This document is a working draft prepared as a structural template. It has NOT been reviewed by qualified legal counsel and should NOT be relied upon as a binding legal agreement until reviewed and approved by a licensed lawyer in your jurisdiction.
Who we are
Skinora Labs (the "Company", "we", "us") is the controller of personal data collected through the Skinora app and skinora.io. We are registered in Amsterdam, Netherlands. See our Imprint for full corporate details.
What data we collect
We collect and process the following categories:
- Account data — name, email (from Google/Apple sign-in), user ID, preferred language.
- Facial images and biometric analysis — selfies you upload for skin scans, AI-derived scores (acne, redness, pores, texture, hydration, oil, wrinkles, dark circles, melanin, skin type). These are treated as special-category biometric data under GDPR Article 9. See our Biometric Notice.
- Product data — product labels you scan, ingredient lists, barcodes, photos of packaging.
- Routine and chat data — routine choices, logs, streaks, chat messages sent to our AI coach.
- Device and usage data — device model, OS version, app version, crash logs, feature-level analytics.
- Payment data — processed by Apple App Store or Google Play. We do not receive your card details.
Legal bases for processing
Under GDPR Article 6 and Article 9, we rely on:
- Contract (Art. 6(1)(b)) — to provide core app features you request.
- Explicit consent (Art. 9(2)(a)) — for biometric/facial analysis. You may withdraw consent at any time in Settings.
- Legitimate interests (Art. 6(1)(f)) — analytics, security, fraud prevention.
- Legal obligation (Art. 6(1)(c)) — tax, accounting, law-enforcement requests.
Third-party processors
We share data with the following sub-processors, each under a Data Processing Agreement:
- AILab (China) — performs AI skin analysis on your uploaded image. Image is transmitted, analyzed, and the response returned. Transfer uses supplementary measures and a Transfer Impact Assessment (TIA). You can opt out by disabling face scan in Settings.
- Google Firebase (USA/EU) — image storage, authentication, crash reporting. SCCs apply.
- OpenAI (USA) — processes chat prompts to our AI coach. OpenAI does not use our API data for model training. SCCs apply.
- Apple / Google — sign-in and payment.
See our full sub-processors list for the current roster.
International transfers
Data may be transferred outside the EEA. For transfers to the USA (OpenAI, Firebase), we use Standard Contractual Clauses (SCCs) and supplementary measures. For transfers to China (AILab), we use SCCs plus a documented Transfer Impact Assessment.
Retention
We retain data only as long as needed:
- Facial images: 90 days after your last scan, or until you delete your account — whichever is first.
- Biometric scores and analysis: until account deletion.
- Chat history: until you delete or your account is closed.
- Crash logs and analytics: 13 months.
- Billing records: 7 years (NL tax law).
Your rights
Under GDPR you have the right to: access your data, correct inaccuracies, delete your data, restrict processing, object, data portability, and withdraw consent. To exercise these rights, email privacy@skinora.io. You may also lodge a complaint with the Dutch Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl).
Children under 16
Skinora is not intended for users under 16. Under GDPR-K (NL digital consent age = 16), we do not knowingly collect data from children. If you believe a child has signed up, please contact us to have the account removed.
Security
We use encryption in transit (TLS 1.3) and at rest (AES-256), least-privilege access controls, regular security reviews, and audited third parties. No system is perfectly secure — we recommend you keep your device and authenticator credentials safe.
Changes to this policy
We may update this policy. Material changes will be notified via in-app banner at least 30 days before taking effect. The "Last updated" date above shows the current version.
Contact
Data Protection Officer: dpo@skinora.io
Legal: legal@skinora.io
General privacy: privacy@skinora.io