Privacy Policy
Table of Contents
- Who We Are
- Information We Collect
- How We Use Your Information
- Facial Photo Processing
- Biometric Data Notice
- How We Store and Secure Your Data
- Third-Party Service Providers
- Data Retention
- Your Rights
- For Users in the European Economic Area (GDPR)
- For California Residents (CCPA)
- Children's Privacy
- Cookies and Tracking
- What We Do NOT Do
- Changes to This Privacy Policy
- Contact Us
1. Who We Are
Skinsign ("we", "us", "our") operates the Skinsign mobile application and website (skinsign.app).
Skinsign is a wellness and lifestyle tracking tool that helps you understand the connection between your daily habits and your skin health. Skinsign is not a medical device and does not provide medical advice.
Contact: info@skinsign.app
2. Information We Collect
2a. Waitlist and Website
- Email address when you join our waitlist
- Referral attribution data (referral links)
- Basic browsing analytics via Vercel Analytics (privacy-focused, no cookies)
2b. Account Information (App)
- Email address, Apple ID, or Google account identifier (via Sign in with Apple or Google)
- Skin concern preferences (e.g., breakouts, redness, texture)
- Condition duration and suspected triggers (selected during onboarding)
2c. Lifestyle Data You Provide
- Food and drink selections from preset categories (dairy, sugar, processed food, alcohol, fresh foods, etc.)
- Sleep duration and quality ratings
- Stress level ratings
- Water intake estimates
- Optional free-text daily notes
2d. Facial Photographs
- Selfie photos you take for skin analysis
- Stored as JPEG files in encrypted, private cloud storage
- Accessible only via time-limited signed URLs that expire after 1 hour
- Never publicly accessible
2e. AI-Generated Data
- Overall skin health score (0-100)
- Dimension scores: acne, redness, texture, hydration (each 0-100)
- Acne classification (type and affected zones)
- Correlation insights between your lifestyle and skin patterns
2f. Usage and Technical Data
- Feature usage events and article reads
- Rate limit tracking (to enforce fair usage)
- Notification preferences
- Subscription status
2g. Data Stored on Your Device
- Draft logs and cached scan results stored locally via SQLite
- This data does not leave your device unless you explicitly submit it
3. How We Use Your Information
- Provide AI-powered skin analysis from your photos
- Generate personalized lifestyle-skin correlation insights
- Personalize your experience based on your skin concerns and lifestyle patterns
- Send waitlist updates and product communications (only with your consent)
- Improve the app and fix issues (using aggregated, de-identified analytics only)
- Enforce our terms of service and prevent abuse
We never use your data for advertising. We never sell your data.
4. Facial Photo Processing
Your photos are never used to train AI models. They are never shared with third parties beyond what is described below. They are never sold.
- Your facial photos are processed by Anthropic's Claude AI to analyze skin conditions (acne, redness, texture, hydration).
- Photos are transmitted through our secure server-side functions (Supabase Edge Functions). You never connect directly to the AI provider.
- The AI returns numerical scores and classifications only. No photo data is retained by the AI provider after processing.
- Photos are stored in a private storage bucket. Access requires an authenticated, time-limited URL that expires after 1 hour.
- Per Anthropic's API terms, data submitted through their API is not used to train their models.
5. Biometric Data Notice
Skinsign processes facial photographs to analyze skin surface conditions such as acne severity, redness, texture, and hydration levels.
- We do not use facial recognition technology.
- We do not create biometric identifiers, facial geometry templates, or faceprints.
- We do not use photos for identification purposes.
- Our analysis evaluates visible skin surface conditions only, similar to how a dermatologist would assess your skin visually.
State-Specific Notices
Illinois (BIPA): Our processing does not constitute collection of biometric identifiers or biometric information as defined under BIPA, as we do not scan or capture facial geometry for identification purposes.
Texas and Washington: Photos are processed exclusively for skin condition analysis and are subject to the deletion rights described in this policy.
6. How We Store and Secure Your Data
- All data is hosted on Supabase infrastructure with enterprise-grade security.
- Row-Level Security (RLS) on every database table ensures you can only access your own data.
- Facial photos stored in a private storage bucket with time-limited signed URLs (1-hour expiry).
- All AI processing keys are stored server-side only (never in the app code).
- All data transmitted over HTTPS with TLS encryption.
- No direct connections between your device and AI providers.
7. Third-Party Service Providers
We work with the following service providers to operate Skinsign:
| Provider | Purpose | Data Shared |
|---|---|---|
| Anthropic | AI skin analysis and insight generation | Facial photos (via secure server functions); quantified lifestyle aggregates (no free text or personal identifiers) |
| Supabase | Database, authentication, storage, server functions | All account and app data |
| Apple | Sign-in, subscription management | Apple ID, subscription status |
| Sign-in | Google account identifier | |
| RevenueCat | Subscription lifecycle management | Subscription status, anonymous user ID |
| Kit (ConvertKit) | Email communications | Email address |
| GetWaitlist | Waitlist management | Email address, referral data |
| Vercel | Website hosting, privacy-focused analytics | Browsing behavior (anonymized) |
| Cloudflare | CDN and security | IP address, request metadata |
8. Data Retention
- Active accounts: Your data is retained as long as your account exists.
- Account deletion: All photos, scans, logs, insights, usage records, and authentication data are permanently deleted.
- Waitlist data: Retained until you unsubscribe or request deletion.
- Aggregated analytics: May be retained indefinitely in de-identified, non-personal form.
Note: The 30-day scan history limit in the free tier is a display limitation, not a storage limitation. Your data is stored securely regardless of your subscription tier.
9. Your Rights
You have the right to:
- Access your personal data and request a copy
- Export your data in a machine-readable format
- Delete your account and all associated data at any time
- Correct inaccurate personal data
- Restrict processing of your data
- Portability - receive your data in a structured, commonly used format
To exercise any of these rights, contact us at info@skinsign.app. We will respond within 30 days.
10. For Users in the European Economic Area (GDPR)
If you are located in the European Economic Area (EEA), the following additional provisions apply:
- Legal bases for processing: Consent (photo processing, marketing communications), contract performance (core app features), legitimate interest (analytics, security).
- Data controller: Skinsign.
- International transfers: Your data is processed in the United States. We rely on our sub-processors' standard contractual clauses and data processing agreements for lawful transfer.
- You have the right to lodge a complaint with your local data protection supervisory authority.
11. For California Residents (CCPA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act:
- Right to know what personal information is collected, used, and shared.
- Right to delete your personal information.
- Right to opt-out of sale: We do not sell your personal information. We have never sold personal information.
- Right to non-discrimination for exercising your privacy rights.
To submit a request, contact info@skinsign.app.
12. Children's Privacy
- Skinsign is not intended for children under 13 years of age.
- We do not knowingly collect personal information from children under 13.
- If we become aware that we have collected data from a child under 13, we will delete it promptly.
- Users aged 13 to 17 should have parental or guardian consent before using Skinsign.
14. What We Do NOT Do
We do NOT sell your personal data to anyone.
We do NOT use your photos to train AI models.
We do NOT share your data with advertisers.
We do NOT use facial recognition for identification purposes.
We do NOT send spam or unsolicited marketing without your consent.
We do NOT allow third parties to use your data for their own purposes.
15. Changes to This Privacy Policy
- We may update this policy from time to time.
- Material changes will be communicated via email or in-app notification.
- The "Last Updated" date at the top of this page will be revised.
- Your continued use of Skinsign after being notified of changes constitutes acceptance.
16. Contact Us
If you have questions about this Privacy Policy or want to exercise your data rights:
- Email: info@skinsign.app
- Skinsign is operated from the United States.