Privacy Policy

Last updated: April 23, 2026
Version: 2.1
Data Controller: Skintuit Limited (registered in England and Wales)

1. Who We Are

Skintuit Limited ("Skintuit", "we", "our", "us") is a UK company that provides an AI-powered skincare app on iOS and Android. We are the data controller responsible for your personal data.

Registered office: 24 Epworth Street, London, EC2A 4DL, United Kingdom
Privacy contact: privacy@skintuit.co.uk
Companies House registration: 17145574
ICO registration: Not currently required — Skintuit Limited is pre-trading and exempt under the UK Data Protection (Charges and Information) Regulations 2018. We will register with the UK Information Commissioner's Office before commencing commercial trading and update this policy with our registration number at that time.

2. Summary at a Glance

We collect what we need to give you a personalised skincare experience and nothing more.
Sensitive features (selfie skin analysis, menstrual cycle integration) are opt-in, gated to users 18 and over, and process data on your device wherever possible.
Your data is stored in the EU (Frankfurt). AI processing happens in the United States under Standard Contractual Clauses.
You can export or delete all your data at any time from inside the app.
We do not sell your data, and we do not use it to train AI models.

3. Age Requirements

Core app features: users must be at least 13 years old (16 in some EU countries, in line with local law).
Sensitive features (skin photo analysis, cycle-based recommendations): users must be at least 18 years old. These features are off by default and require separate consent.
We do not knowingly collect data from children under 13. If we learn we have, we delete it.

4. Information We Collect

4.1 Account Information

Email address (sign-in via Google OAuth or email magic link)
Display name (optional)
Account creation timestamp

4.2 Skin Profile (Health-Adjacent)

Skin type, skin concerns, climate, age range, gender
Fitzpatrick skin type (I–VI), if you choose to provide it — used to adjust sun-protection and active-ingredient recommendations
Treated as special category data under UK GDPR — processed only with your explicit consent

4.3 Health Information (Optional, Opt-In)

If you grant explicit consent on the safety screen in onboarding or from your profile, we also collect:

Pregnancy status — none, trying, pregnant, or breastfeeding
Skin conditions — e.g., rosacea, eczema, psoriasis, melasma, seborrheic dermatitis
Known allergies — free-text list of ingredients you react to
Ingredients to avoid — categories of actives you want excluded (e.g., retinoids, AHAs, fragrance)

Under UK/EU GDPR, pregnancy status and skin conditions are special-category health data (Article 9). We treat known allergies and ingredient exclusions with the same protections because they are safety-sensitive. Sharing this information is entirely optional — the app works without it, with reduced personalization. We log the exact timestamp of your consent (health_data_consent_granted_at) as the audit trail. You can clear all of this data at any time from Profile > Delete my health data without deleting your account.

Legal basis: Article 9(2)(a) — your explicit consent.

4.4 Product Data

Photos of skincare products you take or upload
AI-derived product information (name, brand, category, ingredients)
Routine changes and product addition/removal history

4.5 Routine and Usage Data

AI-generated morning, evening, and weekly routines
Routine completion logs (when you mark steps done)
Streak data and habit metrics

4.6 Skin Photos and Skin Analysis Data (Optional, 18+ only)

Selfie photos taken for progress tracking, with clear capture guidance
Numerical skin attribute scores (hydration, redness, pore visibility, pigmentation evenness, fine line presence, oiliness, tone uniformity)
Time series of these scores so you can see progress over time
These features require separate explicit consent at the point of opt-in

4.7 Menstrual Cycle Data (Optional, 18+ only)

Cycle phase data, either entered manually or imported from Apple HealthKit / Google Fit
Treated as special category health data under UK GDPR
Used solely to adapt your skincare recommendations by cycle phase
Requires separate explicit consent at the point of opt-in

4.8 Outcome Attribution Data (Derived)

Statistical correlations between routine changes and skin scores
AI-generated insight text explaining likely cause-and-effect of product changes
Your feedback (helpful / not helpful) on each insight

4.9 Technical Data

Device type, operating system, app version, language settings
Crash reports and performance diagnostics

4.10 Analytics (Optional, separate opt-in)

Feature usage events, screen views, engagement metrics
Off by default; you control this from Settings

What We Do NOT Collect

Payment or financial information (handled directly by Apple and Google)
Precise geolocation
Contacts, call logs, messages, or other on-device personal content
Biometric identifiers used for unique identification of you as an individual

5. How We Use Your Information

Purpose	Data Used	Legal Basis (UK GDPR)
Account creation and login	Email, account info	Contract (Art. 6(1)(b))
Personalised skincare routines	Skin profile, products	Explicit consent (Art. 9(2)(a))
Product identification	Product photos	Contract (Art. 6(1)(b))
Skin progress tracking (18+)	Selfie photos, derived scores	Explicit consent (Art. 9(2)(a))
Cycle-based routines (18+)	Cycle phase data	Explicit consent (Art. 9(2)(a))
Outcome attribution insights	Routine + skin score history	Explicit consent (Art. 9(2)(a))
Streaks and habit tracking	Routine completion logs	Contract (Art. 6(1)(b))
App stability and bug fixes	Technical and crash data	Legitimate interest (Art. 6(1)(f))
Product improvement analytics	Usage events	Consent (Art. 6(1)(a)) — opt-in

6. Skin Photos — How We Handle Them

This is one of our most sensitive features, so we want to be especially clear:

Skin photo analysis is opt-in. You can use Skintuit fully without ever enabling it.
You must be 18 or older to use this feature.
Photo processing runs on your device wherever possible, using Apple's Vision framework or Google's ML Kit. The raw photo never leaves your device unless you choose to back it up.
We store the numerical skin scores (e.g. "hydration 72") rather than the raw photos by default.
Cloud backup of raw photos is off by default. If you turn it on, photos are encrypted at rest in our EU-hosted storage and only you can access them.
We never use your skin photos to train AI models.
We never share your skin photos with other users or any third party, except the on-device ML processing libraries which run locally and do not transmit data.
You can delete all skin tracking history with one tap from Settings.
These photos are not used for facial recognition or biometric identification. We analyse skin attributes, not identity.

Why this is not "biometric data" under UK GDPR

We process skin photos to derive skin attribute scores (hydration, redness, etc.). We do not process them to uniquely identify you as a person — we already know who you are because you logged in. This means the photos are personal data (which we protect carefully) but not "biometric data" under Article 9 of the UK GDPR.

If our AI ever detects something that could be a health condition (for example, persistent breakouts that may indicate acne), we treat that as health data and apply the explicit consent and safeguards required for special category data.

7. Menstrual Cycle Data

If you choose to enable cycle-based recommendations:

You must be 18 or older.
Cycle data is health data under UK GDPR Article 9 — we process it only with your explicit consent.
Where possible, we read cycle data from Apple HealthKit or Google Fit so it stays under your control on your device.
We use cycle phase only to adapt your skincare recommendations.
We do not share cycle data with any third party.
You can disconnect cycle integration and delete all cycle data from Settings at any time.

8. Third-Party Services

Service	Purpose	Data shared	Location
Supabase	Database, authentication, file storage	Email, profile, products, routines, skin scores	EU — Frankfurt
Anthropic (Claude API)	AI product identification, routine and insight generation	Product photos, profile, derived skin scores	United States (SCCs)
Google OAuth	Sign-in	Email, name	Global
Apple HealthKit / Google Fit	Optional cycle data import	Read-only access to cycle data	On-device
Apple App Store / Google Play	Subscription billing	Payment data (handled by Apple/Google)	Global

9. International Data Transfers

Your data is stored in the EU (Frankfurt, Germany).
Some processing happens in the United States (Anthropic, for AI features).
We rely on Standard Contractual Clauses approved by the European Commission and the UK ICO for these transfers.
Anthropic does not store your data beyond the processing window and does not use it to train models.
We have completed a Transfer Impact Assessment for these transfers and keep it on file.

10. Your Rights

You have the right to:

Access your data (use Export My Data in Settings)
Correct inaccurate data (edit your profile and inputs)
Delete your data (use Delete Account in Settings)
Restrict or object to certain processing (contact us)
Withdraw consent at any time (Settings or by contacting us)
Data portability — download a copy of your data as JSON
Lodge a complaint with your local data protection authority (UK ICO at ico.org.uk)

To exercise any right, use the in-app controls or email privacy@skintuit.co.uk. We respond within 30 days.

11. Data Retention

Data type	Retention	Trigger for deletion
Account data	Until you delete your account	User-initiated
Skin profile	Until you delete your account	User-initiated
Product data and photos	Until you remove the product or account	User-initiated
Routine data	Until regenerated or account deleted	Routine refresh or user-initiated
Skin photos (if cloud backup enabled)	Until you turn off backup or delete the photo	User-initiated
Skin score time series	Until you delete skin tracking history or account	User-initiated
Cycle data	Until you disconnect cycle integration or account	User-initiated
Outcome attribution insights	Until you delete or account is deleted	User-initiated
Crash and technical data	90 days	Automatic
Usage analytics (opt-in)	12 months, then aggregated	Automatic
Consent records	Account lifetime + 3 years	Regulatory requirement

When you delete your account, all personal data is permanently erased within 30 days. Anonymised aggregated data that cannot identify you may be retained.

12. Security

All data is encrypted in transit (TLS) and at rest (AES-256).
Strict per-user data isolation enforced at the database level (Row Level Security).
Skin photos in cloud backup are encrypted and accessible only via short-lived signed URLs.
AI API calls are routed through our backend so API keys are never exposed in the app.
We strip EXIF metadata (including any location information) from photos before processing.
No sensitive data is logged in production.
A locally-cached copy of your profile (including any health information) is also held on your device in standard app storage so the app works offline. This on-device cache relies on your device's built-in security — we recommend you keep your device's screen lock and device-level encryption enabled.

13. Disclaimer — Not Medical Advice

Skintuit provides skincare guidance based on general dermatological principles and AI analysis. It is not a medical device and does not provide medical advice, diagnosis, or treatment. If you have a skin condition or concern, please consult a qualified dermatologist.

Skin photo analysis estimates cosmetic attributes only. It does not detect or diagnose skin diseases including but not limited to skin cancer, eczema, or autoimmune conditions.

14. AI Transparency

We use AI (Anthropic's Claude) for product identification, routine generation, and insight creation.
AI processing occurs on US servers under Standard Contractual Clauses.
No automated decisions are made about you that have legal or similarly significant effects.
AI outputs are recommendations, not instructions. You always remain in control of your routine.

15. Changes to This Policy

We may update this policy. When we do:

We update the "Last updated" date and version above.
For material changes (new data categories, new sharing, new sensitive features), we notify you in-app and ask for fresh consent before continuing.
The full version history is available on request.

16. Contact

Skintuit Limited
24 Epworth Street, London, EC2A 4DL, United Kingdom
Email: privacy@skintuit.co.uk

For UK regulatory matters, our supervisory authority is the UK Information Commissioner's Office (ICO): ico.org.uk