Privacy Policy

Skinora Labs (the "Company", "we", "us") is the controller of personal data collected through the Skinora app and skinora.io. We are registered in Amsterdam, Netherlands. See our Imprint for full corporate details.

We collect and process the following categories:

• Account data — name, email (from Google/Apple sign-in), user ID, preferred language.
• Facial images and biometric analysis — selfies you upload for skin scans, AI-derived scores (acne, redness, pores, texture, hydration, oil, wrinkles, dark circles, melanin, skin type). These are treated as special-category biometric data under GDPR Article 9. See our Biometric Notice.
• Product data — product labels you scan, ingredient lists, barcodes, photos of packaging.
• Routine and chat data — routine choices, logs, streaks, chat messages sent to our AI coach.
• Device and usage data — device model, OS version, app version, crash logs, feature-level analytics.
• Payment data — processed by Apple App Store or Google Play. We do not receive your card details.

Under GDPR Article 6 and Article 9, we rely on:

• Contract (Art. 6(1)(b)) — to provide core app features you request.
• Explicit consent (Art. 9(2)(a)) — for biometric/facial analysis. You may withdraw consent at any time in Settings.
• Legitimate interests (Art. 6(1)(f)) — analytics, security, fraud prevention.
• Legal obligation (Art. 6(1)(c)) — tax, accounting, law-enforcement requests.

We share data with the following sub-processors, each under a Data Processing Agreement:

• AILab (China) — performs AI skin analysis on your uploaded image. Image is transmitted, analyzed, and the response returned. Transfer uses supplementary measures and a Transfer Impact Assessment (TIA). You can opt out by disabling face scan in Settings.
• Google Firebase (USA/EU) — image storage, authentication, crash reporting. SCCs apply.
• OpenAI (USA) — processes chat prompts to our AI coach. OpenAI does not use our API data for model training. SCCs apply.
• Apple / Google — sign-in and payment.

See our full sub-processors list for the current roster.

Data may be transferred outside the EEA. For transfers to the USA (OpenAI, Firebase), we use Standard Contractual Clauses (SCCs) and supplementary measures. For transfers to China (AILab), we use SCCs plus a documented Transfer Impact Assessment.

We retain data only as long as needed:

• Facial images: 90 days after your last scan, or until you delete your account — whichever is first.
• Biometric scores and analysis: until account deletion.
• Chat history: until you delete or your account is closed.
• Crash logs and analytics: 13 months.
• Billing records: 7 years (NL tax law).

Under GDPR you have the right to: access your data, correct inaccuracies, delete your data, restrict processing, object, data portability, and withdraw consent. To exercise these rights, email privacy@skinora.io. You may also lodge a complaint with the Dutch Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl).

Skinora is not intended for users under 16. Under GDPR-K (NL digital consent age = 16), we do not knowingly collect data from children. If you believe a child has signed up, please contact us to have the account removed.

We use encryption in transit (TLS 1.3) and at rest (AES-256), least-privilege access controls, regular security reviews, and audited third parties. No system is perfectly secure — we recommend you keep your device and authenticator credentials safe.

We may update this policy. Material changes will be notified via in-app banner at least 30 days before taking effect. The "Last updated" date above shows the current version.

Data Protection Officer: dpo@skinora.io
Legal: legal@skinora.io
General privacy: privacy@skinora.io