Privacy Policy
Last updated: April 1, 2026
This Privacy Policy describes how EVRG sp. z o.o. (“Company,” “We,” “Us,” or “Our”) collects, uses, processes, shares, and protects Your information when You use the Dermafy AI mobile application, website, and related services (collectively, the “Service”). By using the Service, You agree to the collection and use of information in accordance with this Privacy Policy.
1. Interpretation and Definitions
Capitalized terms used in this Policy have the meanings assigned below. These definitions apply regardless of whether the terms appear in singular or plural form.
- Account means the unique profile created for You to access the Service.
- Application means the mobile application titled “Dermafy AI.”
- Company, We, Us, or Our means EVRG sp. z o.o., a limited liability company organized under the laws of Poland, Tax ID (NIP): 9522279307, with registered address at ul. Skwierzynska 2, 04-853 Warsaw, Poland.
- Device means any device used to access the Service, including smartphones, tablets, and computers.
- Personal Data means any information that identifies or can reasonably be linked to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR.
- Skin Profile Data means information You provide relating to Your skin profile preferences, allergies, intolerances, skincare goals, or skincare needs.
- Scan Data means information generated when You use the Service to scan cosmetic products, including barcode data, ingredient label text, product identifiers, and AI-generated analysis results.
- Usage Data means data collected automatically through use of the Service, including device information, activity logs, feature interactions, and analytics data.
- User Content means photos, images, text, product entries, metadata, or other inputs You upload or submit through the Service.
- Website means dermafyai.app and any associated subdomains.
- You means the individual using the Service or the legal entity on whose behalf the Service is used.
2. Data Controller
The data controller responsible for processing Your Personal Data is:
EVRG sp. z o.o.
ul. Skwierzynska 2, 04-853 Warsaw, Poland
Registered in the National Court Register (KRS) maintained by the District Court for the Capital City of Warsaw
KRS: 0001216474 | REGON: 543723494
Tax ID (NIP): 9522279307
EU VAT ID: PL9522279307
Share capital: PLN 10,000
Email: support@dermafyai.app
3. Types of Data We Collect
We collect the categories of data described below. Certain categories may qualify as special category data under Article 9 of the GDPR.
3.1 Personal Data You Provide
We may collect the following Personal Data when You create an Account or use the Service:
- Email address
- Name (if provided)
- Profile information You choose to enter
3.2 Scan Data and Product Analysis
To provide cosmetic scanning and analysis features, We collect:
- Barcode data from scanned products
- Ingredient label text extracted via optical character recognition
- AI-generated product analysis results (OK, Be Careful, Avoid)
- Scan history and product memory entries (if enabled)
- Product identifiers and metadata
We do not store photos from Your camera permanently. Only the extracted text, barcode data, and analysis results are processed and retained.
3.3 Skin Profile Data
If You choose to provide it, We may collect:
- Skin type (e.g., sensitive, oily, dry)
- Skin allergies and sensitivities
- Skincare goals and ingredient preferences
The core barcode scanning feature processes product ingredient data which, standing alone, does not constitute Skin Profile Data. Skin Profile Data processing only occurs when You voluntarily provide skin profile preferences, allergies, intolerances, or skincare goals, which enables personalized assessments. You may use the basic scanning feature without providing any Skin Profile Data.
3.4 Usage Data
We automatically collect:
- Device type, operating system, and app version
- IP address (anonymized where possible)
- Timestamps and activity logs
- Crash data and diagnostic information
- Feature usage analytics and performance data
3.5 Cookies and Tracking Technologies
The Website uses cookies and similar technologies for analytics, functionality, and security. For detailed information, please refer to Our Cookie Policy.
4. How We Use Your Data
4.1 To Provide and Improve the Service
- Cosmetic product identification and ingredient analysis
- Health assessment generation (Safe, Caution, Avoid)
- Maintaining Your scan history and product memory
- Personalized recommendations based on Your skin profile preferences
- Product monitoring and alerts
- Account management and customer support
- Service stability, debugging, and performance optimization
4.2 To Improve AI and Analysis Models
We may use anonymized or aggregated Scan Data to train and improve Our AI models, enhance the accuracy of ingredient analysis, and improve overall product performance. Such use is strictly anonymized and not linked to Your identity. We do not use Your personal health preferences or skin profile data for model training.
4.3 Communications
We may contact You regarding service-related notifications, updates, new features, security alerts, and customer support responses. Promotional communications are only sent with Your explicit consent and You may opt out at any time.
4.4 Legal and Compliance
We may use Your data to detect or prevent fraud, comply with legal obligations (including tax and accounting requirements under Polish law), enforce Our Terms of Service, and protect the rights, property, or safety of the Company, Our users, or the public.
4.5 Business Transfers
If We engage in a merger, acquisition, reorganization, or asset sale, Your information may be transferred as part of that transaction. We will notify You before Your Personal Data is transferred and becomes subject to a different privacy policy.
5. Legal Bases for Processing (GDPR)
Under the General Data Protection Regulation (EU) 2016/679, We process Your Personal Data based on the following legal grounds:
- Contract performance (Article 6(1)(b)) — processing necessary to provide the Service You requested, including cosmetic scanning, analysis, and account management.
- Consent (Article 6(1)(a)) — for processing Skin Profile Data (Article 9(2)(a)), marketing communications, and optional personalization features. Explicit consent for Skin Profile Data is collected separately through a dedicated in-app consent flow and is not bundled with general Terms acceptance. You may withdraw consent at any time, which will result in deletion of Your Skin Profile Data and cessation of personalized assessments.
- Legitimate interests (Article 6(1)(f)) — for service improvement, security, fraud prevention, and anonymous analytics, where such interests are not overridden by Your data protection rights.
- Legal obligations (Article 6(1)(c)) — for compliance with tax, accounting, and regulatory requirements under Polish and EU law.
6. How We Share Personal Data
We do not sell Your Personal Data. We may share Personal Data only in the following circumstances:
6.1 Service Providers
With third-party vendors who support the Service under strict data processing agreements (Article 28 GDPR), including cloud hosting providers, analytics services, and customer support tools. These providers process data only on Our instructions and are contractually bound to protect Your information.
6.2 Legal Compliance
With law enforcement, regulatory authorities, or courts when required by applicable law, legal process, or governmental request.
6.3 Business Transfers
As part of any merger, acquisition, sale of assets, or similar corporate transaction, subject to the protections described in this Policy.
6.4 Aggregated or Anonymized Data
We may share aggregated or non-identifiable data for analytics, research, or business purposes. Such data cannot be used to identify You.
7. User Content
User Content includes photos of cosmetic products uploaded for analysis, text entries, and scan logs. By submitting User Content, You grant the Company a worldwide, royalty-free license to use, store, process, and analyze Your User Content solely to operate, maintain, and improve the Service.
We may use anonymized cosmetic product images and ingredient data to improve Our AI models and analysis accuracy. We do not associate such data with Your identity when used for internal development. We do not publicly display Your content without Your express consent.
8. Automated Decision-Making and Profiling
The Service uses automated processing, including AI-powered algorithms, to generate cosmetic product assessments (Safe, Caution, Avoid). These assessments are produced solely by automated means based on ingredient analysis, additive classifications, safety classification data, and (where provided) Your skin profile preferences and health profile.
While these assessments may influence Your skincare choices, they do not produce legal effects and are intended as informational guidance only. They do not constitute medical advice, diagnosis, or professional health recommendations.
Under Article 22 of the GDPR, You have the right to:
- Request human review of any automated assessment
- Express Your point of view regarding an automated decision
- Contest an automated assessment
- Receive meaningful information about the logic involved in the assessment, including the key factors considered by the AI
To exercise these rights, contact Us at support@dermafyai.app. We will provide a human review of any contested assessment within 30 days.
9. Artificial Intelligence and Transparency
In compliance with the EU AI Act (Regulation 2024/1689), We inform You that:
- Product safety assessments (Safe, Caution, Avoid) are generated by AI algorithms, not by human reviewers
- The AI analyzes ingredient lists, safety classification data, additive classifications, and (where provided) Your skin profile
- AI assessments are probabilistic and may not reflect all factors relevant to Your individual health situation
- You may request human review of any AI-generated assessment by contacting Our support team
10. Data Retention
- Account Data — retained for as long as Your Account is active or as necessary to provide the Service.
- Scan Data and Product Memory — retained until You delete it or delete Your Account.
- Skin Profile Data — retained until You delete it or delete Your Account. Not retained after account deletion.
- Usage Data — retained for up to 26 months for analytics purposes, then anonymized or deleted.
- Transaction Data — retained for the period required by Polish tax law (currently 5 years from the end of the tax year).
We delete or anonymize Personal Data when it is no longer needed for the purposes described in this Policy, unless a longer retention period is required or permitted by law.
11. International Data Transfers
Your information is primarily stored on servers within the European Economic Area (EEA). Where data is transferred outside the EEA (e.g., to service providers in the United States), We implement appropriate safeguards as required by Chapter V of the GDPR, including Standard Contractual Clauses approved by the European Commission (Decision 2021/914) and, where applicable, supplementary measures in accordance with the CJEU's Schrems II ruling.
12. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to Your rights and freedoms, We will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by Article 33 of the GDPR. Where the breach is likely to result in a high risk to Your rights and freedoms, We will also notify You directly without undue delay (Article 34 GDPR).
13. Your Privacy Rights
Under the GDPR and applicable privacy laws, You have the following rights:
- Right of access (Article 15) — obtain confirmation of whether Your Personal Data is being processed and a copy of that data.
- Right to rectification (Article 16) — correct inaccurate or incomplete Personal Data.
- Right to erasure (Article 17) — request deletion of Your Personal Data (“right to be forgotten”).
- Right to restriction (Article 18) — request restriction of processing in certain circumstances.
- Right to data portability (Article 20) — receive Your Personal Data in a structured, commonly used, machine-readable format.
- Right to object (Article 21) — object to processing based on legitimate interests, including profiling.
- Right to withdraw consent — where processing is based on consent, You may withdraw it at any time without affecting the lawfulness of processing before withdrawal.
- Right to meaningful information about automated processing (Articles 13(2)(f) and 15(1)(h)) — receive information about the logic involved in automated decision-making and the significance and envisaged consequences of such processing.
- Right to lodge a complaint — You may file a complaint with the President of the Personal Data Protection Office (Prezes Urzedu Ochrony Danych Osobowych, PUODO), ul. Stawki 2, 00-193 Warsaw, Poland, or with the supervisory authority of Your habitual residence.
To exercise any of these rights, contact Us at support@dermafyai.app. We will respond within 30 days as required by the GDPR (Article 12(3)).
14. Account and Data Deletion
You may request deletion of Your Account, scan history, product memory, and all associated Personal Data at any time by contacting Us at support@dermafyai.app with the subject “Account Deletion Request.”
We will process Your request within 30 days. Some data may be retained where legally required (e.g., transaction records for tax compliance under Polish law). Anonymized data that can no longer be linked to You is not subject to deletion requests.
15. Security
We implement appropriate technical and organizational measures to protect Your Personal Data against unauthorized access, alteration, disclosure, or destruction. These measures include encryption in transit (TLS 1.3) and at rest, access controls, regular security assessments, and secure development practices. However, no method of electronic transmission or storage is completely secure, and We cannot guarantee absolute security.
16. Children's Privacy
The Service is not intended for children under 16 years of age. We do not knowingly collect Personal Data from children under 16. If We become aware that We have collected Personal Data from a child under 16, We will take steps to delete such information promptly.
In the United States, the Children's Online Privacy Protection Act (COPPA) applies to children under 13. Our global minimum age requirement of 16 exceeds COPPA requirements. If You believe a child has provided Us with Personal Data, please contact Us at support@dermafyai.app.
17. Third-Party Links and Services
The Service may contain links to third-party websites, applications, or services that are not operated by Us (such as app stores, payment processors, or analytics providers). We are not responsible for the privacy practices of such third parties. We encourage You to review the privacy policies of any third-party services You access through the Service.
18. Region-Specific Privacy Rights
18.1 California Residents (CCPA/CPRA)
If You are a California resident, the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA”) provides You with additional rights regarding Your personal information.
Categories of Personal Information Collected: We collect identifiers (email address), internet activity information (usage data, scan history), and health-related information (skin profile preferences, allergies) as described in Section 3 of this Policy.
We Do Not Sell or Share Your Personal Information: We do not sell Your personal information as defined by the CCPA. We do not share Your personal information for cross-context behavioral advertising.
Your Rights Under the CCPA: You have the right to know what personal information We collect and how it is used; request deletion of Your personal information; opt out of the sale or sharing of personal information (not applicable as We do not sell or share); non-discrimination for exercising Your privacy rights; correct inaccurate personal information; and limit the use of sensitive personal information.
Sensitive Personal Information: Health-related preferences You provide are considered sensitive personal information under the CCPA. We only use this data to provide the Service and do not use it for purposes beyond what is necessary.
To exercise Your CCPA rights, contact Us at support@dermafyai.app. We will verify Your identity and respond within 45 days.
18.2 Brazil Residents (LGPD)
If You are located in Brazil, the Lei Geral de Protecao de Dados (LGPD) provides additional rights regarding Your personal data. You have the right to: confirmation of data processing; access to Your data; correction of incomplete, inaccurate, or outdated data; anonymization, blocking, or deletion of unnecessary data; data portability; information about third parties with whom data is shared; and revocation of consent. To exercise these rights, contact Us at support@dermafyai.app.
18.3 Japan Residents (APPI)
If You are located in Japan, We process Your personal information in accordance with the Act on the Protection of Personal Information (APPI). We use Your personal information only for the purposes stated in this Policy and will not provide it to third parties without Your consent except as permitted by law. You may request disclosure, correction, cessation of use, or deletion of Your personal information by contacting Us at support@dermafyai.app.
18.4 South Korea Residents (PIPA)
If You are located in South Korea, the Personal Information Protection Act (PIPA) provides additional protections. You have the right to access, correct, delete, and suspend processing of Your personal information. For cross-border data transfers, We rely on Your consent and implement appropriate safeguards. To exercise Your rights, contact Us at support@dermafyai.app.
19. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in Our practices, technology, legal requirements, or other factors. Updates become effective when posted on this page with an updated “Last updated” date. For material changes, We will provide notice through the Application or by email at least 14 days before the changes take effect. Your continued use of the Service after such notice constitutes acceptance of the updated Policy.
20. Contact Us
If You have questions, concerns, or requests related to this Privacy Policy or Your Personal Data, You may contact Us:
EVRG sp. z o.o.
ul. Skwierzynska 2, 04-853 Warsaw, Poland
Registered in the National Court Register (KRS) maintained by the District Court for the Capital City of Warsaw
KRS: 0001216474 | REGON: 543723494
Tax ID (NIP): 9522279307
EU VAT ID: PL9522279307
Share capital: PLN 10,000
Email: support@dermafyai.app