Last updated: July 2026 - DSG / GDPR Compliant
Your data is stored securely. We never sell your personal information to third parties.
1. Data Controller
Vinh Tran
Zurich, Switzerland
Email: info@skinclar.com
2. Data We Collect
Account Data
- Email address (required for registration)
- First and last name (optional)
- Password (stored as encrypted hash - we never see your password)
- Account creation date
- Email verification code (stored as encrypted hash, automatically deleted after 15 minutes or once your email is verified)
Usage Data
- Products you scan and search for
- Your skin type and skin concerns (if you provide them)
- Your saved routines and product inventory
- App usage analytics (pages visited, features used, session duration)
- Device type and operating system
Photos & Images
We treat every image you provide with care. How an image is used depends entirely on where you add it:
- Product scans: When you scan a product, the photo of the packaging and ingredient list is analyzed to give you your result. We may keep these product photos and use them to build and improve the Skinclar product database (for example, adding new products and improving recognition) so results get better for everyone. Please photograph only the product - avoid including faces, people, or personal items. Product scan photos are never used for advertising and are never shown publicly together with your name.
- Progress photos: Progress photos (such as skin selfies) are private by default. They are stored securely, are visible only to you, and are never shared, published, or used to train AI models. They are only ever visible to others if you actively choose to publish them yourself. You can delete any progress photo at any time, which removes it from our servers.
- Direct message & group images: Images you send in direct messages or group chats are shared only with the recipients you choose and are not used for any other purpose. Do not send images of other people without their consent. Illegal or abusive content can be reported and will be removed.
- Your control: You can delete your images or your entire account at any time. Deleting your account removes your personal photos from our systems, in line with your rights under the Swiss DSG and the GDPR (see your rights below).
Push Notifications
If you turn on notifications, we store a push subscription token for your device. Notifications (for example new messages or bookings) are delivered through your device's push service (Apple, Google, or Mozilla, depending on your browser), which technically processes the message for delivery. Enabling notifications is voluntary (consent, GDPR Art. 6(1)(a)). You can turn them off at any time in your browser or system settings; the token is deleted when you unsubscribe or delete your account.
Community & Expert Consultations
Content you publish in the Community (posts, reviews, comments, and the skin type or concerns you attach to them) is visible to other users by design - share only what you are comfortable making public. Messages and images you send within a consultation are visible to you and the chosen expert only. If you offer consultations as an expert, Stripe collects the identity and banking details required for payouts (Stripe Connect); Skinclar never sees your banking details.
Subscription Data
If you subscribe to a paid plan, we store the following information related to your subscription:
- Your subscription tier (Free / Pro / Premium)
- Your subscription status (active, canceled, past_due)
- Stripe customer ID and Stripe subscription ID (references to Stripe - used to manage your subscription)
- Billing interval (monthly / yearly)
- Current billing period end date
We do not store your credit card details. All payment data is handled exclusively by Stripe (see Section 6).
Security & Anti-Abuse Data
To protect our service and users from abuse (spam registrations, brute-force attacks, automated bots), we temporarily process the following data:
- Your IP address (used for rate limiting and abuse prevention; stored in our cache for up to 1 hour)
- Login and registration timestamps
- Bot-verification data via Cloudflare Turnstile (browser fingerprint signals processed by Cloudflare; no cookies set by Turnstile)
Legal basis: Legitimate interests (GDPR Art. 6(1)(f)) - protecting our service and users from abuse, fraud, and unauthorized access.
Analytics Data (PostHog)
We use PostHog for anonymous usage analytics. PostHog is GDPR-compliant and data is stored in the EU. No personally identifiable information is shared with PostHog.
3. Why We Collect This Data
- Account management: To provide you access to the App
- Personalization: To match products to your specific skin profile
- Product improvement: To understand how users interact with the App
- Communication: To send you important updates about your account
- Security: To protect against unauthorized access and abuse
Legal basis (GDPR): Contract fulfillment (Art. 6(1)(b)), Legitimate interests (Art. 6(1)(f)), and Consent (Art. 6(1)(a)) where applicable.
4. Data Storage and Security
Your data is stored on Supabase (PostgreSQL), hosted in EU data centers (Frankfurt, Germany). Security measures include encrypted HTTPS connections, bcrypt password hashing, JWT token authentication, Row-Level Security in our database, mandatory email verification at registration, rate limiting against brute-force attacks, and bot protection via Cloudflare Turnstile.
5. Data Retention
We retain your account data for as long as your account is active. Unverified registrations (where the email verification step was not completed) are automatically deleted after 15 minutes. IP-based rate-limiting data is automatically deleted after 1 hour. You may request deletion of your data at any time. Anonymous analytics data may be retained for up to 2 years.
6. Third-Party Services
- Supabase - EU hosting, GDPR compliant
- PostHog - EU hosting, GDPR compliant, no personal data
- Resend - For transactional emails only
- Railway - App server and Redis cache hosting. Redis is used as a temporary in-memory store for rate-limiting counters (IP-based, kept for up to 1 hour) and does not store any personal user data.
- Cloudflare Turnstile - Bot detection on our registration and login pages. Cloudflare receives browser signals (such as IP address, user agent, and browser fingerprint) to determine whether a request is from a human. Turnstile does not set tracking cookies and is designed as a privacy-preserving CAPTCHA alternative. Data may be processed by Cloudflare outside the EU. See Cloudflare's Privacy Policy.
- Stripe Payments Europe Ltd. - Payment processing for paid subscriptions. When you subscribe, your payment details (card number, expiry, billing address) are sent directly to Stripe and are never seen or stored by Skinclar. Stripe is GDPR compliant and PCI DSS Level 1 certified. See Stripe's Privacy Policy.
- OpenAI - Used to extract product information from your scan photos. Photos are sent to OpenAI for processing and are not stored permanently. See OpenAI's Privacy Policy.
We do not sell your data. We do not share your data with advertisers.
7. Your Rights (GDPR)
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate data
- Erasure: Request deletion of your data
- Portability: Receive your data in a machine-readable format
- Object: Object to processing based on legitimate interests
- Withdraw consent: At any time, where processing is based on consent
To exercise these rights, contact: info@skinclar.com - We will respond within 30 days.
Download a copy of everything Skinclar stores about you - your profile, routines, reviews and progress - anytime.
Provided under your right of access (GDPR Art. 15). The file is a private copy - only you can download it.
8. Cookies
Skinclar uses session tokens (JWT) stored in your browser's local storage for authentication. We do not use advertising or tracking cookies.
9. Children's Privacy
Our App is not directed at children under 16. We do not knowingly collect data from children under 16.
10. Changes to This Policy
We may update this Privacy Policy. We will notify you of significant changes via email or in-app notification.
11. Contact and Complaints
Privacy questions: info@skinclar.com
You also have the right to lodge a complaint with your local data protection authority.