Legal
Biometric Data Policy
Version 1.0 — Effective July 17, 2026.
1. Scope of This Policy
This Biometric Data Policy explains how Skin Intelligence handles your facial images and any information derived from them. It supplements our Privacy Policy and applies wherever biometric-privacy law does — including, for Texas residents, under the Capture or Use of Biometric Identifier Act (CUBI, Tex. Bus. & Com. Code § 503.001); for Colorado residents, under the biometric provisions of the Colorado Privacy Act (HB 24-1130, codified at C.R.S. § 6-1-1314); and in any other jurisdiction that regulates biometric identifiers or biometric data.
As Texas CUBI requires, we inform you and obtain your consent in the app before any facial image is captured, and we retain no biometric identifier after the analysis completes. We never sell or lease your facial images, and we do not disclose them to anyone other than the AI processing providers acting on our behalf to perform the analysis you request, under contracts that prohibit any other use.
Skin Intelligence is a cosmetic skincare guidance app. It is not a medical device and does not diagnose, treat, cure, monitor, or prevent any skin disease or condition. Your facial images may be treated as biometric identifiers or biometric data under some privacy laws; where they are, this policy governs how we collect, use, share, retain, and delete them, and describes the choices you have. The service is not offered in Illinois, Washington, or Quebec — see the Service Availability section of our Privacy Policy.
2. Biometric Data We Collect, and Why
We collect the facial images you voluntarily capture through the in-app camera, and we use them for a single purpose: to generate cosmetic skin-appearance scores and to show you how those scores change over time.
We do not use your facial images to identify or recognise you, we do not create or store a facial-recognition template or face embedding, and we do not use them for identity verification, advertising, profiling, or to train AI models.
To help you line up the camera, your device computes on-device facial-landmark data (a set of on-screen points) as you position your face. This on-device data is used only for framing, and is never transmitted to our servers or stored.
3. Your Consent
We collect and process your facial images only with your express consent. At sign-up, before your first scan, we ask you to agree to separate, unbundled consent items — one to capture and process your facial images for cosmetic analysis, and one to transmit them to our AI providers to generate your scores — each of which you must select before you can continue.
You may withdraw your consent at any time in the app (Profile → Privacy & Data). Withdrawing turns off scanning, so no new images are captured or analyzed. It does not delete your existing scans or your account — those stay on your device (and in your cloud backup, if you enable it) until you choose to delete them (Delete Scan or Delete Account).
4. How We Process and Share Your Biometric Data
When you take a scan, your image is transmitted to Skin Intelligence servers for transient processing only — held in server memory during analysis and immediately discarded — and then transmitted to our AI processing providers to generate your scores:
OpenAI, L.L.C. (United States) Google LLC, via Google Cloud Vertex AI (United States)
We share your facial images with these providers solely to perform the cosmetic analysis you request, and for no other purpose. To improve accuracy, your age range and gender are included in the request. Under the zero-retention terms we have enabled with both providers, your images are never used for model training and are not logged or retained for abuse monitoring — an image is kept only where an automated child-safety system flags it — in which case, as United States federal law (18 U.S.C. § 2258A) requires, the provider may retain and report it to the National Center for Missing and Exploited Children (NCMEC) — or where a longer period is required by law, as described in our Privacy Policy. These providers return only the analysis output — your numerical scores, your detected skin tone and skin type, and the brief written skin-appearance observations used to produce them, which are discarded once your scores are generated — to Skin Intelligence; your image is never returned with these results.
You can review how each provider handles data in their privacy terms:
— OpenAI — Enterprise Privacy— Google — Cloud Privacy NoticeWe do not sell, lease, or trade your facial images or any biometric data — we receive no money or other value in exchange for them — and we have no affiliates that receive them.
5. Retention Schedule
We retain no facial image or biometric identifier on our servers beyond the active cosmetic-scoring session. Your image is processed in memory only and immediately discarded once your scores are generated; it is never stored, logged, or retained, and we cannot retrieve or reproduce it after the request completes.
The facial images and scores you choose to keep are stored on your device only — unless you enable optional cloud backup to your own iCloud or Google Drive — and remain there until you delete them or uninstall the app.
Because we do not store biometric identifiers, no ongoing retention period applies. Where a jurisdiction sets an outer limit — for example, Colorado requires permanent destruction by the earliest of the date the collection purpose is satisfied, twenty-four (24) months after your last interaction with us, or a date no more than forty-five (45) days after an at-least-annual review finds continued storage no longer necessary — our transient, no-storage handling meets or exceeds that limit, because nothing is retained in the first place.
6. Deletion
On our servers: your facial image is deleted automatically when the scan completes. There is nothing further you need to request.
On your device: you can delete individual scans or all scan data at any time from within the app. If you delete your account, the scans and scores on your device are deleted immediately, and we attempt to remove any cloud backup from your personal iCloud or Google Drive.
If you have enabled cloud backup, you should also confirm the backup has been removed from your own cloud-storage settings.
7. Data Security & Incident Response
We protect facial images in transit and during processing using at least the reasonable standard of care within our industry — including encryption in transit, transient in-memory processing with no server-side storage, and role-based access controls — and in a manner at least as protective as the manner in which we store, transmit, and protect other confidential and sensitive information. Because we retain no facial image or biometric identifier after a scan completes, no biometric identifier is ever held beyond the outer limit any law sets — for example, the three (3) years after your last interaction that Illinois law (740 ILCS 14/15(a)) sets as a maximum.
We maintain a written protocol for responding to a data security incident that may compromise biometric data. In the event of such an incident, we will act without undue delay to contain and assess it, and we will notify affected individuals and the relevant authorities as required by applicable data-breach law — including, for Colorado residents, C.R.S. § 6-1-716; for Canadian users, the Office of the Privacy Commissioner of Canada (and the Office of the Information and Privacy Commissioner of Alberta for Alberta residents); and, for other US residents, the notifications required by your state's data-breach law. Because we hold no facial image or biometric identifier on our servers, the scope of any incident involving biometric data is inherently limited.
8. Your Rights
Depending on where you live, you may have the right to confirm whether we collect, share, or sell your biometric data and to access it; to obtain a list of any third parties with whom we have shared it; to correct it; to withdraw your consent; and to have it deleted. We do not sell your biometric data, and we do not share it other than with the AI providers named above to perform the analysis you request.
You can access, withdraw consent, and delete directly in the app, or by emailing privacy@skinintelligence.ai. We will respond to any request within 45 days of receiving it — or sooner where your state's law requires a shorter deadline; where reasonably necessary we may extend this once by a further 45 days and will tell you if we do. If we decline a request, you may appeal by emailing privacy@skinintelligence.ai with the subject "Biometric Data Appeal"; we will respond within 45 days (or any shorter period your state requires), after which, where your jurisdiction provides one, you may complain to your state Attorney General or privacy regulator. Separately, where an automated child-safety system flags an image, United States federal law (18 U.S.C. § 2258A) requires the provider to report it to the National Center for Missing and Exploited Children (NCMEC); this is the one disclosure of an image we cannot prevent, as described in our Privacy Policy.
9. Contact, Controller & Changes
The controller responsible for your biometric data is Skin Intelligence Inc., 329 Howe St #2031, Vancouver, BC V6C 3N2, Canada. Our Privacy Officer can be reached at privacy@skinintelligence.ai for any question or request under this policy.
We may update this Biometric Data Policy from time to time. For material changes we will notify you in the app and, where required, ask you to re-accept before you continue using the scan feature.