Privacy Policy

1. Introduction

Welcome to Makeup DNA ("we," "our," or "us"). We are committed to protecting your personal information and your right to privacy. This Privacy Policy explains how we collect, use, disclose, store, and safeguard your information when you visit our website at makeupdna.ai, use the Makeup DNA mobile applications on iOS and Android, and use our related services (collectively, the "Service").

Please read this Privacy Policy carefully. By using the Service, you consent to the collection, use, and disclosure of your information as described in this policy. If you do not agree with the terms of this Privacy Policy, please do not access or use the Service.

2. Information We Collect

We collect different types of information depending on how you interact with our Service:

2.1 Personal Information You Provide

• Email address: When you create an account or complete our quiz
• Payment information: Credit card details and billing information are processed and stored directly by our payment processors, Stripe and Revolut. We do not store your full card number on our servers.
• Photos and selfies: Images you capture or upload for generating personalized makeup looks

2.2 Quiz Response Data

When you complete our personalized beauty quiz, we collect your responses including:

• Age range
• Skin tone and skin concerns
• Eye color
• Makeup skill level and experience
• Makeup routine and products currently owned
• Makeup challenges and goals
• Preferred makeup occasions and look styles
• Tutorial viewing experience and preferences
• Personal comfort level and aspirations related to makeup

2.3 Automatically Collected Information

• IP address: Collected when you submit the quiz or interact with our Service
• User agent: Browser type, version, and operating system information
• Device information: Type of device, screen resolution, and browser capabilities
• Usage data: Pages visited, features used, time spent on pages, click patterns, and interaction data
• Referral data: How you arrived at our website, including referring URLs and advertising campaign identifiers

2.4 Cookies and Tracking Identifiers

• Authentication cookies: Used to manage your login session
• Advertising cookies: Set by advertising partners to identify your browser and attribute ad clicks
• Temporary cookies: Used for account registration flow (e.g., linking your quiz results to your account)

3. How We Use Your Information

We use the information we collect for the following purposes:

3.1 Service Delivery

• Generate personalized makeup looks using AI based on your selfie and quiz responses
• Provide tailored makeup tutorials, tips, and product recommendations
• Perform on-device face detection during selfie capture to help you frame the shot. This detection is transient and never leaves your device (see Section 4).
• Create and manage your user account
• Process subscription payments and manage billing

3.2 Communication

• Send you verification codes for account authentication
• Send transaction confirmations and billing receipts
• Respond to your support inquiries and customer service requests
• Send you important updates about the Service, including changes to our terms or policies

3.3 Analytics and Improvement

• Monitor and analyze usage trends and patterns to improve the Service
• Measure the effectiveness of our features and user experience
• Detect, investigate, and prevent fraudulent transactions or unauthorized access

3.4 Advertising and Marketing

• Track advertising conversions to measure the effectiveness of our marketing campaigns
• Send hashed (anonymized) email addresses to Meta for ad optimization and conversion tracking
• Attribute subscriptions and purchases to specific advertising campaigns

4. Photo and Face Data

Photos and any data derived from your face are a sensitive category of personal information, and we treat them with extra care. This section explains exactly what is collected, how it is used, who it is shared with, and how long it is kept.

4.1 What Face Data We Collect

• Selfie photographs: A single still photograph that you choose to capture with your device's camera or upload from your device. You may also select a pre-provided example image instead of using your own face. We do not record video and we do not capture continuous streams of imagery.
• No faceprints, biometric templates, or face geometry: We do not generate, derive, collect, or store any faceprint, face mesh, face embedding, face geometry, biometric identifier, or other unique data computed from your face. We do not use your face for identification, authentication, recognition, age estimation, ethnicity inference, emotion analysis, or any similar purpose.
• Real-time face detection (transient, on-device only): During selfie capture the Service may run on-device face detection to help you frame the shot. For example, it can display a face outline guide or confirm that a face is in view. This detection runs entirely on your device (in your browser on the web, or on the operating system on mobile), produces no persistent data, is never written to disk, and is never transmitted to our servers or to any third party. The transient detection data is discarded the moment the capture screen is dismissed.

4.2 How Photos Are Captured

• Camera capture: You may use your device's camera to take a selfie directly in the Service. Camera access is requested through your operating system's or browser's standard permission prompt and can be revoked at any time through your device or browser settings.
• File upload: Alternatively, you may upload an existing photo from your device's photo library.
• Example images: If you prefer not to use your own photo, you may select a pre-provided example image and skip capture entirely.

4.3 How Photos Are Processed

• On-device face detection: As described in 4.1, on-device face detection during capture is transient and never leaves your device.
• AI makeup generation: Once you submit a selfie, the photograph is sent over an encrypted connection to our AI image-generation provider, Google Gemini API (operated by Google LLC, USA). The provider processes the image solely to return personalized makeup looks and tutorial feedback. Per Google's API terms, content submitted to the Gemini API is not used to train Google's models.
• Storage: Your original selfie and the AI-generated images are stored in our cloud storage infrastructure (Supabase Storage, hosted in AWS) using industry-standard encryption in transit (TLS) and at rest.

4.4 What We Will Never Do With Your Face Data

• We do not sell, rent, license, or trade your photos or any face-related data.
• We do not share your photos with advertisers, advertising networks, analytics providers, or data brokers.
• We do not use your photos to train artificial intelligence models, neither our own nor those of any third party.
• We do not use your face for identification, authentication, recognition, surveillance, or profiling.
• We do not extract or store biometric templates, faceprints, face geometry, or face embeddings.
• We do not make your photos publicly accessible. They are not viewable by other users and are not indexable by search engines.

4.5 Retention and Deletion

• Retention period: Your selfies and the AI-generated images derived from them are retained for the duration of your account so that you can revisit your saved looks. They are deleted when you delete your account or specifically request photo deletion.
• On-device data: Real-time face detection data is not persisted at all and exists only for the duration of the capture interaction.
• How to delete: You can delete all of your photos at any time by deleting your account from within the app or website (Profile → Delete account), or by emailing us at support@makeupdna.ai. Deletion requests are processed promptly.

4.6 Security Measures

• Photos are transmitted to our servers and to the AI provider over TLS-encrypted connections.
• Photos are stored encrypted at rest by our storage provider.
• Access to photos is restricted to authenticated requests scoped to your account. Photos are not publicly indexable and cannot be retrieved without valid credentials.

5. Third-Party Services and Data Sharing

We share your information with the following third-party services that are necessary to operate the Service:

5.1 Payment Processing

• Providers: Stripe (Stripe, Inc., USA) and Revolut (Revolut Payments UAB, Lithuania). On mobile, in-app purchases are processed by Apple App Store, Google Play, and RevenueCat.
• Data shared: Email address, payment method details, billing address, transaction amounts
• Purpose: Process subscription payments and manage recurring billing
• Security: Both Stripe and Revolut are PCI-DSS Level 1 certified, the highest level of payment security compliance.

5.2 Cloud Infrastructure

• Providers: Supabase (Supabase Inc., USA — database, authentication, and file storage) and Vercel (Vercel Inc., USA — application hosting and serverless functions).
• Data shared: All account data, quiz responses, photos, and authentication data
• Purpose: Database hosting, user authentication, and secure file storage

5.3 AI Processing

• Provider: Google Gemini API (Google LLC, USA), used to generate personalized makeup looks and tutorial feedback.
• Data shared: Your selfie photo, AI-generated images, and quiz responses needed to generate the look.
• Purpose: Generate AI-powered personalized makeup looks based on your photo. Per Google's API terms, content submitted to the Gemini API is not used to train Google's models.
• Note: Face detection during selfie capture runs entirely on-device and does not send any data to external servers. We do not generate or store faceprints or biometric templates.

5.4 Advertising and Analytics

• Providers: Meta Pixel and Meta Conversions API (Meta Platforms Ireland Ltd.) for conversion tracking and ad optimization; Vercel Analytics (Vercel Inc., USA) for aggregated, privacy-friendly traffic analytics; and PostHog (PostHog, Inc., USA) for in-app product analytics and performance monitoring. We do not use TikTok, Google Ads, or Google Analytics pixels.
• Data shared: Hashed email address, IP address, user agent, advertising cookie identifiers, purchase amounts, and conversion events. For PostHog product analytics, we transmit anonymized user identifiers (a randomly assigned internal ID, never your email address or any directly identifying information), in-app interaction events, screen views, and performance metrics.
• Purpose: Measure advertising effectiveness, track conversions, optimize ad delivery, and monitor application performance and feature usage to improve the Service
• Events tracked: Page views, quiz completion, content views, payment initiation, subscription completion, purchases, and in-app feature interactions
• PostHog data handling: All data transmitted to PostHog is anonymized prior to transmission. No personally identifiable information (such as your name, email address, or photo) is ever sent to PostHog. Data is processed solely to help us understand how the application is used, identify and resolve technical issues, and improve the overall user experience. PostHog operates in accordance with GDPR and applicable data protection regulations.

5.5 Other Disclosures

We may also disclose your information:

• Legal requirements: If required by law, regulation, legal process, or governmental request
• Rights protection: To enforce our Terms of Service or protect the rights, property, or safety of Makeup DNA, our users, or others
• Business transfers: In connection with any merger, acquisition, sale of assets, or bankruptcy proceeding, in which case you will be notified

6. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to collect and track information about your use of our Service. The following table summarizes the cookies and tracking technologies we use:

You can control cookies through your browser settings. Most browsers allow you to refuse cookies, delete existing cookies, or be notified when a cookie is set. Please note that disabling essential cookies may prevent you from using certain features of the Service, such as staying logged in.

7. Data Retention

We retain your personal information for as long as necessary to provide the Service and fulfill the purposes described in this Privacy Policy. Specifically:

• Account data and quiz responses: Retained for the duration of your account. Deleted upon account deletion request.
• Photos: Retained for the duration of your account or until you request deletion, whichever comes first.
• Payment records: Retained as required by applicable tax and accounting regulations (typically up to 7 years).
• Server logs and analytics data: Retained for up to 12 months for analysis and security purposes.

When data is no longer needed, it is securely deleted or anonymized so that it can no longer be associated with you.

8. Data Security

We implement appropriate technical and organizational measures to protect your personal information, including:

• Encryption of data in transit using TLS/SSL (HTTPS)
• Encryption of stored data using industry-standard methods
• Secure authentication with support for Google sign-in and email verification codes
• Payment processing through PCI-DSS Level 1 compliant infrastructure
• Access control policies on our database to prevent unauthorized data access
• Server-side validation and authorization for all sensitive operations
• Email addresses are hashed before being shared with advertising partners

However, no method of electronic transmission or storage is 100% secure. While we strive to protect your personal information, we cannot guarantee its absolute security. You are responsible for maintaining the security of your account credentials.

9. Your Rights Under GDPR

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR) and equivalent legislation:

• Right of access: You have the right to request a copy of the personal data we hold about you.
• Right to rectification: You have the right to request correction of inaccurate or incomplete personal data.
• Right to erasure: You have the right to request deletion of your personal data ("right to be forgotten"), subject to certain legal exceptions.
• Right to restriction of processing: You have the right to request that we limit the processing of your personal data in certain circumstances.
• Right to data portability: You have the right to receive your personal data in a structured, commonly-used, machine-readable format and transmit it to another controller.
• Right to object: You have the right to object to processing of your personal data for direct marketing purposes or processing based on legitimate interests.
• Right to withdraw consent: Where processing is based on your consent, you have the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.
• Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority in your country of residence.

To exercise any of these rights, please contact us at support@makeupdna.ai. We will respond to your request within 30 days.

10. Legal Basis for Processing (GDPR)

We process your personal data on the following legal bases:

• Contract performance: Processing necessary to provide you with the Service, including account creation, quiz processing, AI image generation, and subscription management.
• Consent: Where you have given explicit consent, such as uploading your photo for AI processing or opting in to marketing communications.
• Legitimate interests: Processing necessary for our legitimate business interests, such as improving the Service, preventing fraud, and ensuring security, provided these interests do not override your fundamental rights.
• Legal obligation: Processing necessary to comply with applicable laws, such as tax record-keeping and responding to legal requests.

11. International Data Transfers

Because we rely on US-based service providers, your personal data is transferred to and processed outside the European Economic Area. Specifically:

• United States: Stripe, Supabase, Vercel, and Google (Gemini API) process data on US infrastructure.
• European Union (Lithuania / Ireland): Revolut and Meta process data primarily within the EU.
• Customer support and operations: We are established in Lithuania and access data from there.

When we transfer data outside the EEA, we rely on the European Commission's Standard Contractual Clauses (SCCs) with each provider, supplemented by the EU-U.S. Data Privacy Framework where the recipient is certified. You may request a copy of the safeguards in place by contacting us.

12. Children's Privacy

Our Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children under 18. If you are a parent or guardian and believe that your child has provided us with personal information, please contact us immediately at support@makeupdna.ai. If we discover that we have collected personal information from a child under 18, we will promptly delete that information.

13. Do Not Track Signals

Some browsers include a "Do Not Track" (DNT) feature that signals to websites that you do not want your online activity tracked. There is currently no universally accepted standard for how to respond to DNT signals. At this time, we do not respond to DNT signals, but we will continue to monitor developments in this area.

14. Third-Party Links

Our Service may contain links to third-party websites or services. We are not responsible for the privacy practices or content of those third parties. We encourage you to review the privacy policies of any third-party sites you visit.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any material changes by:

• Posting the updated Privacy Policy on this page with a new "Last updated" date
• Sending you an email notification for significant changes (if we have your email address)

Your continued use of the Service after any changes become effective constitutes your acceptance of the revised Privacy Policy.