Legal
Privacy Policy
Effective date: July 1, 2026. Last updated: July 1, 2026.
Clean Skin is a mobile application that helps you understand the composition of your skincare products by analysing their ingredients. This Privacy Policy describes how we collect, use, store, and share your personal data.
The controller of your personal data is the Clean Skin team (the "Service", "we", "us", "our"). For any privacy-related request contact us at sc.assistant.dev@icloud.com.
1. Personal data we collect
We collect only what the Service needs to work.
You provide to us:
- Email address, display name, and authentication identifiers from Google Sign-In or Sign in with Apple when you create an account;
- Skin profile data you choose to enter (skin type, concerns, preferences);
- Products and ingredients you mark as favourites, search for, or view;
- Messages you send to the in-app assistant.
Collected automatically by the Service:
- Authentication session data (JWT tokens, device fingerprints used to blacklist revoked sessions);
- Subscription status obtained from Apple (whether your Clean Skin Pro subscription is active).
Collected automatically by third-party SDKs used by the Service:
- Crash reports (device model, OS version, anonymous installation identifier, stack traces) via Firebase Crashlytics (provided by Google LLC);
- Push notification tokens issued by Apple Push Notification Service when you allow notifications.
2. Why we process your data
We process your data for the following purposes:
- Creating and operating your account — legal basis: contract and consent;
- Personalising scoring and recommendations — contract;
- Processing your Clean Skin Pro subscription — contract;
- Sending service-related push notifications — consent (revocable in iOS settings);
- Keeping the service stable (crash diagnostics) — legitimate interest;
- Complying with legal obligations — legal obligation.
Legal bases are determined under applicable data protection law and, where applicable, Article 6 of the EU GDPR.
3. Who we share data with
We share only what is necessary, and only with the following providers:
- Apple Inc. — authentication (Sign in with Apple), subscription billing, push notifications;
- Google LLC — authentication (Google Sign-In), crash reporting (Firebase Crashlytics);
- Competent authorities — only where we are legally required to respond to a lawful request.
4. International transfers
Data processed by Google and Apple, and by the Service's infrastructure, may be transferred to and stored on servers outside your country, including the United States and the European Union. Such transfers are governed by the privacy policies and data-protection frameworks of those providers.
5. Retention and deletion
- Account data is kept for as long as your account is active;
- When you delete your account, we block access immediately and erase your personal data irreversibly within 30 days, except where retention is required by law;
- Crash reports are retained according to Firebase's default retention (currently 90 days);
- Backups are rotated within 30 days.
To delete your account use the in-app option or email sc.assistant.dev@icloud.com.
6. Your rights
Subject to applicable law (including, where applicable, the EU GDPR), you have the right to:
- Access the personal data we hold about you;
- Correct inaccurate or incomplete data;
- Withdraw your consent at any time;
- Request erasure of your data;
- Obtain a copy of your data in a portable format;
- Object to or restrict certain processing activities;
- Lodge a complaint with the data-protection authority in your country of residence.
To exercise any right, email sc.assistant.dev@icloud.com. We will respond within a reasonable time, typically within 30 days.
7. Security
- All traffic between the app and our servers is encrypted (TLS 1.2+);
- Passwords are stored as hashes (bcrypt);
- Access to production data is restricted and logged;
- Authentication sessions can be revoked at any time by signing out.
No system is perfectly secure. If a breach affects you, we will notify you and, where required, the competent authority in accordance with applicable law.
8. Children
Clean Skin is not directed at children under 13 (or the minimum age of digital consent in your country — 16 in most EU jurisdictions). We do not knowingly collect personal data from children. If you believe a child has provided us with data, contact us and we will delete it.
9. Changes to this Policy
We may update this Policy from time to time. The "Last updated" date reflects the latest change. Material changes will be announced inside the app at least 14 days before taking effect.
10. Contact
Clean Skin
Email: sc.assistant.dev@icloud.com