Privacy Policy
How HairCheck collects, uses, and protects your information.
1. Who we are
HairCheck (the "App") is provided by:
Operator (Data Controller under Art. 4(7) GDPR):
Emil Arnold (sole proprietor)
Igoumenitsas 5
6037 Larnaca
Cyprus
Email: emilio.arnold99@gmail.com
We are responsible for the processing of personal data described in this Privacy Policy. References to "we", "us" or "our" mean the operator above.
2. What information we collect
We collect only the data necessary to provide the App's features. We do not require you to create an account, and we do not collect your name, address, phone number, or other contact details unless you choose to email us.
2.1 Photos you capture or upload
When you use a scan, before/after, or analysis feature, you capture or select a photo using your device. That photo may show your face, forehead, hairline, temples, scalp, crown, and hair. The photo is transmitted to our backend and to our AI processing provider (see Section 5) to generate scores, projections, and recommendations.
2.2 Face data / photos containing your face and hairline
Some scan photos may include your face, forehead, hairline, temples, scalp, and other visible facial or head features ("face data"). We do not collect face geometry, face maps, biometric templates, Face ID data, facial recognition identifiers, or data used to identify or authenticate you. We do not use face data for facial recognition, identity verification, advertising, or profiling across apps or websites.
We use photos that may contain face data only to provide the App's requested features: hairline and scalp analysis, scan scores, before/after visual projections, scan history, and personalised informational routine recommendations.
2.3 Hair and scalp profile data
Information you enter such as age range, gender, hair type, perceived concerns, and routine answers. This data informs analysis and recommendations.
2.4 Generated analysis results
AI‑generated scores (e.g., density, recession, overall hair score), AI‑generated before/after images, and recommended routines that are produced from your inputs.
2.5 Device and technical information
An anonymous device identifier (generated locally by the App), device model, iOS version, App version, language/region, crash and error logs, and basic request metadata (timestamps, IP address as received by our hosting provider).
2.6 Subscription and purchase information
If you purchase a subscription, our payments partner RevenueCat (see Section 5) receives a pseudonymous identifier and your Apple transaction receipt in order to verify your subscription status. We do not receive your credit card details, your Apple ID, your name, or your billing address — these remain with Apple.
2.7 Information you provide directly
If you email us for support, we receive the contents of your message and your email address.
2.8 What we do not collect
- We do not collect biometric face templates, face geometry, Face ID data, or facial recognition identifiers.
- We do not use third‑party advertising or tracking SDKs.
- We do not sell your personal data.
- We do not share data across apps or websites for advertising purposes.
- We do not access your contacts, calendar, location, microphone, or health records.
- We do not use the Apple Advertising Identifier (IDFA).
3. How we use your information
| Purpose | Data used |
|---|---|
| Generate hair analysis scores | Photos, including photos that may contain face data, profile data |
| Generate AI before/after projections | Photos, including photos that may contain face data, profile data |
| Provide personalised routine recommendations | Profile data, analysis results |
| Save your scan history and progress over time | Analysis results, anonymous device ID |
| Manage and validate your subscription | Anonymous purchase token (via RevenueCat) |
| Diagnose crashes and improve reliability | Error logs, device/OS info |
| Respond to your support requests | Email content, email address |
| Comply with legal obligations | As required by applicable law |
4. Legal basis for processing (GDPR)
If you are located in the European Economic Area, the United Kingdom, or Switzerland, we process your personal data on the following legal bases under Art. 6 GDPR:
- Performance of a contract (Art. 6(1)(b)) — to provide the App's features that you have requested, including subscription management.
- Legitimate interests (Art. 6(1)(f)) — for security, fraud prevention, crash diagnostics, and to operate and improve the App. We balance these interests against your privacy rights.
- Consent (Art. 6(1)(a)) — for camera and photo library access, which you grant via iOS system permissions and can revoke at any time in iOS Settings.
- Legal obligation (Art. 6(1)(c)) — where we must retain or disclose data to comply with law.
5. Service providers & subprocessors
To operate the App we rely on a small number of third‑party processors. They process data on our behalf and only for the purposes described below.
| Provider | Purpose | Data processed | Region |
|---|---|---|---|
| OpenAI, L.L.C. (USA) | AI vision analysis (GPT‑4o) and AI image generation (GPT Image) | Photos you submit, including photos that may contain face data, hair profile inputs | USA |
| Railway Corporation (USA) | Backend application hosting and request processing | Photos, including photos that may contain face data, requests, error logs | USA / Singapore |
| RevenueCat, Inc. (USA) | Subscription validation and management (App Store receipt verification) | Pseudonymous subscription identifier, Apple receipt | USA |
| Apple Inc. (USA) | App distribution, in‑app purchases, crash reporting (if enabled by you) | Per Apple's privacy policy | USA / EU |
According to OpenAI's enterprise data policy, data submitted via its API is not used to train OpenAI's models. We do not enable any opt‑in data sharing features.
6. Data retention
We retain your data only for as long as necessary to provide the App's features:
- Photos you upload, including photos that may contain face data: retained on our backend for as long as your subscription is active, plus up to 90 days after cancellation, so that features such as scan history and before/after comparison work across sessions. After this period, photos are deleted from our systems and from caches held by our subprocessors in the ordinary course.
- Analysis results (scores, generated images, routines): retained for the same period as the underlying photo so that your history remains accessible to you.
- Anonymous device identifier and subscription token: retained for the duration of your subscription and up to 24 months thereafter for fraud prevention and accounting purposes.
- Support correspondence: retained for up to 24 months after the last interaction.
- Server logs: retained for up to 30 days for security and debugging.
You may request earlier deletion at any time (see Section 9).
7. International data transfers
Because our subprocessors (OpenAI, Railway, RevenueCat, Apple) are based in the United States and may process data in the United States, Singapore, or other regions, your personal data may be transferred outside the European Economic Area.
Where required, we rely on the European Commission's Standard Contractual Clauses (SCCs) and on data protection frameworks adopted by the relevant providers (e.g. the EU‑U.S. Data Privacy Framework) as the legal basis for such transfers.
8. Data security
We use industry‑standard technical and organisational measures to protect your data, including HTTPS/TLS encryption for all data in transit, access controls on our backend, and minimum‑privilege credentials for subprocessor access. No method of transmission or storage is 100% secure; we cannot guarantee absolute security.
9. Your rights
If you are in the EEA, UK, or Switzerland, you have the following rights under the GDPR:
- Right of access (Art. 15) — request a copy of your personal data.
- Right to rectification (Art. 16) — correct inaccurate data.
- Right to erasure / "right to be forgotten" (Art. 17) — request deletion of your data.
- Right to restriction (Art. 18) — limit how we process your data.
- Right to data portability (Art. 20) — receive your data in a machine‑readable format.
- Right to object (Art. 21) — object to processing based on legitimate interests.
- Right to withdraw consent (Art. 7(3)) — at any time, e.g. by revoking iOS permissions or uninstalling the App.
- Right to lodge a complaint with a supervisory authority. The competent authority for the operator is the Office of the Commissioner for Personal Data Protection of the Republic of Cyprus, Iasonos 1, 1082 Nicosia, Cyprus — dataprotection.gov.cy. You may also lodge a complaint with the supervisory authority of your habitual residence or place of work in the EEA.
If you are in California, you have similar rights under the California Consumer Privacy Act (CCPA), including the right to know, the right to delete, and the right to opt out of the sale or sharing of personal information. We do not sell or share personal information for cross‑context behavioural advertising.
10. Children's privacy
HairCheck is not directed to children. You must be at least 13 years old (or 16 years old in the EEA) to use the App. We do not knowingly collect personal data from children below these ages. If you believe a child has provided us with personal data, please contact us so we can delete it.
11. Changes to this policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page reflects the most recent change. Material changes will be highlighted in the App and/or on this page. Your continued use of the App after changes take effect constitutes acceptance of the updated policy.
12. Contact
- Privacy & Data Protection: emilio.arnold99@gmail.com
- Operator: Emil Arnold, Igoumenitsas 5, 6037 Larnaca, Cyprus