ClearSkin AI


Privacy Policy

Last Updated: June 2, 2026

1. Introduction

Welcome to ClearSkin AI ("we," "our," or "us"). We are committed to protecting your privacy and personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application (the "App"). ClearSkin AI is operated by Teddy-Michael Sannan and is based in Ontario, Canada.

By using the App, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with our policies and practices, please do not use the App.

2. Information We Collect

LEGAL NOTICE: By using this App, you acknowledge that all data collection is for informational and educational purposes only. We do not provide medical advice and are not responsible for any health outcomes.

2.1 Personal Information

When you create an account, we collect:

  • Email address
  • Password (encrypted)
  • Full name (optional, if provided)

If you choose to sign in using Apple Sign-In or Google Sign-In, we receive your name and email address from the respective provider to create and authenticate your account.

2.2 Demographic Information

To provide personalized skin analysis and accurate skin age estimation, we collect:

  • Date of birth (used to calculate your age)
  • Gender (male, female, other, or prefer not to say)

This information is required for new users during account setup and is used to personalize your AI skin analysis. Once provided, this demographic information cannot be changed, so that your analysis results remain consistent over time. We use this data solely to improve the accuracy of your skin age estimation and to provide gender-appropriate skincare recommendations, as male and female skin have different characteristics.

2.3 Face Data and Skin Analysis Data

When you use our skin analysis features, we collect the following face data and related skin analysis data:

  • Photographs of your face (front, left side, right side) captured through the App's camera for the purpose of skin analysis
  • Analysis results and recommendations derived from those photos
  • Skin condition assessments (e.g. breakouts, oiliness, redness, dryness, pores)
  • Estimated skin age and skin age comparison to your actual age
  • Historical scan data and progress tracking
  • Subscription and free-trial status

What face data is collected. The face data we collect is limited to photographs of your face that you choose to capture in the App. We do not generate, store, or transmit a faceprint, face template, face embedding, or any other biometric identifier. We do not perform face recognition and we cannot use our data to identify you from your face.

How face data is used. Your face photos are used solely to generate your personal skin analysis results — skin score, skin conditions, skin age estimate, heatmap, skincare routine, and product recommendations — which are shown to you inside the App and saved to your scan history so you can track changes over time. Face photos are never used for advertising, are never sold, and are never used to train any artificial intelligence or machine-learning models (ours or any third party's).

On-device face detection. Before a photo is uploaded, the App runs Google ML Kit's on-device face detector to confirm a single face is present and well-framed. This detection runs entirely on your device. The face landmarks and contours computed during this check are held only in memory on your device, are used only to position the on-screen heatmap and to gate the capture, and are discarded when you leave the screen. They are never uploaded to our servers, never stored, and are not used to identify you. No biometric template is created or retained.

Sharing of face data with third parties. Your face photos and your demographic context (age and gender) are transmitted to OpenAI's API to perform the AI skin analysis. OpenAI processes this data as our sub-processor under a Data Processing Agreement with Standard Contractual Clauses. Per our agreement with OpenAI and OpenAI's API data policy, your face photos are not used to train OpenAI's models. We do not share your face photos with any other third parties, do not sell them, and do not use them for advertising.

Where face data is stored. After analysis, your face photos and analysis results are stored in a private storage bucket and database operated by Supabase (our hosting and database sub-processor). Both are protected by row-level security so that one user cannot access another user's photos or scan data. Data in transit is encrypted with TLS/HTTPS; data at rest is encrypted by our hosting provider.

How long face data is retained. Your face photos and skin analysis results are retained in your account only for as long as your account exists, so that you can view your scan history and track your progress over time. When you delete your account from within the App, all of your face photos and all of your skin analysis results are permanently deleted from our database and storage. You may also delete individual scans at any time, which removes the associated face photos and results immediately. Face photos and skin analysis results are not retained after account deletion (subject only to short-lived backups in the normal course of operating the service, which expire automatically).

2.4 Payment Information

When you subscribe to premium features, payment processing is handled entirely by Apple (App Store) on iOS and Google (Play Store) on Android. We never receive, see, or store your payment card information, billing address, or transaction history. Apple and Google collect and process this information under their own terms and privacy policies.

We use RevenueCat as a service layer to receive subscription status updates from Apple and Google (e.g., active, renewed, cancelled, expired). RevenueCat receives a signed receipt or purchase token that confirms the transaction. Neither RevenueCat nor ClearSkin AI receives your payment card details.

The only purchase-related data we store is: a store-side transaction identifier, the subscription product purchased (monthly or yearly), the current period dates, and the subscription status.

2.5 Contact and Communication Data

When you contact us through the App's contact form, we collect:

  • Your contact messages and inquiries
  • Subject lines and message content
  • Your email address for response purposes
  • Timestamp of your communication

2.6 Notification Data

When you enable notifications in the App, we collect:

  • Push notification tokens (Expo push tokens) used to deliver notifications to your device
  • Notification preferences, including scan reminder day and time, and AM/PM skincare routine reminder times

2.7 Automatically Collected Information

When you use the App, we may automatically collect:

  • Device information (model, operating system, unique device identifiers)
  • App usage data (features accessed, time spent in app)
  • Camera permissions (only when you actively use the scan feature)
  • Error logs and crash reports (via Sentry; see Section 7 for details)
  • Authentication session tokens, stored locally on your device using AsyncStorage to maintain your signed-in session. These tokens are not transmitted to third parties and are removed when you sign out.
  • IP address, used transiently at the server level for rate limiting and abuse prevention on our APIs. Your IP address is held only in short-lived rate-limiting records, which expire within one minute to one hour depending on the operation, and it may appear briefly in our server security logs. It is never stored in your account profile, is not used to build a profile of you, and is not retained for longer than necessary for these security purposes.
  • Device locale and language information, which may be collected via the app framework to present content appropriately.

3. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA) and United Kingdom, we process your personal data under the following legal bases:

  • Account data (email, name, password, date of birth, gender): Contract performance (Article 6(1)(b)) — necessary to provide the ClearSkin AI service.
  • Face photos and skin analysis results (skin scores, conditions, skin age, heatmaps, routines, product recommendations): Explicit consent (Article 6(1)(a) and Article 9(2)(a)) — you provide explicit consent during onboarding before your first scan. You may withdraw this consent at any time from Settings.
  • Payment and subscription data: Contract performance (Article 6(1)(b)) — necessary to process your subscription. Payment data is handled entirely by Apple App Store and Google Play Store and never touches our servers.
  • Crash reports and error logs (Sentry): Legitimate interest (Article 6(1)(f)) — necessary to maintain app stability and fix technical issues. Sentry is configured with PII collection disabled.
  • Push notification tokens and preferences: Consent (Article 6(1)(a)) — collected only when you enable notifications.
  • Contact form messages: Contract performance (Article 6(1)(b)) — necessary to respond to your support request.

4. International Data Transfers

ClearSkin AI is operated from Canada. If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, your personal data may be transferred to and processed in countries outside your jurisdiction, including Canada and the United States. We ensure appropriate safeguards are in place for these transfers through the following mechanisms:

  • OpenAI (AI skin analysis): We have a Data Processing Agreement (DPA) with OpenAI that includes Standard Contractual Clauses (SCCs) approved by the European Commission for the transfer of personal data to third countries.
  • Supabase (database and authentication): We have executed a Data Processing Agreement with Supabase that includes Standard Contractual Clauses and allows selection of data center regions.
  • Resend (transactional email): We have a Data Processing Agreement with Resend that includes Standard Contractual Clauses for international data transfers.
  • Apple (App Store) and Google (Play Store) (payment processing): Apple and Google each maintain their own GDPR compliance programs and Standard Contractual Clauses for international transfers. RevenueCat (subscription status service) maintains a Data Processing Agreement with Standard Contractual Clauses.
  • Sentry (crash reporting): Sentry is configured with PII collection disabled. Crash reports contain only technical data.
  • PostHog (product analytics): PostHog processes anonymized usage events that we explicitly send (such as “scan_completed” or “subscription_started”), together with basic app lifecycle events such as the app being opened or sent to the background. Automatic screen and tap capture (“autocapture”) is disabled. No personally identifiable information is transmitted, and PostHog uses its own anonymous device identifiers.

The European Commission has issued an adequacy decision covering organizations subject to Canada's PIPEDA, meaning transfers of personal data from the EEA to such organizations in Canada are permitted without additional safeguards.

For more information about these safeguards or to obtain a copy of the relevant agreements, please contact us at [email protected].

5. Sub-Processors

We use the following sub-processors to help deliver the ClearSkin AI service:

  • OpenAI (San Francisco, USA) — AI-powered skin analysis. Processes face photos, date of birth, gender, age, and user-provided context to generate skin health assessments. Data Processing Agreement with SCCs in place.
  • Supabase (San Francisco, USA) — Database, authentication, and file storage. Stores account data, scan results, and photos. Data Processing Agreement with SCCs in place.
  • Apple Inc. (Cupertino, USA) — Payment processing for iOS via App Store In-App Purchase. Handles all subscription billing and payment method management for iOS users. No raw payment data touches our servers.
  • Google LLC (Mountain View, USA) — Payment processing for Android via Google Play Billing. Handles all subscription billing and payment method management for Android users. No raw payment data touches our servers.
  • RevenueCat, Inc. (San Francisco, USA) — Subscription status service. Receives signed receipts/purchase tokens from Apple and Google to confirm subscription state and notifies our backend of subscription events (purchase, renewal, cancellation, expiration). Does not receive payment card information. Data Processing Agreement with SCCs in place.
  • Resend (San Francisco, USA) — Transactional email delivery. Sends account verification, password reset, data export, and contact form emails. Data Processing Agreement with SCCs in place.
  • Sentry (San Francisco, USA) — Crash reporting and error tracking. Receives anonymized crash reports with PII collection disabled.
  • PostHog (San Francisco, USA) — Product analytics and event tracking. Collects the anonymized events we explicitly send (e.g. “scan_completed”, “subscription_started”), plus basic app lifecycle events such as the app being opened or sent to the background. Automatic screen and tap capture is disabled. No personally identifiable information is transmitted; PostHog uses its own anonymous identifiers.

We will notify users of any changes to this list by updating this Privacy Policy.

6. How We Use Your Information

We use the information we collect to:

  • Provide and maintain the App's skin analysis features
  • Process your AI-powered skin assessments using OpenAI's API
  • Estimate your skin age and compare it to your actual age
  • Provide gender-appropriate skincare analysis and recommendations
  • Track your skin health progress over time
  • Manage your subscription and any introductory free trial
  • Process subscription payments and manage your account
  • Send you important updates about your account or the App
  • Respond to your inquiries and provide customer support through our contact form
  • Process and respond to your contact form submissions
  • Improve our App's features and user experience
  • Detect, prevent, and address technical issues or fraudulent activity
  • Comply with legal obligations

7. Third-Party Services

We use the following third-party services that may collect and process your information:

7.1 Supabase (Database & Authentication)

We use Supabase to store your account information, scan data, and manage authentication. Supabase is hosted on secure servers and complies with industry-standard security practices.

7.2 OpenAI (AI Processing)

Your skin photos, along with your date of birth, gender, and age, are sent to OpenAI's API to provide AI-powered analysis and recommendations. This demographic data is included to enable accurate skin age estimation and gender-appropriate analysis. OpenAI processes this data in accordance with their privacy policy and data processing agreements. Images and demographic data are processed for analysis purposes only and are not used to train OpenAI's models.

7.3 Apple App Store, Google Play Store, and RevenueCat (Payment Processing)

All payment transactions are processed by Apple (on iOS) or Google (on Android) through their respective app stores. We do not store your payment card details. Apple's and Google's use of your personal information is governed by their respective privacy policies.

We use RevenueCat as a service layer to receive subscription status events from Apple and Google. RevenueCat receives signed receipts and purchase tokens to verify your subscription state and informs our backend when your subscription is purchased, renewed, cancelled, or expires. RevenueCat's use of your personal information is governed by their privacy policy.

7.4 Resend (Email Services)

We use Resend to send emails, including contact form responses and data export emails. Your email address and message content are processed by Resend in accordance with their privacy policy.

7.5 Sentry (Crash Reporting)

We use Sentry to collect error logs and crash reports to help us identify and fix technical issues in the App. Sentry is configured with personally identifiable information (PII) collection disabled, meaning your IP address and other personal data are not sent to Sentry. Only technical error data and device metadata (such as device model and operating system version) are collected.

8. Data Retention

We retain your personal information and skin analysis data until you delete your account. When you delete your account:

  • All your personal information is permanently deleted
  • All your scan photos and analysis results are permanently deleted
  • Your subscription is cancelled (if active)
  • Your contact form submissions and communication history are permanently deleted
  • Some financial records may be retained as required by law for tax and accounting purposes

9. Data Security

We implement appropriate technical and organizational measures to protect your personal information, including:

  • Encryption of data in transit (TLS/HTTPS) and at rest (AES-256, applied by our hosting provider)
  • Secure authentication protocols, including token expiry and refresh-token rotation
  • Row-level security on our database and a private storage bucket, so one user cannot access another user's photos or data
  • Rate limiting, input validation, and security monitoring on our servers
  • Regular security assessments
  • Access to personal data limited to authorized personnel on a need-to-know basis

9.1 Operator Access to Your Photos and Scan Data

ClearSkin AI is not an end-to-end encrypted service. So that we can provide AI skin analysis, your face photos are processed in readable form on our servers and sent to our AI sub-processor (see Sections 4 and 7). This means that authorized personnel — currently the App's operator — have the technical ability to access stored photos and scan results. We access this data only when necessary to operate, support, secure, or debug the service, to comply with a legal obligation, or with your consent. We do not browse user photos out of curiosity, we do not sell or share them, and we do not use them to train any artificial intelligence models. If our team grows, access will remain restricted to personnel with a legitimate operational need.

However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal information, we cannot guarantee its absolute security.

10. Your Privacy Rights

10.1 General Rights

You have the right to:

  • Access your personal information
  • Correct inaccurate or incomplete information
  • Delete your account and all associated data
  • Withdraw consent for data processing
  • Export your data in a portable format

10.2 Canadian Residents (PIPEDA)

Under Canadian privacy law, you have the right to access your personal information and request corrections. You may also withdraw consent for certain data processing activities.

10.3 European Residents (GDPR)

If you are located in the European Economic Area, you have additional rights under GDPR, including:

  • Right to data portability
  • Right to restrict processing
  • Right to object to processing
  • Right to lodge a complaint with a supervisory authority

10.4 California Residents (CCPA)

California residents have the right to:

  • Know what personal information is collected, used, shared, or sold
  • Delete personal information held by businesses
  • Opt-out of the sale of personal information (Note: We do not sell personal information)
  • Non-discrimination for exercising their privacy rights

11. Children's Privacy

Our App is intended for users aged 13 and older. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child under 13 has provided us with personal information, please contact us at [email protected], and we will delete such information from our systems.

For users aged 13–18, we recommend parental guidance when using the App and its skin analysis features.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy within the App and updating the "Last Updated" date. You are advised to review this Privacy Policy periodically for any changes.

Your continued use of the App after any modifications to the Privacy Policy will constitute your acknowledgment of the modifications and your consent to abide by the modified Privacy Policy.

13. Legal Disclaimers and Limitations

CRITICAL LEGAL NOTICE: This Privacy Policy is subject to our Terms of Service, which contain comprehensive legal disclaimers and limitations of liability.

13.1 Medical and Health Disclaimers

You acknowledge and agree that:

  • All data collection and processing is for informational and educational purposes only
  • We do not provide medical advice, diagnosis, or treatment
  • We are not responsible for any health outcomes or medical decisions based on our analysis
  • You should consult with healthcare professionals for any medical concerns
  • We disclaim all liability for any adverse health effects or medical complications

13.2 Product Recommendation Disclaimers

You acknowledge and agree that:

  • Any product recommendations are generated by AI and may not be suitable for your specific needs
  • We are not responsible for any adverse reactions to recommended products
  • You are solely responsible for researching and testing any recommended products
  • We disclaim all liability for product-related injuries or damages
  • You assume all risks associated with using recommended products

13.3 Data Accuracy and Reliability

You acknowledge and agree that:

  • All AI-generated analysis and recommendations may contain errors or inaccuracies
  • We do not guarantee the accuracy, reliability, or completeness of any analysis results
  • You should not rely solely on our analysis for important health or skincare decisions
  • We are not liable for any decisions made based on our analysis or recommendations

13.4 International Data Protection

ClearSkin AI is operated from Ontario, Canada, and complies with Canadian privacy laws (PIPEDA) as its primary legal framework. If you are located in the European Economic Area, United Kingdom, or California, you may have additional rights under applicable data protection laws as described in Section 10 of this Privacy Policy.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

Email: [email protected]

Name: ClearSkin AI (Operated by Teddy-Michael Sannan)

Location: Ontario, Canada

We will respond to your inquiry within 30 days of receipt.

© 2026 ClearSkin AI. All rights reserved.