Privacy Policy

Last updated: 3 April 2025

Summary: We collect your email, skin scan photos, and analysis results to provide the Skinreo service. Your photos are stored privately and are never public. We use OpenAI's API to analyse your skin images. You can delete all your data at any time. We do not sell your data — ever.

Contents

1. Who We Are
2. What We Collect
3. How We Use It
4. Third Parties
5. Biometric Data
6. Retention
7. Your Rights
8. International Transfers
9. Cookies
10. Children
11. Changes
12. Contact

1. Who We Are

Skinreo ("we", "us", "our") is an AI-powered skin tracking application. We operate this service and are the data controller responsible for your personal data.

You can reach us at: hello@skinreo.com

This Privacy Policy applies to all users of the Skinreo web application and any related services. By using Skinreo, you agree to the collection and use of your data as described here.

2. What We Collect

We collect the following categories of personal data:

  • Account data: Your email address when you register or sign in.
  • Profile data: Optional information you provide — age, sex, skin type, skin concerns, and goals.
  • Scan photos: Facial photographs you submit for skin analysis. These are stored privately in encrypted cloud storage (Supabase Storage). They are never publicly accessible.
  • Analysis results: Skin scores, metric readings (acne, hydration, redness, texture, wrinkles), and skin age estimates generated from your photos.
  • Usage data: Pages visited, features used, timestamps, and general interaction patterns — used to improve the service.
  • Device data: Browser type, operating system, and device type — used for technical compatibility.
  • Push notification tokens: If you enable scan reminders, we store a push subscription endpoint to deliver notifications.
  • Chat messages: If you use the in-app AI chat or coaching feature, your messages and the AI-generated responses are stored in our database and linked to your account.
  • Product shelf data: If you save or track skincare products, we store product names and associated data in your account.
  • Automated insights: After each skin scan, we automatically generate and store AI-written insights and recommendations linked to that scan.
  • Browser storage: We use your browser's localStorage to cache non-sensitive preferences (such as routine state, dismissed UI notices, and recap cache). We use sessionStorage to temporarily hold your latest scan result and scan ID within a single browser session — this data is cleared automatically when you close the tab.

We do not collect payment information, government IDs, or any financial data. We do not store ingredient scanner photos — they are analysed in real time by our AI and discarded immediately.

3. How We Use Your Data

We use your data solely to provide, maintain, and improve the Skinreo service. Specifically:

  • To authenticate you and manage your account.
  • To perform AI skin analysis on photos you submit.
  • To store your scan history and display your progress over time.
  • To generate personalised routine recommendations based on your skin profile.
  • To send scan reminder notifications if you have enabled them. Notifications are dispatched by an automated background process (a scheduled cron job) that runs on our servers and sends push messages to your registered endpoint.
  • To automatically generate AI-written skin insights and recommendations immediately after you complete a scan. This processing occurs on our servers without additional action from you.
  • To power the AI coaching and chat features by sending your messages to OpenAI and storing the conversation in your account.
  • To search for relevant skincare products using Serper's API when you use the ingredient scanner or product features — using search terms only, never your photos or personal data.
  • To send product and feature updates if you have subscribed to our newsletter (you can unsubscribe at any time).
  • To diagnose technical problems and improve the app.

Lawful basis (GDPR): We process your data on the basis of your consent (Article 6(1)(a)) and, where applicable, the performance of a contract (Article 6(1)(b)). For biometric/facial data, we rely on your explicit consent (Article 9(2)(a)).

We do not use your data for advertising, profiling for third-party purposes, or automated decision-making that produces legal or similarly significant effects.

4. Third Parties We Share Data With

We do not sell your personal data to anyone. We share data only with the following trusted service providers who process data on our behalf:

Supabase

Our database and file storage provider. Your account data, skin scores, and scan photos are stored on Supabase infrastructure. Supabase is SOC 2 Type 2 compliant. Data may be stored in the United States or EU depending on project configuration.

OpenAI

Our AI analysis provider. We use two OpenAI models: GPT-4o (vision) for skin photo analysis and metric scoring, and GPT-4o-mini for generating text-based insights, coaching messages, and weekly recaps. When you submit a skin scan, your photo(s) are sent to OpenAI's API for analysis. When you use the ingredient scanner feature, your uploaded photo is also sent to OpenAI for ingredient extraction — however, ingredient scanner photos are not stored on our servers. Chat messages you send are processed by OpenAI to generate responses. OpenAI's data handling is governed by their API usage policy. OpenAI does not use API-submitted data to train their models by default.

Serper (Google Search API)

Our product search provider. When you use the ingredient scanner or product recommendation features, we send product-related search queries (not your photos or personal data) to Serper's API, which queries Google Shopping to return relevant product results. Serper does not receive your photos or account information.

Vercel

Our web hosting and deployment platform. Vercel processes request logs and may temporarily cache content. Vercel infrastructure is based primarily in the United States.

We may disclose your data to law enforcement or regulatory authorities if required by law, or to protect the rights and safety of our users and ourselves.

5. Biometric & Facial Data

Your facial photographs and the biometric inferences derived from them (such as skin condition scores and estimated skin age) are sensitive personal data under GDPR (Article 9) and may be classified as biometric data under applicable laws including the Illinois Biometric Information Privacy Act (BIPA) and similar legislation.

We take the following measures to protect this data:

  • Photos are stored in a private, non-public Supabase Storage bucket.
  • Photos are accessed exclusively through short-lived signed URLs (10-minute expiry) — never permanent public links.
  • Photos are transmitted over encrypted HTTPS connections at all times.
  • We do not share your photos with any third party other than OpenAI for the purpose of analysis, as described above.
  • You can delete any individual scan at any time from the app, which permanently removes both the photo and the associated analysis data.

By submitting a facial photo for analysis, you provide explicit consent to the processing of this biometric data for the purpose of skin analysis. You may withdraw this consent at any time by deleting your scans.

6. Data Retention

We retain your data for as long as you maintain an active account with Skinreo.

  • Scan photos: Retained until you delete the individual scan. You can delete scans at any time within the app.
  • Analysis results, AI insights, and skin scores: Retained until the associated scan is deleted.
  • Chat messages: Retained as long as your account is active. You may request deletion at any time.
  • Product shelf data: Retained until you remove the product from your shelf or delete your account.
  • Account data: Retained until you request account deletion.
  • Notification tokens: Deleted when you disable notifications or delete your account.
  • Browser localStorage / sessionStorage: Stored locally in your browser. sessionStorage is cleared automatically when you close the tab. localStorage data can be cleared via your browser settings at any time.

To request full account deletion and erasure of all associated data, contact us at hello@skinreo.com. We will complete deletion within 30 days.

7. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Right of access: Request a copy of the personal data we hold about you.
  • Right to rectification: Request correction of inaccurate or incomplete data.
  • Right to erasure: Request deletion of your personal data ("right to be forgotten").
  • Right to restriction: Request that we limit how we process your data.
  • Right to data portability: Receive your data in a structured, machine-readable format.
  • Right to object: Object to processing based on legitimate interests or for direct marketing purposes.
  • Right to withdraw consent: Withdraw consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at hello@skinreo.com. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

8. International Data Transfers

Skinreo is operated from Lithuania (EU). Some of our third-party providers — including Supabase, OpenAI, Serper, and Vercel — are based in the United States. When your data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) as approved by the European Commission.

By using Skinreo, you acknowledge that your data may be transferred to and processed in countries outside your own, including the United States, in accordance with this policy.

9. Cookies & Local Storage

Skinreo uses a minimal approach to cookies and local storage:

  • Authentication cookies: Set by Supabase to maintain your login session. These are strictly necessary and cannot be disabled without breaking the service.
  • Local storage: We may store non-sensitive preferences (such as skin type selection during onboarding) in your browser's local storage.

We do not use advertising cookies, third-party tracking cookies, or analytics cookies that track you across other websites.

10. Children's Privacy

Skinreo is not directed at children under the age of 16. We do not knowingly collect personal data from anyone under 16 years of age. If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately at hello@skinreo.com and we will delete the data promptly.

Users in the EU must be at least 16 years old to consent to data processing under Article 8 of the GDPR.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page. For significant changes, we will notify you by email (if we have your address) or by a prominent notice within the app.

Your continued use of Skinreo after changes are posted constitutes your acceptance of the updated policy.

12. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

Skinreo

Email: hello@skinreo.com

We aim to respond to all privacy-related enquiries within 30 days.

© 2025 Skinreo AI Skincare. All rights reserved.

Not a medical device. For personal tracking only.