Privacy Policy

This privacy notice for SkinMama (“Company,” “we,” “us,” or “our”) describes how and why we might collect, store, use, and/or share (“process”) your information when you use our services (“Services”), such as when you:

• Download and use our mobile application (SkinMama), or any other application of ours that links to this privacy notice

• Engage with us in other related ways, including any sales, marketing, or events

Questions or concerns? Reading this privacy notice will help you understand your privacy rights and choices. If you do not agree with our policies and practices, please do not use our Services. If you still have any questions or concerns, please contact us at neurawell.ai@gmail.com.

1. What Data We Collect and Why

We collect personal information that you voluntarily provide to us when you register on the Services, express an interest in obtaining information about us or our products and Services, when you participate in activities on the Services, or otherwise when you contact us.

Personal Information Provided by You

The personal information that we collect depends on the context of your interactions with us and the Services, the choices you make, and the products and features you use. The personal information we collect may include the following:

• Name

• Email

• Gender and sex

We do not process sensitive information.

Application Data

If you use our application(s), we may also collect the following information if you choose to provide us with access or permission:

• Mobile Device Access: We may request access or permission to certain features from your mobile device, including your device’s camera, contacts, and other features. If you wish to change our access or permissions, you may do so in your device’s settings.

• Push Notifications: We may request to send you push notifications regarding your account or certain features of the application(s). If you wish to opt out from receiving these types of communications, you may turn them off in your device’s settings.

• Photos and Camera Access: If you choose to provide us with photos of your skin, we will use these photos to analyze your skin and provide you with personalized skincare recommendations. This is a core functionality of our application. We will only use these photos for this purpose and will not share or use them for any other reason without your consent.

All personal information that you provide to us must be true, complete, and accurate, and you must notify us of any changes to such personal information.

Information Automatically Collected

We automatically collect certain information when you visit, use, or navigate the Services. This information does not reveal your specific identity (such as your name or contact information) but may include:

• IP address

• Browser and device characteristics

• Operating system

• Language preferences

• Referring URLs

• Device name

• Country and location

• Information about how and when you use our Services

• Other technical information

This information is primarily needed to maintain the security and operation of our Services, as well as for our internal analytics and reporting purposes. Specifically, we collect:

• Log and Usage Data: Service-related, diagnostic, usage, and performance information automatically collected when you access or use our Services. Depending on how you interact with us, this can include IP address, device information, browser type and settings, and information about your activity in the Services (such as date/time stamps, pages and files viewed, searches, features you use, device event information, etc.).

• Device Data: Information about your computer, phone, tablet, or other devices you use to access the Services. Depending on the device used, this data may include IP address, device and application identification numbers, location, browser type, hardware model, Internet service provider and/or mobile carrier, operating system, and system configuration information.

2. Facial Data Collection & Usage

How and Why We Collect Face Data

SkinMama collects facial images that users voluntarily provide within the app for the sole purpose of skin analysis. Each time a photo is required, the app explicitly requests access and consent. We do not capture any images without the user’s active participation.

The collected facial data is used to:

• Provide Personalized Recommendations: Analyze facial images to recommend skincare routines and products tailored to the user's unique skin profile. • Generate Skin Scores: Evaluate aspects such as hydration, acne severity, and skin texture to help users monitor changes over time.

These insights are non-medical and are not intended as a substitute for professional dermatological advice.

Face Data Storage and Retention

• Face data is stored temporarily and securely on servers hosted by Supabase (located in Singapore). • All images are encrypted during transmission and storage. • Face data is retained in the user's account unless manually deleted by the user. • Users can delete their face images at any time via the Settings page. • If a user deletes their account, all associated face data and personal information will be permanently deleted.

Third-Party Sharing

SkinMama may transmit user-provided images to a third-party AI service solely for the purpose of real-time skin analysis. The third party: • Processes data only for the specific request. • Does not retain, share, or use the data for model training or analytics.

Apart from this, we do not share, sell, or disclose facial data to any other third parties.

User Consent and Control

• Consent is obtained at each instance of image submission. • Users can withdraw consent at any time and request deletion of previously submitted data. • The app includes in-app tools to manage image storage and deletion.

3. How We Process Your Personal Information (EU/UK Users)

If you are located in the EU or UK, we rely on the following legal bases to process your personal information under the General Data Protection Regulation (GDPR) and UK GDPR:

• Consent: We process your information if you have given us permission (i.e., consent). You can withdraw your consent at any time.

• Performance of a Contract: We process your information if necessary to fulfill our contractual obligations to you or to take steps at your request before entering into a contract.

• Legal Obligations: We may process your information where we believe it is necessary for compliance with a legal obligation (e.g., cooperating with law enforcement, defending legal rights, or as evidence in litigation).

• Vital Interests: We may process your information where we believe it is necessary to protect your vital interests or those of a third party.

4. How We Process Your Personal Information (Canada)

If you are located in Canada:

• We may process your information if you have given us express consent for a specific purpose, or in situations where your permission can be inferred (i.e., implied consent).

• You can withdraw your consent at any time by contacting us.

• In exceptional cases, we may be legally permitted under applicable law to process your information without your consent (e.g., if collection is in an individual’s interest and consent cannot be obtained in a timely way, for fraud detection/prevention, if required by law, etc.).

5. What Are Your Privacy Rights?

Depending on where you are located (e.g., EEA, UK, Canada), you may have certain rights under data protection laws. These can include:

1. Request access and obtain a copy of your personal information.

2. Request rectification or erasure.

3. Restrict the processing of your personal information.

4. If applicable, data portability.

5. Object to the processing of your personal information in certain circumstances.

If you are in the EEA or UK and believe we are unlawfully processing your personal information, you have the right to complain to your local data protection supervisory authority. For Switzerland, contact details of data protection authorities are available at https://www.edoeb.admin.ch/edoeb/en/home.html.

Withdrawing Your Consent

If we rely on your consent to process your personal information, you have the right to withdraw it at any time. To do so, contact us using the details provided at the end of this notice.

If you would like to review or change your account information or terminate your account, you can log in to your account settings or contact us. Upon your request to terminate your account, we will deactivate or delete your account and information from our active databases. We may retain certain information as needed to comply with applicable law, prevent fraud, enforce our legal terms, or troubleshoot issues.

6. Third-Party Websites

Our Services may link to third-party websites, services, or mobile applications (and/or contain advertisements from third parties). We do not endorse or guarantee these third parties, and we are not responsible for their privacy or security practices. Any data collected by third parties is not covered by this privacy notice. You should review the policies of such third parties and contact them directly with any questions.

7. Transfer of Data Internationally

Our servers are hosted with Supabase, which is located in Singapore. If you access the Services from outside Singapore, please be aware that your information may be transferred to, stored, and processed by us in Singapore or other countries where we or our service providers operate.

If you are a resident of the EEA or UK, these countries may not necessarily have data protection laws as comprehensive as those in your own country. However, we take all necessary measures to protect your personal information in accordance with this privacy notice and applicable law.

Where appropriate, we rely on the European Commission’s Standard Contractual Clauses for transfers of personal information between our group companies and our third-party providers, requiring all recipients to protect all personal information originating from the EEA or UK in accordance with European data protection laws. These clauses can be provided upon request. We have implemented similar safeguards with our third-party service providers and partners, and further details can be provided upon request.

8. How Long Do We Keep Your Information?

We only keep your personal information for as long as necessary for the purposes set out in this privacy notice, unless a longer retention period is required or permitted by law. When we no longer have a legitimate business need for your personal information, we either delete or anonymize it. If that is not possible (e.g., because it’s stored in backup archives), we securely store it and isolate it from further processing until deletion is possible.

If you provide us with photos of your skin, we will delete those photos if you delete them from your account or if you delete your account entirely. We will not retain those photos beyond the period of time in which you have an active account with us.

9. How Do We Keep Your Information Safe?

We have implemented appropriate and reasonable technical and organizational security measures designed to protect the security of any personal information we process. However, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure. We cannot promise that hackers or unauthorized third parties will not be able to defeat our security and improperly collect, access, steal, or modify your information.

You should only access our Services within a secure environment.

10. Do Not Track Feature

Most web browsers and some mobile operating systems include a Do-Not-Track (“DNT”) feature. Because there is no uniform standard for recognizing and implementing DNT signals, we do not currently respond to them. If a standard is established, we will inform you of our practice in a revised version of this privacy notice.

11. Privacy Rights for California Residents

If you are a California resident:

• Shine the Light Law (CA Civil Code Section 1798.83): You may request information about categories of personal information (if any) we disclosed to third parties for direct marketing purposes and the names/addresses of all third parties we shared personal information with in the previous year.

• Removal of Posted Data: If you are under 18 and have a registered account, you can request removal of data you publicly post on the Services.

CCPA Privacy Notice

Under the California Code of Regulations, a “resident” is defined as:

1. Every individual who is in California for other than a temporary or transitory purpose.

2. Every individual who is domiciled in California who is outside California for a temporary or transitory purpose.

If this definition applies to you, we must adhere to certain rights and obligations regarding your personal information.

We have collected the following categories of personal information in the past twelve (12) months: