Privacy Policy

Effective Date: April 27, 2026

Introduction

DPhiant Corporation, a Delaware corporation (DPhiant, we, us, or our), provides cosmetic products, including a blemish care product containing 2% salicylic acid, and operates websites, social media pages, and other online services (collectively, the Services). This Privacy Policy explains how we collect, use, disclose, and safeguard Personal Information. This Policy applies to Personal Information we process about consumers, website visitors, customers, creators, influencers, and other individuals located in the United States and, where applicable, the European Economic Area (EEA), the United Kingdom (UK), and Switzerland.

Key Terms

Personal Information means information that identifies, relates to, describes, can be associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, as those terms may be defined under applicable law (e.g., GDPR personal data, CCPA personal information).

Sensitive Personal Information includes data such as precise geolocation, account log-in credentials, payment card information with security code, health information, racial or ethnic origin, and other categories defined by applicable law.

Controller means DPhiant when we determine the purposes and means of processing Personal Information.

Processor means a third party that processes Personal Information on our behalf pursuant to our instructions.

Scope and Eligibility

This Policy covers Personal Information collected through the Services, at our events, through our customer service channels, and from third-party partners. It does not apply to job applicants or employees, which are covered by a separate notice, or to information that is de-identified or aggregated. Business-to-business contact information (e.g., from wholesale or retail partners) is within the scope of this Policy to the extent it constitutes Personal Information under applicable law. Independent contractor creators and influencers are covered by this Policy, not by the employee notice. Where applicable law permits requests at the household level, we will respond to verifiable household-level requests in accordance with such law.

Notice at Collection (U.S. State Laws)

We collect the categories of Personal Information described in the Information We Collect section for the purposes described in How We Use Personal Information, retain such information for the retention periods described below, and may sell or share Personal Information for cross-context behavioral advertising as described in Your Privacy Choices. You may exercise your rights as described in State-Specific Disclosures.

Information We Collect

Identifiers and contact information, such as name, alias, username, postal address, email address, phone number, and unique identifiers.

Commercial information, such as products viewed, purchased, returned, or considered; subscription and loyalty information; and interactions with customer service.

Payment and transaction data, such as payment card tokens, billing address, and transaction history processed via PCI-compliant processors; we do not store full card numbers.

Internet or network activity, such as browsing history, search history, clickstream data, device identifiers, IP address, cookie IDs, referral URLs, and analytics.

Geolocation data, including approximate location derived from IP address and, with consent, precise location data.

User Generated Content (UGC), such as photos, videos, reviews, comments, testimonials, social media posts, handles, and content you tag with #DPhiant (or other variants of our name) or otherwise submit to us.

Influencer and creator information, such as name, contact details, social media handles, audience metrics, payment information, tax information, content deliverables, and contractual details.

Health and skin-related information that you choose to provide to us in connection with product inquiries or support (e.g., skin type, sensitivities, acne concerns). We do not require medical information to purchase our cosmetic products, and our products are intended for cosmetic use only.

Inferences drawn from the above, such as preferences, interests, and propensity to purchase.

Automated Decision-Making and Profiling

We may use automated tools to analyze Personal Information for purposes such as fraud detection, content personalization, and marketing segmentation. We do not currently use automated decision-making that produces legal or similarly significant effects on consumers without human review. If we implement such processing in the future, we will provide specific notice, disclose the logic involved, and offer the right to opt out or request human review as required by applicable law, including GDPR Article 22 and applicable U.S. state laws.

Sources of Personal Information

We collect Personal Information directly from you, automatically from your device and browser, from our service providers and partners (including analytics, advertising, payment, shipping, and fraud prevention providers), from social media platforms, and from creators and influencers who collaborate with us.

How We Use Personal Information

To provide, operate, and improve the Services, process orders and payments, fulfill and deliver products, authenticate users, and provide customer service.

To personalize experiences and content, including product recommendations, UGC features, and targeted offers.

For marketing and advertising, including interest-based advertising, cross-context behavioral advertising, and measuring campaign performance across websites, apps, and social media.

To manage creator and influencer programs, including content planning, performance measurement, compliance review, and payments.

To operate our building-in-public activities, including reposting, amplifying, and showcasing UGC and behind-the-scenes content, and engaging with users on social media, subject to the UGC and Creator Terms below.

To detect, investigate, and prevent fraud, abuse, security incidents, and illegal activities; and to protect our rights, property, users, and the public.

For research and product development, quality assurance, and safety monitoring, including assessing product performance and adverse reactions.

To comply with legal obligations, respond to lawful requests and legal process, and exercise or defend legal claims.

Legal Bases for Processing (EEA/UK/Switzerland)

We process Personal Information on the following legal bases: (a) performance of a contract (e.g., to fulfill orders); (b) legitimate interests (e.g., to secure and improve the Services, personalize content, and conduct marketing where not overridden by your interests or rights); (c) consent (e.g., for certain cookies, email marketing where required, precise location, or processing of health-related information you choose to provide); and (d) compliance with legal obligations.

Sharing and Disclosure of Personal Information

We share Personal Information with: service providers and contractors; advertising and analytics partners; payment processors; shipping and logistics providers; fraud prevention and security partners; professional advisors; affiliates; and in connection with business transfers such as mergers or acquisitions.

We may disclose UGC and creator content publicly across our Services and social media channels consistent with your settings, consents, and applicable law.

We may disclose Personal Information to law enforcement, regulators, or courts when required by law or to protect rights and safety.

Selling or Sharing Personal Information (U.S. State Laws)

We may sell or share for cross-context behavioral advertising Identifiers, Internet or network activity, and Inferences with advertising and social media partners to deliver interest-based ads. You may opt out as described in Your Privacy Choices. We do not sell or share Sensitive Personal Information, including health and skin-related information, for cross-context behavioral advertising or any other purpose not permitted by applicable law. We do not knowingly sell or share the Personal Information of consumers under 16 years of age.

Cookies and Online Tracking

We and our partners use cookies, pixels, SDKs, and similar technologies to operate the Services, remember preferences, measure performance, and deliver ads. We categorize these technologies as follows: (a) strictly necessary cookies, which are essential to the operation of the Services and cannot be disabled; (b) functional cookies, which remember your preferences and settings; (c) analytics cookies, which help us understand how visitors interact with the Services; and (d) advertising cookies, which are used to deliver relevant ads and measure campaign performance. Cookie lifespans vary by category; session cookies expire when you close your browser, and persistent cookies remain for up to 13 months unless you delete them sooner. For visitors in the EEA, UK, and Switzerland, we deploy a Consent Management Platform (CMP) that presents a granular, opt-in consent mechanism for all non-essential cookies before they are set. Consent is freely given, specific, informed, and withdrawable at any time through our Cookie Settings. For all other visitors, you can manage preferences via our Cookie Settings and through your browser or device settings. Some features may not function if you disable non-essential cookies.

User Generated Content and Creator Terms

By submitting, posting, or tagging content to us or our handles, or by responding to our request to use your content with a hashtag such as #DPhiant, #iamDPhiant, #YesDPhiant or similar, you grant DPhiant a worldwide, sublicensable, transferable, royalty-free license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly perform, and publicly display your content in any media now known or later developed for marketing, advertising, promotional, and operational purposes related to the Services, without additional approval or compensation, to the maximum extent permitted by law.

You may request withdrawal of this license by contacting us at hello@dphiant.com with the subject line "UGC Withdrawal." Upon receipt of a verified withdrawal request, we will use commercially reasonable efforts to cease new uses of your content within thirty (30) days; however, the license shall survive with respect to content already distributed, published, sublicensed, or incorporated into materials prior to the effective date of withdrawal. Where your content contains Personal Information and you exercise a right to erasure under applicable data protection law (including GDPR Article 17), we will process the request in accordance with the applicable legal framework, which may require deletion of the content from our systems to the extent technically feasible.

You represent and warrant that you own or control all rights in and to your content, have permission from any identifiable individuals, and that your content does not infringe or violate any rights, including intellectual property, privacy, or publicity rights, or contain misleading claims about cosmetic benefits.

Creators and influencers engaged by DPhiant are subject to written agreements and must comply with applicable advertising and endorsement laws and regulations, including the FTC Endorsement Guides and platform policies. Creators must clearly and conspicuously disclose material connections to DPhiant and make only truthful, non-misleading statements limited to cosmetic claims consistent with product labeling and applicable law.

We may moderate, remove, or decline to use any content at our discretion. We are not responsible for content posted by users or third parties.

Children’s Privacy

Children Under 13. The Services are not directed to children under 13, and we do not knowingly collect Personal Information from children under 13. If we learn that a child under 13 has provided Personal Information, we will delete it promptly. If you are a parent or guardian and believe your child under 13 has provided Personal Information, please contact us at hello@dphiant.com.

Minors Ages 13 to 17. We recognize that our cosmetic products, including blemish care products, may be of interest to minors. We do not knowingly sell or share the Personal Information of consumers under 16 years of age for cross-context behavioral advertising without affirmative authorization as required by the CCPA. For consumers between 13 and 15, such authorization must come from a parent or guardian; consumers aged 16 or 17 may provide their own opt-in. Where we have actual knowledge that a user is a minor, we apply heightened protections, including limiting targeted advertising and profiling directed at minors.

Voidable Sales to Minors. DPhiant may accept orders from minors under the age of 18. Such transactions may be voidable at the election of the minor or their parent or guardian to the extent permitted by applicable law. If a transaction is voided, we will promptly delete or return the Personal Information collected in connection with that transaction upon request, unless retention is required by law.

UK Age Appropriate Design Code. For users under 18 located in the United Kingdom, we design our Services with the best interests of the child in mind, in accordance with the UK Age Appropriate Design Code (Children's Code). We apply age-appropriate default privacy settings, minimize data collection, and do not use personal data in ways that are detrimental to the child's well-being.

Retention

We retain Personal Information for as long as necessary to fulfill the purposes described in this Policy, including to provide the Services, comply with legal obligations, resolve disputes, enforce our agreements, and for backup, archiving, and audit purposes. We apply the following category-level retention criteria:

(a) Account and profile data: retained for the duration of your account and for three (3) years following account closure or last activity, unless longer retention is required by law.

(b) Transaction and payment data: retained for seven (7) years following the transaction date to comply with tax, accounting, and financial reporting obligations.

(c) Marketing and advertising data: retained until you opt out or withdraw consent, plus a reasonable suppression period (not to exceed ninety (90) days) to honor your preference.

(d) Health and skin-related information: retained only for the duration necessary to respond to your inquiry or support request, and in any event no longer than three (3) years, unless retention is required for adverse event reporting or legal compliance.

(e) UGC and creator content: retained for the duration of the license granted under this Policy, subject to any withdrawal request as described in User Generated Content and Creator Terms.

(f) Cookies and device-level data: retained in accordance with the cookie lifespans described in Cookies and Online Tracking.

(g) Legal and compliance records: retained as required by applicable law, regulation, or legal hold.

When retention is no longer necessary, we will securely delete or de-identify Personal Information in accordance with our data retention and disposal procedures.

Security

We use Shopify for our platform. Please see Shopify’s terms and conditions regarding security at www.shopify.com. Shopify is responsible for all security-related aspects of our website, and by accessing and using our website, you agree to Shopify’s terms and conditions regarding security, and agree to hold us harmless in this regard. If you have any questions, however, you may contact us at hello@dphiant.com.

Data Breach Notification

In the event of a security incident involving unauthorized access to, or acquisition of, Personal Information that triggers notification obligations under applicable law, we will notify affected individuals and regulators within the timeframes required by such law (including, where applicable, the seventy-two (72) hour notification requirement under GDPR Articles 33 and 34 for supervisory authorities). Notification will describe the nature of the incident, the categories of Personal Information affected, the likely consequences, and the measures taken or proposed to address the incident. We will also cooperate with applicable regulators and law enforcement as required.

International Data Transfers

Your Personal Information may be transferred to, stored in, or accessed from countries outside your country of residence, including the United States, which may have data protection laws different from those in your jurisdiction. Where required, we implement appropriate safeguards, including:

(a) Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by Transfer Impact Assessments (TIAs) to evaluate the legal framework of the recipient country and implement additional technical and organizational measures where necessary;

(b) reliance on the EU-U.S. Data Privacy Framework, the UK Extension thereto, and the Swiss-U.S. Data Privacy Framework, where our service providers or partners have self-certified under such frameworks;

(c) supplementary measures such as encryption in transit and at rest, pseudonymization, contractual commitments restricting onward disclosure, and, where applicable, commitments regarding government access requests; and

(d) any other transfer mechanism recognized under applicable data protection law.

You may request a copy of the safeguards we rely on by contacting us at hello@dphiant.com.

Your Privacy Choices

We use Shopify for our platform. Please see Shopify’s terms and conditions regarding your privacy choices at www.shopify.com. Shopify is responsible for all privacy choice-related aspects of our website, and by accessing and using our website, you agree to Shopify’s terms and conditions regarding privacy, and agree to hold us harmless in this regard. If you have any questions, however, you may contact us at hello@dphiant.com.

Access, Correction, and Deletion Rights

Subject to applicable law, you may request access to, correction of, or deletion of your Personal Information, and to receive a portable copy of certain information. To exercise your rights, submit a request to https://dphiant.com/pages/contact or hello@dphiant.com. We will verify your request and respond as required by law.

EEA/UK/Swiss Individuals’ Rights

Subject to exceptions, you have the right to object to processing based on legitimate interests, to withdraw consent at any time without affecting the lawfulness of processing before withdrawal, to restrict processing, and to lodge a complaint with a supervisory authority. Our EU/UK representative designated under GDPR Article 27 and UK GDPR Article 27 can be contacted at hello@dphiant.com.

Appeals and Authorized Agents (U.S. State Laws)

If we deny your request, you may appeal by contacting hello@dphiant.com with “Privacy Appeal” in the subject line. You may use an authorized agent to submit requests where permitted by law, subject to our verification steps.

De-Identified and Aggregated Data

We may use, disclose, and maintain de-identified or aggregated data and will not attempt to re-identify de-identified data except as permitted by law to test and maintain its de-identification.

Financial Incentives and Loyalty Programs

We may offer programs that provide benefits in exchange for Personal Information (e.g., referrals, loyalty, or UGC campaigns). We will describe material terms, how to opt in, and how to withdraw at any time. Any difference in price or service will reasonably relate to the value of the Personal Information. We estimate the value of Personal Information collected in connection with each program using a good-faith methodology based on the expense related to the collection and processing of such information, the revenue generated from the program, and the cost of providing the benefit to participants.

Third-Party Links and Features

The Services may contain links to third-party websites, apps, or features, including social media plugins. We do not control these third parties and are not responsible for their privacy practices. We encourage you to read their privacy policies.

Do Not Track

Some browsers transmit Do Not Track signals. Our Services do not respond to Do Not Track signals. We recognize the Global Privacy Control as described above for state law purposes.

Governing Law and Venue

This Policy and any disputes relating to it are governed by the laws of the State of New York, without regard to conflicts of law principles. Any claims shall be brought exclusively in the state or federal courts located in New York County, New York, except that: (a) nothing in this section limits the rights of individuals in the EEA, UK, or Switzerland to bring claims in the courts of their country of habitual residence or to lodge a complaint with their local supervisory authority in accordance with GDPR Article 79 and equivalent provisions under UK and Swiss data protection law; and (b) where mandatory consumer protection laws of your jurisdiction provide otherwise, those laws shall apply to the extent required.

Changes to This Policy

We may update this Policy from time to time. If we make material changes, we will provide notice by: (a) updating the Effective Date and posting the revised Policy on our website; (b) sending email notice to registered users at the email address associated with their account at least thirty (30) days before the changes take effect; and (c) where changes affect processing activities for which we rely on consent, obtaining fresh consent from affected individuals before the changes take effect. For non-material changes, we will update the Effective Date and post the revised Policy. Your continued use of the Services after the effective date of a revised Policy constitutes acceptance of the changes, except where affirmative consent is required by applicable law.

Contact Us

If you have questions or requests, contact us at: DPhiant Corporation, hello@dphiant.com. If you are in the EEA/UK/Switzerland, you may also contact your data protection authority.

State-Specific Disclosures (California, Virginia, Colorado, Connecticut, Utah, and others)

California residents have the right to know the categories and specific pieces of Personal Information collected, sources, purposes, and third parties; to delete Personal Information; to correct inaccuracies; to opt out of sales and sharing; to limit the use and disclosure of Sensitive Personal Information where applicable; and to not be discriminated against. We have disclosed the categories collected, purposes, and recipients in this Policy. We do not use Sensitive Personal Information for purposes other than those permitted by law.

Virginia, Colorado, Connecticut, and Utah residents have rights to access, correct, delete, obtain a portable copy, and opt out of targeted advertising, sale, and certain profiling. We honor the Global Privacy Control where required.

Nevada residents may opt out of sales by emailing hello@dphiant.com with “Nevada Opt Out” in the subject line.

Regulatory Disclosures for Cosmetic Products

Our cosmetic products, including the blemish care product containing 2% salicylic acid, are intended for external, cosmetic use only and are not intended to diagnose, treat, cure, or prevent any disease. We may collect and use information you provide regarding product experience, including potential adverse reactions. You should discontinue use and consult a physician if irritation or sensitivity occurs. To report an adverse reaction, contact us at hello@dphiant.com. We may share adverse event information with regulators as required by law.