Privacy Policy

This Privacy Policy explains how Dermaspace Esthetic & Wellness Centre Ltd ("Dermaspace", "we", "us") collects, uses, stores and shares the personal data of visitors and clients who interact with us in person at our Victoria Island and Ikoyi locations, on our website dermaspaceng.com, in our progressive web app, and through our Derma AI virtual assistant.

We are a Nigerian company and our processing of personal data is governed by the Nigeria Data Protection Act 2023 (NDPA) and any applicable subsidiary regulations issued by the Nigeria Data Protection Commission (NDPC).

Information you give us

• Account details — name, email, phone number, date of birth, gender, and password hash when you create an account.
• Booking & consultation data — services chosen, preferred location, skin and wellness concerns, allergies, and relevant medical history you choose to disclose.
• Payment data — wallet top-ups, gift card requests, and transaction references. Card numbers are processed by our payment partners (e.g. Paystack) and never stored on our servers.
• Communications — messages sent through contact forms, complaints, feedback surveys and Derma AI conversations.

Information collected automatically

• Device & usage data — IP address, device type, browser, pages viewed, referring URL, approximate location (city-level) and time-stamps of activity.
• Cookies & similar technologies — see our cookie section below.
• Push notification tokens — when you opt in to appointment reminders or admin announcements.

We process your personal data on the following lawful bases:

• Performance of a contract — to schedule and deliver treatments you have booked, process payments, manage wallets and gift cards, and provide customer support.
• Legitimate interest — to keep our website secure (rate-limiting, fraud prevention), improve our services, and measure aggregate usage.
• Consent — to send marketing emails, push notifications, location-aware banners and to operate Derma AI voice/video sessions.
• Legal obligation — to retain records required for accounting, tax and health-and-safety regulations.

Derma AI is our in-app virtual concierge. When you chat, speak or share images with Derma AI we collect the message contents and any attached media in order to answer your question and recommend relevant treatments.

• Conversation transcripts are stored against your account so you can review prior chats and we can resume context. You can delete a conversation at any time from the Derma AI panel.
• Snippets of conversation may be reviewed by trained staff to improve the assistant's quality. We never associate reviewed snippets with marketing profiles.
• Derma AI is a wellness tool — not a medical device. Recommendations do not replace consultation with a qualified physician. See our separate Derma AI Terms & Acceptable Use for the full ground rules.

We share personal data only with carefully selected partners:

• Hosting & infrastructure — our website, database and file storage run on infrastructure operated by Imoogle Technology, our technology partner. Your data is held in environments configured and monitored by Imoogle Technology under contractual data-protection commitments aligned with the NDPA.
• Communications — email and SMS providers used to deliver booking confirmations, OTPs and reminders.
• Payments — Paystack and other licensed payment processors for card and bank transactions.
• Analytics — we run our own first-party analytics, DermaspaceNG Analytics, hosted on Imoogle Technology infrastructure. It only stores aggregate, anonymised usage signals (page views, device class, referrer) so we can understand how the site is used. We do not share your activity with third-party advertising networks.
• AI providers — large-language-model providers used inside Derma AI. We contractually prohibit these providers from using your conversations to train their general models, and messages are scrubbed of identifying information before they leave our infrastructure where possible.

We never sell your personal data. We disclose data to law enforcement only when legally compelled by a valid Nigerian court order or equivalent process.

• Account data — kept for as long as your account is active. Deleting your account removes profile data within 30 days, except records we are legally required to retain.
• Booking & treatment records — kept for 7 years after your last visit to comply with health and tax regulations.
• Marketing consent records — kept until you opt out, plus 12 months for proof of consent.
• Derma AI transcripts — kept for 12 months unless you delete them sooner.

Protecting your information is not a checkbox for us — it is a system of real, layered controls maintained jointly by our team and our infrastructure partner Imoogle Technology. The following safeguards are live in production today:

• Encryption in transit and at rest — every request is served over HTTPS (TLS 1.2+), and all stored personal data, backups and uploaded files are encrypted at rest using industry-standard AES-256.
• Strong authentication — passwords are hashed with bcrypt at a high work factor; we never store passwords in plaintext. Two-factor authentication and passkeys (WebAuthn) are available to every account, and high-risk actions (password changes, wallet withdrawals, account deletion) require step-up re-authentication.
• Hardened sessions — sessions use HTTP-only, Secure, SameSite cookies with device-binding and a rolling 30-day expiry. Sessions can be revoked instantly from your dashboard.
• Abuse & intrusion controls — every public endpoint is rate-limited; suspicious sign-in attempts trigger automatic lockouts and email alerts; CSRF tokens, strict CSP headers and bot-protection challenges run on every page.
• Least-privilege access — production database and file-storage access is restricted to a small number of vetted engineers, gated behind multi-factor authentication, and every access is audit-logged. We never grant blanket read access to customer data.
• Continuous monitoring — DermaspaceNG Analytics, error monitoring and uptime checks run 24/7 on Imoogle Technology infrastructure, with on-call rotation for security incidents.
• Regular backups & recovery drills — point-in-time database backups are taken automatically and tested on a recurring schedule so we can recover quickly without data loss.
• Responsible disclosure — found a vulnerability? Email security@dermaspaceng.com and we will respond promptly.

No system is perfectly secure, but we work hard to make sure the controls above stay in place and improve over time. If a security incident ever affects your data, we will notify you and the Nigeria Data Protection Commission within the timelines required by the NDPA.

Under the NDPA you have the right to access, correct, port, delete or object to the processing of your personal data, and to withdraw consent at any time. To exercise these rights, email info@dermaspaceng.com with the subject line "Data request". We will respond within 30 days.

You also have the right to lodge a complaint with the Nigeria Data Protection Commission at ndpc.gov.ng.

We use a small number of strictly-necessary cookies (session, CSRF, consent state) and, with your consent, analytics cookies that help us understand how the site is used. You can clear cookies through your browser at any time; doing so will sign you out of the site.

Our services are intended for adults aged 18 and above. Bookings for minors must be made by a parent or guardian who provides consent on their behalf. We do not knowingly collect personal data from children.

We may update this Privacy Policy from time to time. Material changes will be announced on this page and, where appropriate, by email or push notification before they take effect.