Privacy Policy
Version 2.0 · Updated: 2026-07-03
VitaSkan Privacy Policy
Version 2.0 — Updated July 3, 2026
We take your privacy seriously. Not because we have to. Because you're trusting us with your face.
This policy explains what we collect, why, and what you can do about it. Plain English. No tricks.
The Short Version
- We collect your email, your selfies, your scan results, and your check-ins.
- Stripe handles your payment. We never see your card number.
- Your photos are encrypted, stored in the EU, and never used to train AI models.
- You can delete your account any time. Everything goes.
- Anonymous scans auto-delete after 24 hours.
- We follow GDPR (Europe) and CCPA/CPRA (California).
Read on for the details.
1. What We Collect
When you sign up
- Email address — so you can log in and we can email you.
- Password — stored hashed. We never see the plain text.
When you scan
- Selfies — the photos you upload.
- Scan results — your Health Score (0 to 100) and the sub-scores (wrinkles, redness, pores, dark spots, hydration, and a few others).
- Device info — browser type, screen size. Helps us fix bugs.
When you check in
- Check-in data — how your skin feels, what products you used, notes you write.
- Photos — if you add them to a check-in.
When you pay
- Payment info — handled by Stripe. We see the last 4 digits of your card and the country. We never see the full number or the CVC.
- Subscription status — active, cancelled, refunded.
When you visit
- IP address — used for rate limiting and fraud prevention. Not tied to your profile long-term.
- Turnstile signal — Cloudflare Turnstile confirms you're human when you do an anonymous scan. It doesn't track you across the web.
2. Why We Collect It
| Data | Reason |
|---|---|
| Login, receipts, account emails | |
| Selfies | Run the scan, show your history |
| Scan results | Show your score and routine |
| Check-ins | Track what changes over time |
| Payment info | Charge you the right amount |
| IP address | Stop bots and fraud |
| Device info | Fix bugs, keep the app working |
We don't collect anything just because we can. If we don't need it, we don't want it.
3. Our Legal Basis (GDPR)
If you're in the EU or UK, here's the legal reason we can process your data under GDPR Article 6:
- Consent — for uploading and storing your selfies. You tell us it's okay by using the scan.
- Contract — for running your account and subscription. We can't give you Premium without processing your payment info.
- Legitimate interest — for fraud prevention, rate limiting, and debugging. We balance this against your privacy.
- Legal obligation — for tax records and responding to lawful requests.
You can withdraw consent any time. That may mean we can't keep giving you the service.
4. How We Handle Your Photos
Your selfies are the most sensitive thing we hold. Here's exactly what happens.
When you scan:
- Your photo is uploaded over HTTPS.
- It goes to Perfect Corp's API for skin analysis. Perfect Corp processes it and returns scores. They don't keep it longer than needed to process it (see their policy).
- We store it encrypted on our Supabase database in the EU.
- Only you can see it when you log in.
We do not:
- Sell your photos.
- Share them with advertisers.
- Use them to train AI models. Not ours, not anyone else's.
- Let staff browse them for fun. Access is logged and limited to fixing bugs when you ask for help.
Encryption: Photos are encrypted at rest. The database is encrypted. Backups are encrypted.
Deletion: When you delete your account or ask us to delete a specific photo, it's gone within 7 days. Backups roll over within 30 days.
5. How Long We Keep Things
| Data | How long |
|---|---|
| Account + scan history | Until you delete your account |
| Anonymous scans | 24 hours, auto-deleted |
| Payment records | 7 years (tax law) |
| Support emails | 2 years |
| IP logs | 30 days |
| Deleted account backups | 30 days, then gone |
When you hit Delete Account, there's a 7-day cooldown so you can change your mind. After that, we wipe your profile, photos, scans, and check-ins.
Some things we have to keep by law — like payment records for tax purposes. Those we keep, but only what the law requires.
6. Who Else Sees Your Data
We use a few trusted companies to run VitaSkan. They only see what they need to do their job.
| Partner | What they do | What they see |
|---|---|---|
| Supabase (EU) | Database and file storage | Everything, encrypted |
| Stripe | Payments | Card details, billing address |
| Perfect Corp | Skin analysis API | Your selfie, briefly |
| Vercel | App hosting | HTTP requests, IP for a few days |
| Resend | Sending emails | Your email address |
| Cloudflare | Bot protection (Turnstile) | Signals from your browser |
Each one has its own privacy policy. We picked them because they take security seriously.
We do not sell your data. Not to advertisers. Not to data brokers. Not to anyone.
We may share data if a court orders us to, or if we need to protect our rights or someone's safety. If that happens and the law lets us, we'll tell you.
7. Cookies and Tracking
We use the minimum cookies needed to run the app.
- Essential cookies: keep you logged in.
- Analytics: we may use privacy-friendly analytics (like Plausible) to count page views. No personal profile is built.
- No ad tracking. No Facebook pixel. No Google ad cookies.
You can block cookies in your browser. The app may not work right if you do.
8. Your Rights
You have real rights over your data. Here's how to use them.
Everyone
- Access — ask for a copy of what we have on you.
- Correction — fix anything that's wrong.
- Deletion — wipe your account and everything in it.
- Portability — download your scans and check-ins as a file.
- Object — tell us to stop using your data for something specific.
To use any of these, email hello@vitaskan.com. We reply within 30 days.
If you're in the EU or UK
You have the full set of GDPR rights above. You can also complain to your local data protection authority if you think we've messed up. We'd rather you email us first so we can fix it.
If you're in California
CCPA and CPRA give you:
- The right to know what we collect and why.
- The right to delete.
- The right to correct.
- The right to opt out of "sale" or "sharing." We don't sell or share your data for ads, so there's nothing to opt out of — but the right is there.
- The right not to be discriminated against for using these rights. We won't cancel your account for asking questions.
To make a California request, email hello@vitaskan.com with "California Privacy Request" in the subject.
9. Data Leaving Europe
Some partners (like Stripe and Vercel) process data in the United States. When your data moves from the EU to the US, we use Standard Contractual Clauses approved by the European Commission. These are legal contracts that require the receiving company to protect your data at EU-level standards.
We review these arrangements yearly.
10. Kids
VitaSkan is for people 13 and older.
We don't knowingly collect data from anyone under 13. If you're a parent and you think your kid signed up, email hello@vitaskan.com. We'll delete the account.
If you're between 13 and 18, please check with a parent or guardian before subscribing to Premium.
11. Security
We do the basics well:
- HTTPS everywhere.
- Passwords hashed with modern algorithms.
- Photos and scans encrypted at rest.
- Access to production data logged and limited to a few engineers.
- Third-party security audits.
No system is bulletproof. If we ever have a breach that affects you, we'll tell you within 72 hours — sooner if we can.
12. Changes to This Policy
We may update this policy. When we do:
- Small changes: we update the page and change the date at the top.
- Big changes (new data types, new partners, new rights): we email you at least 30 days before it kicks in.
The latest version is always at the same URL. If you're worried about missing an update, bookmark it.
13. How to Reach Us
Questions about your data? Want to see what we have? Want to delete something?
Email: hello@vitaskan.com Subject line for privacy issues: "Privacy Request"
Data Protection Officer: For GDPR-specific matters, email hello@vitaskan.com with "DPO" in the subject. It reaches the right person.
We read every message. We reply within 30 days — usually within 2 business days.
One Last Thing
VitaSkan is not a medical device and does not diagnose, treat, or cure any medical condition. AI skin scoring is informational only. Consult a licensed dermatologist for medical concerns. Illustrative testimonials on our website are composites and do not depict real users.
Thanks for trusting us with your face. We won't blow it.