← Back to Home

Privacy Policy

Last updated: 2025-11-01

This Privacy Policy explains how the Suitone mobile application ("Suitone", "we", "our", or "us") collects, uses, shares, and protects personal information when you interact with our app, website, and related services (collectively, the "Services"). By using the Services you agree to the practices described here. If you do not agree, please do not use the Services.

1. Who We Are and How to Contact Us

Suitone is the controller of the personal information processed through the app. You may contact us at:

  • Email:info@suitone.app
  • Postal Mail:Please include "Privacy Inquiry – Suitone" in any written correspondence.

2. Personal Data We Collect

We only collect the personal data needed to deliver personalized skincare insights and manage your account. Depending on how you use the app, this may include:

  • Account and Authentication Data: A Supabase-generated user ID, anonymous session tokens, and permissions such as whether you granted notification access. We currently do not require an email or password; authentication happens via anonymous sessions.
  • Onboarding Profile Data (optional): Name, age, self-identified skin type, and selected skin concerns. These details are temporarily cached in encrypted device storage (AsyncStorage) during onboarding and then stored in our Supabase database so that analyses and insights can be personalized. Consent status (e.g., whether you agreed to AI-powered analysis) is also recorded.
  • Skin Selfies and Analysis Results: Photos you capture or upload for analysis, signed URLs to those images stored in the Supabase "skin-selfies" bucket, AI-generated metrics (e.g., hydration, oil balance, redness), analysis summaries, confidence/quality scores, and timestamps. These contain biometric and skin-health information that you provide voluntarily.
  • Lifestyle and Journal Entries (optional): Daily logs you submit—hydration levels, sleep duration, sun exposure, nutrition quality, menstrual cycle day, and notes. This information can reveal sensitive health-related details and is only stored when you actively provide it.
  • Insights, Recommendations, and Correlations: AI-generated fusion insights that combine skin metrics with lifestyle data, personalized skincare tips, and correlation scores produced by our analytics routines.
  • Subscription and Purchase Data: Information returned by RevenueCat about in-app purchases (e.g., product identifier, platform, RevenueCat customer ID, entitlement status, renewal dates) and the number of analyses available to you.
  • Notifications and Preferences: Reminder settings, consent flags, and (when enabled) Expo push notification tokens used to send lifestyle or analysis reminders.
  • Support Interactions: When you email support through the in-app contact button, the draft includes your user ID, app version, device model, and OS version so we can troubleshoot effectively.
  • Usage and Device Data: Through Mixpanel analytics we capture app launch events, screen views, button taps, anonymized journey progress, and contextual properties (app version, device make/model, OS version, language, platform, country inferred from device settings). Some events carry high-level metrics (e.g., hydration score after an analysis) to help us understand feature performance.
  • Technical Logs: Supabase Edge Functions store operational logs (success/failure) to maintain service quality. We do not log raw images, but OpenAI and Supabase will record metadata necessary to process requests.

We do not intentionally collect or store any government identifiers, payment card numbers, or precise geolocation data. Manual location fields exist but are optional and off by default.

3. How We Use Personal Data (and Legal Bases)

PurposeLegal Basis (EU/UK)Details
Provide core services (authenticate you, retain analyses, display history)Contractual necessitySupabase manages authentication, persistence of analyses, insights, and recommendations so the app functions as expected.
Perform AI-based skin analyses and generate insights/recommendationsConsent & legitimate interestsWe rely on your explicit action (capturing a selfie or starting an analysis) as consent to process special-category data. We share the selfie and context with OpenAI to deliver summaries, insights, and recommendations.
Schedule reminders and notificationsConsentPush notifications are only sent after you grant OS-level permission. You can withdraw consent in OS settings or decline during onboarding.
Process purchases and manage subscriptionsContractual necessity & legal obligationsRevenueCat, Apple, and Google verify transactions; we store entitlement status to honor subscription benefits.
Improve the product, measure performance, and detect issuesLegitimate interestsMixpanel event data, supabase logs, and anonymous usage trends guide UX improvements while minimizing impact on privacy. You may opt out by contacting us.
Respond to support requestsLegitimate interestsInformation you include in support emails helps us troubleshoot.
Comply with law, enforce terms, protect rightsLegal obligations & legitimate interestsWe may process data to respond to lawful requests or defend our rights.

4. Sharing and Disclosure

We do not sell your personal information. We share it only with service providers and partners who support the Services:

  • Supabase (BaaS platform): Hosts authentication, PostgreSQL database, file storage, and Edge Functions. Data may be stored in the region configured for our Supabase project (EU data centers by default) and is protected by Supabase's security controls.
  • OpenAI (AI processing): Receives the selfie image (as base64), profile context, and lifestyle summaries to generate skin analyses, fusion insights, and recommendations via the OpenAI API (USA-based). OpenAI states that API data is not used for model training or shared outside the API workflow.
  • Mixpanel (Product analytics): Receives event data and device metadata. We route traffic to Mixpanel's EU API endpoint (https://api-eu.mixpanel.com).
  • RevenueCat (In-App purchase infrastructure): Receives our anonymous user ID, platform, product IDs, and transaction metadata to manage subscriptions. RevenueCat may transfer data to the United States.
  • Expo & Push Notification Providers: Expo obtains push tokens and delivers notifications through Apple Push Notification Service (APNs) or Firebase Cloud Messaging (FCM). Tokens are device-specific.
  • App Stores (Apple, Google): Handle billing and may share aggregated purchase status, but we never see your full payment card details.
  • Professional Advisors & Authorities: We may disclose data when required by law, regulation, or legal process.

All vendors are bound by agreements that limit use of the data to providing contracted services and require adequate security.

5. Data Retention

  • Analyses, insights, recommendations, lifestyle entries, and profile data are retained while your account remains active so you can review historical progress.
  • Signed URLs for selfies expire automatically after one year, but the underlying image remains in Supabase storage until you delete it or request removal.
  • Mixpanel retains analytics events according to its default retention period (currently up to 5 years). Aggregated statistics may persist longer but no longer identify individuals.
  • Support emails are kept as long as needed to resolve your ticket and maintain business records.
  • Cached onboarding data stored locally in AsyncStorage is cleared automatically once the onboarding flow completes or when data deletion is triggered.
  • We will remove or anonymize personal data when it is no longer needed for the purposes above, unless a longer retention period is required by law.

6. Data Deletion and Your Rights

  • In-App Deletion: You can erase all profile, analysis, lifestyle, and recommendation data at any time from Settings → Delete All Data. This triggers Supabase functions that remove your selfies, analyses, metrics, lifestyle entries, insights, recommendations, preferences, and entitlements, and clears cached data on your device. You may be asked to re-onboard if you return.
  • Account Closure: Because authentication uses anonymous Supabase sessions, deleting data does not automatically remove the Supabase-auth user. Contact us if you want the underlying account deleted.
  • Access, Rectification, Restriction, Portability: Email us to request a copy of your data, correct inaccurate records, limit processing, or obtain a machine-readable export.
  • Withdraw Consent: Disable notifications in your device settings, uninstall the app, or contact us to withdraw consent for AI analyses or analytics. Some features may no longer work without these services.
  • Object to Legitimate Interests: Let us know if you object to non-essential processing such as analytics; we will honor valid objections.
  • Right to Lodge a Complaint: EU/UK users may contact their local supervisory authority.

We will verify your identity before fulfilling rights requests and respond within one month (or the statutory timeframe in your jurisdiction).

7. International Data Transfers

Supabase, OpenAI, Mixpanel, RevenueCat, and Expo may process data in the United States or other countries outside your home jurisdiction. When we transfer data internationally, we rely on appropriate safeguards such as the EU Standard Contractual Clauses or equivalent contractual protections. By using the Services you acknowledge that your data may be processed abroad where privacy laws differ from yours.

8. Security Measures

We implement technical and organizational measures appropriate to the level of risk, including:

  • TLS encryption for all network communications between the app and Supabase/OpenAI/Mixpanel/RevenueCat.
  • Supabase authentication and row-level policies restricting access to your records.
  • Signed URLs and role-based access for Supabase storage buckets.
  • Minimal local caching and automatic cleanup of onboarding data.
  • Monitoring of access logs and dependency updates.

No system is foolproof. If we learn of a breach affecting your data, we will notify you and regulators when legally required.

9. Push Notifications, Analytics, and Tracking Choices

  • Push Notifications: You can grant or revoke permission within your device OS. Without permission, we do not schedule or send reminders.
  • Analytics: The app currently lacks an in-app toggle for Mixpanel tracking. Contact us to opt out; we can apply a server-side opt-out or reset your Mixpanel profile.
  • Cookies: The mobile app does not use cookies. If you visit our website, separate cookie notices may apply.

10. Children's Privacy

Suitone is designed for adults interested in skincare insights. We do not knowingly collect data from individuals under 16 years of age (or the age of digital consent in your jurisdiction). If you believe a child has provided us data, contact us and we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy to reflect changes to our practices or legal requirements. Material changes will be communicated in-app, via email, or through our website. The "Last updated" date at the top indicates when the latest version took effect. Continued use of the Services after revisions means you accept the updated policy.

12. Contact

For questions, privacy requests, or complaints, email info@suitone.app. We will respond as quickly as possible.

Thank you for trusting Suitone to support your skincare journey.