Privacy Policy
Effective Date: June 1, 2025 · Last Updated: June 1, 2025
1. Introduction
SkinPick ("Company," "we," "us," "our") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, disclose, retain, and safeguard your personal data when you use our AI-powered skincare consulting service ("Service").
This policy applies to all users worldwide, including users in the European Economic Area (EEA), United Kingdom (UK), United States (including California), South Korea, Japan, Brazil, and Australia. Where specific regulations grant additional rights, those rights are detailed in the relevant sections below.
2. Data Controller
SkinPick is the data controller responsible for your personal data under the EU General Data Protection Regulation (GDPR), UK GDPR, and other applicable data protection laws. For all data protection inquiries, you may contact us at: tpgus5754@gmail.com.
3. Data We Collect
3.1 Information You Provide Directly
- Survey responses: Skin type, skin concerns, allergies, lifestyle habits, product preferences, and other information you submit through our questionnaire.
- Contact information: Email address and any other information you provide when contacting us for support.
- Feedback: Any feedback, suggestions, or reviews you voluntarily submit.
3.2 Payment Data
Payment information (credit/debit card numbers, billing address, financial account details) is collected and processed directly by our payment processor, Polar. We do not store, process, or have access to your full payment card details. We receive only transaction identifiers, payment status, and confirmation from Polar.
3.3 Automatically Collected Data
- Usage data: Pages visited, features used, timestamps, session duration, and interaction patterns.
- Device data: Browser type and version, operating system, device type, screen resolution, and language preference.
- Network data: IP address, approximate geolocation (country/region level only), referring URL.
3.4 Sensitive Data
Skin-related survey data (e.g., skin conditions, allergies) may be considered health-related data in certain jurisdictions (including under the GDPR, where it may qualify as a special category of personal data under Article 9). We process this data solely based on your explicit consent given when you submit the survey, and only for the purpose of providing AI-powered skincare analysis.
4. How We Use Your Data
| Purpose | Data Used | Legal Basis (GDPR) |
|---|---|---|
| AI skincare analysis & recommendations | Survey responses | Explicit consent (Art. 6(1)(a), Art. 9(2)(a)) |
| Payment processing | Transaction data via Polar | Contract performance (Art. 6(1)(b)) |
| Customer support | Contact info, correspondence | Contract performance (Art. 6(1)(b)) |
| Service improvement & analytics | Usage data, device data | Legitimate interest (Art. 6(1)(f)) |
| Security & fraud prevention | IP address, usage patterns | Legitimate interest (Art. 6(1)(f)) |
| Legal compliance | Payment records, correspondence | Legal obligation (Art. 6(1)(c)) |
5. AI and Automated Decision-Making
The Service uses AI models (provided by OpenAI) to analyze your survey responses and generate personalized skincare recommendations. We are transparent about how AI is used:
- Nature of processing: Your survey responses are sent to OpenAI's API, which processes them to generate skincare analysis. This constitutes automated processing of personal data.
- No solely automated decisions with legal effect: The AI recommendations are advisory only and do not produce legal effects or similarly significant effects concerning you (GDPR Article 22). No decisions regarding pricing, access, or eligibility are made solely by automated means.
- Human review: You have the right to request human review of any AI-generated output by contacting us.
- Data minimization: Only the survey responses necessary for analysis are transmitted to OpenAI. We do not send personal identifiers (name, email, IP address) to OpenAI.
- EU AI Act: The Service is classified as a limited-risk AI system. Users are clearly informed that they are interacting with an AI system.
6. Third-Party Data Processors
We share data with the following third-party processors to operate the Service:
| Provider | Purpose | Data Shared | Location | Safeguards |
|---|---|---|---|---|
| OpenAI | AI analysis engine | Survey responses (anonymized, no personal identifiers) | United States | SCCs, DPA |
| Polar | Payment processing | Billing & payment information | United States / EU | PCI DSS, SCCs |
| Cloudflare | Hosting, CDN, security | IP address, access logs, traffic data | Global (edge network) | SCCs, DPA |
| Firebase (Google) | Infrastructure, analytics | Usage data, device data, analytics events | United States | SCCs, DPA, SOC 2 |
SCCs = Standard Contractual Clauses; DPA = Data Processing Agreement; PCI DSS = Payment Card Industry Data Security Standard; SOC 2 = Service Organization Control 2.
We do not sell, rent, or trade your personal data to any third party. Data is shared with processors only as necessary to provide the Service.
7. International Data Transfers
Your data may be transferred to and processed in countries outside your country of residence, including the United States. These countries may have data protection laws that differ from those of your jurisdiction.
When transferring data outside the EEA/UK, we ensure appropriate safeguards:
- Standard Contractual Clauses (SCCs): Approved by the European Commission (Decision 2021/914) for transfers to third countries.
- Data Processing Agreements (DPAs): In place with all sub-processors, requiring adequate data protection measures.
- Supplementary measures: Including encryption in transit and at rest, access controls, and data minimization.
- Adequacy decisions: Where the European Commission has determined that a country provides adequate data protection, we may rely on that decision.
You may request a copy of the safeguards we use for international data transfers by contacting us.
8. Data Retention
We retain your data only for as long as necessary to fulfill the purposes described in this policy:
| Data Type | Retention Period | Basis |
|---|---|---|
| Survey responses | Not stored after AI analysis is complete | Data minimization |
| AI analysis results | Delivered to user; not stored server-side | Data minimization |
| Payment records | 5 years from transaction date | Tax/commerce law obligations |
| Usage & analytics logs | Up to 12 months, then deleted or anonymized | Legitimate interest |
| Support correspondence | Up to 24 months after resolution | Legitimate interest, legal defense |
| Cookie/tracking data | See Section 11 (Cookies) | Consent / legitimate interest |
When data is no longer needed, it is securely deleted or irreversibly anonymized. You may request early deletion subject to legal retention obligations.
9. Your Rights
9.1 All Users
Regardless of your location, you have the right to:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Request correction of inaccurate or incomplete data.
- Erasure: Request deletion of your personal data (subject to legal retention obligations).
- Withdraw consent: Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing.
9.2 EEA/UK Users (GDPR / UK GDPR)
In addition to the rights above, you have the right to:
- Restriction of processing: Request that we limit how we process your data in certain circumstances.
- Data portability: Receive your personal data in a structured, commonly used, machine-readable format (e.g., JSON, CSV) and transmit it to another controller.
- Object to processing: Object to processing based on legitimate interests, including profiling.
- Automated decision-making: Not be subject to a decision based solely on automated processing that produces legal effects (see Section 5 above).
- Lodge a complaint: File a complaint with your local Data Protection Authority (DPA). A list of EU DPAs is available at edpb.europa.eu. UK users may contact the Information Commissioner's Office (ICO).
9.3 California Users (CCPA / CPRA)
If you are a California resident, you have the right to:
- Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected, the sources, purposes, and third parties with whom we share it.
- Right to Delete: Request deletion of your personal information, subject to certain exceptions.
- Right to Correct: Request correction of inaccurate personal information.
- Right to Opt-Out of Sale/Sharing: We do not sell or share your personal information as defined by the CCPA/CPRA.
- Right to Limit Use of Sensitive PI: You may limit the use and disclosure of sensitive personal information to purposes necessary for providing the Service.
- Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights.
CCPA Categories of Personal Information Collected: Identifiers (IP address, email); internet activity (browsing history, usage data); geolocation data (approximate); health information (skin-related survey responses); commercial information (purchase history).
9.4 Korean Users (PIPA)
Under the Korean Personal Information Protection Act (PIPA), you have the right to:
- Access, correct, delete, or suspend processing of your personal data.
- Request data portability.
- Withdraw consent for data collection and use at any time.
- File complaints with the Personal Information Protection Commission (PIPC) or the Korea Internet & Security Agency (KISA).
9.5 Brazilian Users (LGPD)
Under the Lei Geral de Proteção de Dados (LGPD), you have the right to:
- Confirmation of data processing and access to your data.
- Correction, anonymization, blocking, or deletion of unnecessary or excessive data.
- Data portability to another service provider.
- Information about third parties with whom your data is shared.
- Revocation of consent.
- File complaints with the Autoridade Nacional de Proteção de Dados (ANPD).
9.6 Japanese Users (APPI)
Under the Act on the Protection of Personal Information (APPI), you have the right to:
- Request disclosure of your retained personal data.
- Request correction, addition, or deletion of inaccurate data.
- Request cessation of use or deletion if data is being handled improperly.
- Request cessation of third-party data provision.
9.7 Australian Users (Privacy Act 1988)
Under the Australian Privacy Act and the Australian Privacy Principles (APPs), you have the right to:
- Access personal information held about you.
- Request correction of inaccurate, out-of-date, or misleading information.
- Complain about a breach of the APPs to the Office of the Australian Information Commissioner (OAIC).
9.8 How to Exercise Your Rights
To exercise any of the rights described above, please contact us at tpgus5754@gmail.com. We will verify your identity before processing your request and respond within the timeframes required by applicable law (generally within 30 days, or within 45 days for CCPA requests).
10. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- Encryption: Data is encrypted in transit (TLS 1.2+) and at rest where applicable.
- Access controls: Strict role-based access controls limit who can access personal data.
- Infrastructure security: Cloudflare provides DDoS protection, WAF, and network security.
- Data minimization: We collect and process only the minimum data necessary for each purpose.
- Regular review: Security practices are reviewed and updated regularly.
Despite these measures, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security but are committed to promptly addressing any security incidents.
11. Cookies and Tracking Technologies
We may use cookies and similar tracking technologies. For EU/UK users, non-essential cookies are only placed with your explicit consent (in compliance with the ePrivacy Directive).
| Type | Purpose | Duration | Legal Basis |
|---|---|---|---|
| Strictly necessary | Essential Service functionality | Session / up to 12 months | Legitimate interest (exempt from consent) |
| Analytics | Usage patterns, Service optimization | Up to 12 months | Consent (EU/UK) / Legitimate interest |
You can manage cookie preferences through your browser settings. Disabling cookies may limit certain features of the Service.
12. Do Not Track (DNT)
Some browsers transmit "Do Not Track" (DNT) signals. There is currently no universally accepted standard for how to respond to DNT signals. We do not currently respond to DNT signals, but we do not engage in cross-site tracking of our users.
13. Children's Privacy
The Service is not directed to children under 16 years of age (or 13 in the US under COPPA, or the applicable minimum age of digital consent in your jurisdiction). We do not knowingly collect personal data from children below the applicable age. If we become aware that we have collected data from a child without valid parental consent, we will take prompt steps to delete that data. If you believe a child has provided us with personal data, please contact us immediately.
14. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach (as required by GDPR Article 33). Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify affected individuals without undue delay (GDPR Article 34). Notifications to other regulators (e.g., CCPA, PIPA, LGPD) will be made in accordance with their respective requirements.
15. Data Minimization and Privacy by Design
We follow the principles of data minimization and privacy by design. We only collect data that is strictly necessary for the stated purposes and build privacy considerations into the design and operation of the Service. Survey data is processed in real-time and not persistently stored. Personal identifiers are not transmitted to our AI analysis provider.
16. Changes to This Policy
- We may update this Privacy Policy from time to time. The "Last Updated" date at the top of this page will be revised.
- Material changes will be communicated through the Service or via email at least 30 days before taking effect.
- For EU/UK users, where required by law, we will seek your explicit consent for material changes to data processing activities.
- Changes will not apply retroactively to data collected before the effective date, unless we obtain your consent.
17. Contact Us
For any privacy-related inquiries, data access requests, complaints, or to exercise your rights under applicable law:
- Email: tpgus5754@gmail.com
We aim to respond to all requests within 30 days (or sooner if required by applicable law; e.g., 15 days for PIPA, 45 days for CCPA). If we need additional time, we will inform you of the reason and the expected timeframe.