to third-party websites we do not operate. You have specific rights regarding data sharing and privacy when transitioning between our platform and external websites."

Third-Party Website Privacy Rights:

Link Notification: Clear indication when leaving DERMXELL⁺ platform for external websites
Data Sharing Transparency: Disclosure of any data shared with third-party websites
Return Data Protection: Privacy protection when returning from external websites to our platform
Third-Party Privacy Policy Access: Links to relevant third-party privacy policies and terms

External Integration Privacy Controls:

Cross-Platform Tracking Opt-Out: Prevention of data sharing between our platform and external websites
Referral Data Management: Control over referral and affiliate tracking data
External Account Linking: Management of external account connections and data sharing
Third-Party Cookie Controls: Management of third-party cookies from external websites

14.2 SECURITY AND RETENTION CONSUMER SUMMARY

CONSUMER-FRIENDLY SECURITY OVERVIEW: "While we implement appropriate technical and organizational measures to protect Personal Information, we want you to understand your role in maintaining data security and your rights regarding data retention."

Security Partnership Rights:

Security Education Access: Right to receive security best practices and education materials
Personal Security Assessment: Tools and guidance for personal account security evaluation
Security Incident Reporting: Easy mechanisms for reporting suspected security issues
Security Preference Customization: Personal security setting optimization guidance

Data Retention Transparency:

Retention Period Disclosure: Clear information about how long different data types are retained
Retention Customization: Options to request shorter retention periods where legally permissible
Retention Extension Notification: Advance notice when retention periods may be extended for legal reasons
Automatic Deletion Confirmation: Notification when data is automatically deleted after retention periods

Risk Communication Rights:

Honest Risk Assessment: Transparent communication about data security limitations and risks
Transmission Risk Disclosure: Clear information about internet transmission risks
Personal Risk Management: Tools and guidance for personal data risk assessment and management
Security Update Notifications: Regular communication about security improvements and updates

14.3 COMPLAINTS AND ESCALATION FRAMEWORK

COMPREHENSIVE COMPLAINT RESOLUTION RIGHTS: "If you have concerns about privacy practices or data handling, you have multiple escalation options and resolution pathways available."

Internal Escalation Rights:

Multi-Level Resolution: Progressive escalation through customer service, privacy office, and senior management
Response Timeline Guarantees: Committed response times for different types of privacy complaints
Resolution Documentation: Written documentation of complaint resolution and corrective actions
Follow-Up Rights: Right to follow-up evaluation and satisfaction confirmation

External Escalation Options:

Regulatory Authority Assistance: Guidance and assistance with regulatory complaints
Independent Mediation: Access to third-party mediation services for unresolved complaints
Legal Resource Information: Information about legal rights and remedies
International Complaint Support: Assistance with cross-border privacy complaints and resolution

Complaint Prevention and Improvement Rights:

Feedback Integration: Right to see how complaints lead to policy and practice improvements
Prevention Program Participation: Opportunity to participate in privacy program improvement initiatives
Community Advisory Input: Option to provide input on privacy practices and policies
Continuous Improvement Updates: Regular communication about privacy program enhancements

15. CONTACT INFORMATION AND PRIVACY OFFICE

14.1 PRIMARY PRIVACY RIGHTS CONTACTS

Privacy Rights Office: Aqualanes Limited
Privacy Rights Officer
Email: support@dermxell.com
Subject Line: "Privacy Rights Request"
Phone: +852 6516 5836

Postal Address: Aqualanes Limited
Privacy Rights Officer
Flat/Rm C1207 12/F, Hang Cheong Factory Building
1 Wing Ming Street, Cheung Sha Wan, Kowloon
Hong Kong

14.2 SPECIALIZED PRIVACY CONTACTS

Emergency Privacy Concerns: support@dermxell.com with the subject line "Emergency Privacy"
Data Breach Notifications: support@dermxell.com with the subject line "Data Breach"
Children's Privacy Issues: support@dermxell.com with subject "Child Privacy Concern"
International Privacy Matters: support@dermxell.com with subject "International Privacy Rights"

14.3 PLATFORM-SPECIFIC PRIVACY CONTACTS

AppLovin Privacy Issues: dataprotection@applovin.com (direct to AppLovin)
Google Privacy Controls: Via Google Account privacy settings
Meta Platform Privacy: Via Facebook/Instagram privacy settings
YouTube Privacy: Via YouTube privacy and safety settings

15. LEGAL VALIDITY AND ENFORCEMENT

15.1 DOCUMENT AUTHORITY

This Data Privacy Rights document becomes effective immediately upon publication and supersedes all previous versions. This document constitutes a legally binding agreement between Aqualanes Limited and all users of DERMXELL⁺ products and services regarding privacy rights exercise and enforcement.

Legal Enforceability: Should any provision of this Data Privacy Rights document be deemed invalid, illegal, or unenforceable by a court of competent jurisdiction, such provision shall be severed, and the remainder of the document shall remain in full force and effect.

15.2 INTEGRATION WITH OTHER POLICIES

Complete Privacy Framework: This Data Privacy Rights document, together with our Privacy Policy, Terms of Service, FDA Disclaimer, Ingredient Safety Guidelines, and Cookie Policy, constitutes the complete privacy and data protection framework governing DERMXELL⁺ products and services.

Policy Hierarchy: In the event of conflicts between privacy-related documents, the most protective provision for consumer privacy rights shall prevail.

15.3 UPDATES AND AMENDMENTS

Amendment Procedures:

30-day advance notice for material changes affecting user rights
Immediate implementation for changes enhancing user protections
Regular review and update cycle every 6 months
Proactive updates for new regulatory requirements

Change Notification:

Email notification to all registered users
Prominent website notification for 30 days minimum
Side-by-side comparison tool for policy changes
Enhanced notification for changes affecting platform-specific rights

Document Authentication:
Document Version: October 14, 2025, 001
Legal Review Date: October 14, 2025
Next Scheduled Review: April 15, 2026
Platform Compliance Status: Current as of October 15, 2025

This Data Privacy Rights document has been prepared to meet the highest standards of consumer privacy protection, advertising platform policy compliance, and international legal frameworks. For specific privacy rights questions or complex request procedures, consult with qualified legal counsel familiar with data protection law and international privacy regulations.

Menu

Your cart is empty

Cart • 0 items

Shipping Protection

Data Privacy Rights