1. Introduction
Welcome to ClearSkin AI ("we," "our," or "us"). We are committed to protecting your privacy and personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application (the "App"). ClearSkin AI is operated by Teddy-Michael Sannan and is based in Ontario, Canada.
By using the App, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with our policies and practices, please do not use the App.
2. Information We Collect
LEGAL NOTICE: By using this App, you acknowledge that all data collection is for informational and educational purposes only. We do not provide medical advice and are not responsible for any health outcomes.
2.1 Personal Information
When you create an account, we collect:
- Email address
- Password (encrypted)
2.2 Demographic Information
To provide personalized skin analysis and accurate skin age estimation, we collect:
- Date of birth (used to calculate your age)
- Gender (male, female, other, or prefer not to say)
This information is required for new users during account setup and is used to personalize your AI skin analysis. We use this data solely to improve the accuracy of your skin age estimation and to provide gender-appropriate skincare recommendations, as male and female skin have different characteristics.
2.3 Skin Analysis Data
When you use our skin analysis features, we collect:
- Photographs of your skin taken through the App (front, left, and right views)
- Optional user-provided skin concerns text (up to 500 characters)
- Analysis results including skin scores, condition assessments, and recommendations
- Estimated skin age and skin age comparison to your actual age
- Heatmap overlay data (breakouts, oiliness, dryness, redness)
- Historical scan data and progress tracking
- Free scan usage tracking
2.4 Payment Information
When you subscribe to premium features, payment processing is handled by Stripe. We do not store your full credit card details. Stripe collects and processes:
- Payment card information
- Billing address
- Transaction history
2.5 Contact and Communication Data
When you contact us through the App's contact form, we collect:
- Your contact messages and inquiries
- Subject lines and message content
- Your email address for response purposes
- Timestamp of your communication
2.6 Notification Data
When you enable notifications in the App, we collect:
- Push notification tokens (Expo push tokens) used to deliver notifications to your device
- Notification preferences, including scan reminder day and time, and AM/PM skincare routine reminder times
2.7 Automatically Collected Information
When you use the App, we may automatically collect:
- Device information (model, operating system, unique device identifiers)
- App usage data (features accessed, time spent in app)
- Camera permissions (only when you actively use the scan feature)
- Error logs and crash reports (via Sentry; see Section 7 for details)
- Authentication session tokens, stored locally on your device using AsyncStorage to maintain your signed-in session. These tokens are not transmitted to third parties and are removed when you sign out.
3. Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA) and United Kingdom, we process your personal data under the following legal bases:
- Account data (email, name, password, date of birth, gender): Contract performance (Article 6(1)(b)) — necessary to provide the ClearSkinAI service.
- Face photos and skin analysis results (skin scores, conditions, skin age, heatmaps, routines, product recommendations): Explicit consent (Article 6(1)(a) and Article 9(2)(a)) — you provide explicit consent during onboarding before your first scan. You may withdraw this consent at any time from Settings.
- Payment and subscription data: Contract performance (Article 6(1)(b)) — necessary to process your subscription. Payment data is handled entirely by Stripe and never touches our servers.
- Crash reports and error logs (Sentry): Legitimate interest (Article 6(1)(f)) — necessary to maintain app stability and fix technical issues. Sentry is configured with PII collection disabled.
- Push notification tokens and preferences: Consent (Article 6(1)(a)) — collected only when you enable notifications.
- Contact form messages: Contract performance (Article 6(1)(b)) — necessary to respond to your support request.
4. International Data Transfers
ClearSkinAI is operated from Canada. If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, your personal data may be transferred to and processed in countries outside your jurisdiction, including Canada and the United States. We ensure appropriate safeguards are in place for these transfers through the following mechanisms:
- OpenAI (AI skin analysis): We have a Data Processing Agreement (DPA) with OpenAI that includes Standard Contractual Clauses (SCCs) approved by the European Commission for the transfer of personal data to third countries.
- Supabase (database and authentication): We have executed a Data Processing Agreement with Supabase that includes Standard Contractual Clauses and allows selection of data center regions.
- Resend (transactional email): We have a Data Processing Agreement with Resend that includes Standard Contractual Clauses for international data transfers.
- Stripe (payment processing): Stripe maintains its own GDPR compliance program with Standard Contractual Clauses for international transfers.
- Sentry (crash reporting): Sentry is configured with PII collection disabled. Crash reports contain only technical data.
- PostHog (product analytics): PostHog processes anonymized usage data. No personally identifiable information is transmitted.
Canada has received an adequacy decision from the European Commission under PIPEDA, meaning transfers of personal data from the EEA to Canada are permitted without additional safeguards.
For more information about these safeguards or to obtain a copy of the relevant agreements, please contact us at [email protected].
5. Sub-Processors
We use the following sub-processors to help deliver the ClearSkinAI service:
- OpenAI (San Francisco, USA) — AI-powered skin analysis. Processes face photos, date of birth, gender, age, and user-provided context to generate skin health assessments. Data Processing Agreement with SCCs in place.
- Supabase (San Francisco, USA) — Database, authentication, and file storage. Stores account data, scan results, and photos. Data Processing Agreement with SCCs in place.
- Stripe (San Francisco, USA) — Payment processing. Handles subscription billing and payment method management. No raw payment data touches our servers.
- Resend (San Francisco, USA) — Transactional email delivery. Sends account verification, password reset, data export, and contact form emails. Data Processing Agreement with SCCs in place.
- Sentry (San Francisco, USA) — Crash reporting and error tracking. Receives anonymized crash reports with PII collection disabled.
- PostHog (San Francisco, USA) — Product analytics and event tracking. Collects anonymized usage events (screen views, feature interactions) with no personally identifiable information. PostHog generates its own anonymous identifiers.
We will notify users of any changes to this list by updating this Privacy Policy.
6. How We Use Your Information
We use the information we collect to:
- Provide and maintain the App's skin analysis features
- Process your AI-powered skin assessments using OpenAI's API
- Estimate your skin age and compare it to your actual age
- Provide gender-appropriate skincare analysis and recommendations
- Generate personalized AM/PM skincare routines and product suggestions
- Track your skin health progress over time
- Manage your free trial scans (3 free scans per account for non-subscribers)
- Process subscription payments and manage your account
- Send you important updates about your account or the App
- Respond to your inquiries and provide customer support through our contact form
- Improve our App's features and user experience
- Detect, prevent, and address technical issues or fraudulent activity
- Comply with legal obligations
7. Third-Party Services
We use the following third-party services that may collect and process your information:
7.1 Supabase (Database & Authentication)
We use Supabase to store your account information, scan data, and manage authentication. Supabase is hosted on secure servers and complies with industry-standard security practices. All user data tables are protected with Row-Level Security (RLS) policies ensuring users can only access their own data.
7.2 OpenAI (AI Processing)
Your skin photos, along with your date of birth, gender, and age, are sent to OpenAI's GPT-5-mini vision API to provide AI-powered analysis and recommendations. This demographic data is included to enable accurate skin age estimation and gender-appropriate analysis. OpenAI processes this data in accordance with their privacy policy and data processing agreements. Images and demographic data are processed for analysis purposes only and are not used to train OpenAI's models.
7.3 Stripe (Payment Processing)
All payment transactions are processed by Stripe, including Apple Pay and Google Pay. We do not store your full payment card details. Stripe's use of your personal information is governed by their privacy policy.
7.4 Resend (Email Services)
We use Resend to send emails, including contact form responses and GDPR data export emails. Your email address and message content are processed by Resend in accordance with their privacy policy.
7.5 Sentry (Crash Reporting)
We use Sentry to collect error logs and crash reports to help us identify and fix technical issues in the App. Sentry is configured with personally identifiable information (PII) collection disabled, meaning your IP address and other personal data are not sent to Sentry. Only technical error data and device metadata (such as device model and operating system version) are collected.
8. Data Retention
We retain your personal information and skin analysis data until you delete your account. When you delete your account:
- All your personal information is permanently deleted
- All your scan photos and analysis results are permanently deleted
- Your subscription is cancelled (if active)
- Your contact form submissions and communication history are permanently deleted
- Some financial records may be retained as required by law for tax and accounting purposes
9. Data Security
We implement appropriate technical and organizational measures to protect your personal information, including:
- Encryption of data in transit and at rest
- Secure authentication protocols with JWT token expiry and refresh token rotation
- Row-Level Security (RLS) policies on all database tables
- Compound rate limiting (IP + user-based) on all API endpoints
- OWASP Top 10:2025 compliant security measures
- Input validation, sanitization, and path traversal prevention
- Security event logging with automatic sensitive data redaction
- Limited access to personal data by authorized personnel only
However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal information, we cannot guarantee its absolute security.
10. Your Privacy Rights
10.1 General Rights
You have the right to:
- Access your personal information
- Correct inaccurate or incomplete information
- Delete your account and all associated data
- Withdraw consent for data processing
- Export your data in a portable format (JSON export via email)
10.2 Canadian Residents (PIPEDA)
Under Canadian privacy law, you have the right to access your personal information and request corrections. You may also withdraw consent for certain data processing activities.
10.3 European Residents (GDPR)
If you are located in the European Economic Area, you have additional rights under GDPR, including:
- Right to data portability
- Right to restrict processing
- Right to object to processing
- Right to lodge a complaint with a supervisory authority
10.4 California Residents (CCPA)
California residents have the right to:
- Know what personal information is collected, used, shared, or sold
- Delete personal information held by businesses
- Opt out of the sale of personal information (Note: We do not sell personal information)
- Non-discrimination for exercising their privacy rights
11. Children's Privacy
Our App is intended for users aged 13 and older. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child under 13 has provided us with personal information, please contact us at [email protected], and we will delete such information from our systems.
For users aged 13–18, we recommend parental guidance when using the App and its skin analysis features.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy within the App and updating the "Last Updated" date. You are advised to review this Privacy Policy periodically for any changes.
Your continued use of the App after any modifications to the Privacy Policy will constitute your acknowledgment of the modifications and your consent to abide by the modified Privacy Policy.
13. Legal Disclaimers and Limitations
CRITICAL LEGAL NOTICE: This Privacy Policy is subject to our Terms of Service, which contain comprehensive legal disclaimers and limitations of liability.
13.1 Medical and Health Disclaimers
You acknowledge and agree that:
- All data collection and processing is for informational and educational purposes only
- We do not provide medical advice, diagnosis, or treatment
- We are not responsible for any health outcomes or medical decisions based on our analysis
- You should consult with healthcare professionals for any medical concerns
- We disclaim all liability for any adverse health effects or medical complications
13.2 Product Recommendation Disclaimers
You acknowledge and agree that:
- Any product recommendations are generated by AI and may not be suitable for your specific needs
- We are not responsible for any adverse reactions to recommended products
- You are solely responsible for researching and testing any recommended products
- We disclaim all liability for product-related injuries or damages
- You assume all risks associated with using recommended products
13.3 Data Accuracy and Reliability
You acknowledge and agree that:
- All AI-generated analysis and recommendations may contain errors or inaccuracies
- We do not guarantee the accuracy, reliability, or completeness of any analysis results
- You should not rely solely on our analysis for important health or skincare decisions
- We are not liable for any decisions made based on our analysis or recommendations
13.4 International Data Protection
ClearSkin AI is operated from Ontario, Canada, and complies with Canadian privacy laws (PIPEDA) as its primary legal framework. If you are located in the European Economic Area, United Kingdom, or California, you may have additional rights under applicable data protection laws as described in Section 10 of this Privacy Policy.
14. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:
We will respond to your inquiry within 30 days of receipt.