Biometric Data Notice

Facial analysis involves processing of biometric data — a special category of personal data under GDPR Article 9, and regulated by biometric-specific laws in several US states (including Illinois BIPA, Texas CUBI, and Washington MyHealth My Data Act). This notice provides the disclosures those laws require.

When you perform a skin scan:

• You upload a photo of your face.
• The image is sent to our AI provider (AILab, see Privacy Policy) where facial regions are detected and analyzed for skin metrics.
• The derived metrics (acne score, redness, pores, texture, hydration, oil, wrinkles, dark circles, melanin, skin type) are returned to us and stored in your account.

We do not use facial data to uniquely identify you in the sense of 1:1 face matching. However, because the raw image is analyzed for biometric characteristics, we treat it as biometric data out of caution.

Biometric data is processed solely to:

• Generate your personalized skin scores and trend analysis.
• Provide personalized skincare recommendations.
• Show you before/after overlays and progress visualizations.

We do not use biometric data for advertising, for training AI models without your consent, or to identify individuals.

We process biometric data only with your explicit opt-in consent. You provide consent before your first scan. You may withdraw consent at any time in Settings → Privacy → Face Scan. Withdrawal does not affect processing that already occurred.

We retain facial images for 90 days after your last scan. Biometric scores remain attached to your account until you delete your data. Upon account deletion, we destroy all biometric data within 30 days from our primary systems and within 90 days from all backups.

Under Illinois BIPA, if we collect biometric identifiers of Illinois residents, we will destroy them when the initial purpose is satisfied or within 3 years of your last interaction, whichever is first.

Biometric data is shared only with:

• AILab — contracted sub-processor that performs the analysis, under an agreement restricting their use to providing the service to us.
• Firebase Storage (Google) — encrypted storage of images, access limited to our engineering team.

We do not sell, lease, or otherwise disclose biometric data. Disclosure to government authorities requires a valid legal request.

You have the right to:

• Know what biometric data we have about you.
• Request its deletion at any time.
• Withdraw your consent.
• Receive a copy of your biometric scores in a portable format.

Contact privacy@skinora.io to exercise any of these rights.

If you reside in Illinois, Texas, or Washington, you have additional rights under state biometric privacy laws. We will honor those rights and maintain the specific retention schedules required. A signed biometric release is on file for each user who opts into face scanning.