Privacy Policy

Skin Intelligence is a cosmetic skincare guidance app. It is not a medical device and does not diagnose, treat, cure, monitor, or prevent any skin disease or condition.

Skin scores reflect appearance metrics; routine suggestions are advisory cosmetic guidance, not medical advice. Always consult a qualified healthcare provider for medical concerns.

The data controller responsible for your personal information is Skin Intelligence Inc.

Our Privacy Officer can be reached at privacy@skinintelligence.ai for any privacy inquiries or data requests.

Account Data: Your email address, collected when you create your account. Your email and subscription information (plan, subscription status, payment platform) are stored on Skin Intelligence servers.

Profile Data: Your name, age range, gender, skin type, skin tone, and experience level. Your name, age range, gender, and experience level are provided by you. Your skin type and skin tone are detected from your scan photos by our AI analysis providers as part of each scan and returned together with your skin scores; you can review and change them in the app at any time. Skin tone is a cosmetic shade indicator used only to personalise your routine — we do not use it to determine, infer, or record your race or ethnicity. Some privacy laws may treat skin-tone information as sensitive personal information, and we handle it on that basis: it is stored only on your device, is never sold, and is never used for profiling or advertising. This information is stored only on your device — we never retain or store any of it on Skin Intelligence servers. Some of these fields are briefly transmitted to our servers when needed to perform a request you initiate: your age range and gender accompany each scan to improve AI accuracy, and your skin type, skin tone, experience level, your selected or score-derived focus areas, and your weekly routine pace are sent when you generate a routine so the engine can build it. In all cases the data is held only in memory for the duration of the request, processed, and immediately discarded. Your name never leaves your device under any circumstance.

Routine Filter Selections: Your Routine Preferences selections (such as Maternity & Nursing, Peeling or Sensitive, Recent Facial or Laser) are stored on your device only and are never transmitted to or stored on Skin Intelligence servers. When you generate a routine, only the resulting list of excluded ingredient identifiers is sent to our servers — your underlying filter choices remain private to your device. These excluded ingredient identifiers are used solely to build your routine; they are held only in memory for the duration of the request and are never logged or stored on our servers. This means we never receive, process, or store any information about your pregnancy status, recent professional treatments, or skin conditions.

Scan Data: Facial images that you voluntarily capture through the app for cosmetic skin appearance analysis, along with the numerical skin scores generated from each scan. Your photos are transmitted to Skin Intelligence servers for transient processing only. Photos are held in server memory during analysis and are immediately discarded — they are never stored, logged, or retained on our servers. Your photos and scores are stored on your device only, unless you enable optional cloud backup to your personal iCloud (iOS) or Google Drive (Android), as described in Section 8. Facial images may be treated as biometric or sensitive data under some privacy laws. We use them solely to generate cosmetic appearance scores; we do not use them to identify or recognise you, we do not create or store a facial-recognition template or face embedding, and we do not use them for identity verification. We do not sell, lease, trade, or otherwise profit from your facial images or any biometric data.

Shelf Data: If you use the optional My Shelf feature, you may photograph cosmetic products you own. Your product photos are sent to Skin Intelligence servers and read by an AI model (Google, accessed through Google Cloud Vertex AI) to extract the product's details — brand, name, category, size, and ingredient list. The photos are used only to perform this read and are not stored on our servers — they are held in memory during the read and then discarded. Your shelf itself — the products and photos you save — is stored on your device only. Separately, each successful read creates one anonymous research record on our servers: the product details above and a read-quality flag, stored under a random identifier. This record contains no photo, no account identifier, no name, no IP address, and only a calendar date — it cannot be linked to you. We use these anonymous records to improve label reading and to decide which ingredients to support next. Product photos are photos of packaging, never of you. If a read is refused because the item appears to be a medicine or is not a cosmetic product, nothing is stored.

Device & Usage Data: Basic device information (device type, operating system) and usage patterns (features used, session duration) to improve the platform experience.

We use your data for the following purposes:

Account Management — To create and maintain your user account. Your account information (email, subscription plan) is stored on our servers. Your name, age range, and gender are stored on your device only. Skin Analysis — To generate cosmetic appearance metrics and skin scores. When you take a scan, your photo is sent to Skin Intelligence servers for transient processing, then transmitted to our AI analysis providers for analysis. The photo is not stored on or retained by Skin Intelligence servers. Routine Suggestions — To generate personalized cosmetic skincare routine recommendations based on your scores and preferences. Trend Tracking — To show you how your skin metrics change over time. Your skin scores are stored on your device. Your scan photos remain on your device and are never stored on Skin Intelligence servers. You can delete individual scan photos and scores at any time from within the app. Product Analytics — To improve platform features using anonymous usage data (page views, clicks) collected via PostHog, as described in Section 11. We do not use your photos or skin scores to train or improve any AI models. We do not collect, use, or sell any personal data for the purpose of training large language models or any other AI system, and our agreements prohibit our AI providers from using your data to train theirs. If we ever decide to train our own AI models using user data, we will request separate, explicit, opt-in consent before doing so. Marketing Communications — If you opt in, we use your email address to send you skincare tips, product updates, and promotional offers. Marketing emails are optional and sent only with your consent; you can withdraw consent at any time in your profile settings or via the unsubscribe link in any marketing email. This is separate from essential service messages (such as subscription renewal reminders, security notices, and changes to these terms), which we may send regardless of your marketing preference. We do not sell your email address or share it for third-party advertising.

If you are located in the EU/EEA, we process your personal data on the following legal bases:

Consent (Article 6(1)(a) GDPR) — For collecting and processing your facial images and sharing data with AI partners (we do not use them to uniquely identify or recognise you), and, where you opt in, for sending you marketing communications. You may withdraw consent at any time. Contract (Article 6(1)(b)) — For processing necessary to provide you with the services you have requested (account creation, scan analysis, routine generation). Legitimate Interests (Article 6(1)(f)) — For platform improvement and security purposes, where our interests do not override your fundamental rights; you may object at any time.

To generate your skin analysis results, your facial images are sent from your device to Skin Intelligence servers, which then transmit them to the following AI processing partners for analysis:

OpenAI (OpenAI, L.L.C., United States) — AI-powered skin appearance analysis. Google (Google LLC, United States) — AI-powered skin appearance analysis, accessed through Google Cloud Vertex AI.

Your photos are transmitted to Skin Intelligence servers for transient processing only. Photos are held in server memory during analysis and are immediately discarded — they are never stored, logged, or retained on our servers. To improve analysis accuracy, your age range and gender are also included in the scan request.

Under our agreements with these providers, your facial images are never used for model training or fine-tuning, and are never shared with any third party or used for any unrelated purpose. We have enabled zero-retention terms with both providers: your facial images and the analysis request are not logged or retained for abuse monitoring or human review, and are not retained once your skin scores have been generated — except where an automated child-safety scan flags an image, or where a longer period is required by law (see below).

Both OpenAI and Google operate automated safety systems under their own policies that check images submitted to their services for child sexual abuse material (CSAM); we cannot disable these checks. United States federal law (18 U.S.C. § 2258A) requires these providers to report any such material they become aware of. In the unlikely event that a safety system flags an image, the AI provider may retain the image for manual review and report it to the National Center for Missing and Exploited Children (NCMEC), regardless of the zero-retention terms described above. Skin Intelligence does not control this process and cannot prevent it.

Your account data is stored by our hosting provider (Supabase) in Canada. Most personal data (photos, scores, profile preferences) is stored on your device only and is never stored or retained on our servers — photos and certain profile fields transit our servers for transient processing per request, as described in Sections 3 and 6. Image processing by our AI partners involves data transfers to the following locations:

OpenAI — United States Google — United States

Subscription and payment processing relies on additional US-based service providers:

Stripe, Inc. (United States) — payment processing for web subscriptions. Receives your email address, account identifier, subscription plan, and payment metadata. Stripe does not receive your scan photos, scan scores, profile preferences, or any health-related information. RevenueCat, Inc. (United States) — subscription management for iOS. Receives your account identifier, the product purchased, and subscription status. RevenueCat does not receive your scan photos, scan scores, email address, profile preferences, or any health-related information.

Analytics and error monitoring rely on additional US-based service providers:

PostHog, Inc. (United States) — product analytics, as described in Section 11. May process your IP address to derive an approximate, country-level location. Sentry / Functional Software, Inc. (United States) — error monitoring, as described in Section 11.

Transactional email — such as sign-in codes and essential service messages — is delivered by Resend, Inc. (United States), which receives your email address solely to deliver these messages.

Your photos transit Skin Intelligence servers (hosted by Vercel, Inc. in the United States) before being forwarded to AI providers for analysis. For transfers from the EU/EEA and UK to the United States, we rely on appropriate safeguards: where a US recipient is certified under the EU–US Data Privacy Framework (including Google, PostHog, and Sentry), transfers rely on the European Commission's adequacy decision (Implementing Decision (EU) 2023/1795); for other recipients we rely on Standard Contractual Clauses (SCCs), and for UK transfers additionally on the UK International Data Transfer Addendum. Account data hosted by Supabase in Canada relies on the Commission's adequacy decision for Canada. You may request a copy of the relevant safeguards at privacy@skinintelligence.ai.

Each third party with whom we share your data — OpenAI, Google / Vertex AI, Stripe, RevenueCat, Supabase, Vercel, PostHog, Sentry, and Resend — is contractually required to provide the same or equal level of protection for your data as described in this Privacy Policy and as required by applicable law, and to use it only to provide services to us.

Device Data — Your scan photos and skin scores are stored on your device only. You have full control over this data and can delete individual scans or all scan data at any time from within the app. If you uninstall the app or clear app data, your scan photos and scores will be permanently removed from your device. Skin Intelligence cannot recover device-stored data on your behalf.

Server Data — Your account information (email, subscription plan and status, payment platform) is stored on our servers for as long as your account is active. Your name, age range, and gender are stored on your device only and are not held on our servers. This data does not include your scan photos or skin scores.

AI Provider Data — Your photos are received by Skin Intelligence servers for transient processing only. Photos are held in server memory during analysis and are immediately discarded — they are never stored, logged, or retained by Skin Intelligence. Our AI providers do not use your images for training and, under the zero-retention terms we have enabled with them, do not log or retain them for abuse monitoring or human review; an image is kept only where a child-safety scanner flags it, or where required by law, as described in Section 6 (AI Partners). We do not have the ability to retrieve or reproduce any photo after the analysis request completes.

Biometric Data — We retain no facial image or biometric identifier on our servers beyond the active cosmetic-scoring session: images are processed in memory only and immediately discarded. Facial images you choose to keep are stored on your device and are destroyed when you delete them or uninstall the app. On-device facial-landmark data used to frame your photo is never transmitted or stored. We do not retain any biometric identifier for longer than is needed to provide the cosmetic-scoring service.

Account Deletion — Upon receiving your account deletion request, your account will be immediately deactivated. You may log back in within 30 days to cancel the deletion. After 30 days, your account data (email, subscription information) will be permanently and irreversibly deleted from our servers — we retain nothing. Third-party records held by payment processors (Stripe, Apple, Google) are subject to those providers' own retention policies. When you delete your account, the scan photos and scores stored on this device are also deleted immediately, and we attempt to remove any cloud backup from your personal iCloud or Google Drive (see "Cloud Backup" below).

Cloud Backup — You may optionally back up your scan data to your personal iCloud or Google Drive account. Your backup includes your photos and scores together with a copy of your account details (including your email, plan, consent record, and marketing preference). When you enable this feature, your data transfers directly from your device to your own cloud storage. Skin Intelligence does not receive, access, or store your backup data. Your backup is governed by Apple's or Google's privacy policies and your own cloud storage settings. When you delete your Skin Intelligence account, we attempt to remove the backup from your personal iCloud or Google Drive; you should also verify it has been removed from your own cloud storage settings.

Depending on your jurisdiction, you have the following rights regarding your personal data:

Access — Request a copy of the personal data we hold about you. Correction — Request correction of inaccurate or incomplete data. Deletion — Request deletion of your personal data and account. Portability — Request your data in a structured, commonly used, machine-readable format. Withdraw Consent — Withdraw previously given consent at any time, without affecting the lawfulness of processing before withdrawal. Object — Object at any time to processing based on our legitimate interests, including our use of analytics. Complain — Lodge a complaint with your local data protection authority (for UK residents, the Information Commissioner's Office).

Self-Serve Export: You can download a copy of your personal data directly from the app at any time. Open Profile → Backup & Restore → Export File to download a ZIP archive containing your account information (email, plan, subscription status, marketing preferences, and your consent record — the date you accepted and the version of the terms/consent you accepted), your on-device preferences and routine selections, your scan metadata and skin scores, and your scan photos. The archive uses standard JSON and image formats (JPEG, and on some Apple devices HEIC) and can be opened on most devices.

To exercise any other rights, or if you have questions, contact us at privacy@skinintelligence.ai. You may also complain directly to us at the same address: we will acknowledge your complaint within 30 days and respond without undue delay.

We implement industry-standard technical and organizational measures to protect your personal data, including:

Encryption of data in transit (TLS) and at rest. Server-side account data is encrypted at rest by our hosting provider (Supabase). Device-stored data (photos, scores, profile preferences) is protected by operating system-level encryption (iOS Data Protection, Android file-based encryption). Role-based access controls limiting data access to authorized personnel. Regular security reviews and monitoring.

Data Breaches — If a personal data breach is likely to result in a risk to your rights, we will act without undue delay. For EU/EEA and UK users, we will notify the competent supervisory authority (and the UK Information Commissioner's Office for UK users) where feasible within 72 hours, and notify you directly where the breach is likely to result in a high risk to you. For Canadian users, where a breach creates a real risk of significant harm we will report it to the Office of the Privacy Commissioner of Canada — and, for Alberta residents, to the Office of the Information and Privacy Commissioner of Alberta — and notify affected individuals as soon as feasible. For US residents, we will notify you and the relevant state authorities of any breach of your personal information as required by your state's data-breach notification law.

This platform uses local storage to maintain your session state and preferences (such as dark mode). On web, this is browser localStorage. On mobile apps, session data is stored in the app's internal storage.

Product Analytics: We use PostHog (PostHog, Inc., United States) for first-party, anonymous product analytics (page views, clicks) so we can improve the app. We do not send your name, email, scan photos, or device-stored data to PostHog, and we do not create identified analytics profiles. PostHog may process your IP address to derive an approximate, country-level location; it is not used to identify you, and session recording is disabled.

Error Monitoring: We use Sentry (Functional Software, Inc., United States) to detect and diagnose technical errors. When an error occurs, technical metadata such as the error type, stack trace, request method, and HTTP status code is transmitted to Sentry, along with limited diagnostic detail about the failure (for example, a truncated error message returned by a processing step). We do not send scan photos, scan scores, profile data, payment information, email addresses, or any health-related information to Sentry. Session replay is disabled.

We do not use advertising cookies, cross-site tracking, or sell data.

This platform is intended for users who are 18 years of age or older. We do not knowingly collect personal information from individuals under 18.

If we discover that we have collected data from a user under 18, we will promptly delete their account and associated data.

Skin Intelligence is not available to residents of the State of Illinois. We do not knowingly offer the service to, collect personal information from, or process biometric identifiers or biometric information of Illinois residents.

We restrict access from Illinois IP addresses, and by agreeing to our Terms you represent that you are not an Illinois resident. These measures reduce but cannot entirely eliminate access by Illinois residents — for example, where IP location is unavailable or circumvented. If you are an Illinois resident, please do not create an account or attempt to use the platform. If we identify an account as belonging to an Illinois resident, we will deactivate it and delete the associated data in accordance with Section 8.

This restriction is in effect as of the effective date of this Privacy Policy. Should Illinois availability change in the future, we will update this section and provide appropriate disclosures pursuant to the Illinois Biometric Information Privacy Act (740 ILCS 14).

Skin Intelligence is also not available to residents of the State of Washington. We restrict access from Washington IP addresses, and by agreeing to our Terms you represent that you are not a Washington resident. These measures reduce but cannot entirely eliminate access — for example, where IP location is unavailable or circumvented. If you are a Washington resident, please do not create an account or attempt to use the platform. If we identify an account as belonging to a Washington resident, we will deactivate it and delete the associated data in accordance with Section 8. Should Washington availability change in the future, we will update this section and provide appropriate disclosures pursuant to the Washington My Health My Data Act.

Skin Intelligence is offered in English only and is not available to residents of the province of Quebec. We restrict access from Quebec IP addresses, and by agreeing to our Terms you represent that you are not a Quebec resident. These measures reduce but cannot entirely eliminate access — for example, where IP location is unavailable or circumvented. If you are a Quebec resident, please do not create an account or attempt to use the platform. If we identify an account as belonging to a Quebec resident, we will deactivate it and delete the associated data in accordance with Section 8.

Depending on your state of residence, you may have additional privacy rights under state law.

California (CCPA/CPRA): If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA): — Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected. — Right to Delete: Request deletion of your personal information, subject to certain exceptions. — Right to Correct: Request correction of inaccurate personal information. — No Sale of Data: We do not sell your personal information to third parties. — No Sharing for Cross-Context Behavioral Advertising: We do not share your personal information for cross-context behavioral advertising.

Sensitive Personal Information: Under CPRA, your facial images constitute Sensitive Personal Information (SPI). Your facial images are stored on your device only (unless you have enabled optional cloud backup to your personal iCloud or Google Drive, as described in Section 8). When you initiate a scan, your image is sent to Skin Intelligence servers for transient processing (held in memory only, immediately discarded), then transmitted to our AI analysis providers for analysis. Skin Intelligence does not retain your photos; our AI providers do not use them for training and, under the zero-retention terms we have enabled, do not log or retain them for abuse monitoring, keeping an image only where a child-safety scanner flags it or where required by law, as described in Section 6. We process SPI solely for the purpose of providing the skin analysis service you have requested. Because this use is necessary to perform the service you have asked us to perform, it falls within the service-necessary exemption set out at 11 CCR § 7027(m)(1) — a separate "Limit the Use of My Sensitive Personal Information" mechanism is therefore not required for this processing. To the extent your skin-tone classification may be considered information that relates to racial or ethnic origin, it is likewise treated as Sensitive Personal Information: we classify it solely to build the cosmetic routine you request and never to infer characteristics about you; it is stored on your device only, processed in memory only when you generate a routine, and never sold. Because this use is service-necessary (11 CCR § 7027(m)(1)) and is not for the purpose of inferring characteristics about you (Cal. Civ. Code § 1798.121(d)), a separate "Limit the Use" mechanism is not required for it either. You retain full control over your photos: they remain on your device and may be deleted by you at any time, individually or in bulk, from within the app. For any other privacy request, contact us at privacy@skinintelligence.ai.

California — Additional Disclosures: We do not discriminate against you for exercising your privacy rights. We use and disclose your sensitive personal information only for the purposes permitted by 11 CCR § 7027 — to perform the cosmetic skin-analysis you request — and for no other purpose, including no profiling, enrichment, advertising, or AI-model training; we are therefore not required to offer a "Limit the Use of My Sensitive Personal Information" option. We do not track you across third-party websites and do not respond to Do Not Track signals because we do not perform such tracking.

Texas (TDPSA): If you are a Texas resident, the Texas Data Privacy and Security Act provides you with rights to access, correct, delete, and obtain a copy of your personal data. You may also opt out of the processing of personal data for targeted advertising. Facial geometry data is classified as sensitive data under TDPSA and requires your consent before processing. Your facial images are stored on your device only. When you initiate a scan, your image is sent to Skin Intelligence servers for transient processing, then transmitted to AI providers. Photos are held in server memory only during analysis and immediately discarded. Texas also regulates biometric identifiers under the Capture or Use of Biometric Identifier Act (CUBI, Tex. Bus. & Com. Code § 503.001). As that law requires, we inform you and obtain your consent in the app before any facial image is captured; we never sell, lease, or disclose facial images except to our AI providers to perform the analysis you request; and we retain no biometric identifier after the analysis completes.

Virginia (CDPA): If you are a Virginia resident, the Virginia Consumer Data Protection Act provides you with rights to access, correct, delete, and obtain a copy of your personal data. You may appeal a denied request by contacting us at privacy@skinintelligence.ai.

Colorado (CPA): If you are a Colorado resident, the Colorado Privacy Act provides you with rights to access, correct, delete, and opt out of targeted advertising or the sale of personal data. Biometric data is classified as sensitive data requiring your consent. You may appeal a denied request by contacting us at privacy@skinintelligence.ai. Colorado Biometric Identifier Notice: Colorado law (HB 24-1130) requires that we tell you, before collection, the following — the facial images you capture may be treated as biometric identifiers; they are collected for the sole purpose of generating your cosmetic skin-appearance scores; they are disclosed only to our AI processing providers (OpenAI and Google), and only to perform the analysis you request; and they are not retained — photos are processed in server memory and immediately discarded, and the copies you keep stay on your device until you delete them. We obtain your consent in the app before your first scan, and we never sell biometric identifiers or use them to identify you.

Connecticut (CTDPA): If you are a Connecticut resident, the Connecticut Data Privacy Act provides you with rights to access, correct, delete, and obtain a copy of your personal data. You may also opt out of the processing of personal data for targeted advertising. You may appeal a denied request by contacting us at privacy@skinintelligence.ai.

Nevada (Consumer Health Data): If you are a Nevada resident, your facial images and skin-appearance scores may be "consumer health data" under the Nevada Consumer Health Data Privacy Law (SB 370). How we collect, use, share, store, and delete that data, and the rights you have over it, are described in our separate Consumer Health Data Privacy Policy, which you can open from the Terms, Privacy & Data screen and from the footer of our website. Skin Intelligence is not available in Washington (see Section 13); should that change, that policy also gives effect to the Washington My Health My Data Act.

Other States: If you reside in any other US state with a comprehensive consumer privacy law (including Utah, Oregon, Montana, Iowa, Delaware, Nebraska, New Hampshire, New Jersey, Minnesota, Maryland, Tennessee, Indiana, Kentucky, and Rhode Island), you have the rights described above to the extent that law applies to us. We do not sell your personal data or sensitive data, and we do not process it for targeted advertising, in any US state — so there is no sale, sharing, or targeted advertising for a Global Privacy Control (GPC) signal to opt you out of: you are treated as opted out by default, because there is nothing to opt out of. If we ever introduce any sale, sharing, or targeted advertising, we will detect and honor GPC signals before we do. We process facial images, and any skin-tone information that may be considered sensitive data, only with your opt-in consent and only where strictly necessary to provide the service; we do not use skin tone to infer your race or ethnicity. If we decline a request, you may appeal by emailing privacy@skinintelligence.ai with the subject "Privacy Appeal"; we will respond within 60 days, and you may then complain to your state Attorney General. Maryland residents: we collect facial images and skin-tone information only where strictly necessary and never sell sensitive data.

To exercise any of your U.S. state privacy rights, contact us at privacy@skinintelligence.ai. You do not need an account to make a request, and we will not charge you for it. We will respond within 45 days of receiving your request; where reasonably necessary we may extend this once by a further 45 days and will tell you if we do. You may also designate an authorized agent to submit a request on your behalf — we may ask the agent for proof of your written permission and may ask you to verify your identity. If we decline your request, you may appeal by emailing privacy@skinintelligence.ai with the subject "Privacy Appeal"; we will respond within 60 days, after which, if your appeal is denied, you may contact your state Attorney General. This appeal right applies in every US state whose law provides one, including Texas.

If you are located in the EU/EEA, you have additional rights under the General Data Protection Regulation (GDPR):

Supervisory Authority — You have the right to lodge a complaint with your local data protection supervisory authority. UK residents may complain to the Information Commissioner's Office (ICO). Data Portability — You may request your personal data in a structured, commonly used, machine-readable format. Restrict Processing — You may request that we restrict the processing of your personal data under certain circumstances. Object — You may object at any time to processing based on our legitimate interests, including our use of analytics.

Automated Processing — Your skin scores and routine suggestions are generated automatically by AI. These are cosmetic, advisory outputs and do not produce legal or similarly significant effects, so they are not solely automated decisions under Article 22 GDPR. You may contact us to ask about, or request human review of, a result.

AI Transparency (EU AI Act) — An AI system analyses your facial photo to generate your cosmetic skin-appearance scores. We tell you this in the app before your first scan, and the personal data involved is processed in accordance with the GDPR as described in this Privacy Policy.

Data Protection Impact Assessment — We maintain an internal data protection impact assessment of this processing, prepared on the European (EDPB) framework, and will review and update it before offering the Service in the EU/EEA or UK.

Skin Intelligence Inc. is incorporated in British Columbia, and your account data is hosted in Canada. The person responsible for the protection of personal information is our Privacy Officer (privacy@skinintelligence.ai), who is the designated responsible person under the Canadian privacy regimes.

You may access, correct, and obtain a portable copy of your personal information (Profile → Backup & Restore → Export File), and you may withdraw your consent at any time.

Some of your personal information is processed by our service providers outside Canada, in the United States: your scan photos are processed there transiently by our AI providers (OpenAI and Google) to generate your skin scores, and your email, subscription, analytics, and error-monitoring data are handled by the US-based providers listed in Sections 6 and 7. These transfers are governed by written agreements requiring a comparable level of protection. While your information is outside Canada, it may be subject to access by the courts, law enforcement, and national-security authorities of that jurisdiction. Our policies and practices for using service providers outside Canada are described in this Privacy Policy (see Sections 6 and 7) and are available on request. If you have any questions about the collection, use, disclosure, or storage of your personal information by our service providers outside Canada, you may contact our Privacy Officer at privacy@skinintelligence.ai.

In line with our accountability obligations, we have conducted and maintain an internal Privacy Impact Assessment of the platform under PIPEDA, prepared on the European (GDPR) data protection impact assessment framework. This assessment is reviewed whenever our processing changes materially and is available to privacy regulators on request.

Our skin analysis does not verify or confirm your identity and does not create any database of biometric characteristics. Facial landmarks used to frame your photo are computed on your device and are never stored or used to recognise you.

You may complain to the Office of the Privacy Commissioner of Canada (priv.gc.ca). British Columbia residents may also complain to the Office of the Information and Privacy Commissioner for BC, and Alberta residents to the Office of the Information and Privacy Commissioner of Alberta.

If you join the waitlist on our website, we collect your email address and use it solely to send you a launch notification and related product updates. Our lawful basis under GDPR is your consent, given when you submit the waitlist form; you may withdraw it at any time via the unsubscribe link in any email we send.

Our waitlist contact list is stored and managed by Resend (Resend, Inc., United States). Waitlist emails are retained until you unsubscribe or request deletion at privacy@skinintelligence.ai.

We may update this Privacy Policy from time to time. If we make material changes, we will notify you within the app and request your re-acceptance before you can continue using the platform.

For questions, concerns, or requests regarding this Privacy Policy, contact us:

Skin Intelligence Inc. Email: privacy@skinintelligence.ai