Privacy Policy

Last Updated: October 14, 2025
Operated by: Aqualanes Limited ("Aqualanes", "Company", "we", "our", or "us")

1. INTRODUCTION AND ACCEPTANCE

Dermxell operates this website and online store (the “Services”), powered by Shopify, to provide customers with a curated shopping and product-discovery experience. This Privacy Policy explains how Aqualanes Limited, as the exclusive operator of the DERMXELL⁺ brand and associated digital properties, collects, processes, uses, discloses, transfers, and safeguards information relating to identified or identifiable natural persons (“Personal Data” or “Personal Information”) when you access our website, mobile applications, purchase our products, or engage with our advertising content across AppLovin, Google Ads, Meta Platforms (Facebook and Instagram), YouTube, TikTok, or any other approved digital advertising networks and platforms.

By accessing, using, or interacting with our website, store, Services, or associated advertising channels, you acknowledge that you have read, understood, and accepted this Privacy Policy and consent to the collection and processing of your information as described herein. If you do not agree with any provision of this Privacy Policy, please discontinue use of our Services and digital properties immediately.

2. SCOPE AND TERRITORIAL APPLICATION

This Privacy Policy applies comprehensively to all customers, prospective customers, website visitors, and end users located in, or accessing our services from, the United States of America, Canada, United Kingdom, European Union member states, Australia, Federal Republic of Germany, Swiss Confederation, Kingdom of Norway, Kingdom of Belgium, New Zealand, United Arab Emirates (Dubai), Kingdom of Sweden, Kingdom of the Netherlands, and such other jurisdictions as may be designated by Aqualanes Limited from time to time.

2.1 Regulatory Compliance Framework

Aqualanes Limited maintains strict adherence to, and this Privacy Policy is expressly designed to satisfy the requirements of, the following data protection and privacy regulatory frameworks:

  • European Union: Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR)
  • United Kingdom: UK GDPR and Data Protection Act 2018
  • United States: California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), Utah Consumer Privacy Act (UCPA), and other applicable state privacy legislation
  • Canada: Personal Information Protection and Electronic Documents Act (PIPEDA) and provincial privacy legislation
  • Australia: Privacy Act 1988 (Cth) and the Notifiable Data Breaches Scheme
  • United Arab Emirates: Federal Decree Law No. 45 of 2021 on Personal Data Protection
  • Switzerland: Federal Data Protection Act (FADP) as amended
  • Other Jurisdictions: Comparable international data protection frameworks as applicable

EU/UK Representative (GDPR/UK GDPR Art. 27) – Added: Where Aqualanes Limited has no establishment in the EU or the UK but offers goods or services there, we will appoint an EU Representative and a UK Representative pursuant to Article 27 GDPR/UK GDPR. Their contact details will be published in Section 21 upon appointment.

3. DEFINITIONS AND INTERPRETATIONS

For purposes of this Privacy Policy, the following terms shall have the meanings ascribed below:

"Controller" means Aqualanes Limited, as the natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.

"Processor" means a natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Controller.

"Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.

"Data Subject" means an identified or identifiable natural person to whom Personal Data relates.

"Sensitive Personal Information" includes, but is not limited to, health data, biometric data, racial or ethnic origin, political opinions, religious beliefs, trade union membership, sexual orientation, genetic data, or precise geolocation data.

"Third Country" means a jurisdiction outside the European Economic Area that has not been subject to an adequacy decision by the European Commission.

4. CATEGORIES OF PERSONAL DATA COLLECTED

4.1 Information Provided Directly by Data Subjects

The following categories of Personal Data may be collected when voluntarily provided:

  • Identity Data: Full legal name, date of birth, gender, age demographic
  • Contact Data: Email address, postal address, telephone number, mobile number
  • Financial Data: Payment card information, billing address, transaction history
  • Commercial Data: Order history, product preferences, purchase behavior, customer service interactions
  • Communications Data: Product reviews, survey responses, customer service correspondence, marketing communications preferences
  • Account Data: Account credentials, security questions, profile preferences

4.2 Automatically Collected Technical Data

Through automated technological means, we collect:

  • Device Data: Device identifiers (including but not limited to IP addresses, mobile advertising identifiers (IDFA/AAID), browser type, operating system, device model, screen resolution)
  • Usage Data: Session duration, page interactions, click-through rates, referring URLs, exit pages
  • Location Data: General geographic location (country, state, city level) derived from IP address
  • Cookie Data: Preference settings, authentication tokens, session identifiers
  • Analytics Data: Website navigation patterns, conversion funnel analytics, A/B testing participation

4.3 Information from Third-Party Sources

We may receive Personal Data from authorized third-party sources, including:

  • Advertising Partners: Aggregated performance metrics and audience insights from AppLovin, Google Ads, Meta Platforms, YouTube, and other authorized advertising networks
  • Data Enrichment Services: Demographic and preference data from legitimate commercial data providers
  • Social Media Platforms: Publicly available profile information when you interact with our social media presence
  • Payment Processors: Transaction verification and fraud prevention data
  • Customer Referrals: Contact information provided by existing customers with appropriate consent

4.4 CPRA “Notice at Collection” (Added)

| Category | Examples | Purpose of Use | Retention | Shared With |
|---|---|---|---|---|
| Identifiers | Name, email, phone, address | Order fulfilment, identity verification | 7 years | Payment processors, logistics |
| Commercial Data | Orders, returns, preferences | Customer support, analytics, marketing | 7 years | Shopify, marketing partners |
| Internet Activity | IP, cookies, device data | Site operation, ads measurement | 26 months (analytics anonymized) | Google, AppLovin, Meta |
| Geolocation | Region/country (coarse) | Fraud control, localization | ≤ 13 months | Advertising partners |
| Sensitive PI | Not collected for profiling | N/A | N/A | N/A |

Aqualanes Limited does not “sell” Personal Information for monetary value and does not “share” Personal Information for cross-context behavioral advertising within the meaning of CPRA.

5. PURPOSES AND LEGAL BASES OF PROCESSING

Personal Data is processed exclusively for the following lawful purposes under clearly defined legal bases:

5.1 Contractual Necessity (GDPR Art. 6(1)(b))

  • Order processing and fulfillment
  • Customer service provision
  • Account management and authentication
  • Payment processing and transaction completion
  • Product delivery and logistics coordination

5.2 Legitimate Interest (GDPR Art. 6(1)(f))

  • Marketing optimization and campaign performance analysis
  • Fraud prevention and security monitoring
  • Product development and improvement
  • Website analytics and user experience enhancement
  • Business intelligence and strategic planning

5.3 Legal Obligation (GDPR Art. 6(1)(c))

  • Tax reporting and record-keeping
  • Customs documentation for international shipments
  • Regulatory compliance reporting
  • Anti-money laundering verification
  • Consumer protection law compliance

5.4 Explicit Consent (GDPR Art. 6(1)(a))

  • Marketing communications and newsletters
  • Personalized advertising and targeted marketing
  • Non-essential cookies and tracking technologies
  • Third-party data sharing for advertising purposes
  • Optional product recommendations and upselling

IMPORTANT DECLARATION: Aqualanes Limited does not, has not, and will not sell Personal Data for monetary consideration as defined under the California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), or any equivalent privacy legislation.

6. ENHANCED HEALTH AND WELLNESS DATA RESTRICTIONS

6.1 Meta Platforms Health & Wellness Compliance (Effective January 2025)

In strict adherence to Meta's enhanced health and wellness data restrictions:

  • Prohibited Targeting: We expressly do not target advertisements based on sensitive health categories, including but not limited to health conditions, fitness data, wellness behaviors, medical history, pharmaceutical interests, or healthcare service utilization
  • Custom Audience Restrictions: All custom audiences exclude health-related behavioral data, demographic health markers, and wellness-indicating activities
  • Sensitive Category Exclusion: All advertising targeting complies with Meta's 2025 sensitive category restrictions applicable to cosmetic and wellness products
  • User Control Mechanisms: Users may exercise granular control over health-related advertising through facebook.com/adpreferences and may request complete exclusion from health/wellness advertising by contacting support@dermxell.com
  • Lookalike Audience Limitations: We do not utilize health data, medical information, or wellness indicators for lookalike audience creation
  • Data Minimization: Processing is strictly limited to anonymized purchase events, general website interactions, and explicitly consented audience matching

7. COOKIES, TRACKING TECHNOLOGIES AND ENHANCED CONSENT MANAGEMENT

7.1 Technology Implementation

Advanced cookies and similar tracking technologies are systematically employed to facilitate:

  • Essential Functionality: Website operation, security protocols, user authentication
  • Performance Analytics: Site optimization, user experience enhancement, conversion tracking
  • Advertising Operations: Campaign measurement, audience segmentation, personalized ad delivery
  • Third-Party Integration: Social media plugins, payment processing, customer support systems

7.2 Consent Management Framework

  • Granular Consent Controls: Users may provide or withdraw consent for specific cookie categories
  • Platform-Specific Opt-Outs: Direct integration with platform-specific preference centers
  • Global Privacy Control (GPC) Recognition: Automatic recognition and response to GPC signals where technically feasible (Added)
  • Do Not Track (DNT) Compliance: Honored where legally required or technically implementable

Prior Consent in the EU/UK/EEA/CH – Added: In jurisdictions requiring opt-in consent, non-essential cookies and tracking tags are activated only after affirmative consent through our Consent Management Platform (CMP).

Comprehensive cookie details are maintained in our separate Cookie Policy, accessible through our website footer.

8. ADVERTISING PARTNERS AND DATA SHARING FRAMEWORK

Limited, pseudonymized, and aggregated Personal Data may be shared with the following categories of trusted partners exclusively for legitimate business and advertising purposes under strict contractual data protection obligations:

8.1 Authorized Advertising Technology Partners

  • AppLovin Corporation: Advanced ad delivery optimization and programmatic advertising
  • Google LLC: Search advertising, YouTube marketing, and performance measurement
  • Meta Platforms, Inc.: Social media advertising on Facebook and Instagram platforms
  • TikTok Pte. Ltd.: Social media advertising and content promotion (where legally permitted)

8.2 Essential Service Providers

  • Shopify Inc.: Secure e-commerce platform hosting and transaction processing
  • Payment Processors: Credit card processing, fraud prevention, and financial verification
  • Logistics Partners: Order fulfillment, shipping, and delivery coordination
  • Customer Support Systems: Help desk software and customer communication platforms

All third-party partners operate under binding written agreements incorporating adequate data protection safeguards, processing limitations, and security requirements equivalent to those maintained by Aqualanes Limited.

9. COMPREHENSIVE PLATFORM-SPECIFIC DISCLOSURES

9.1 Meta Platforms (Facebook & Instagram) Enhanced Compliance

Mandatory Disclosure Language:

"We work with Meta Platforms to deliver personalized advertising content on Facebook and Instagram. Processing includes anonymized conversion data, website interaction events, and consent-verified custom audience matching, subject to Meta's 2025 Health & Wellness Data Restrictions."

Specific Provisions:

  • Data Minimization: Only essential advertising data is processed
  • Health Category Exclusion: No sensitive health or wellness data is utilized for targeting
  • Enhanced Transparency: Users receive clear information about data usage in advertising
  • User Control Integration: Direct links to Meta's ad preference management tools
  • Custom Audience Consent: All uploaded audiences verified for explicit advertising consent

User Rights and Controls:

  • Advertising preference management: facebook.com/adpreferences
  • Data sharing withdrawal: facebook.com/help/568137493302217
  • Custom audience exclusion requests: support@dermxell.com
  • Enhanced user control mechanisms effective January 2025

9.2 Google Advertising and YouTube Services Enhanced Compliance

Google Advertiser Verification (Effective May 2025):

"We are a verified Google advertiser operating under the business name 'Aqualanes Limited' with enhanced transparency reporting available through Google's Ads Transparency Center."

Comprehensive Service Integration:

  • Search Advertising: Google Ads campaign management and keyword targeting
  • YouTube Marketing: Video advertising and content promotion with enhanced transparency
  • Analytics Integration: Google Analytics with Privacy Sandbox implementation
  • Attribution Reporting: Privacy-preserving conversion measurement and campaign attribution

Privacy Sandbox Compliance:

  • Topics API Integration: Interest-based advertising using privacy-preserving topics
  • Protected Audience Implementation: Remarketing without cross-site tracking
  • Attribution Reporting: Conversion measurement with differential privacy

User Control Mechanisms:

  • Google Ads personalization: adssettings.google.com
  • YouTube advertising preferences: youtube.com/account_privacy
  • Privacy Sandbox controls: Available in supported Chrome browsers
  • Google Analytics opt-out: tools.google.com/dlpage/gaoptout

Reference Documentation:

  • Google Privacy Policy: policies.google.com/privacy
  • Google Ads Policies: support.google.com/adspolicy
  • YouTube Privacy Guidelines: support.google.com/youtube/topic/2803240

9.3 AppLovin Advertising Technology Enhanced Disclosure

Mandatory Platform Language:

"We work with AppLovin to deliver ads in our mobile application and other devices and/or platforms. AppLovin's advertising technology processes device identifiers (IDFA/AAID when available), purchase behavior and transaction data, geographic location data (country/region level), and app usage patterns and engagement metrics. Third-party measurement partners may be collecting and processing Personal Data as part of the Open Measurement Working Group to perform ad measurement and other services. For more information about AppLovin's collection and use of your information visit: https://legal.applovin.com/privacy"

Technical Implementation Details:

  • SDK Integration: AppLovin SDK implementation with privacy-compliant data collection
  • Consent Management: Proper consent flag transmission for EU/EEA/UK users in compliance with applicable laws
  • Data Categories: Device identifiers, behavioral data, geographic indicators, engagement metrics
  • Measurement Framework: Integration with Open Measurement SDK for industry-standard ad verification

Compliance Specifications:

  • EU/EEA/UK Consent: Correct collection and transmission of consent flag values for interest-based advertising
  • Data Retention: Advertising data retained for maximum 13 months
  • Children's Privacy: Full compliance with AppLovin's Children's Data restrictions
  • Sensitive Data: Complete adherence to AppLovin's Sensitive Data processing limitations

User Control Options:

  • Device-level advertising settings (iOS: Settings > Privacy & Security > Apple Advertising; Android: Settings > Privacy > Ads)
  • AppLovin Privacy Management Application: Available through AppLovin's privacy portal
  • Email requests: dataprotection@applovin.com

9.4 YouTube Advertising Specific Compliance

Platform-Specific Requirements:

"YouTube advertising campaigns comply comprehensively with YouTube's advertiser-friendly content guidelines, Community Guidelines, and enhanced transparency requirements effective 2025."

Compliance Framework:

  • Content Standards: All video advertisements meet YouTube's quality and safety requirements
  • Age Verification: No targeting of users under 18 years of age on YouTube platform
  • Restricted Content Compliance: Full adherence to YouTube's health and wellness advertising restrictions
  • Cross-Platform Integration: Seamless integration with Google's broader advertising ecosystem

Enhanced Transparency Measures:

  • Advertiser Identity: Clear disclosure of Aqualanes Limited as advertising entity
  • Content Labeling: Appropriate identification of sponsored content and promotional materials
  • Community Guidelines: Strict adherence to YouTube's community standards and policies

10. ENHANCED DATA SUBJECT RIGHTS AND EXERCISE PROCEDURES

10.1 Universal Rights Framework

All Data Subjects may exercise the following rights, subject to identity verification and legal limitations:

Core Rights (GDPR Articles 15-22):

  • Right of Access: Obtain confirmation of processing and copies of Personal Data
  • Right of Rectification: Correct inaccurate or incomplete Personal Data
  • Right of Erasure: Request deletion of Personal Data under specified circumstances
  • Right to Restriction: Limit processing under certain conditions
  • Right to Data Portability: Receive Personal Data in structured, machine-readable format
  • Right to Object: Object to processing based on legitimate interests or direct marketing
  • Rights Related to Automated Decision-Making: Protection against solely automated decisions

10.2 Regional Enhancements and Augmentations

Australia (Privacy Act 1988):

  • Right to notification of eligible data breaches within 72 hours
  • Access to complaint resolution through the Office of the Australian Information Commissioner
  • Enhanced correction rights under Australian Privacy Principles

Canada (PIPEDA and Provincial Legislation):

  • Right to withdraw consent for any processing not required by law
  • Right to lodge complaints with the Privacy Commissioner of Canada
  • Enhanced access rights under federal and provincial privacy legislation

Switzerland (Federal Data Protection Act - FADP):

  • Enhanced data portability rights under revised FADP provisions
  • Right to information about automated decision-making processes
  • Strengthened consent withdrawal mechanisms

United Arab Emirates (Dubai - Federal Decree Law No. 45/2021):

  • Right to data rectification with enhanced verification procedures
  • Compliance with data localization requirements where applicable
  • Access to UAE Data Protection Authority complaint mechanisms

United States (State Privacy Laws - CCPA/CPRA/VCDPA/CPA/CTDPA/UCPA):

  • Right to know about Personal Information collection and use
  • Right to delete Personal Information (with specified exceptions)
  • Right to correct inaccurate Personal Information
  • Right to opt-out of "sale" or "sharing" of Personal Information
  • Right to limit use of Sensitive Personal Information
  • Right to non-discrimination for exercising privacy rights

10.3 Rights Exercise Procedures

Request Submission: All privacy rights requests must be submitted to support@dermxell.com with the subject line "Privacy Request" and must include:

  • Full legal name and contact information
  • Specific right(s) being exercised
  • Detailed description of the request
  • Identity verification documentation (as reasonably required)

Response Timeline: Requests will be acknowledged within 72 hours and completed within the timeframes required by applicable law (typically 30-45 days depending on jurisdiction).

Verification Process: Identity verification may be required through government-issued identification, account verification, or other reasonable means to protect against fraudulent requests.

Appeal, Authorized Agent, Non-Discrimination – Added:

  • Appeal: If we deny a request, you may appeal within 45 days by emailing support@dermxell.com with subject “Appeal.”
  • Authorized Agent (California): You may designate an authorized agent to submit requests on your behalf; we require proof of authorization and may ask you to verify your identity directly.
  • Non-Discrimination: We will not deny goods or services, charge different prices, or provide a different level of quality because you exercised a privacy right.

Consumer Links – Added: We provide footer links titled “Do Not Sell or Share My Personal Information” and “Limit the Use of My Sensitive Personal Information.”

11. INTERNATIONAL DATA TRANSFERS AND CROSS-BORDER PROCESSING

11.1 Transfer Mechanisms and Safeguards

Personal Data may be processed, stored, or transferred to countries outside your jurisdiction, including by service providers and advertising partners located in third countries. All international transfers are protected by appropriate safeguards:

European Union and UK:

  • Standard Contractual Clauses (SCCs): Implementation of EU Commission-approved SCCs for transfers to third countries
  • Adequacy Decisions: Reliance on European Commission adequacy decisions where applicable
  • Supplementary Measures: Additional technical and organizational measures for high-risk transfers
  • Transfer Impact Assessments: Regular evaluation of transfer risks and safeguards

Other Jurisdictions:

  • Contractual Protections: Binding data transfer agreements with equivalent protection standards
  • Certification Programs: Participation in recognized international privacy certification frameworks
  • Regular Auditing: Periodic assessment of international transfer compliance and security

11.2 Specific Transfer Locations

Personal Data may be transferred to and processed in:

  • United States: Under appropriate safeguards including SCCs and supplementary measures
  • Canada: Recognized as adequate under GDPR and with additional PIPEDA protections
  • Singapore: With appropriate contractual safeguards and technical protections
  • Other Locations: As necessary for service provision with equivalent protection standards

12. DATA PROCESSORS AND SUB-PROCESSOR MANAGEMENT

12.1 Processor Selection and Management

Aqualanes Limited engages carefully vetted third-party Processors exclusively under comprehensive written agreements that incorporate:

  • Processing Limitations: Strict limitations to processing only for specified, explicit purposes
  • Confidentiality Obligations: Binding confidentiality and non-disclosure requirements
  • Security Standards: Implementation of appropriate technical and organizational security measures
  • Data Subject Rights: Facilitation of Data Subject rights exercise
  • Audit Rights: Regular compliance monitoring and audit capabilities
  • Breach Notification: Immediate notification of any Personal Data breaches
  • Data Deletion: Secure deletion or return of Personal Data upon contract termination

12.2 Authorized Processor Categories

Technology and Infrastructure:

  • Shopify Inc. (e-commerce platform hosting)
  • Cloud service providers (data storage and processing)
  • Content delivery networks (website performance optimization)

Advertising and Marketing:

  • AppLovin Corporation (advertising technology and optimization)
  • Google LLC (advertising services and analytics)
  • Meta Platforms, Inc. (social media advertising)
  • Email marketing platforms (customer communication)

Financial and Payment Processing:

  • Payment card processors (transaction processing)
  • Financial verification services (fraud prevention)
  • Accounting and tax preparation services (compliance reporting)

Customer Support and Logistics:

  • Customer service platforms (support ticket management)
  • Shipping and logistics providers (order fulfillment)
  • Returns processing services (customer service)

13. ARTIFICIAL INTELLIGENCE AND AUTOMATED CONTENT GENERATION

13.1 AI-Assisted Content Creation and Compliance

Certain marketing materials, creative content, and advertising assets may be partially generated, enhanced, or optimized using artificial intelligence and machine learning technologies in strict compliance with platform-specific AI content policies.

Compliance Framework:

  • AppLovin AI Content Policy: Full compliance with AppLovin's AI-generated content requirements and disclosure standards
  • Google AI Principles: Adherence to Google's responsible AI development and deployment guidelines
  • Meta AI Standards: Compliance with Meta's artificial intelligence content policies and community standards
  • Platform Disclosure Requirements: Appropriate identification of AI-assisted content where required by platform policies

Data Protection Measures:

  • Prohibited Data Usage: No biometric data, medical information, health records, or Sensitive Personal Information is utilized for AI training or content generation
  • Privacy-Preserving Techniques: Implementation of differential privacy and data minimization principles in AI processing
  • Human Oversight: All AI-generated or AI-assisted content undergoes human review and approval prior to publication or distribution
  • Quality Assurance: Internal compliance team verification of all AI-assisted materials before dissemination

13.2 Automated Decision-Making and Profiling

Limited Automated Processing: Aqualanes Limited employs automated processing exclusively for:

  • Product recommendation algorithms based on purchase history
  • Website personalization and user experience optimization
  • Fraud detection and payment security verification
  • Marketing campaign optimization and A/B testing

GDPR Article 22 Compliance: No solely automated decision-making with legal or similarly significant effects occurs without explicit consent, contractual necessity, or legal authorization, and appropriate safeguards including human intervention rights are maintained.

14. ENHANCED DATA RETENTION, SECURITY, AND CONTROLLED ERASURE

14.1 Data Retention Principles and Schedules

Personal Data is retained exclusively for the minimum duration necessary to fulfill the specific purposes for which it was collected, subject to the following retention schedules:

  • Customer Account Data: Retained for the duration of the customer relationship plus 7 years for legal and tax obligations
  • Transaction Records: Retained for 7 years from transaction date for financial record-keeping and regulatory compliance
  • Marketing Communications: Retained until consent withdrawal or 3 years of inactivity, whichever occurs first
  • Website Analytics: Anonymized after 26 months in compliance with data protection requirements
  • Advertising Data: Retained per partner-specific policies (AppLovin: 13 months maximum; Google: up to 24 months; Meta: up to 26 months, or as updated by partner policy)
  • Legal Compliance Data: Retained for periods required by applicable law (typically 7 years for tax and customs records)

14.2 Advanced Security Measures

Technical Safeguards:

  • Encryption: Industry-standard AES-256 encryption for data at rest and TLS 1.3 for data in transit
  • Access Controls: Multi-factor authentication, role-based access permissions, and regular access reviews
  • Network Security: Firewall protection, intrusion detection systems, and regular vulnerability assessments
  • Backup Systems: Secure, encrypted backup systems with regular recovery testing

Organizational Measures:

  • Staff Training: Regular privacy and security training for all personnel with access to Personal Data
  • Incident Response: Comprehensive data breach response procedures with regulatory notification protocols
  • Vendor Management: Regular security assessments and compliance monitoring of all third-party processors
  • Documentation: Detailed records of processing activities, security measures, and compliance procedures

14.3 Data Erasure and Deletion Procedures

User-Initiated Deletion: Data Subjects may request immediate erasure by contacting support@dermxell.com with appropriate identity verification

Automated Deletion: Systematic deletion of Personal Data upon expiration of retention periods using secure deletion methods

Technical Implementation: Multi-pass overwriting of digital storage media and certified destruction of physical media where applicable

Backup Considerations: Reasonable efforts to remove Personal Data from backup systems, with complete removal guaranteed at next backup cycle refresh

Legal Hold Exceptions: Data may be retained longer where required by legal proceedings, regulatory investigations, or other legitimate legal obligations

15. ENHANCED CHILDREN'S PRIVACY PROTECTIONS AND SENSITIVE DATA SAFEGUARDS

15.1 Comprehensive Children's Privacy Framework

Age Restrictions: DERMXELL products, services, and advertising content are expressly designed for and directed exclusively to adults aged 18 years and above.

COPPA Compliance (United States): Strict adherence to the Children's Online Privacy Protection Act, including:

  • No collection of Personal Information from children under 13
  • No targeted advertising to users under 13 across any platform or service
  • Immediate deletion of any inadvertently collected children's data
  • Parental notification and consent procedures where legally required

GDPR-K and International Children's Privacy: Compliance with enhanced protections for minors under international frameworks:

  • No processing of Personal Data from individuals under 18 without verifiable parental consent
  • Enhanced consent verification procedures for users aged 13-17
  • Special category data protections for any minor-related information
  • Right of parents/guardians to access, modify, or delete children's Personal Data

Platform-Specific Protections:

  • Google/YouTube: Compliance with YouTube Kids policies and restricted mode requirements
  • Meta Platforms: Adherence to Instagram and Facebook age verification and minor protection policies
  • AppLovin: Implementation of age-gating and children's privacy restrictions

15.2 Sensitive Personal Information Safeguards

Prohibited Processing: Aqualanes Limited expressly does not collect, process, or utilize the following categories of Sensitive Personal Information:

  • Racial or ethnic origin indicators
  • Political opinions or affiliations
  • Religious or philosophical beliefs
  • Trade union membership information
  • Genetic or biometric data for identification purposes
  • Health data or medical information (beyond cosmetic product usage)
  • Sexual orientation or sexual life information
  • Criminal conviction or offense records

Inadvertent Collection: Should any Sensitive Personal Information be inadvertently collected, it will be immediately deleted upon discovery with documentation of the deletion process.

16. ENHANCED COSMETIC PRODUCT REGULATORY COMPLIANCE AND DISCLAIMERS

16.1 Product Classification and Regulatory Status

Cosmetic Product Declaration: All DERMXELL products are classified as cosmetic preparations under applicable regulatory frameworks and are not medical devices, pharmaceuticals, or therapeutic goods.

FDA Compliance (United States): Full compliance with U.S. Food and Drug Administration cosmetic regulations (21 CFR Parts 700-740), including:

  • Appropriate product labeling and ingredient disclosure
  • Good Manufacturing Practice (GMP) standards adherence
  • Adverse event reporting procedures
  • Claims substantiation requirements

EU Cosmetic Regulation Compliance: Adherence to Regulation (EC) No 1223/2009 on cosmetic products for European Union distribution:

  • Cosmetic Product Safety Report (CPSR) completion by qualified safety assessor
  • Responsible Person designation within the European Union
  • Product Information File (PIF) maintenance with complete technical documentation
  • CPNP (Cosmetic Product Notification Portal) registration for EU market access

International Regulatory Compliance:

  • Health Canada: Cosmetic regulations compliance for Canadian distribution
  • TGA (Australia): Therapeutic Goods Administration cosmetic requirements adherence
  • Additional Jurisdictions: Compliance with local cosmetic regulations in all distribution markets

16.2 Enhanced Product Disclaimers and Limitations

Individual Results Disclaimer: Results from DERMXELL products may vary significantly among individual users based on factors including but not limited to skin type, age, lifestyle, adherence to usage instructions, and individual skin sensitivity.

Medical Limitation Statement: DERMXELL products are not intended to diagnose, treat, cure, prevent, or mitigate any disease, medical condition, or health disorder. Consumers experiencing persistent skin conditions should consult qualified dermatological or medical professionals.

Usage Safety Guidelines:

  • Discontinue use immediately if irritation, redness, or adverse reactions occur
  • Conduct patch testing before full application as recommended in product instructions
  • Consult healthcare professionals before use if you are pregnant, nursing, or have known skin sensitivities
  • Keep products away from eyes and mucous membranes unless specifically formulated for such use

Claims Substantiation: All product efficacy claims are substantiated by clinical testing, consumer studies, or ingredient research conducted in accordance with applicable regulatory standards and industry best practices.

17. ENHANCED FORCE MAJEURE, LIABILITY LIMITATIONS, AND LEGAL PROTECTIONS

17.1 Comprehensive Force Majeure Provisions

Aqualanes Limited shall not be held liable for any failure to perform, delay in performance, or interruption of service resulting directly or indirectly from circumstances beyond its reasonable control, including but not limited to:

Regulatory and Legal Events:

  • Changes in applicable privacy, advertising, or cosmetic regulations
  • Government actions, sanctions, or trade restrictions
  • Platform policy modifications by advertising partners
  • Data protection authority investigations or enforcement actions
  • Court orders or regulatory compliance requirements

Operational Disruptions:

  • Customs processing delays or import/export restrictions
  • Payment processor outages or financial service disruptions
  • Shipping carrier delays, strikes, or service interruptions
  • Third-party service provider failures or security incidents
  • Cybersecurity attacks or data security breaches affecting third parties

Natural and Economic Events:

  • Pandemics, epidemics, or other public health emergencies
  • Natural disasters, extreme weather events, or environmental catastrophes
  • Currency fluctuations affecting international transactions
  • Economic sanctions or trade war restrictions
  • Supply chain disruptions or raw material shortages

17.2 Comprehensive Liability Limitations

Maximum Liability Cap: Aqualanes Limited's total aggregate liability for any claims arising from or related to DERMXELL products or services shall not exceed the total amount paid by the customer for the specific product or service giving rise to the claim.

Excluded Damages: To the fullest extent permitted by applicable law, Aqualanes Limited shall not be liable for:

  • Indirect, incidental, special, exemplary, or consequential damages
  • Loss of profits, business interruption, or loss of business opportunities
  • Loss of data, information, or privacy breaches not directly caused by our negligence
  • Punitive or exemplary damages regardless of the legal theory of recovery
  • Any damages arising from third-party products, services, or content

Cosmetic Product Specific Limitations:

  • No warranty of specific results or outcomes from product use
  • Limited warranty period of 60 days from purchase date for product defects only
  • Customer responsibility for patch testing and appropriate product usage
  • Exclusion of liability for allergic reactions or skin sensitivities not disclosed in product labeling

17.3 Dispute Resolution and Jurisdictional Framework

Mandatory Arbitration: All disputes, claims, or controversies arising out of or relating to this Privacy Policy, DERMXELL products, or services shall be resolved through binding arbitration rather than in courts of general jurisdiction.

Arbitration Procedures:

  • International Customers: Arbitration conducted under the jurisdiction of England and Wales, governed by English law, administered by the London Court of International Arbitration (LCIA)
  • United States Customers: Arbitration conducted under Delaware state law, administered by the American Arbitration Association (AAA) using Commercial Arbitration Rules
  • Arbitrator Selection: Single arbitrator selected through mutual agreement or AAA/LCIA appointment procedures
  • Location: Arbitration proceedings conducted in London, UK for international disputes or Wilmington, Delaware for US disputes

Class Action Waiver: To the fullest extent permitted by applicable law, all parties waive the right to participate in class action lawsuits, collective arbitrations, or representative proceedings.

Governing Law:

  • International Customers: Governed by the laws of England and Wales, excluding conflict of law principles
  • United States Customers: Governed by the laws of the State of Delaware, excluding conflict of law principles

Exception for Emergency Relief: Notwithstanding the arbitration requirement, either party may seek emergency injunctive relief in courts of competent jurisdiction to prevent irreparable harm.

18. ENHANCED USER CONTROL MECHANISMS AND OPT-OUT PROCEDURES

18.1 Comprehensive Opt-Out Framework

Platform-Specific Controls:

  • Meta Platforms: facebook.com/adpreferences and instagram.com/accounts/privacy_and_security/
  • Google Services: adssettings.google.com and myaccount.google.com/privacy
  • YouTube: youtube.com/account_privacy and youtube.com/account_playback
  • AppLovin: Available through device-level advertising settings and dataprotection@applovin.com

Universal Opt-Out Mechanisms:

  • Global Privacy Control (GPC): Automatic recognition and response to GPC browser signals where technically feasible
  • Do Not Track (DNT): Honored for essential functions where legally required or technically implementable
  • Industry Opt-Out Tools: Integration with Network Advertising Initiative (NAI) and Digital Advertising Alliance (DAA) opt-out tools
  • Email Unsubscribe: One-click unsubscribe mechanism in all marketing communications with immediate processing

18.2 Enhanced Consent Management

Granular Consent Controls:

  • Cookie category-specific consent (essential, functional, analytics, advertising)
  • Platform-specific advertising consent with individual partner control
  • Marketing communication frequency and content type preferences
  • Data sharing consent with specific third-party categories

Consent Withdrawal Procedures:

  • Immediate processing of consent withdrawal requests
  • Confirmation of consent changes within 24 hours
  • Retroactive application to the extent technically feasible
  • Documentation of consent history for compliance purposes

Consent Verification and Documentation:

  • Detailed records of consent granted, modified, and withdrawn
  • Timestamp documentation of all consent interactions
  • Regular consent renewal requests for ongoing processing
  • Transparent consent status dashboard for user review

Rights Execution – Added: You may exercise any rights via our Privacy Rights form or by emailing support@dermxell.com. We acknowledge requests within 72 hours and respond within statutory time periods (typically 30–45 days).

19. INTERNATIONAL PRODUCT IMPORT, CUSTOMS COMPLIANCE, AND CUSTOMER OBLIGATIONS

19.1 International Shipping and Import Compliance

Customer Acknowledgments: By completing a purchase of DERMXELL products for international delivery, customers explicitly acknowledge and accept:

Import Duties and Taxes: Local import duties, value-added taxes (VAT), goods and services taxes (GST), or other governmental charges may apply in the destination jurisdiction and are the exclusive responsibility of the recipient.

Customs Processing: Delivery timelines may vary significantly based on customs clearance procedures, documentation requirements, and inspection processes in the destination country.

Regulatory Compliance: Products are formulated and labeled in compliance with origin country regulations (European Union cosmetic standards) but customers are responsible for ensuring compliance with destination country import and cosmetic product requirements.

Documentation Requirements: Aqualanes Limited will provide accurate customs documentation, but customers may be required to provide additional information or documentation to facilitate customs clearance.

19.2 Product Liability and International Legal Considerations

Limited International Warranty: Product warranties and guarantees may be limited by local laws and may not be enforceable in all international jurisdictions.

Local Legal Compliance: Customers are responsible for ensuring that importation and use of DERMXELL products complies with all applicable local laws, regulations, and cosmetic product requirements.

Restricted Jurisdictions: Products may not be available for shipment to certain jurisdictions due to regulatory restrictions, trade sanctions, or other legal limitations.

20. POLICY UPDATES, AMENDMENT PROCEDURES, AND NOTIFICATION PROTOCOLS

20.1 Amendment Authority and Procedures

Aqualanes Limited reserves the right to modify, update, or amend this Privacy Policy periodically to reflect:

  • Changes in applicable data protection or privacy laws
  • Updates to advertising platform policies and requirements
  • Modifications to business practices or service offerings
  • Technological developments affecting data processing
  • Enhanced user protection measures or security improvements

20.2 Notification and Implementation Procedures

Minor Updates: Non-substantive changes (formatting, clarifications, contact information updates) will be implemented immediately upon publication with updated "Last Updated" date notation.

Material Changes: Substantive modifications affecting data processing practices, user rights, or legal obligations will be implemented using the following protocol:

  • 30-Day Advance Notice: Email notification to all registered users with active accounts
  • Website Banner Notification: Prominent notification on website homepage for 30 days
  • Opt-In Consent: Explicit consent collection for material changes affecting user rights or expanding processing purposes
  • Policy Comparison Tool: Side-by-side comparison of previous and updated policy versions

Legal Compliance Updates: Changes required by law or regulatory mandate will be implemented immediately with subsequent user notification and explanation.

20.3 Continued Use and Acceptance

Continued use of DERMXELL products, services, or website following policy updates constitutes acceptance of the revised terms. Users who disagree with material changes may terminate their accounts and request data deletion in accordance with applicable data subject rights.

21. CONTACT INFORMATION AND PRIVACY OFFICE

21.1 Primary Contact Information

Privacy Officer: Aqualanes Limited Privacy Office
Email: support@dermxell.com
Subject Line Requirement: "Privacy Request" (for expedited processing)
Postal Address:
Aqualanes Limited
Privacy Officer
Flat/Rm C1207 12/F, Hang Cheong Factory Building, 1 Wing Ming Street, Cheung Sha Wan, Kowloon, Hong Kong
Hong Kong

21.2 Specialized Contact Procedures

Data Subject Rights Requests: support@dermxell.com with subject "Privacy Request"
Data Breach Notifications: security@dermxell.com
Marketing Opt-Out: unsubscribe@dermxell.com
Technical Support: support@dermxell.com with subject "Technical Support"

Response Timeline Commitments:

  • Rights requests acknowledged within 72 hours
  • Simple requests resolved within 30 days
  • Complex requests resolved within 45 days (with explanation if extension required)
  • Emergency privacy concerns addressed within 24 hours

22. AUTHORITATIVE REFERENCES AND REGULATORY RESOURCES

22.1 Platform Privacy Policies and Guidelines

AppLovin Corporation:
Privacy Policy: https://legal.applovin.com/privacy
Publisher Policies: https://www.applovin.com/policies-publishers/
Data Processing Agreement: https://www.applovin.com/applovin-platform-data-processing-agreement/

Google LLC:
Privacy Policy: https://policies.google.com/privacy
Advertising Policies: https://support.google.com/adspolicy
YouTube Privacy Guidelines: https://support.google.com/youtube/topic/2803240

Meta Platforms, Inc.:
Privacy Policy: https://www.facebook.com/privacy/policy
Advertising Standards: https://www.facebook.com/business/help/488043719226449
Instagram Privacy: https://help.instagram.com/581066165581870/

22.2 Regulatory Authority Resources

European Union:
European Data Protection Board: https://edpb.europa.eu/
GDPR Official Text: https://eur-lex.europa.eu/eli/reg/2016/679/oj

United States:
Federal Trade Commission: https://www.ftc.gov/privacy
California Attorney General (CCPA): https://oag.ca.gov/privacy/ccpa

Canada:
Privacy Commissioner of Canada: https://www.priv.gc.ca/
PIPEDA Information: https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/

United Kingdom:
Information Commissioner's Office: https://ico.org.uk/
UK GDPR Guidance: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/


23. EFFECTIVE DATE AND LEGAL VALIDITY

This Privacy Policy becomes effective immediately upon publication and supersedes all previous versions. This Policy constitutes a legally binding agreement between Aqualanes Limited and all users of DERMXELL products and services.

Legal Enforceability: Should any provision of this Privacy Policy be deemed invalid, illegal, or unenforceable by a court of competent jurisdiction, such provision shall be severed, and the remainder of the Policy shall remain in full force and effect.

Complete Agreement: This Privacy Policy, together with our Terms of Service, Cookie Policy, and other referenced legal documents, constitutes the complete agreement between parties regarding privacy and data protection matters.

Translation Disclaimer: In the event of conflicts between translated versions of this Privacy Policy, the English language version shall control and supersede all other versions.


24. ADDITIONAL CONSUMER-FACING SECTIONS (Added)

24.1 SMS / Messaging Terms and Conditions

By providing your mobile number and opting in to receive text messages, you consent to receive transactional or customer-care texts from DERMXELL / Aqualanes Limited related to orders and support. Consent is not a condition of purchase. Message frequency varies. Message & data rates may apply. Reply STOP to unsubscribe or HELP for assistance. Mobile opt-in data is never sold or shared for marketing purposes.

24.2 Third-Party Websites and User-Generated Content

Our Services may link to third-party websites we do not operate. We are not responsible for their privacy practices or content. Information you publish publicly (e.g., reviews, social media posts) may be accessible to others and used outside our control; share cautiously.

24.3 Security & Retention Summary (Consumer-Friendly)

While we implement appropriate technical and organizational measures to protect Personal Information, no system is impenetrable and transmission over the Internet carries risk. Retention periods appear in Section 14 and may be extended where legally required.

24.4 Complaints and Escalation

If you have concerns, contact our Privacy Office first (Section 21). If unresolved, you may escalate to your local data-protection authority (e.g., ICO UK, EDPB EU, OAIC Australia, OPC Canada, FTC US, UAE Data Office).

Document Authentication:
Document Version: October 1, 2025, 001
Legal Review Date: October 5, 2025
Next Scheduled Review: January 15, 2026
Regulatory Compliance Status: Current as of October 5, 2025

This Privacy Policy has been prepared in accordance with applicable data protection laws and advertising platform requirements as of the Last Updated date. Aqualanes Limited recommends consulting with qualified legal counsel for specific privacy law compliance questions.
