Last Updated: May 25, 2026

Introduction

Cosmetic AI ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your information when you use the Cosmetic AI mobile application ("App"). By using our services, you consent to the practices described in this policy.

Important: Uploaded product images may be processed by third-party AI providers to generate ingredient analysis. When you use the scan feature, photos of your cosmetic product labels are uploaded to OpenAI (GPT-4o-mini) for analysis. These images are processed transiently and are not stored by us. We do not upload or store your personal health data, weight, height, skin type preferences, or scan history on our servers — all of that data stays locally on your device.

Information We Collect

Information You Provide

  • Profile Information: Weight, height, weight unit (KG/LBS), height unit (CM/FT), skin type preference (Normal, Dry, Oily/Acne-Prone, Sensitive, Mixed, or Custom), and custom skin description that you voluntarily provide during onboarding or in settings.
  • Product Scans: Photos of cosmetic product labels and ingredient lists that you capture using the App's camera or upload from your photo library.
  • Scan Logs: History of products you've scanned, including the analysis results and your log status (Scanned, Applied, or Avoided).
  • Contact Information: If you contact us via email, we collect your email address and any information included in your message.

Information Collected Automatically

  • Device Information: Device type, operating system version, and unique device identifiers for providing and optimizing our services.
  • App Usage Data: Feature interactions, session duration, crash reports, and performance metrics to improve the App's functionality.
  • Subscription Status: Purchase and subscription information processed through our payment providers (RevenueCat and Apple App Store).

How We Store Your Data

Local-First Architecture

Your personal data is stored primarily on your device using secure local storage (AsyncStorage). We do not store the following data on our servers:

  • Product scan photos and ingredient images
  • Weight, height, and body measurements
  • Skin type preferences and custom descriptions
  • Product history, scan logs, and analysis results
  • App settings and preferences

Third-Party Processing

We use the following third-party services to provide core functionality. Uploaded product images may be processed by third-party AI providers to generate ingredient analysis. Specifically, when you scan a product, the photo is sent to OpenAI's GPT-4o-mini Vision model for ingredient analysis. This processing is transient and images are not stored by us.

| Service | Purpose | Data Shared |
|---|---|---|
| OpenAI (GPT-4o-mini) | AI-powered ingredient analysis from product label photos | Product photos (uploaded to OpenAI for analysis — processed transiently, not stored by us) |
| RevenueCat | Subscription management, entitlements, and purchase verification | Purchase receipts, subscription status, device identifiers |
| Apple App Store | Payment processing and app distribution (iOS only) | Transaction data (governed by Apple's privacy policy) |
| Vercel | API proxy hosting for OpenAI requests | Standard server logs, IP addresses (transient) |
| Expo (EAS) | App build infrastructure and crash reporting | Crash logs, basic analytics, device information |

How We Use Your Information

All analysis results are AI-generated estimates intended for informational purposes only. The App uses computer vision and AI (OpenAI GPT-4o-mini) to analyze product label photos and generate ingredient breakdowns, safety scores, and skin type compatibility assessments. These results are not medical facts, diagnoses, or professional dermatological assessments. They may contain errors, inaccuracies, or omissions. Always consult a qualified healthcare provider for any skin-related concerns.

  • Provide Core Features: Analyze cosmetic product ingredients using AI, calculate safety scores (0-10), provide letter grades (A-F), track skincare history, and deliver personalized skin type compatibility insights.
  • Improve the App: Fix bugs, optimize performance, and analyze usage patterns to develop new features and enhance user experience.
  • Process Subscriptions: Manage PRO subscriptions, verify entitlements, process payments, and handle purchase restoration via RevenueCat.
  • Send Notifications: Deliver daily reminders (morning scan reminder, afternoon check-in, evening summary) if you have enabled notification permissions (you can disable these at any time in Settings).
  • Customer Support: Respond to your inquiries, troubleshoot issues, and provide assistance when you contact us.
  • Legal Compliance: Comply with applicable legal obligations, resolve disputes, and enforce our agreements.

Legal Bases for Processing (GDPR)

If you are located in the European Economic Area (EEA), we process your personal data under the following legal bases:

  • Consent: When you provide explicit consent for specific processing activities, such as camera access for product scanning and photo library access for uploading product images.
  • Contractual Necessity: Processing necessary to provide the services you have requested under our Terms of Service.
  • Legitimate Interests: Processing for improving our services, ensuring security, and preventing fraud, provided our interests do not override your fundamental rights.
  • Legal Obligation: Processing required to comply with applicable laws and regulations.

Data Security

We implement robust technical and organizational measures to protect your data:

  • All user data is stored locally on your device using AsyncStorage with device-level encryption — we do not store your weight, height, skin type, scan history, or preferences on our servers
  • Secure API communications using HTTPS/TLS encryption for all network requests to OpenAI and RevenueCat
  • API key for OpenAI is routed through a Vercel proxy — the key never lives in the app binary
  • Rate limiting on API endpoints (max 20 requests per IP per minute) to prevent abuse
  • Product photos are uploaded to OpenAI for analysis — they are processed transiently and not stored by us
  • No personal health data, biometric data, or medical information is stored on our servers (local-first architecture)

Your Rights and Choices

Under GDPR (EEA Users)

If you are in the EEA, you have the following rights:

  • Right to Access: Request a copy of the personal data we hold about you.
  • Right to Rectification: Request correction of inaccurate or incomplete data.
  • Right to Erasure: Request deletion of your personal data where applicable.
  • Right to Restrict Processing: Request limitation of how we process your data.
  • Right to Data Portability: Request transfer of your data in a structured, machine-readable format.
  • Right to Object: Object to processing based on legitimate interests or direct marketing.
  • Right to Withdraw Consent: Withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

How to Exercise Your Rights

To exercise any of these rights, please contact us at avishka200411243@gmail.com. We will respond to your request within 30 days as required by applicable law. We may need to verify your identity before processing your request.

Data Retention

We retain your personal data only as long as necessary to fulfill the purposes described in this Privacy Policy:

  • Data on Your Device: Retained until you manually delete it using the "Clear history" button at the bottom of the scan history list on the home screen, or uninstall the App.
  • Subscription Data: Retained for the duration of your subscription plus any applicable legal retention periods for financial records.
  • Contact Inquiries: Retained for up to 2 years after the last communication, unless a longer retention period is required by law.

You can clear your scan history at any time — after your first scan, scroll to the bottom of the history list on the home screen and tap the "Clear history" button. This will remove all your product scans, analysis results, and log entries from the device.

Children's Privacy

Cosmetic AI is not intended for children under 13 years of age (or under 16 in the EEA). We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact us immediately at avishka200411243@gmail.com so we can delete the information.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or operational reasons. We will notify you of material changes by posting the updated policy on this page with a revised "Last Updated" date. We encourage you to review this Privacy Policy periodically for any updates.

Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: avishka200411243@gmail.com
Founder: @avishka_nirmal_