Privacy Policy

Effective date: April 2, 2026  |  Last updated: April 2, 2026

1. Introduction

This Privacy Policy explains how the operator of the HairArchitect mobile application ("HairArchitect", "we", "us", or "our") collects, uses, discloses, and protects information when you use the HairArchitect app for iOS and Android (the "App") and our related services (including this website).

By using the App, you agree to this Privacy Policy. If you do not agree, please do not use the App.

For privacy questions or requests: support@hairarchitectai.app. For legal notices: legal@hairarchitectai.app.

2. Information we collect

We collect information needed to run the App, provide AI hairline simulation and related features, prevent abuse, and process subscriptions. We do not integrate third-party advertising SDKs, analytics SDKs (such as Firebase Analytics or Mixpanel), or App Tracking Transparency-based ad tracking in the App as shipped.

2.1 Account and authentication

  • If you create an account, we process your email address and authentication credentials through our backend provider (Supabase Auth). Session tokens may be stored securely on your device.
  • You may use limited functionality without a full account; we still associate activity with a guest profile tied to a device identifier (see below).

2.2 Device identifiers and device information

  • A persistent random identifier stored in the device secure storage (app-specific) to recognize your device across sessions and sync credits or guest data.
  • On iOS, Identifier for Vendor (IDFV) where available; on Android, Android ID where accessed via platform APIs, plus a hashed hardware fingerprint derived from non-sensitive device attributes (for abuse resistance).
  • Device metadata: model, OS version, app version, language or locale, and whether the environment appears to be an emulator (for fraud prevention where enabled).

2.3 Photos, camera, and facial analysis

  • Camera and photo library: with your permission, we access the camera and/or photos you select to perform hairline design, simulation, and clinical-style image analysis features in the App.
  • On-device processing: some analysis (for example segmentation or geometry helpers) runs locally using on-device models. Raw outputs from these steps are not used to identify you in the real world and are not a substitute for government or banking biometric systems.
  • When you use cloud AI features, images and derived URLs may be uploaded temporarily to our storage and sent to our AI processors as described in Section 5.

2.4 AI inputs and outputs

  • Prompts and parameters you provide for AI workflows (for example hair style, density, or month simulation settings).
  • Generated images and metadata needed to show history, deliver results, and enforce credits.

2.5 Post-operative tracking (local only)

If you use the post-operative timeline feature, your surgery date and technique selection are stored on your device (app documents storage). We do not transmit that health-related scheduling data to our servers for that feature.

2.6 Subscriptions and purchases

Subscription status, product identifiers, and related transaction metadata are processed by Apple App Store or Google Play and by Adapty (subscription management). We do not receive your full payment card number.

2.7 Technical and security logs

Our servers and edge functions may create limited logs (for example errors, request metadata, and IP address) for security, debugging, and abuse prevention. These logs are not used for cross-app advertising.

3. How we use your information

  • Provide, operate, and improve the App's core features (simulation, analysis, gallery, credits).
  • Authenticate users, sync entitlements, and prevent fraud or abuse.
  • Route AI jobs, deliver results, and store content for the retention periods described in Section 6.
  • Comply with law, enforce our Terms, and respond to valid requests.
  • Communicate with you about support or important service changes when needed.

4. Legal bases (EEA, UK, Switzerland)

Where GDPR-style laws apply, we rely on: contract (providing the service you request); legitimate interests (security, anti-abuse, product improvement that does not override your rights); and consent where required (for example camera/photos or optional in-app consents you accept).

5. AI processing and cloud flow

Cloud AI features are invoked through our secure backend (Supabase Edge Functions) which proxies requests to AI providers so that API secrets are not embedded in the App binary.

  • Images for cloud workflows are typically uploaded to Cloudflare R2 object storage (or similar configured storage) so that time-limited URLs can be passed to the AI provider for processing.
  • Our primary model host is Fal.ai (including queued workflows and vision-capable endpoints used for image analysis). Fal processes inputs on its infrastructure according to its policies.
  • Some requests may be routed through the same proxy layer to additional endpoints allowed by our server configuration (for example vision-language routes exposed via Fal). Review Fal's documentation and privacy policy for subprocessors they use.

We do not claim that third-party AI providers retain "zero" data; retention and subprocessors are governed by their policies. We configure our side for limited retention where technically implemented (see Section 6).

6. Third-party services

We share data with service providers that process it on our behalf. We do not sell your personal information.

  • Supabase — authentication, database, file storage buckets, realtime channels, and edge functions. Supabase Privacy
  • Cloudflare — R2 storage and CDN for media delivery. Cloudflare Privacy
  • Fal.ai — AI inference for image generation and vision analysis. Fal.ai Privacy
  • Adapty — subscription and paywall analytics tied to your app user or device identifier as configured. Adapty Privacy
  • Apple & Google — payment processing and subscription management on device. Apple Privacy · Google Privacy

7. Retention

  • Supabase Storage buckets used for scans and simulations: we run automated cleanup to delete objects older than approximately 7 days (scheduled maintenance job). Exact timing may vary slightly by environment.
  • R2 and other processing uploads: treated as temporary inputs for AI delivery; lifecycle rules depend on bucket configuration and operational cleanup. Do not rely on cloud copies as long-term backup.
  • Account and credits data in the database: retained while your account or guest profile exists or as needed for legal, security, or billing obligations.
  • Local device data remains until you delete the App or clear app data.

8. Security

We use HTTPS/TLS for data in transit between the App and our services. We apply access controls and server-side validation (including protecting privileged keys on the server). No method of storage or transmission is 100% secure; use device passcodes and keep your OS updated.

9. International transfers

Our service providers may process data in the United States, European Union, and other countries. Where required, we rely on appropriate safeguards (such as Standard Contractual Clauses) offered by providers or adequacy decisions.

10. Your rights

Depending on your region, you may have rights to access, rectify, delete, restrict, or port your personal data, and to object to certain processing. You may withdraw consent where processing is consent-based.

You can request deletion or exercise rights by emailing support@hairarchitectai.app. If you have registered an account, account deletion may also be available in the App where implemented.

California (CCPA/CPRA): we do not sell personal information. You may request disclosure or deletion subject to exceptions. You can use the same contact email.

11. Turkey – KVKK (Personal Data Protection Law)

If you are located in Turkey, Law No. 6698 on the Protection of Personal Data (KVKK) applies to our processing of your personal data. Depending on the circumstances, we act as data controller for data described in this Policy.

Under KVKK, you may have the right to: learn whether your data is processed; request information if it has been processed; learn the purpose of processing and whether it is used for that purpose; know third parties to whom data is transferred domestically or abroad; request correction of incomplete or inaccurate data; request deletion or destruction of data under conditions set out in the law; object to outcomes against you from exclusively automated analysis; request compensation for unlawful processing where you suffer damage; and in cases provided by law, request restriction of processing.

To exercise these rights, contact us at support@hairarchitectai.app. We will respond within the timeframe required by applicable law where KVKK applies.

You may also lodge a complaint with the Turkish Personal Data Protection Authority (Kişisel Verileri Koruma Kurulu — "KVKK Board") at kvkk.gov.tr. This does not limit your right to pursue other remedies where available.

12. Children

HairArchitect is not intended for children under 13. We do not knowingly collect personal information from children under 13. If you believe we have, contact us and we will take steps to delete it.

13. Content safety

We use technical measures (including provider-side safety settings where available) to reduce harmful or disallowed outputs. You must not attempt to misuse the App to generate illegal or abusive content; see our Terms of Service.

14. Changes

We may update this Privacy Policy. We will revise the "Last updated" date and, where appropriate, provide additional notice (for example in the App).

15. Summary of data practices

| Data type | Collected | Purpose | Shared with |
|---|---|---|---|
| Email / account | If you sign up | Auth, support | Supabase |
| Device / guest IDs | Yes | Credits, sync, anti-abuse | Supabase; Adapty (entitlements) |
| Photos / camera | When you use features | Simulation & analysis | Supabase, R2, Fal.ai |
| AI prompts / parameters | When you run AI | Generation | Fal.ai (via our proxy) |
| Purchase metadata | If you subscribe | Billing & access | Apple, Google, Adapty |
| Post-op date (local) | Optional, on device | Timeline UI | Not transmitted by that feature |
| Cross-app ad tracking | No (no ad SDK) | | |
