Privacy Policy

Last Updated: November 24, 2025

Katarzyna Radan ("we," "us," or "our") operates the Beauty AI mobile application (the "App"). This Privacy Policy explains how we collect, store, use, and share your personal information when you use our App. By using the App, you agree to the collection and use of information in accordance with this Privacy Policy.

1. INFORMATION WE COLLECT

1.1 Personal Information You Provide

When you use the App, we may collect:

- Account Information: Email address and name (via Google or Apple Sign-In).
- Face Data: Images of your face that you upload or capture via the camera for analysis.
- Preferences: Your skincare goals, concerns, and product preferences.

1.2 Information Collected Automatically

- Usage Data: Features accessed, time spent, and navigation patterns (via PostHog).
- Device Information: Device model, OS version, and language settings.
- Purchase History: Subscription status and transaction IDs (we do not see your credit card details).

2. FACE DATA POLICY

Because our Service relies on facial analysis, we treat your Face Data with the highest level of security. This section provides comprehensive information about our face data practices.

2.1 Collection and Purpose

We strictly collect facial images only when you actively use the camera or upload a photo for analysis. We use Face Data solely to perform skin analysis (detecting concerns like acne, wrinkles, texture, dark circles, and other skin characteristics) and to provide personalized makeup and skincare recommendations.

2.2 Storage, Retention, and Reasons

WHY WE STORE FACE DATA: We store your facial images and analysis results to enable the "Scan History" feature, which allows you to track your skin's progress over time, compare before-and-after results, and monitor the effectiveness of your skincare routine.

HOW LONG WE STORE IT: We retain your Face Data for one (1) year from the date of each scan.
This specific retention period was chosen because:

- It provides sufficient time to track meaningful skin improvements (most skincare routines show results within 3-12 months)
- It allows seasonal comparison (skin conditions can vary across different seasons)
- It balances the utility of historical tracking with privacy protection by not retaining data indefinitely
- After one year, the data is automatically deleted unless you perform a new scan, which resets the retention period for that specific scan

2.3 Third-Party Sharing of Face Data

We share Face Data with the following third-party AI providers strictly for the purpose of generating your skin analysis:

OPENAI (ChatGPT/GPT-4 Vision):

- Purpose: AI-powered analysis of facial images to detect skin concerns and generate personalized recommendations
- Data Shared: Facial images you upload or capture
- Retention by OpenAI: OpenAI does NOT retain your face data. According to OpenAI's API data usage policies (as of this policy's date), data sent via their API is not used to train their models and is not retained after processing is complete. Images are processed transiently and deleted immediately after analysis
- Location: United States

GOOGLE GEMINI (Vertex AI):

- Purpose: AI-powered analysis of facial images to provide additional skin analysis perspectives
- Data Shared: Facial images you upload or capture
- Retention by Google: Google Vertex AI does NOT retain your face data beyond the processing period.
According to Google Cloud's data processing terms, customer data sent to Vertex AI for prediction requests is not used to train or improve Google's models and is deleted after processing
- Location: United States and other Google Cloud regions

AWS S3 (Amazon Web Services):

- Purpose: Secure cloud storage for your facial images and scan results
- Data Shared: Facial images and analysis metadata
- Retention by AWS: AWS S3 acts as our storage provider and retains data according to our instructions (1 year, or until account deletion). AWS does not access or use your face data for any purpose other than storage
- Location: United States and other AWS regions

IMPORTANT: We have contractual agreements with OpenAI and Google that prohibit them from using your data to train their general public models. Your face data is processed solely for your individual analysis and is not retained by these AI providers after processing.

2.4 Deletion

- Automatic Deletion: Face Data is automatically deleted after one (1) year from the scan date
- Account Deletion: If you delete your account via the App settings, all your Face Data (including images stored on AWS S3) is immediately scheduled for permanent deletion from all our systems
- Manual Deletion: You can request deletion of specific scans or all your data at any time by contacting [email protected]

3. HOW WE USE YOUR INFORMATION

We use the collected information to:

- Provide the Service: Analyze your skin and generate reports.
- Track Progress: Store historical results so you can compare skin health over time.
- Improve the App: Understand usage trends to fix bugs and enhance features.
- Customer Support: Respond to your inquiries.

4. HOW WE SHARE YOUR INFORMATION

We do not sell your personal data.
We strictly share data with trusted infrastructure providers who help us run the App:

- Face Data Sharing: See Section 2.3 above for detailed information about how we share face data with OpenAI, Google Gemini, and AWS S3, including their retention practices.
- Supabase: Purpose: Authentication (Login) and database management for your user profile. Data: Email, Name, User IDs (does NOT include face data). Location: United States and other regions.
- PostHog: Purpose: Analytics and product improvement. Data: Anonymized usage data (e.g., "User clicked Scan button"). PostHog does NOT receive face data or personally identifiable information. Location: United States.
- Apple: Purpose: Processing payments for in-app subscriptions. Data: Transaction receipts (Beauty AI does not store your financial information). Apple does NOT receive face data. Location: United States.

5. DATA RETENTION

- Face Data: Retained for 1 year from the date of each scan to provide history and progress tracking features, then automatically deleted. See Section 2.2 for detailed explanation of why we chose this retention period.
- Account Data: Retained as long as your account is active.
- Usage Analytics: Anonymized analytics data may be retained indefinitely for product improvement purposes.
- Account Deletion: If you delete your account via the App settings, all your data (including Face Data and images on AWS S3) is immediately scheduled for permanent deletion from all our systems and third-party storage providers.

6. SECURITY MEASURES

We use industry-standard security measures, including:

- Encryption: Data is encrypted in transit (HTTPS) and at rest (in AWS S3 and Supabase).
- Access Control: Only specific automated systems and authorized personnel have access to the database for maintenance purposes.
- Authentication: Secure login via Apple and Google prevents unauthorized access to your account.

7. CHILDREN'S PRIVACY

The App is rated for users aged 13 and older.
We do not knowingly collect personal information from children under 13. If we discover that a child under 13 has provided us with personal information, we will delete it immediately.

8. YOUR RIGHTS (GDPR / CCPA)

Depending on your location, you have the right to:

- Access: Request a copy of the data we hold about you.
- Delete: Request permanent deletion of your account and data.
- Rectify: Update incorrect information.
- Opt-Out: You may opt out of analytics tracking or marketing communications.

To exercise these rights, contact us at: [email protected]

9. INTERNATIONAL DATA TRANSFERS

Beauty AI is operated from the United Arab Emirates. By using the App, you acknowledge that your information may be transferred to, stored, and processed in countries where our third-party service providers (AWS, Supabase, OpenAI) operate, including the United States. We ensure strictly legal transfer mechanisms are in place.

10. CHANGES TO THIS POLICY

We may update this Privacy Policy to reflect changes in our practices. We will notify you of any significant changes via the App or email.

11. CONTACT US

Data Controller: Katarzyna Radan
Location: United Arab Emirates
Email: [email protected]