Security

Data Security & Compliance

Your health data deserves the highest level of protection. Here’s how we safeguard it.

GDPR / DSGVO Compliance

As a German company (drylabs GmbH), GDPR is our primary data protection framework. We comply with all requirements of the EU General Data Protection Regulation.

Data Protection Principles

Purpose limitation — data collected only for specified, legitimate purposes
Data minimisation — only data necessary for the service is collected
Storage limitation — data retained only as long as necessary
Integrity & confidentiality — appropriate security measures at all times

Your Rights

Under GDPR, you have the right to access, rectify, erase, port, and restrict processing of your data. You can exercise these rights directly in the app (Settings → Privacy & Data) or by contacting us at info@drylabs.de.

Technical Security

Encryption: AES-256 encryption at rest, TLS 1.3 in transit
Certificate pinning: The iOS app pins the server's TLS certificate, so a connection presenting any other certificate is rejected even if it was issued by a certificate authority the device trusts. This blocks man-in-the-middle interception through a compromised or mis-issued CA.
Row-level security: Row-level security policies in the database are enforced on every query, so an authenticated user can only read or modify rows that belong to their own account.
Photo privacy: EXIF metadata (GPS, camera, timestamps) stripped from all photos before upload
Biometric auth: Face ID / Touch ID via Apple Secure Enclave. Biometric data is matched inside the Secure Enclave and never leaves your device; the app only receives a success or failure result.
Backups: Encrypted daily backups with automated drift detection
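The photo-privacy item above says EXIF metadata is removed before upload. The following is an added example, not drylabs' or Aesthetic Pass's own code, showing how that stripping can be done on a JPEG without re-encoding the image, together with the check a practitioner would run on the uploaded bytes to confirm nothing sensitive survived. It walks the JPEG marker segments that precede the first scan and drops the ones that carry metadata (APP1 for Exif and XMP, APP13 for IPTC/Photoshop, APP2 MPF embedded previews, and COM comments), copying everything else byte for byte. The sample input is a constructed minimal byte string with a fake Exif GPS tag, not a real photo.

```python
"""Strip metadata segments from a JPEG without re-encoding the image data.

Added example, not the app's own code. A JPEG is a sequence of segments
(0xFF, marker byte, 2-byte big-endian length, payload) up to the SOS marker,
after which the compressed scan data runs to EOI. Metadata lives in the
segments before SOS, so dropping those segments removes Exif (GPS, camera,
timestamps), XMP, IPTC and comments while leaving the pixels untouched.
"""
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
APP0, APP1, APP2, APP13, COM = 0xE0, 0xE1, 0xE2, 0xED, 0xFE
# Markers that carry no length field: SOI, EOI, TEM and the restart markers.
STANDALONE = {SOI, EOI, 0x01} | set(range(0xD0, 0xD8))


def _segments(data: bytes):
    """Yield (marker, start, end) for each segment up to and including SOS.

    The scan data after SOS contains byte-stuffed 0xFF values and restart
    markers, so it is not parsed; the caller copies it verbatim.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    yield SOI, 0, 2
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        while pos < len(data) and data[pos] == 0xFF:  # skip 0xFF fill bytes
            pos += 1
        if pos >= len(data):
            raise ValueError("truncated JPEG")
        marker = data[pos]
        if marker in STANDALONE:
            yield marker, pos - 1, pos + 1
            pos += 1
            continue
        (length,) = struct.unpack(">H", data[pos + 1:pos + 3])  # includes itself
        end = pos + 1 + length
        yield marker, pos - 1, end
        pos = end
        if marker == SOS:
            return
    raise ValueError("no SOS segment: truncated JPEG")


def strip_metadata(data: bytes) -> bytes:
    """Return a copy of `data` with Exif/XMP, IPTC, MPF and comment segments removed."""
    out = bytearray()
    scan_start = None
    for marker, start, end in _segments(data):
        if marker in (APP1, APP13, COM):
            continue  # Exif + XMP, IPTC/Photoshop, free-text comments
        if marker == APP2 and data[start + 4:start + 8] == b"MPF\x00":
            continue  # Multi-Picture Format: embedded previews with their own Exif
        out += data[start:end]  # JFIF, ICC profile, quantisation/Huffman tables, frame header
        if marker == SOS:
            scan_start = end
    out += data[scan_start:]  # compressed scan data through EOI, unchanged
    return bytes(out)


def metadata_markers(data: bytes) -> list:
    """List the APPn/COM markers present before SOS: the post-upload check."""
    return [m for m, _, _ in _segments(data) if 0xE0 <= m <= 0xEF or m == COM]


def build_sample() -> bytes:
    """Constructed test input: SOI, JFIF APP0, Exif APP1 holding a GPSInfo tag,
    a COM segment, a stub SOS and EOI. Not a decodable picture."""
    def seg(marker: int, payload: bytes) -> bytes:
        return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

    jfif = seg(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    tiff = (b"MM\x00\x2a\x00\x00\x00\x08"            # big-endian TIFF header, IFD0 at 8
            b"\x00\x01"                              # one IFD entry
            b"\x88\x25\x00\x04\x00\x00\x00\x01\x00\x00\x00\x1a"  # tag 0x8825 GPSInfo
            b"\x00\x00\x00\x00")                     # no next IFD
    exif = seg(APP1, b"Exif\x00\x00" + tiff)
    comment = seg(COM, b"Shot on a phone")
    sos = seg(SOS, b"\x01\x01\x00\x00\x3f\x00")
    scan = b"\x12\x34\xff\x00\x56"                   # includes a stuffed 0xFF00
    return b"\xff\xd8" + jfif + exif + comment + sos + scan + b"\xff\xd9"


if __name__ == "__main__":
    sample = build_sample()
    print("before:", [hex(m) for m in metadata_markers(sample)])
    print("after: ", [hex(m) for m in metadata_markers(strip_metadata(sample))])
```

Running the check on the server side of the upload, not only in the client, is the part worth keeping: a client bug or a modified app can skip the stripping, and a stray APP1 or APP13 marker in stored bytes is cheap to detect. Note that HEIC, PNG and other formats store metadata differently and need their own handling.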

EU Data Hosting

Your data is hosted on servers physically located in the European Union via Supabase. Cloudflare provides CDN and DDoS protection under the EU-U.S. Data Privacy Framework. Standard Contractual Clauses (SCCs) govern any data transfers outside the EEA.

Not a Medical Device

Aesthetic Pass is not a medical device under EU Medical Device Regulation (MDR 2017/745). It is a record-keeping and information platform for aesthetic treatments. It does not provide medical advice, diagnosis, or treatment recommendations. On the App Store, it is categorised as Health & Fitness, not Medical.

International Standards

GDPR is our primary compliance framework and we apply its protections to all users worldwide, regardless of their location. Our technical security measures — including AES-256 encryption, certificate pinning, row-level security, and encrypted backups — meet or exceed the standards required by major international data protection regulations.