Skintrig

Privacy Policy

Effective Date: February 12, 2026


1. Who We Are

This Privacy Policy applies to the mobile application Skintrig (the “App”) and our related services, including our beta program signup website (the “Services”).

The Services are provided by Michal Surynt (“we”, “us”, or “our”). For the purposes of applicable data protection laws (including the EU General Data Protection Regulation (“GDPR”) and UK GDPR), Michal Surynt is the data controller.

Contact (Privacy): hello@skintrig.com


2. Compliance

We aim to follow applicable privacy and data protection principles, including data minimization, purpose limitation, and security by design. Skintrig is built as a local-first product and does not require a user account.


3. Scope of This Privacy Policy

This Privacy Policy describes how we collect, use, store, and share information when you:

  • use the Skintrig mobile app, and/or
  • sign up for our beta program on our website.

This policy does not cover third-party websites, apps, or services that you may access via links from our Services.


4. Information We Collect

4.1 Information you provide

A) In-app content (stored locally on your device)
Skintrig lets you store skincare-related information such as:

  • products you add,
  • reactions you log (including optional notes),
  • insights and preferences.

Important: This information is stored on your device and is not uploaded to our servers.

B) Beta signup (website)
If you sign up for the beta program, we collect the information you submit in the form (typically your email address). We store form submissions in our website hosting provider’s dashboard (Netlify Forms). We may contact you manually about beta access.

4.2 Information collected from your device

A) Photos / camera access (for ingredient label scanning)
The App may request access to:

  • Camera (to take photos of ingredient labels),
  • Photo library/gallery (to select photos of ingredient labels).

The App is designed for scanning cosmetic ingredient labels (INCI). However, any photo may contain additional content in the background; please capture only what you intend to process.

4.3 Information processed for AI ingredient recognition (sent outside your device)

When you use ingredient recognition features, the App may transmit:

  • photos of ingredient labels (images),
  • extracted text (OCR output) and/or helper context used to improve parsing.

These requests are routed through our Supabase Edge Function acting as a proxy and then forwarded to OpenAI for processing. We do not attach your identity, name, email, or an account identifier to these requests.

4.4 Analytics (optional / opt-in)

We use Amplitude to understand app usage and improve the product. Analytics are:

  • opt-in (we collect analytics only if you enable it),
  • designed to be anonymous (no account, no email, no name),
  • limited to feature usage (e.g., whether a user used certain fields), not user content.

Example analytics event: a “reaction logged” event may include booleans such as whether you set an area or extra conditions, but not the content of your notes or the details of your reactions.

4.5 What we do NOT collect

We do not require accounts and do not collect:

  • your name, address, phone number (unless you voluntarily provide it outside the App, e.g., via email),
  • your reaction notes or reaction details on our servers,
  • your full photo library or unrelated photos,
  • precise location data.

5. How We Use Your Information

We use information only for the following purposes:

  1. Provide core functionality

    • scanning ingredient labels and returning results,
    • storing your products/reactions locally on your device.
  2. Improve the App (only with your consent)

    • understand feature adoption and basic usage flows via opt-in analytics.
  3. Operate the beta program

    • store beta signup submissions,
    • manually contact you with beta access details or updates.
  4. Security, debugging, and reliability

    • we may introduce crash/error reporting in the future (see Section 6.5). At the time of this policy, crash reporting is not active.

6. How We Share Information

We do not sell your personal data.

We share data only with service providers (“processors”) when necessary to deliver specific features.

6.1 OpenAI (ingredient recognition)

If you use the ingredient recognition features, images and/or OCR text are sent to OpenAI only for processing and returning results. We use OpenAI with Zero Data Retention (ZDR) enabled.

We do not include account identifiers, and the payload is intended to be limited to ingredient-label-related content.

6.2 Supabase (proxy)

We use Supabase Edge Functions strictly as a proxy layer for AI requests. We do not use Supabase for user accounts or user databases for the App at this time.

We do not intentionally log request bodies containing images or OCR text. Operational logs may contain metadata such as invocation timing and status codes.

6.3 Amplitude (opt-in analytics)

If you enable analytics, certain anonymous usage events are sent to Amplitude. We configure analytics to avoid collecting direct identifiers such as your email or name.

6.4 Netlify (beta signup forms)

Beta signup submissions are stored in Netlify Forms and visible in our Netlify dashboard. We use them solely for beta coordination and communications.

6.5 Future services (planned)

We may integrate additional services in the future, such as:

  • Bugsink (hosted) for crash/error reporting,
  • Adapty for subscriptions/payments.

If/when we enable these services, we will update this Privacy Policy and, where required, provide appropriate consent prompts.


7. International Data Transfers

Some of our service providers may process data outside your country or outside the European Economic Area (EEA). Where applicable, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) or equivalent mechanisms.

Because Skintrig is local-first, the main cross-border transfers relevant to users are the AI processing flow (ingredient recognition) and the beta signup form submissions.


8. Data Retention

8.1 In-app data (local)

Your products, reactions, notes, and insights are stored locally on your device until you:

  • delete them in the App, and/or
  • use in-app delete/reset features, and/or
  • uninstall the App (which typically removes app storage).

8.2 AI processing requests

We do not intend to retain ingredient-label images or OCR content on our servers. AI processing is performed on-demand, and results are returned to the App.

8.3 Analytics (if enabled)

Analytics data is retained according to Amplitude’s retention settings. Because analytics are anonymous and not linked to an account identity, we generally cannot locate or delete a specific individual’s analytics history upon request.

You can stop analytics collection at any time by disabling analytics in the App (and you can reset by reinstalling the App, depending on your device settings).

8.4 Beta signup submissions

We retain beta signup submissions for as long as needed to run the beta and communicate with participants, unless you request deletion earlier.


9. Your Privacy Rights

Depending on your location, you may have rights including:

  • access to your personal data,
  • correction,
  • deletion,
  • restriction or objection,
  • portability,
  • withdrawal of consent (where processing is based on consent).

Local data: You can delete your in-app data directly within the App or by uninstalling it.

Beta signup: You can request deletion of your beta signup submission by contacting us at hello@skintrig.com.

Analytics: If you enabled analytics, you can withdraw consent by disabling analytics in the App.

If you have concerns, you may also have the right to lodge a complaint with your local data protection authority.


10. Data Security

We take reasonable measures to protect data, including:

  • using secure network transport (HTTPS/TLS) for transmissions,
  • proxying AI requests through our backend to avoid embedding third-party API keys in the App,
  • minimizing the data sent for processing.

No method of transmission or storage is 100% secure, but we work to continuously improve our safeguards.


11. Children’s Privacy

Skintrig is not intended for children under the age of 13 (or a higher age where required by local law). We do not knowingly collect personal data from children.


12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will update the effective date and, where appropriate, provide notice in the App or on our website.


Contact

For privacy questions or requests, contact: hello@skintrig.com