Privacy Policy — LUX AI
Effective date: May 12, 2026
Data Controller: LuxLab Apps
Contact: luxaiapp@gmail.com
This Privacy Policy describes how the LUX AI mobile application (the "Application", "we", "us" or "our"), developed by LuxLab Apps (the "Service Provider"), collects, uses, stores, shares and protects your information when you use the Application on iOS or Android devices. The Application is offered as a Freemium service. By downloading, installing or using the Application you accept the practices described below.
1. Information We Collect
We only collect data that is strictly necessary to operate the Application and provide its features. Depending on which features you use, we may process the following categories of information:
a) Photographs and facial images. When you use the Facial Analysis, Haircut Simulator, Colorimetry, Skincare Match or Food Analysis features, you can take a photo with the camera or select one from the gallery. These images are processed exclusively to generate the requested visual or aesthetic result. Before the first photo is ever transmitted, the Application displays an in-app consent screen that identifies Google's Gemini AI by name as the third-party processor, and requires you to explicitly accept.
b) Aesthetic analysis results. Numerical scores (symmetry, harmony, proportions), face shape, skin type, color palette, recommended haircuts and similar derived data generated by our AI from your photo. These results are stored locally on your device.
c) Information you provide voluntarily. Quiz answers, profile data (age range, gender, goals), food log entries, training and nutrition preferences, skincare profile information, and — only if you choose to use the Cycle tracking feature — menstrual cycle dates and symptoms. Cycle, food and training data are stored locally on your device and are not transmitted to our servers, except for the anonymized biometric quiz answers sent to Google's Gemini AI to generate your personalized training and nutrition protocol.
d) Account and authentication identifiers. The Application creates an anonymous account on Firebase Authentication so cloud features can function. This anonymous account is identified by a random user ID (UID) and is not linked to your name, email or phone number unless you provide them.
e) Device and technical information. Anonymous device identifier (generated by the Application), device model, operating system and version, language, time zone, application version, crash logs and basic usage events (e.g. which screen was opened) used to diagnose errors and improve stability.
f) Subscription and purchase information. When you subscribe to LUX AI Premium, the App Store / Google Play and our subscription provider (RevenueCat) process the transaction, the active entitlement and the renewal status. We never receive or store your full payment card details.
g) Local notifications. All reminders and engagement messages are scheduled locally on your device using the operating system's notification framework. We do not store any push notification token on our servers and do not send remote pushes. You can manage which reminders you receive from the in-app Notifications settings or revoke notifications entirely from your operating system settings.
h) Advertising identifiers. The Application uses Google AdMob to serve ads in the free version. On iOS, before any ad is shown we display Apple's App Tracking Transparency (ATT) prompt explaining that we may use the IDFA (Identifier for Advertisers) to measure ad performance and, only if you grant permission, to serve personalized ads. If you decline, AdMob will serve non-personalized ads only. You can change this choice at any time in Settings → Privacy → Tracking.
i) Friend referral data (Android only). The friend referral system is available exclusively on the Android version of the Application and is not offered on iOS. On Android, if you choose to share or redeem a referral code, we process a generated referral code, an anonymous device identifier and the timestamp of redemption to attribute the referral and prevent abuse. No referral data is collected, processed or stored on iOS.
We do NOT collect: your real name, email address, phone number, precise location, contacts list, biometric face templates suitable for identity recognition, government IDs, payment card numbers, health diagnostic data or any data from children under 16.
2. How We Use Your Information
We use the information described above only for the following purposes:
Provide and operate the core features of the Application (facial analysis, haircut simulator, colorimetry, skincare match, food analysis, daily plan, wellness tools, training and nutrition protocol).
Generate personalized recommendations based on your quiz answers and analysis results.
Maintain your subscription status and unlock Premium content.
Diagnose crashes, prevent abuse and improve performance.
Comply with legal obligations and respond to lawful requests.
3. Photos and Facial Analysis
How are your photos processed?
When you take a selfie for Facial Analysis, Haircut Simulator, Colorimetry, Skincare Match or Food Analysis, the image is securely uploaded over an encrypted HTTPS/TLS connection to our backend (Firebase Cloud Functions, operated by Google LLC) and from there to Google's Gemini AI (Google LLC), which is our sole third-party AI processing provider for photo-based features. Gemini evaluates aesthetic visual characteristics (symmetry, proportions, skin tone, face shape, color undertone), generates a stylistic transformation or identifies food items, and returns the result to your device. Before the first photo is ever transmitted, the Application displays an in-app consent screen that identifies Google's Gemini AI by name and requires you to explicitly accept; if you decline, no photo is sent.
What we do NOT do with your photos:
We do not permanently store the original photos on our servers. They are processed in memory or in a temporary buffer and are automatically and irreversibly deleted immediately after the result is generated.
We do not use your photos to train AI models.
We do not generate biometric face templates capable of identifying you across services or sessions, and we do not perform face recognition.
We do not sell, rent or share your photos with advertisers, data brokers or any third party for marketing purposes.
We do not associate your photos with your real identity.
Where the analysis results live.
Numerical scores, recommendations and analysis history derived from your photo are stored locally on your device. You can review, export or delete them at any time from the Profile screen.
4. AI Processing Provider — Google Gemini
We use Google's Gemini AI (Google LLC, USA) as our exclusive third-party AI provider, accessed through our backend (Firebase Cloud Functions). Gemini powers the photo-based features (Facial Analysis, Haircut Simulator, Colorimetry, Skincare Match, Food Analysis) and the personalized training and nutrition protocol generation from your quiz answers.
What is sent for photo features: the selfie or food photo you provide, transmitted only after you accept the in-app consent screen that names Google's Gemini AI.
What is sent for the training and nutrition protocol: only the anonymized biometric quiz answers you typed (age range, training experience, goals, dietary preferences). No photo, name, email or identifier is sent.
Purpose: generate aesthetic analysis scores, stylistic transformations, food nutrition information and personalized training / nutrition recommendations.
Data retention by Google: Google processes Gemini API requests under its Generative AI terms and does not use the content to train its public models. Data may be retained for a short period (typically up to 30 days) for abuse monitoring and then deleted. Google's privacy policy: https://policies.google.com/privacy
User consent: the Application requests explicit in-app consent that identifies Google's Gemini AI by name before the first time any photo or quiz data is transmitted. You can withdraw consent at any time from Profile → Privacy.
5. Third-Party Service Providers
We rely on the following processors strictly for the purposes listed. Each provider is bound by its own privacy policy and applicable data processing agreements (including, where relevant, Standard Contractual Clauses for international data transfers from the EEA/UK to the United States).
Google Firebase (Authentication, Cloud Functions, Cloud Storage, Cloud Messaging, Analytics, Crashlytics) — anonymous account, photo transit to Google Gemini, push notifications, crash and usage diagnostics. Provider: Google LLC (USA). Privacy policy: https://firebase.google.com/support/privacy
Google Gemini AI (Generative Language API) — exclusive third-party AI provider for aesthetic photo analysis, haircut/style transformations, food image analysis and training & nutrition protocol generation from quiz answers. Provider: Google LLC (USA). Privacy policy: https://policies.google.com/privacy and Gemini API terms: https://ai.google.dev/terms
Supabase — backend storage for challenge progress and for the friend referral system, which is available on Android only and is not offered on iOS. Provider: Supabase Inc. (USA). Privacy policy: https://supabase.com/privacy
RevenueCat — subscription and entitlement management. Provider: RevenueCat, Inc. (USA). Privacy policy: https://www.revenuecat.com/privacy
Google AdMob — advertising in the free version. Provider: Google LLC (USA). Privacy policy: https://policies.google.com/technologies/ads
Apple App Store / Google Play — distribution and in-app purchase processing. Apple Inc. and Google LLC respectively.
6. Where Your Data Is Stored and For How Long
On your device: analysis history, quiz answers, profile, cycle and wellness logs, food and training data, language preference and subscription cache are stored locally. They remain on your device until you delete them or uninstall the Application.
On our backend (Firebase / Supabase):
Original photos: processed in memory and deleted immediately after analysis — no persistent storage.
Anonymous Firebase user ID: kept while your installation is active.
Crash and diagnostic logs: up to 90 days.
Referral codes (Supabase, Android only — not collected on iOS) and challenge progress: kept while the installation is active.
Subscription records (RevenueCat): kept while the subscription is active and for the period required by tax and consumer protection laws (typically up to 7 years).
We delete or anonymize data once the purpose for which it was collected has been fulfilled, unless a longer retention period is required by law.
7. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area, the United Kingdom or Switzerland, we rely on the following legal bases under the General Data Protection Regulation (GDPR):
Performance of a contract (Art. 6.1.b): to deliver the features you request, including facial analysis and subscription management.
Consent (Art. 6.1.a): for the use of the camera and gallery, transmission of your photo to Google Gemini AI, advertising tracking (ATT on iOS) and any optional health-related feature such as cycle tracking. You may withdraw your consent at any time.
Legitimate interest (Art. 6.1.f): to secure the service, prevent fraud and abuse, monitor crashes and improve performance.
Legal obligation (Art. 6.1.c): to keep accounting and tax records of subscriptions and to respond to lawful requests from authorities.
8. International Data Transfers
Our processors (Google Firebase, Google Gemini, Supabase, RevenueCat, AdMob, Apple) are based in the United States and may process your data outside your country of residence. When we transfer personal data from the EEA, the UK or Switzerland to the United States, we rely on the European Commission's Standard Contractual Clauses (SCCs) and on the EU–U.S. Data Privacy Framework, where applicable, to ensure an adequate level of protection.
9. Your Rights
Depending on your country of residence, you have the following rights over your personal data:
Right of access: request confirmation of whether we process your data and obtain a copy of it.
Right of rectification: ask us to correct inaccurate or incomplete data.
Right to erasure ("right to be forgotten"): request the deletion of your data.
Right to restriction: ask us to limit the processing of your data.
Right to data portability: receive your data in a structured, machine-readable format.
Right to object: object to processing based on our legitimate interests.
Right to withdraw consent at any time, without affecting the lawfulness of past processing.
Right to lodge a complaint with your local data protection supervisory authority (in Spain: Agencia Española de Protección de Datos — www.aepd.es).
To exercise any of these rights, write to luxaiapp@gmail.com. We will respond within 30 days.
10. Notice for California Residents (CCPA / CPRA)
If you are a California resident, you have the right to know what categories of personal information we collect, the purposes for which we use them, the right to request deletion and the right to opt out of the sale or sharing of personal information. We do not sell your personal information and we do not share it for cross-context behavioral advertising. To exercise your rights, contact luxaiapp@gmail.com.
11. Account and Data Deletion
You can delete your account and all data associated with it directly from inside the Application:
Profile → Account → Delete Account
This action will:
Immediately and irreversibly remove all locally stored data (analysis history, profile, quiz, wellness, cycle and food logs, preferences and cached entitlements).
Trigger the deletion of your anonymous Firebase identifier and associated server-side records (challenge progress, and — on Android — referral codes) within 30 days.
Photos are not affected because they are never permanently stored on our servers.
You may also request manual deletion at any time by writing to luxaiapp@gmail.com.
12. Device Permissions
The Application requests the following permissions, all of which are optional and only used for the stated purpose:
Camera: to capture selfies for facial analysis, haircut simulator and food analysis.
Photo Library (read): to let you upload an existing selfie for analysis or style transformation.
Photo Library (save): to save your AI-generated transformations and analysis result cards to your gallery.
Push Notifications: to deliver daily plan reminders and engagement messages.
App Tracking Transparency (iOS only): to request permission to use your IDFA for personalized advertising via AdMob. Declining this prompt has no effect on the Application's core features.
Internet: required for cloud features (analysis, subscription validation).
You can revoke any of these permissions at any time from your device's system settings.
13. Children's Privacy
The Application is not directed to children under 16 and we do not knowingly collect personal information from minors below that age. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at luxaiapp@gmail.com and we will delete the information promptly. In the United States we comply with the Children's Online Privacy Protection Act (COPPA): users under 13 may not use the Application.
14. Security
We implement administrative, technical and physical measures to protect your information, including: encrypted transport (HTTPS/TLS 1.2+), encryption at rest in our backend, access control to production systems, segregation of environments, automatic deletion of photos after processing and continuous monitoring. No method of transmission over the Internet is 100% secure; we cannot guarantee absolute security, but we work to follow industry best practices.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, operational or regulatory reasons. When we make a material change we will update the "Effective date" at the top and, where appropriate, notify you inside the Application. Continued use of the Application after the changes take effect means you accept the updated policy.
16. Contact Us
If you have any questions, complaints or requests regarding this Privacy Policy or your personal data, please contact us at:
LuxLab Apps
Email: luxaiapp@gmail.com
© 2026 LuxLab Apps. All rights reserved.