Privacy Policy

Last Updated: April 6, 2026

Introduction

Welcome to Aureya (“we,” “our,” or “us”). We are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application.

By using Aureya, you agree to the collection and use of information in accordance with this policy.

1. Information We Collect

1.1 Personal Information You Provide

Account Information: Email address, name (optional), date of birth (for age verification), password (encrypted).

Profile Information: Skin type, skin concerns, age group, gender (optional), ethnicity/skin tone (optional), chronic skin conditions, allergies, budget preferences, current skincare products.

Photos: Selfies for facial skin analysis; body area photos (neck, hands, arms, legs, feet); photos uploaded from your device; progress tracking photos.

Food Logs: Meal descriptions, food photos (optional), dietary information.

Health & Wellness Data (with your permission): Sleep duration and quality, heart rate variability (HRV) as a stress indicator, step count, water/hydration intake, and dietary caffeine intake — via Apple HealthKit (iOS) or Google Health Connect (Android). This data is collected only if you grant the relevant permissions. You can revoke access at any time in your device settings.

User Content: Notes and comments, product reviews, feedback you submit.

1.2 Information Collected Automatically

Device information (model, OS version, unique identifiers), usage data (features used, time in app, crash reports), and camera permission status.

1.3 Information from Third Parties

Firebase Services (authentication, analytics, cloud storage metadata) and payment processor transaction records.

2. How We Use Your Information

Analyze selfies and body area photos to assess skin conditions
Generate personalized skincare routine recommendations
Match products to your specific needs and track progress
Correlate lifestyle factors (sleep, stress, hydration) with skin condition trends
Improve our AI algorithms and fix technical issues
Send routine updates, reminders, and respond to support requests
Prevent fraud and comply with legal obligations

3. How Your Photos Are Processed

All photos are encrypted in transit (HTTPS/TLS) and stored in Firebase Cloud Storage with encryption at rest. Each photo is linked only to your user ID.

Face selfies are analyzed using Google Cloud Vision API (facial landmark detection) + Google Gemini AI (skin condition interpretation)
Body area photos are analyzed by Google Gemini AI only — no facial detection or biometric processing
We do NOT use your photos for facial recognition
We do NOT share your photos with third parties for marketing
You own your photos. You can delete them anytime. All photos deleted within 30 days of account deletion.

3A. Face Data Processing (Face Selfies Only)

This section applies specifically to face selfies. For body area photos, see Section 3B.

When you submit a selfie, Google Cloud Vision API detects facial landmarks (up to 33 anatomical points) solely to identify skin zones for analysis (T-zone, cheeks, forehead). We do NOT collect biometric identifiers, do NOT build a facial recognition profile, and do NOT use this data to identify you.

Face landmark data is processed in real-time and is not stored as a separate facial profile. Raw selfie photos are stored in Firebase Cloud Storage (encrypted at rest). You can delete any selfie at any time from within the app.

3B. Body Area Photo Processing

Body area photos (neck, hands, arms, legs, feet) are analyzed by Google Gemini AI only. No facial detection, facial landmarks, or biometric processing is performed. These photos do not involve biometric identifiers of any kind.

3C. Health & Wellness Data (Apple HealthKit / Google Health Connect)

If you choose to connect your health data, this section applies.

What we collect (opt-in only): Sleep duration and stages, heart rate variability (HRV), step count, water intake, and dietary caffeine — from the last 24 hours only.

How it’s used: Exclusively to correlate lifestyle factors with your skin condition trends and provide personalized insights (e.g., “poor sleep may be contributing to breakouts”). Health data is NOT used for advertising, marketing, or any unrelated purpose.

Storage & sharing: Health data is cached locally on your device for up to 30 minutes. It is NOT sent to Google Gemini AI or any external AI service. It is NOT shared with any third parties or sold. Aggregated, anonymized wellness trends may be stored in your profile to power insights.

Retention: Locally cached data clears after 30 minutes. Aggregated insights are retained until account deletion. Raw metrics are re-fetched each session and not stored long-term.

Your rights: You can revoke health data access at any time in your device Settings. Revoking access immediately stops all health data collection. All core Aureya features work without granting health data access.

Compliance: iOS — We comply with Apple HealthKit guidelines. Health data is not stored in iCloud and is not used for advertising. Android — We comply with Google Health Connect policies using the principle of least privilege.

4. How We Share Your Information

We do NOT sell your personal information. We share only with:

Firebase (Google) — Authentication, cloud storage, analytics, crash reporting
Google Cloud Vision API — Face landmark detection (face selfies and food photos only)
Google Gemini AI — Skin condition analysis, routine generation, ingredient analysis
RevenueCat, Inc. — Anonymous app user ID, purchase receipts, subscription status only. Does NOT receive photos, health data, or skin analysis results. RevenueCat Privacy Policy
Firebase Cloud Messaging (Google) — Push notification token only, for skincare reminders and app updates. Disable in device settings anytime.
Apple App Store / Google Play — In-app purchases. We do not receive or store your full payment details.
Legal requirements — If required by law, subpoena, or court order

Google processes data under their Privacy Policy: policies.google.com/privacy

5. Data Security

We implement end-to-end encryption for photos, secure HTTPS connections, Firebase security rules, and regular security audits. In the unlikely event of a data breach, we will notify you within 72 hours and inform relevant authorities as required.

6. Your Privacy Rights

Access & Portability — Request a copy of all your data within 30 days
Correction — Update your profile information anytime
Deletion — Delete your account and all associated data within 30 days
Opt-Out — Unsubscribe from marketing, disable analytics, revoke camera or health permissions
Object to Processing — Object to automated decision-making

How to Delete Your Account and Data

In-App: Profile (bottom tab) → Settings (gear icon) → scroll to “Delete Account” → confirm deletion.

By Email: Send a request to contact@aureyaskin.io with the subject “Delete My Account” and include the email address on your account.

What gets deleted: Account credentials, profile information, all face and body area photos, all skin analyses, food logs, journal entries, wishlist items, routine data, and health wellness insights. Your subscription is cancelled (refunds subject to Apple/Google policy). Health data permissions are revoked.

Timeline: All personal data permanently deleted within 30 days. Some anonymized, aggregated analytics may be retained as it cannot be linked back to you.

To exercise any rights: Email privacy@aureyaskin.io with subject “Privacy Rights Request.”

7. Children’s Privacy

Aureya is NOT intended for children under 13 (or 16 in the EU). We do not knowingly collect data from children. Parents can contact privacy@aureyaskin.io to request deletion.

8. International Data Transfers

Your data may be processed outside your country via Firebase (Google servers worldwide). EU users: Data transfers comply with GDPR (Standard Contractual Clauses).

9. Data Retention

Account info — Until account deletion
Photos (face and body area) — Until you delete them or account deletion
Skin analyses — Until account deletion
Food logs — Until account deletion
Health data (sleep, HRV, steps, hydration, caffeine) — Cached locally 30 minutes; aggregated insights until account deletion
Push notification tokens — Until account deletion or token refresh
Subscription records — Until account deletion (purchase receipts retained by Apple/Google)
Usage analytics — 26 months (anonymized)
Crash reports — 90 days
Support tickets — 3 years

10. California Privacy Rights (CCPA)

California residents may request details about data collected, correction or deletion of data, and opt-out of data sharing. We do NOT sell personal information. Email contact@aureyaskin.io with subject “CCPA Request.” We respond within 45 days.

11. European Privacy Rights (GDPR)

EU/EEA users have rights of access, rectification, erasure, restriction, portability, and the right to object. Legal basis for processing: consent, contract performance, legitimate interests, and legal obligations. Data Protection Officer: privacy@aureyaskin.io. You can file a complaint with your local data protection authority.

12. Medical Disclaimer

Aureya is a wellness and skincare information application. It is NOT a medical device, does NOT provide medical advice, diagnosis, or treatment, and is NOT a substitute for professional medical care. Always consult a licensed dermatologist or healthcare provider for any skin concerns.

13. Changes to This Policy

Changes will be posted with an updated “Last Updated” date. Significant changes will trigger an in-app notification. Continued use after changes means you accept the new policy.

v1.0 – Nov 13, 2025 · v2.0 – Feb 13, 2026 · v3.0 – Feb 28, 2026 · v4.0 – Apr 6, 2026 (Added Health Data section 3C, RevenueCat & FCM disclosures, expanded retention table, account deletion instructions)

14. Contact Us

Privacy requests: privacy@aureyaskin.io
General support: support@aureyaskin.io
Website: aureyaskin.io
Company: MoLabs LLC

We aim to respond within 48 hours.