Privacy Policy

Effective Date: June 19, 2026
Last Updated: July 9, 2026

This Privacy Policy ("Policy") describes how Top Dermatology, Inc. ("Top Dermatology," "we," "us," or "our") collects, uses, discloses, and otherwise processes personal information in connection with the website located at https://www.topdermatology.com and any related pages, features, content, and online services we provide (collectively, the "Site"). By accessing or using the Site, you acknowledge that you have read and understood this Policy.

1. About the Site and Scope of This Policy

The Site is an online directory that helps consumers locate and contact dermatologists and dermatology providers, and that allows dermatology providers to create profiles and free listings, or purchase paid or sponsored listings. The Site connects consumers with providers; it does not provide any of the underlying professional services that providers offer.

We are not a healthcare provider. Top Dermatology is not a medical or healthcare provider, is not a "covered entity" or "business associate" under the Health Insurance Portability and Accountability Act ("HIPAA"), and does not provide medical advice, diagnosis, or treatment. Use of the Site does not create a doctor-patient, provider-patient, or any other professional relationship between you and Top Dermatology. The information you submit through the Site is general contact and inquiry information and is not intended to be, and should not be treated as, protected health information. Please do not submit sensitive medical, clinical, or health-condition details through the Site's forms. Any health-related information you choose to include in a free-text message is provided voluntarily and at your own discretion.

This Policy applies to two principal categories of users:

  • Consumers — individuals who search, browse, or submit contact or per-provider inquiry forms through the Site.
  • Providers — dermatologists and dermatology practices who register accounts and may pay for listings on the Site.

This Policy does not apply to: (a) the information practices of the third-party providers listed in the directory or any provider you choose to contact, who handle your information under their own privacy policies and applicable laws (including, where applicable, HIPAA); or (b) any third-party websites, applications, products, or services that may be linked from the Site. We encourage you to review the privacy policies of any third party before providing them with personal information.

2. Information We Collect

We collect personal information from and about you in several ways: information you provide to us directly, information we collect automatically through your use of the Site, and information we receive from third parties and service providers. The categories of personal information we collect, the sources of that information, and the business or commercial purposes for which it is collected are described below. The bracketed labels correspond to the statutory categories of personal information identified under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the "CCPA").

2.1 Information You Provide Directly

Provider account and profile information. When a provider registers for or maintains an account or listing, we collect: name; email address; password (stored in hashed form); practice or business name; business mailing address; telephone number; photograph; and professional details such as credentials, specialties, education, board certifications, languages spoken, financing or payment options offered, website address, and social media links. [CCPA categories: Identifiers; Professional or Employment-Related Information; Commercial Information; in some cases visual information from a photo.]

Consumer contact and inquiry information. When a consumer submits a contact form or a per-provider inquiry, we collect: first and last name; email address; daytime telephone number; the reason for the inquiry; and the content of the message. Per-provider inquiries are forwarded to the provider you select. [CCPA categories: Identifiers; Commercial Information; and any information you voluntarily include in your message.]

Search inputs. When you use the directory's search and filtering tools, we collect the search criteria you enter, which may include ZIP code; city, county, or state; insurance; specialty; and gender preference. [CCPA categories: Identifiers (approximate location); Internet or Other Electronic Network Activity; potentially Inferences.]

Billing and payment information. When a provider purchases a paid or sponsored listing, payment is processed by our third-party payment processor. The cardholder name, payment card number, and billing details are collected and processed directly by the payment processor; we receive only limited transaction-related information (such as confirmation of payment and partial card details). We do not store full payment card numbers on our systems. [CCPA categories: California Customer Records information (Cal. Civ. Code Section 1798.80(e)), including payment/financial details; Commercial Information; Identifiers.]

2.2 Information We Collect Automatically

When you access or use the Site, we and our analytics and security service providers automatically collect certain information through cookies, tags, scripts, and similar technologies, including: Internet Protocol (IP) address; device and browser type and settings; operating system; the pages and content you view; the links you click; the website or source that referred you to the Site; approximate geographic location (derived from IP address); dates and times of access; and other usage and diagnostic data. [CCPA categories: Identifiers; Internet or Other Electronic Network Activity Information; Geolocation Data (approximate); Inferences.]

2.3 Information From Third Parties and Service Providers

We may receive information about you or about provider listings from third parties, including: our payment processor (transaction confirmation and limited payment metadata); review and ratings data displayed through the Yelp API; mapping data from Google Maps; analytics and measurement data from Google Tag Manager and Google Analytics 4; and risk and fraud signals from Google reCAPTCHA. [CCPA categories: Identifiers; Commercial Information; Internet or Other Electronic Network Activity Information; Inferences.]

2.4 Sensitive Personal Information

The only "sensitive personal information" (as defined under the CCPA) that we collect is the account log-in credentials — an email address in combination with a password — that providers use to access their accounts. We use these credentials solely to authenticate and secure provider accounts, which is a purpose that does not trigger the right to limit the use of sensitive personal information. We do not otherwise seek to collect sensitive personal information, and we ask that you not submit health, medical, or other sensitive information through the Site. To the extent you voluntarily include sensitive information in a free-text message or inquiry, you do so at your own discretion, and we use it only for the purpose of responding to or forwarding your request.

3. How We Use Personal Information

We use the personal information we collect for the following business and commercial purposes:

  • To operate, provide, maintain, and improve the Site and the directory service, including displaying provider profiles and enabling search and filtering;
  • To create, authenticate, and manage provider accounts and listings;
  • To process and forward consumer contact forms and per-provider inquiries to the provider you select;
  • To process payments and manage billing for paid and sponsored listings through our payment processor;
  • To send transactional and administrative communications, such as account notices, inquiry confirmations, listing status, receipts, and service-related announcements;
  • To respond to your questions, requests, and customer-support needs;
  • To personalize and improve your experience, including remembering your preferences andsearch inputs;
  • To measure and analyze traffic, usage, and trends, and to develop new features and content;
  • To detect, prevent, investigate, and respond to fraud, abuse, spam, security incidents, and other malicious, deceptive, or illegal activity, including through bot-detection technologies;
  • To enforce our Terms of Use and other agreements, and to protect the rights, property, and safety of Top Dermatology, our users, providers, and others;
  • To comply with applicable laws, regulations, legal processes, and governmental requests, and to establish, exercise, or defend legal claims;
  • To carry out a merger, acquisition, financing, reorganization, or other corporate transaction as described below; and
  • For any other purpose disclosed to you at the time of collection or to which you consent.

We may de-identify, aggregate, or anonymize personal information and use it for any lawful purpose, including analytics, research, and improving our services. We maintain de-identified information in de-identified form and do not attempt to re-identify it except as permitted by law.

4. Cookies and Tracking Technologies

We and our service providers use cookies, pixels, tags, scripts, software development kits, and similar technologies (collectively, "cookies") to operate the Site, remember your preferences, secure the Site, and understand how the Site is used. The types of cookies we use include:

  • Strictly necessary / session cookies. Required for the Site to function, including for navigation, account login and authentication, session management, and security. The Site may not work properly without these.
  • Analytics and measurement cookies. Used through Google Tag Manager and Google Analytics 4 to collect usage and performance data so we can understand and improve how visitors use the Site. In the preference center described below these fall under the Statistics category, and they are not set if you opt out.
  • Security and fraud-prevention cookies. Used through Google reCAPTCHA and similar tools to distinguish humans from automated traffic and to help protect the Site against spam, abuse, and fraud. These tools collect device and usage signals for this purpose.

The WordPress blog located at /blog may set its own cookies, including in connection with blog comments and content delivery.

How to control cookies. Most web browsers allow you to manage cookies through their settings, including to block or delete cookies. You can also typically refuse or remove cookies through your device or browser controls. Disabling certain cookies may affect the availability or functionality of parts of the Site. For Google Analytics, you may opt out using Google's browser add-on available at https://tools.google.com/dlpage/gaoptout.

Global Privacy Control and browser signals. Some browsers and extensions transmit an opt-out preference signal, such as the Global Privacy Control ("GPC"). Where required by applicable law, we treat a recognized opt-out preference signal received from your browser or device as a valid request to opt out of the "sale" or "sharing" of personal information for that browser or device. Because such signals are typically device- or browser-specific, they may not be associated with your account or other devices unless you are logged in.

"Do Not Track." Some browsers offer a "Do Not Track" ("DNT") setting. Because there is no common industry or legal standard for recognizing or honoring DNT signals, the Site does not currently respond to DNT signals. We do, however, honor recognized GPC signals as described above.

4.1 Your Cookie Choices — "Your Privacy Choices"

When you first visit the Site we display a cookie-consent banner. You can review or change your choices at any time by selecting "Your Privacy Choices" or "Do Not Sell or Share My Personal Information" in the website footer, which opens a preferences panel where you can turn these categories on or off:

  • Strictly necessary (always active) — security, sign-in, forms, and remembering your privacy choice. These never track you for advertising and cannot be switched off.
  • Preferences — remembers functional choices, such as blog-comment details.
  • Statistics — Google Analytics 4, to understand Site usage in aggregate.
  • Marketing — advertising and remarketing. We do not set Marketing cookies on a typical visit today; the category is available should we enable advertising in the future.

Consistent with California's opt-out model, Statistics and Marketing cookies are used unless you opt out. You may opt out at any time by (a) selecting "Your Privacy Choices" or "Do Not Sell or Share My Personal Information" in the footer and turning a category off, then saving; (b) selecting Reject on the cookie banner; or (c) enabling a recognized opt-out preference signal such as the Global Privacy Control (described above), which we honor automatically. When you opt out, we stop setting new Statistics and Marketing cookies and disable analytics collection on later page loads; strictly necessary cookies remain. If you visit from the European Economic Area, the United Kingdom, or Switzerland, these categories are denied by default until you opt in.

Your choice is stored in a first-party cookie on your device so we do not ask again on your next visit. Clearing your cookies, or using a different browser or device, resets your choice; on some browsers (for example, Safari) the cookie may be retained for a shorter period, in which case we will ask again.

The specific cookies and similar technologies we use for these purposes — including their providers and how long they last — may change from time to time as we add, remove, or update Site features and service providers. Regardless of the specific technologies in use at any given time, each is handled according to the four categories described above, and you can review or change your choices at any time using the options described in this section.

Google reCAPTCHA and session/security cookies are strictly necessary and are set to protect the Site regardless of your Statistics or Marketing choice.

5. How We Share and Disclose Personal Information

We disclose personal information in the following circumstances:

  • Providers you choose to contact. When you submit a per-provider inquiry, we forward your inquiry — including your name, email address, telephone number, reason for inquiry, and message — to the provider you select so that the provider can respond. Once shared, that information is handled by the provider under its own privacy practices and applicable law.
  • Public profile information. Provider profile information (such as name, practice name, business address, phone, photo, credentials, specialties, and links) is published publicly on the Site and may be indexed by search engines and viewed by anyone. Providers should not include information in their profiles that they do not wish to be public.
  • Service providers and processors. We share personal information with vendors and service providers who perform services on our behalf — such as payment processing, email delivery, mapping, analytics and measurement, bot and fraud prevention, hosting, and IT support — under contracts that limit their use of the information to providing services to us. These are described in Section 6.
  • Legal, safety, and compliance. We may disclose personal information when we believe in good faith that disclosure is necessary to: comply with applicable law, regulation, legal process, subpoena, or governmental request; enforce our Terms of Use or other agreements; detect, prevent, or address fraud, security, or technical issues; or protect the rights, property, or safety of Top Dermatology, our users, providers, or others.
  • Business transfers. If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, receivership, sale of company assets, or transition of service to another provider, personal information may be transferred or disclosed as part of, or in connection with the diligence for, that transaction, subject to standard confidentiality protections.
  • With your consent or at your direction. We may share personal information for any other purpose disclosed to you at the time of collection or with your consent.

5.1 "Sale" and "Sharing" Under California Law

We do not sell personal information in exchange for money. However, under the CCPA, the terms "sell" and "share" are defined broadly and can include disclosures of certain identifiers and internet-activity information to third-party advertising and analytics technologies for purposes such as cross-context behavioral advertising or analytics. Our use of analytics and advertising-related technologies (such as Google Analytics and Google Tag Manager) may be considered a "sale" or "sharing" of personal information under those broad definitions.

You have the right to opt out of any such "sale" or "sharing." To exercise this right, you may: (a) use the "Do Not Sell or Share My Personal Information" link or mechanism made available on the Site; (b) submit a request through the methods described in Section 9; or (c) enable a recognized opt-out preference signal such as the Global Privacy Control, which we will honor for the applicable browser or device as described in Section 4. We do not knowingly sell or share the personal information of consumers under 16 years of age.

6. Third-Party Services and Links

We use the following third-party service providers, each of which processes information in accordance with its own privacy policy:

The Site also hosts a WordPress blog at /blog, which may set its own cookies and collect information you submit through blog comments. The Site may contain links to third-party websites, including provider websites and social media pages. We are not responsible for the privacy practices or content of any third party, and the inclusion of a link does not imply our endorsement. We encourage you to review the privacy policy of every third-party service or website you visit.

7. Data Retention

We retain personal information for as long as reasonably necessary to fulfill the purposes for which it was collected, as described in this Policy, including to provide the Site and directory service, maintain provider accounts and listings, process and forward inquiries, complete transactions, and to comply with our legal, accounting, tax, and reporting obligations, resolve disputes, and enforce our agreements. When personal information is no longer needed for these purposes, we will delete, de-identify, or securely dispose of it in accordance with our retention practices and applicable law. The criteria we use to determine retention periods include the nature and sensitivity of the information, the purposes for which it is processed, the duration of the account or listing relationship, and applicable legal requirements.

Analytics data. Usage information collected through Google Analytics is retained for up to 14 months, in accordance with the data-retention controls available in Google Analytics; when that period expires, the associated user-level and event-level analytics data is automatically deleted. Aggregated or de-identified analytics reporting that is not linked to an individual identifier may be retained for longer.

8. Data Security

We maintain reasonable administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, use, alteration, disclosure, and destruction. These measures include encryption in transit, access controls, hashed storage of account passwords, and the use of a PCI-compliant payment processor for payment transactions. However, no method of transmission over the Internet or method of electronic storage is completely secure, and we cannot guarantee the absolute security of your personal information. You are responsible for maintaining the confidentiality of your account credentials and for any activity under your account. If you have reason to believe your interaction with the Site is no longer secure, please contact us using the information in Section 15.

9. California Privacy Rights (CCPA/CPRA)

This Section applies to California residents and supplements the rest of this Policy. Under the CCPA, California residents have the following rights, subject to certain exceptions and limitations:

  • Right to know / access. You may request that we disclose the categories and specific pieces of personal information we have collected about you; the categories of sources; the business or commercial purposes for collecting, selling, or sharing it; and the categories of third parties to whom we disclose it.
  • Right to delete. You may request that we delete personal information we collected from you, subject to certain exceptions (for example, where we need to retain information to complete a transaction, comply with law, detect security incidents, or exercise legal rights).
  • Right to correct. You may request that we correct inaccurate personal information we maintain about you.
  • Right to opt out of sale or sharing. You may opt out of the "sale" or "sharing" of your personal information as described in Section 5.1, including through the "Do Not Sell or Share My Personal Information" mechanism and recognized opt-out preference signals.
  • Right to limit use of sensitive personal information. To the extent we use sensitive personal information for purposes beyond those permitted without a limitation right under the CCPA, you may direct us to limit such use. As noted, we do not use sensitive personal information for purposes that trigger this right; we use it only to perform the service you request.
  • Right to non-discrimination. We will not discriminate against you for exercising any of your CCPA rights, such as by denying service, charging different prices, or providing a different level or quality of service.

9.1 How to Exercise Your Rights

You may submit a request to know, delete, or correct by: (a) using the Contact form on the Site; or (b) emailing us at the address shown in the “How to Contact Us” section (Section 15). You may also exercise the right to opt out of sale or sharing through the methods described in Section 5.1, which do not require account verification.

9.2 Verification

To protect your information, we will take reasonable steps to verify your identity before responding to a request to know, delete, or correct. Verification may require us to match information you provide in your request (such as your name, email address, and details about your interactions with the Site) against information in our records. We may request additional information if necessary to verify your identity or the authority of an authorized agent. We will use information collected for verification only for that purpose.

9.3 Authorized Agents

You may use an authorized agent to submit a request on your behalf. We may require the agent to provide proof that you gave the agent signed permission to act on your behalf, require you to verify your identity directly with us, and require you to confirm that you provided the agent permission to submit the request.

9.4 Response Timeline and Appeals

We will confirm receipt of a verifiable request within ten (10) business days and respond within forty-five (45) calendar days, with the ability to extend by an additional forty-five (45) days where reasonably necessary, in which case we will notify you. If we deny your request, you may appeal our decision by contacting us using the information in Section 15; we will respond to your appeal within the time required by applicable law. If you have concerns about our response, you may also contact the California Privacy Protection Agency or the California Attorney General.

9.5 Notice at Collection Summary

At or before the point of collection, we provide this summary of our practices. The categories of personal information we collect are: identifiers; California customer records information (including payment details); commercial information; internet or other electronic network activity information; geolocation data (approximate); professional or employment-related information; sensory/visual information (such as provider photos); and inferences (collectively as described in Section 2). We collect this information for the business and commercial purposes described in Section 3. We retain each category as described in Section 7. We disclose personal information to the categories of recipients described in Section 5. Our use of analytics and advertising technologies may constitute a "sale" or "sharing" under the CCPA, and you may opt out as described in Section 5.1. We do not use or disclose sensitive personal information for purposes that would require us to offer a right to limit beyond what is described in this Policy.

9.6 California "Shine the Light"

California Civil Code Section 1798.83 permits California residents to request information about our disclosure of personal information to third parties for those third parties' own direct marketing purposes. We do not disclose personal information to third parties for their own direct marketing purposes. California residents may request this information by contacting us using the information in Section 15.

10. Other U.S. State Privacy Rights

Depending on where you reside, you may have rights under other U.S. state privacy laws — including those of Virginia, Colorado, Connecticut, Utah, and a growing number of other states. Subject to the specific law and its exceptions, these rights may include: the right to confirm whether we process your personal data and to access it; the right to correct inaccuracies; the right to delete personal data you provided or we obtained; the right to obtain a portable copy of your data; the right to opt out of targeted advertising, the sale of personal data, and certain profiling; and the right to appeal a refusal to act on a request. We do not use personal data for decisions that produce legal or similarly significant effects through solely automated profiling.

Nevada. Nevada residents have the right to submit a verified request directing a website operator not to sell certain covered personal information. As stated above, we do not sell personal information for monetary consideration; a Nevada resident may nonetheless submit such a request using the contact methods in Section 15.

To exercise any of these rights, please contact us using the methods in Section 15. We will verify and respond to your request as required by the applicable state law, generally within forty-five (45) days (extendable as permitted). If we decline to act, you may appeal as described in Section 9.4 and, where applicable, contact your state Attorney General. We will not discriminate against you for exercising your rights.

11. Children's Privacy

The Site is intended for users who are 18 years of age or older. Individuals between the ages of 13 and 18 should use the Site only with the involvement and consent of a parent or legal guardian. The Site is not directed to children under 13, and we do not knowingly collect personal information from children under 13 in violation of the Children's Online Privacy Protection Act ("COPPA"). If we learn that we have collected personal information from a child under 13 without verifiable parental consent, we will delete that information promptly. If you believe a child under 13 may have provided us with personal information, please contact us using the information in Section 15.

12. International Users and U.S.-Only Operation

The Site is operated in the United States and is intended for users located in the United States. If you access the Site from outside the United States, you understand that your information will be transferred to, stored, and processed in the United States, where data-protection laws may differ from those of your jurisdiction. By using the Site, you consent to the transfer and processing of your information in the United States.

13. Third-Party Payment Processing and PCI

Payments for paid and sponsored listings are processed by our third-party payment processor, Authorize.Net. When you submit payment, your cardholder and billing information is collected and processed directly by the payment processor in accordance with the Payment Card Industry Data Security Standard ("PCI DSS") and the processor's own privacy policy. We do not store full payment card numbers on our systems and receive only limited transaction-related information. Your use of the payment functionality is also subject to the payment processor's terms and privacy policy.

14. Changes to This Policy

We may update this Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we make material changes, we will revise the "Last Updated" date above and, where required by law, provide additional notice (such as by posting a notice on the Site). Your continued use of the Site after the updated Policy becomes effective constitutes your acceptance of the changes. We encourage you to review this Policy periodically.

15. How to Contact Us

If you have questions about this Policy or our privacy practices, or if you wish to exercise your privacy rights, you may contact us through any of the following methods:

  • Contact form: available on the Site at /contact/ (the fastest way to reach us)
  • Email: Our privacy email address, shown as an image to reduce spam (shown as an image — please type it into your email program)

If you have a disability and need to access this Policy in an alternative format, please contact us using the information above and we will work to accommodate your request.