Privacy Policy

How ByeAcne collects, uses, and protects your personal and medical information.

Last updated: April 1, 2025

1. Data Controller

The data controller for the information described in this policy is MedPilot LLC, the legal entity that owns and operates the ByeAcne platform. When this policy refers to "ByeAcne," "we," "us," or "our," it means MedPilot LLC. You can reach our Privacy Officer at privacy@byeacne.co.

2. Information We Collect

We collect the following categories of information when you create an account or submit a consultation:

  • Account information: name, email address, date of birth, and phone number (optional).
  • Medical information: skin photos, medical history, current medications, allergies, and responses to our intake questionnaire.
  • Device and usage data: IP address, browser type, and pages visited, used to maintain security and improve our platform.

We do not collect payment card numbers directly. Payments are processed by our PCI-compliant payment processor.

3. How We Use Your Information

  • To provide telehealth consultations and deliver your treatment plan.
  • To communicate with you about your consultations, account, and service updates.
  • To comply with legal and regulatory obligations, including HIPAA.
  • To maintain the security and integrity of our platform.
  • We do not sell your data, use it for advertising, or share it with third parties except as described in this policy or our HIPAA Notice of Privacy Practices.

4. Protected Health Information (PHI)

Medical information you provide constitutes Protected Health Information (PHI) under HIPAA. We handle all PHI in accordance with our HIPAA Notice of Privacy Practices. PHI is encrypted at rest using AES-256 and in transit using TLS 1.3. Access is restricted to the treating physician and authorized ByeAcne staff with a legitimate need.

5. Data Sharing

We share your information only in the following circumstances:

  • Treating physicians: Your intake form, photos, and medical history are shared with the licensed physician assigned to your consultation.
  • Pharmacies: With your consent, your prescription is sent electronically to your chosen pharmacy.
  • Service providers: We use HIPAA Business Associates for hosting, payment processing, and secure messaging. These parties are contractually bound to protect your data.
  • Legal requirements: We may disclose information if required by law or to protect the rights and safety of our users or the public.

6. Data Retention

We retain your medical records for a minimum of 7 years from your last consultation, as required by applicable state and federal law. You may request deletion of non-medical account data at any time by contacting support@byeacne.co.

7. Your Rights

  • Access: You may request a copy of your data through the app under Profile > Export my data.
  • Correction: You may ask us to correct inaccurate account information.
  • Deletion: You may request deletion of your account and non-PHI data. Medical records may be retained as required by law.
  • HIPAA rights: See our HIPAA Notice for a full description of your rights regarding your health information.

8. Security

We implement industry-standard security measures including AES-256 encryption at rest, TLS 1.3 in transit, multi-factor authentication for all staff and provider accounts, and regular third-party security audits. No transmission over the internet is 100% secure, but we take every reasonable precaution to protect your information.

9. Contact Us

If you have questions about this Privacy Policy or how we handle your information, contact us at privacy@byeacne.co. For HIPAA-related concerns, see our HIPAA Notice or contact our Privacy Officer at the same address.