Privacy Policy

1. Introduction

This Privacy Policy explains how the operator of the HairArchitect mobile application ("HairArchitect", "we", "us", or "our") collects, uses, discloses, and protects information when you use the HairArchitect app for iOS and Android (the "App") and our related services (including this website).

By using the App, you agree to this Privacy Policy. If you do not agree, please do not use the App.

Data controller: Caymaz TechHealth Yazılım Tic. Ltd. Şti.
MERSİS: 0203091510500001 · Tax office: Başakşehir · Tax no: 2030915105
Address: Istanbul, Turkey

For privacy, legal, and data-protection requests: legal@caymaztech.com.

Disputes arising from this Policy or the App are subject to the exclusive jurisdiction of the courts of Istanbul, Turkey, unless mandatory consumer protection law in your country requires otherwise.

2. Information we collect

We collect information needed to run the App, provide AI hairline simulation and related features, prevent abuse, and process subscriptions. We do not integrate third-party advertising SDKs or App Tracking Transparency-based ad tracking in the App. We use Firebase Crashlytics for crash and stability reporting (device/OS metadata and stack traces; no photos). We do not use third-party ad or cross-app tracking SDKs in the App as shipped.

2.1 Account and authentication

• If you create an account, we process your email address and authentication credentials through Firebase Authentication. Session tokens may be stored securely on your device.
• You may use limited functionality without a full account; we still associate activity with a guest profile tied to a device identifier (see below).

2.2 Device identifiers and device information

• A persistent random identifier stored in the device secure storage (app-specific) to recognize your device across sessions and sync credits or guest data.
• On iOS, Identifier for Vendor (IDFV) where available; on Android, Android ID where accessed via platform APIs, plus a hashed hardware fingerprint derived from non-sensitive device attributes (for abuse resistance).
• Device metadata: model, OS version, app version, language or locale, and whether the environment appears to be an emulator (for fraud prevention where enabled).

2.3 Photos, camera, and facial analysis

• Camera and photo library: with your permission, we access the camera and/or photos you select to perform hairline design, simulation, and clinical-style image analysis features in the App.
• On-device processing: some analysis (for example segmentation or geometry helpers) runs locally using on-device models. Raw outputs from these steps are not used to identify you in the real world and are not a substitute for government or banking biometric systems.
• When you use cloud AI features, images and derived URLs may be uploaded temporarily to our storage and sent to our AI processors as described in Section 6.

2.4 AI inputs and outputs

• Prompts and parameters you provide for AI workflows (for example hair style, density, or month simulation settings).
• Generated images and metadata needed to show history, deliver results, and enforce credits.

2.5 Post-operative tracking (local only)

If you use the post-operative timeline feature, your surgery date and technique selection are stored on your device (app documents storage). We do not transmit that health-related scheduling data to our servers for that feature.

2.6 Subscriptions and purchases

Subscription status, product identifiers, and related transaction metadata are processed by Apple App Store or Google Play and by Adapty (subscription management). We do not receive your full payment card number.

2.7 Technical and security logs

Our backend services may create limited logs (for example errors, request metadata, and IP address) for security, debugging, and abuse prevention. These logs are not used for cross-app advertising.

2.8 Sensitive and health-related information

Photos of your face and scalp are used for cosmetic simulation and planning only. HairArchitect is not a medical device and does not provide diagnosis or treatment. We do not use these images for government-style biometric identity verification. Where you enable cloud AI, images are processed as described in Sections 5–6. Post-operative scheduling data for the timeline feature stays on your device (see Section 2.5).

2.9 Crash reporting (App)

The App uses Firebase Crashlytics to collect crash and stability reports (device model, OS version, app version, and stack traces). This helps us diagnose failures and improve reliability. Crash reports do not include your photos. We do not sell your data and do not use ad-network tracking SDKs.

3. How we use your information

• Provide, operate, and improve the App's core features (simulation, analysis, gallery, credits).
• Authenticate users, sync entitlements, and prevent fraud or abuse.
• Route AI jobs, deliver results, and store content for the retention periods described in Section 8.
• Comply with law, enforce our Terms, and respond to valid requests.
• Communicate with you about support or important service changes when needed.

4. Legal bases (EEA, UK, Switzerland)

Where GDPR-style laws apply, we rely on: contract (providing the service you request); legitimate interests (security, anti-abuse, product improvement that does not override your rights); and consent where required (for example camera/photos, facial geometry, and the one-time consent flow described in Section 5).

5. Consent at first launch (mobile App)

Before you can use the App, you must complete a one-time setup: accept our Terms and Privacy Policy on the final onboarding screen, acknowledge the medical disclaimer, and confirm consent choices in our in-app consent screen (including explicit consent for cloud AI hair analysis and facial-region uploads, which is required to use cloud simulation features). See Section 2.3.1 for how face photos and geometry are used.

We record your choices (including policy version 2026-05-19) in our systems (for example consent logs and user consent preference records) for compliance and security.

Without cloud AI consent: cloud upload, simulation, and vision features are blocked (including server responses with an error when consent is missing). You may still use on-device features where available.

Withdrawing or changing consent: open Privacy & Legal → Manage cloud AI consent to turn off AI Hair Analysis (stops new cloud processing while keeping your account). To delete all server data and your account, use Profile → Data Management → Delete Account & Revoke Consent or contact us as set out in Section 12. Uninstalling the App removes device data but does not delete server-side account data by itself.

6. AI processing and cloud flow

Cloud AI features are invoked through our secure backend API, which proxies requests to AI providers so that API secrets are not embedded in the App binary.

Face photo flow (with your consent): App → our Backend API → Fal.ai temporary storage (governed by fal.ai's data policy) → Fal.ai model inference → result returned to the App. This is an international transfer when you are in Turkey, the EU, or elsewhere and storage or AI processing occurs outside your country.

• Step 1 — Fal.ai storage: face/scalp images are uploaded via our Backend API to Fal.ai temporary storage (governed by fal.ai's data policy; global infrastructure, commonly US-based), deleted per fal.ai's data retention policy.
• Step 2 — Fal.ai inference: our backend sends those Fal.ai storage URLs to Fal.ai (including queued workflows and vision endpoints). Fal runs models on its own infrastructure—commonly in the United States or other countries outside your residence—under Fal's privacy policy.
• Some requests may be routed through the same proxy layer to additional endpoints allowed by our server configuration (for example vision-language routes exposed via Fal). Review Fal's documentation and privacy policy for subprocessors they use.

We do not claim that third-party AI providers retain "zero" data; retention and subprocessors are governed by their policies. We configure our side for limited retention where technically implemented (see Section 8).

7. Third-party services (subprocessors)

We share data with service providers that process it on our behalf. We do not sell your personal information.

• Hetzner Online GmbH (EU hosting) — our Backend API and PostgreSQL database run on dedicated infrastructure hosted in the European Union (Germany). Other applications may share the same physical server; your data is isolated in a separate database container and network.
• Google Firebase Authentication & Crashlytics — account sign-in, token issuance, and crash reporting (device/OS metadata and stack traces; no photos). Firebase Privacy
• Fal.ai — temporary image storage (governed by fal.ai's data policy) and AI inference for image generation and vision analysis. Fal.ai Privacy
• Adapty — subscription and paywall analytics tied to your app user or device identifier as configured. Adapty Privacy
• Apple & Google — payment processing and subscription management on device. Apple Privacy · Google Privacy

8. Retention

• Fal.ai temporary storage — input uploads (face / scalp photos you submit for cloud AI): stored in Fal.ai's temporary storage, governed by fal.ai's data policy. Fal.ai auto-deletes within 7 days. These files are used only for AI inference.
• System Audit Logs: Access logs, security events, and administrative actions are stored in our secure database for 180 days to comply with security auditing requirements and legal defense, after which they are automatically purged.
• Fal.ai — AI inference: Fal.ai processes the image to run hair simulation models. Fal.ai's own data retention is governed by their Privacy Policy; we do not use Fal.ai as long-term storage.
• Account deletion: when you use "Delete Account & Revoke Consent", your database records (account, credits, consent history, support tickets) are deleted immediately from the live database. Face photos in Fal.ai temporary storage are deleted per fal.ai's data retention policy. If you require earlier deletion, contact us as set out in Section 1.
• Encrypted database backups: we take one weekly encrypted backup on our EU-hosted server (Hetzner). When a new backup is created, the previous backup file is deleted (single rotating copy). Backups are encrypted at rest (AES-256-GCM). After account deletion, your data may remain in the latest weekly backup for up to approximately seven days until that file is replaced; backups are not used for routine processing.
• Account and credits data in the database: retained while your account or guest profile is active, or as needed for legal, security, or billing obligations.
• Local device data remains until you delete the App or clear app data. Uninstalling does not trigger server-side deletion.

9. Security

We use HTTPS/TLS for data in transit between the App and our services. We apply access controls and server-side validation (including protecting privileged keys on the server). No method of storage or transmission is 100% secure; use device passcodes and keep your OS updated.

10. International transfers

When you enable cloud AI, face and scalp photos you submit are transferred outside your country as follows: via our Backend API to Fal.ai temporary storage (governed by fal.ai's data policy), then to Fal.ai for AI processing. Fal.ai may process data in the United States, the European Union, and other countries where they operate data centers.

Turkey (KVKK): this constitutes transfer of personal data abroad; we rely on your explicit consent for cloud processing and appropriate contractual/technical measures with providers where applicable. You may object or request deletion as described in Section 12.

EU/UK (GDPR): where required, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) offered by providers or adequacy decisions, in addition to your consent for cloud AI where applicable.

Brazil (LGPD): if you are in Brazil, this involves international transfer of personal data (including sensitive data when you enable cloud AI for face/scalp photos) to processors in the EU (Hetzner hosting), the United States (Fal.ai, Firebase), and other countries where payment providers operate. We rely on your explicit consent for cloud AI where required, plus contractual and technical safeguards with our processors. See Section 14 (LGPD) for your rights and the ANPD.

11. Cookies and similar technologies (website)

This section applies to hairarchitect.app (the website), not the mobile App store install flow. We use browser storage (including localStorage key ha_cookie_consent_v1) to remember your cookie choices.

• Essential: required for basic site operation and security (always active).
• Optional analytics: only if you accept them in our cookie banner or save preferences with analytics enabled.

You can Accept, Reject non-essential, or Manage choices when the banner appears, and reopen settings from the website footer ("Cookie Settings"). We may log your web cookie choice to our API for compliance records.

12. Your rights and how to exercise them

EU/EEA (GDPR): you may have rights of access, rectification, erasure, restriction, portability, and objection. We aim to respond within one month(extendable by up to two months where permitted).

Depending on your region, you may have rights to access, rectify, delete, restrict, or port your personal data, and to object to certain processing. Where processing is based on consent, you may withdraw it as described in Section 5 (including by deleting your account).

In the mobile App

• Change cloud AI consent: Privacy & Legal → Manage cloud AI consent (turn AI Hair Analysis off to block new cloud processing without deleting your account).
• Access / portability: Profile → Data Management → Download My Data (exports data associated with your account).
• Erasure and revoke consent: Profile → Data Management → Delete Account & Revoke Consent (deletes your account and associated server data where technically feasible).

You can also email legal@caymaztech.com. EU/UK users may lodge a complaint with your local supervisory authority. See Section 15 for KVKK complaints.

California (CCPA/CPRA): see Section 13 (Do Not Sell My Personal Information) and use the contact in Section 1 or the in-app tools above for disclosure or deletion requests. We aim to respond within 45 days where CCPA/CPRA applies (extendable as permitted).

13. Do Not Sell My Personal Information

We do not sell personal information. HairArchitect does not sell, rent, or trade your personal information to third parties for monetary or other valuable consideration, as defined under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).

We also do not share personal information for cross-context behavioral advertising. We do not use third-party advertising SDKs or sell face photos, derived facial geometry, or account data.

California residents may submit privacy requests (including access and deletion) using the contact in Section 1 or through the in-app tools described in Section 12.

14. Brazil – LGPD (Lei 13.709/2018)

If you are located in Brazil, the Lei Geral de Proteção de Dados (LGPD) applies. We act as controller for the processing described in this Policy.

Under the LGPD, you may have the right to: confirm that we process your data; access your data; correct incomplete or inaccurate data; anonymize, block, or delete unnecessary or unlawfully processed data; port your data; know which third parties we share data with; information about consent and the consequences of refusal; withdraw consent; and review automated decisions that affect your interests, where applicable.

Exercise your rights via the in-app tools in Section 12 or contact us as set out in Section 1. We aim to respond within 15 days where the LGPD applies (extensions permitted by law when justified).

You may lodge a complaint with the Autoridade Nacional de Proteção de Dados (ANPD) at gov.br/anpd. This does not limit other remedies available to you.

15. Turkey – KVKK (Personal Data Protection Law)

If you are located in Turkey, Law No. 6698 on the Protection of Personal Data (KVKK) applies to our processing of your personal data. Depending on the circumstances, we act as data controller for data described in this Policy.

Under KVKK, you may have the right to: learn whether your data is processed; request information if it has been processed; learn the purpose of processing and whether it is used for that purpose; know third parties to whom data is transferred domestically or abroad; request correction of incomplete or inaccurate data; request deletion or destruction of data under conditions set out in the law; object to outcomes against you from exclusively automated analysis; request compensation for unlawful processing where you suffer damage; and in cases provided by law, request restriction of processing.

To exercise these rights, contact us as set out in Section 1. We will respond within the timeframe required by applicable law where KVKK applies.

You may also lodge a complaint with the Turkish Personal Data Protection Authority (Kişisel Verileri Koruma Kurulu — "KVKK Board") at kvkk.gov.tr. This does not limit your right to pursue other remedies where available.

16. Age requirement (18+)

HairArchitect is intended only for adults aged 18 and over. We do not knowingly collect personal information from anyone under 18. If you believe we have collected data from a minor, contact us as set out in Section 1 and we will delete it.

17. Content safety

We use technical measures (including provider-side safety settings where available) to reduce harmful or disallowed outputs. You must not attempt to misuse the App to generate illegal or abusive content; see our Terms of Service.

18. Data breach notification

If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will take reasonable steps to investigate, mitigate harm, and notify you and/or regulators as required by applicable law (for example GDPR Article 33/34). Report concerns using the contact in Section 1.

19. Changes to this Policy

We may update this Privacy Policy. We will revise the "Last updated" date and policy version, and where changes are material we may provide additional notice (for example in the App or by email). Continued use after notice may require renewed consent where legally required.

20. Summary of data practices