MyShade API — Privacy Policy

1. Overview

This Privacy Policy explains how our Beauty Advisor app (the "App") collects, uses, discloses, and otherwise processes personal information, including biometric data collected through camera-based features.

2. Information We Collect

2.1 Camera-Based Face Data

When you use the camera shade matching feature, we collect:

• Face Image: A temporary base64-encoded photograph of your face captured via your device's camera
• Extracted Skin Color: A hex color value (#RRGGBB format) representing the dominant skin tone detected from your cheek area
• Face Detection Metadata: Facial detection coordinates used to identify the cheek region for color extraction (bounding box coordinates)

Important: The original face image is NOT retained on our servers. It is processed in real-time and immediately discarded after the skin color is extracted.

2.2 Device Information

When using the shade matching feature, we may also receive:

• Device type and operating system
• App version
• API key usage and request metadata (for service optimization)

2.3 Product and Search Data

When you search for or view product recommendations, we collect:

• Product search queries
• Product categories and names you interact with
• Foundation shade names and brands you view

3. How We Use Your Information

3.1 Primary Purposes

We use the face data and skin color information for the following purposes:

1. Skin Tone Classification: To classify your skin tone into categories of depth (fair, light, medium, deep, rich) and undertone (warm, cool, neutral, olive)
2. Foundation Shade Matching: To recommend foundation shades from our database that match your skin tone
3. Cross-Brand Matching: To provide equivalent foundation shade recommendations across multiple beauty brands using Delta E color matching algorithms
4. Service Improvement: To improve the accuracy of our shade matching algorithm and product recommendations

3.2 Secondary Purposes

• Analytics and Debugging: To troubleshoot technical issues with the face detection feature
• API Monitoring: To track API key usage and ensure service reliability
• Fraud Prevention: To prevent unauthorized access and ensure service integrity

4. How We Process Face Data

4.1 Real-Time Processing

Face data is processed in real-time for your immediate results:

1. Image is transmitted to our secure servers
2. Face detection is performed via a third-party API service
3. Dominant skin color is extracted from the detected cheek area
4. The extracted color is compared against our foundation database
5. Foundation shade recommendations are returned to your device
6. Original image and all temporary processing data are immediately deleted

No Long-Term Storage: The original face image is never stored on our servers or databases.

4.2 Image Quality Requirements

To protect your privacy and ensure efficient processing, we enforce reasonable image size and quality limits for processing. Images that do not meet our requirements will be rejected.

5. Third-Party Data Sharing

5.1 Google Cloud Vision API

Processor: Google LLC

What data is shared:

• Base64-encoded face image
• Image dimensions and metadata

Purpose:

• Face detection to identify facial landmarks and bounding box coordinates

Data Retention:

• Google's privacy policy governs how Google processes this data
• Images are processed for real-time API calls and not stored long-term by Google (refer to Google Cloud Vision API Privacy)

Your Rights:

• You can review Google's data processing practices at Google Cloud Terms of Service

5.2 Supabase (Product Catalog Storage)

Processor: Supabase (Supabase Inc.)

What data is stored:

• Product catalog information (brand names, product names, shade names, descriptions)
• Product embeddings (vector representations for semantic search)
• API key metadata (not face or skin tone data)

What is NOT stored:

• Your face images
• Your extracted skin color/hex values
• Your personal skin tone classification
• Your device information

Purpose:

• Product catalog management and semantic search for beauty recommendations

6. Data Retention

6.1 Face Image Data

• Retention Period: Not retained
• Deletion: Immediately after skin color extraction
• Processing Time: Less than 2 seconds from upload to deletion

6.2 Extracted Skin Color (Hex Value)

• Retention Period: Not retained beyond the current API request
• Storage: Only held in memory during processing; not written to database
• Deletion: Immediately after foundation shade matches are returned to your device

6.3 Face Detection Metadata

• Retention Period: Not retained
• Deletion: Immediately after cheek region color extraction

6.4 Product Interaction Data

• Retention Period: Stored in application logs according to standard retention practices
• Deletion: Logs are rotated according to our standard data retention policies

6.5 API Key Usage Data

• Retention Period: API key usage metadata is retained for service management
• Purpose: API key management and service analytics
• Deletion: Retained according to business record retention policies

7. Data Security

7.1 Transmission Security

• All data transmitted between your device and our servers is encrypted using industry-standard encryption protocols
• API requests require authentication via secure, encrypted headers

7.2 Processing Security

• Image data is processed securely and immediately discarded after use
• No face images are retained, cached, or logged

7.3 Rate Limiting & Access Control

• API keys are validated against a secure database
• Rate limiting is enforced to protect service availability
• Invalid or revoked API keys are rejected promptly upon revocation

7.4 Limitations

While we employ industry-standard security measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security of your data.

8. Your Privacy Rights

8.1 Access & Transparency

Since we do not retain your face data or skin tone information, there are no personal records to access. However, you have the right to:

• Understand what data we collect (explained in this policy)
• Know how we use that data (explained in Section 3)
• Request confirmation that your data is not retained

8.2 Data Deletion

Because we do not store face data or extracted skin tones, there is no data to delete. However:

• If you wish to cease using the face scanning feature, you may disable camera permissions in your device settings
• You can delete the app to prevent future data collection

8.3 Opt-Out

• Face Scanning: You can choose not to use the face scanning feature and instead manually enter your foundation shade information
• Camera Permissions: You can deny camera access in your device's privacy settings, and the app will not be able to use face scanning

8.4 Regional Privacy Rights

Depending on your location, you may have additional rights:

GDPR (European Union / EEA residents):

• Right to access personal data
• Right to deletion ("right to be forgotten")
• Right to data portability
• Right to object to processing

CCPA (California residents):

• Right to know what personal information is collected
• Right to know whether personal information is sold or disclosed
• Right to delete personal information
• Right to opt-out of the sale of personal information

Contact us (see Section 10) to exercise these rights.

9. Children's Privacy

Our App is not directed to children under 13 years of age, and we do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13, we will take steps to delete such information and terminate that child's use of the App.

If you believe we have collected information from a child under 13, please contact us immediately (see Section 10).

10. Contact Us

If you have any questions about this Privacy Policy, our privacy practices, or your privacy rights, please contact us at:

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any material changes by:

1. Posting the updated Privacy Policy in the App
2. Updating the "Last Updated" date at the top of this policy
3. Requesting your consent if required by applicable law

Your continued use of the App following the posting of revised Privacy Policy terms means you accept and agree to the changes.

12. Data Processing Addendum (for B2B / Enterprise Users)

If you are using this App on behalf of an organization or enterprise, additional data processing terms may apply. Contact us for a Data Processing Addendum (DPA) if your organization requires GDPR-compliant data processing documentation.

13. Compliance & Legal Basis

13.1 Lawful Basis for Processing (GDPR)

We process face data under the following lawful basis:

• Performance of Contract: Processing is necessary to provide the shade matching service you requested
• Legitimate Interests: Processing is necessary to provide, improve, and maintain our service

13.2 Data Processing Locations

• Primary Processing: Servers located in secure data centers
• Third-Party Processors: May process data across their global infrastructure
• Product Catalog: Stored on secure servers operated by our service providers

13.3 International Data Transfers

If you are located in the European Union or other jurisdictions with strict data protection laws, your data may be transferred to the United States for processing. By using our App, you consent to such transfers.

14. Third-Party Links & Services

Our App may contain links to third-party websites and services (e.g., beauty brand websites, Sephora, Ulta). This Privacy Policy does not apply to third-party services. We encourage you to review their privacy policies before providing any personal information.

15. California Privacy Rights (CCPA / CPRA)

California Residents: Under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), you have the following rights:

15.1 Right to Know

You have the right to request what categories of personal information we collect, use, and disclose.

15.2 Right to Delete

You have the right to request that we delete personal information we have collected from you, subject to certain exceptions.

15.3 Right to Opt-Out

You have the right to opt-out of the sale or sharing of your personal information for cross-context behavioral advertising.

15.4 Right to Correct

You have the right to request that we correct inaccurate personal information.

15.5 Right to Limit Use

You have the right to limit use of your personal information to the purposes necessary to provide the service.

Note: Because we do not retain face data or skin tone information, most CCPA requests will result in confirmation that no personal data is retained.

To exercise your rights, contact us at: support@my-shade.com

16. EU/EEA Residents — GDPR Rights

If you are a resident of the European Union, European Economic Area, or United Kingdom, you have the following rights under the General Data Protection Regulation (GDPR):

16.1 Right of Access

You have the right to obtain confirmation as to whether we are processing your personal data and to request access to that data.

16.2 Right to Rectification

You have the right to request that we correct inaccurate personal data.

16.3 Right to Erasure

You have the right to request that we delete your personal data, subject to certain legal exceptions.

16.4 Right to Restrict Processing

You have the right to request that we limit how we use your personal data.

16.5 Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another organization.

16.6 Right to Object

You have the right to object to our processing of your personal data.

16.7 Right to Lodge a Complaint

You have the right to lodge a complaint with your local data protection authority.

EU Data Protection Authority Contact: If you believe we have violated your GDPR rights, you may file a complaint with your national data protection authority. A list of authorities is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en

17. Apple App Store Privacy Requirements

This section addresses Apple's specific privacy data disclosure requirements for App Store submission:

17.1 Category: Photos and Videos

17.2 Category: User ID / Device ID

17.3 Category: Search History

17.4 Category: Product Interaction Data

18. Frequently Asked Questions (FAQs)

19. Definitions

• Personal Data: Any information relating to an identified or identifiable person.
• Biometric Data: Information derived from face images (includes facial features, geometry, iris patterns). Per GDPR, this is a special category of personal data requiring higher protection.
• Processing: Any operation performed on personal data, including collection, storage, use, and deletion.
• Processor: A party that processes personal data on behalf of a controller (e.g., Google Cloud Vision API, Supabase).
• Controller: The party that determines the purposes and means of personal data processing (us).
• Data Subject: The person to whom personal data relates (you).

20. Acknowledgment & Consent

By using our Beauty Advisor app, you acknowledge that:

1. You have read and understand this Privacy Policy
2. You consent to the collection and processing of face images as described herein
3. You consent to the sharing of face images with Google Cloud Vision API for the purposes described
4. You understand that your face image is not retained on our servers
5. You consent to the extraction and use of skin color information for shade matching
6. You understand your privacy rights and how to exercise them

If you do not consent to these terms, please do not use the face scanning feature of the App.