The short version: We collect your photo, email and age to run your skin analysis. Your photo is permanently deleted after processing — we never store it long-term, sell it, or use it to train AI models. We are a UK-based service and your data stays in Europe.
01
Data Controller
The data controller responsible for your personal data is:
- Trading name: SKINN AI LONDON™
- Legal name: Levent Ustun (Sole Trader)
- Email: [email protected]
- Website: https://skinnai.co.uk
- ICO Registration: Pending (application submitted)
We are established in the United Kingdom and process data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
02
What We Collect
Depending on which service you use, we may collect:
| Category | Data | Source | Required? |
|---|---|---|---|
| Biometric (special category) | Facial photograph submitted for analysis | You directly | Yes — for skin analysis |
| Contact | Email address | You directly | Yes — to deliver your report |
| Profile | Age (optional) | You directly | No — improves skin age accuracy |
| Transaction | Payment method, billing details | Stripe (we never see card numbers) | Yes — for paid analysis |
| Usage | Daily check-in history, streak count | Your device (localStorage) | No — opt-in feature |
| Technical | IP address, browser type, device type, pages visited, time of visit | Cloudflare / server logs | Automatic — security & diagnostics |
| Marketing | Email address (if subscribed to newsletter) | You directly | Opt-in only |
We do not collect: sensitive data unrelated to skin analysis, racial or ethnic origin beyond what is visually apparent from your photo, political opinions, health diagnoses, or financial account information beyond what Stripe shares with us.
03
How We Use Your Data
- Skin analysis: Your photo is transmitted (TLS 1.3) to Anthropic's Claude Vision API for processing. The API returns a structured skin report. The photo is then permanently deleted — typically within minutes, always within 24 hours.
- Report delivery: Your email address is used to send your PDF skin report via Resend (our email provider).
- Payment processing: Transaction data is processed by Stripe. We receive a payment confirmation and the amount only — we never see or store your full card details.
- Service improvement: Aggregated, anonymised usage statistics (no personal data) help us improve the platform.
- Marketing: If you opt in to our newsletter, we use your email to send skincare tips and product updates. You can unsubscribe at any time via the link in every email.
- Legal compliance: We may retain minimal transaction records to meet UK tax and accounting obligations.
- Security: Technical data is used to detect abuse, prevent fraud, and maintain service stability.
AI Training Disclosure: Your photos and personal data are never used to train AI models — neither by SKINN AI LONDON nor by Anthropic. We operate under Anthropic's API Terms of Service which expressly prohibit the use of customer inputs to train their models.
04
Legal Basis for Processing
| Purpose | Legal Basis (UK GDPR) |
|---|---|
| Performing skin analysis and delivering report | Article 6(1)(b) — Performance of a contract |
| Processing biometric photograph | Article 9(2)(a) — Explicit consent (given at checkout) |
| Processing payment | Article 6(1)(b) — Performance of a contract |
| Sending transactional emails (report delivery) | Article 6(1)(b) — Performance of a contract |
| Sending marketing emails | Article 6(1)(a) — Consent |
| Fraud prevention and security | Article 6(1)(f) — Legitimate interests |
| Compliance with legal obligations (tax records) | Article 6(1)(c) — Legal obligation |
Where we rely on consent as our legal basis, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
05
Third-Party Processors
We use the following trusted third-party processors. Each is bound by a Data Processing Agreement (DPA) and handles your data only as instructed by us.
| Processor | Role | Data Shared | Location |
|---|---|---|---|
| Anthropic (Claude Vision API) | AI skin analysis engine | Your photo, analysis prompt only | USA (Standard Contractual Clauses apply) |
| Stripe | Payment processing | Payment method, billing details | USA / EU (SCCs + UK addendum) |
| Resend | Transactional email delivery | Email address, report content | USA (SCCs) |
| Cloudflare | Hosting, CDN, DDoS protection | Technical data (IP, browser info) | EU edge nodes primarily |
We do not sell your personal data to any third party. We do not share your data with beauty brands, advertisers, or data brokers — now or ever.
Where data is transferred outside the UK/EEA, we rely on Standard Contractual Clauses (SCCs) or the UK International Data Transfer Agreement (IDTA) as the transfer mechanism.
06
Retention Periods
| Data Type | Retention Period |
|---|---|
| Facial photograph | Deleted within 24 hours of analysis (typically within minutes) |
| Email address (analysis delivery) | 12 months, then deleted unless subscribed to marketing |
| Marketing email list | Until you unsubscribe |
| Payment transaction records | 7 years (UK legal / HMRC requirement) |
| Server / access logs | 30 days (Cloudflare default) |
| Daily check-in data | Stored locally on your device only — never on our servers |
07
Your Rights Under UK GDPR
You have the following rights regarding your personal data:
- Right of access (Article 15): Request a copy of all personal data we hold about you.
- Right to rectification (Article 16): Correct inaccurate or incomplete data.
- Right to erasure (Article 17): Request deletion of your personal data ("right to be forgotten").
- Right to restrict processing (Article 18): Ask us to pause processing while a dispute is resolved.
- Right to data portability (Article 20): Receive your data in a machine-readable format.
- Right to object (Article 21): Object to processing based on legitimate interests, including marketing.
- Right to withdraw consent: Where processing is based on consent, withdraw it at any time.
- Rights related to automated decision-making: We do not make solely automated decisions that have legal or similarly significant effects on you.
To exercise any of these rights, email [email protected] with your request. We will respond within 30 days. We may ask you to verify your identity before processing your request.
08
Security Measures
- All data in transit is encrypted using TLS 1.3.
- Photo uploads are transmitted directly to the analysis API — not stored on our web server.
- Cloudflare WAF (Web Application Firewall) protects against injection, XSS, and DDoS attacks.
- Stripe processes payments in an isolated PCI DSS-compliant environment — we never handle raw card data.
- Administrative access to systems is protected by multi-factor authentication.
No method of transmission over the internet is 100% secure. If you believe your data has been compromised, contact us immediately at [email protected].
09
Children and Age Restrictions
Our service is intended for users aged 18 and over. We do not knowingly collect personal data from individuals under 18. If you believe we have inadvertently collected data from a minor, please contact us immediately and we will delete it promptly.
Users aged 13–17 may only use the service with verified parental or guardian consent, which must be provided to us in writing before analysis.
10
Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you by email.
Your continued use of the service after any changes constitutes your acceptance of the updated policy.
11
Contact & Complaints
For any questions about this Privacy Policy or to exercise your rights:
- Email: [email protected]
- Response time: We aim to respond within 5 business days
If you are not satisfied with our response, you have the right to lodge a complaint with the UK's supervisory authority:
Information Commissioner's Office (ICO)
Website: ico.org.uk
Helpline: 0303 123 1113
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF