Privacy Policy

1. Who we are

DermaLens AI ("we", "us", "our") is an AI-powered skincare analysis service operated by two partners based in the United Kingdom and the United States of America. We can be contacted at: support@dermalensai.com

We are the data controller for personal data processed through this website.

2. What data we collect

Account data

• Email address and name (when you create an account)
• Password (stored as an encrypted hash — we never see your password in plain text)
• Subscription plan status (Free or Pro)
• Account creation date

Skin analysis data

• Quiz answers: skin type, concerns, age range, lifestyle factors, budget
• Skin score and analysis results
• Product routine recommendations
• Date and time of each scan
• Whether a photo was used (yes/no flag only — the photo itself is never stored)

Photos and face scan data

If you choose to upload a selfie (Pro feature), your photo is processed as follows:

• The image is compressed in your browser and sent directly to Anthropic's API (our AI provider) over an encrypted connection
• The photo is analysed to assess visible skin characteristics
• The photo is immediately discarded after analysis — it is never stored on our servers or database
• We do not perform facial recognition or biometric identification
• No personally identifiable details (name, email) are included in the data sent to Anthropic

Payment data

Payment processing is handled entirely by Stripe. We do not store credit card numbers, CVV codes, or full payment details. Stripe may share subscription status information with us (e.g. whether your payment succeeded) but no raw card data.

Technical data

• IP address (used for approximate location to show localised prices and product availability)
• Browser type and device type
• Pages visited and time spent (for service improvement)

3. Why we process your data (lawful basis)

• Contract performance — to provide the skin analysis and routine service you signed up for
• Legitimate interests — to improve our service, prevent fraud, and maintain security
• Consent — for optional features such as photo analysis (you may skip this at any time)
• Legal obligation — to comply with UK GDPR, tax law, and other applicable regulations

4. How we use your data

• To generate your personalised skin score, findings, and AM/PM product routine
• To save your scan history to your dashboard so you can track progress over time
• To process and manage your Pro subscription via Stripe
• To send transactional emails (account confirmation, password reset) — we do not send marketing emails
• To detect and prevent fraud or abuse
• To improve the accuracy and quality of our AI analysis

5. Who we share data with

We do not sell, rent, or trade your personal data. We share data only with the following third-party service providers, and only to the extent necessary to provide our service:

• Anthropic (USA) — AI analysis provider. Receives your quiz answers and (optionally) your compressed photo to generate your skin report. No name or email is included. Anthropic's privacy policy: anthropic.com/privacy
• Supabase (USA/EU) — Database and authentication provider. Stores your account details and scan history. Data may be processed in the United States. Supabase's privacy policy: supabase.com/privacy
• Stripe (USA) — Payment processor for Pro subscriptions. Handles all card processing. Stripe's privacy policy: stripe.com/gb/privacy
• Netlify (USA) — Website hosting provider. Serves our website and processes server-side functions. Netlify's privacy policy: netlify.com/privacy
• Amazon Associates — Affiliate programme. Product links on our site may include affiliate tracking codes. Amazon's privacy policy: amazon.co.uk/privacy

6. International data transfers

Some of our service providers are based in the United States. When we transfer data outside the UK, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) or reliance on the UK's adequacy decisions where applicable.

7. How long we keep your data

• Account data — retained for as long as your account is active, plus 30 days after deletion
• Scan history — retained while your account is active; deleted immediately upon request
• Photos — never stored; discarded immediately after AI analysis
• Payment records — retained for 7 years as required by UK tax law

8. Your rights under UK GDPR

You have the following rights regarding your personal data:

• Right to access — request a copy of the personal data we hold about you
• Right to rectification — ask us to correct inaccurate data
• Right to erasure — request deletion of your account and all associated data
• Right to restrict processing — ask us to limit how we use your data
• Right to data portability — receive your data in a structured, machine-readable format
• Right to object — object to processing based on legitimate interests
• Right to withdraw consent — where processing is based on consent (e.g. photo analysis), you can withdraw at any time

To exercise any of these rights, email us at support@dermalensai.com. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

You can also delete your scan history directly from your dashboard at any time under Settings → Privacy settings.

9. Cookies

We use only essential cookies necessary to operate the service (authentication session tokens). We do not use advertising cookies or cross-site tracking cookies. No cookie consent banner is required for strictly necessary cookies under UK PECR.

10. Children

DermaLens AI is intended for users aged 18 and over only, in line with our Terms of Service. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

11. Security

We implement the following security measures to protect your data:

• All data is transmitted over HTTPS (TLS encryption)
• Passwords are hashed using industry-standard algorithms — we never store plain-text passwords
• Database access is restricted using row-level security (users can only access their own data)
• API keys and secrets are stored as encrypted environment variables, not in code
• Photos are never written to any database or file storage

12. Changes to this policy

We may update this privacy policy from time to time. We will notify you of material changes by posting a notice on our website and updating the "Last updated" date at the top of this page. Continued use of the service after changes are posted constitutes acceptance of the updated policy.

13. Contact us

For any privacy-related questions, data subject requests, or complaints:

Email: support@dermalensai.com
Website: dermalensai.com