1. Introduction
SkinSense Diary is a skincare diary application (the “App”) developed by Elovar Technology Ltd (the “Company”, “we”, “us”, or “our”). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our App, including what choices you have with respect to your information.
We are committed to protecting your privacy and ensuring you have a positive experience on our App. This policy describes our privacy practices and your rights under applicable data protection laws, including the UK General Data Protection Regulation (UK GDPR) as retained by the European Union (Withdrawal) Act 2018, the Data Protection Act 2018 (DPA 2018), and the Privacy and Electronic Communications Regulations 2003 (PECR).
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Email address
- Display name
- Language preference
- Single Sign-On (SSO) identifiers from Apple ID or Google Account (used for authentication only)
2.2 Profile Information
You may voluntarily provide profile information to personalize your experience:
- Birth year
- Gender
- Skin type
- Skin concerns
- Personal notes
2.3 Family Member Information
If you add family members or sub-accounts to track their skincare, we collect:
- Display name
- Relationship to account holder
- Birth year
- Gender
- Skin type
- Skin concerns
2.4 Diary Entry Data
When you log skincare activities, we collect:
- Entry date and time
- Routine type (morning or evening)
- Product information and identifiers
- Body areas where products were applied
- User notes and observations
2.5 Health and Reaction Data (Special Category)
Under GDPR Article 9, the following constitutes special category data requiring explicit consent:
- Skin reactions: date, severity (1-5 scale), symptoms, affected body area, and notes
- Suspected trigger ingredients with suspicion scores
- Reaction photographs
- Menstrual period tracking: start date, end date, and notes
2.6 Inventory and Product Information
We collect data about products in your inventory:
- Products owned
- Product status (active, backup, wishlist, or finished)
- Date product was opened
- Ingredient blacklist (ingredients you wish to avoid)
- Price watch baseline prices
- Inventory presets (named product combinations for routines)
2.7 AI Analysis Data
To provide personalised skin analysis, we process the following data through our AI service providers (including but not limited to OpenRouter, OpenAI, Anthropic, and Google):
- Skin type
- Skin concerns
- Gender
- Approximate age (derived from birth year)
- Suspected allergens and reactions
The AI-generated analysis is stored in your account for future reference. Further details on third-party processing are provided in Section 5.
2.8 Calendar and Event Data
You may create custom calendar events and reminders within the App:
- Event title, description, and date
- Event type classification
2.9 Notification and Consent Records
We maintain records of:
- Push notifications sent to your device (type, title, body, and read status)
- Your consent preferences across three categories: core (required), research (optional), and commercial (optional)
- Consent version, timestamp, IP address hash, and user agent hash for audit purposes
3. How We Use Your Information
We process your information on the following lawful bases under GDPR Article 6:
3.1 Performance of a Contract (Article 6(1)(b))
- Creating and maintaining your account
- Providing App functionality: storing diary entries, tracking products, and managing inventory
- Delivering customer support
- Processing data exports and account deletion requests
3.2 Legitimate Interests (Article 6(1)(f))
- Preventing fraud and unauthorized access
- Improving the App (analyzing usage patterns, identifying bugs, optimizing features)
- Maintaining App security and stability
- Complying with legal obligations
3.3 Explicit Consent (Article 6(1)(a) and Article 9)
- Processing health-related data (reactions, menstrual cycles) — requires explicit opt-in
- Research purposes — requires separate opt-in consent
- Commercial communications — requires separate opt-in consent
- AI analysis using your health data — requires explicit consent before processing
You may withdraw consent at any time via the App settings. Withdrawal does not affect the lawfulness of processing before withdrawal.
4. Data Retention
We retain your information for as long as necessary to provide the App and meet our legal obligations:
- Diary entries, skin reactions, menstrual cycle data, AI analysis results, and location/weather data: Retained for the duration of your active account. Upon account deletion, all associated data is permanently and immediately deleted. If your account becomes inactive (see below), this data is retained for 3 years from the date inactivity is detected, then permanently deleted.
- Consent records: Retained for the duration of your active account. Upon account deletion or inactivity detection, consent records are retained for 6 years to demonstrate compliance with data protection legislation (UK GDPR, Limitation Act 1980), then permanently deleted.
- IP address hashes and user agent hashes: Retained for 12 months for security audit purposes, then removed from consent records.
- Inactive accounts: An account is considered inactive after 12 consecutive months with no usage. We may send a reminder before applying inactivity retention periods. Diary data is deleted 3 years after inactivity detection; consent records are deleted 6 years after inactivity detection. If you return and use the App at any time before deletion, your account is reactivated and all retention timers are reset.
- Account data and user profile: Retained until you delete your account or until the applicable inactivity retention period expires.
5. Sharing Your Information
5.1 Third-Party Service Providers
We share certain data with trusted third-party service providers under data processing agreements (Data Processing Addendums):
AI Service Providers (AI Analysis)
For skin analysis features, we transmit the following data to our AI service providers (including but not limited to OpenRouter, OpenAI, Anthropic, and Google):
- Skin type, concerns, gender, and approximate age
- Suspected allergens and reaction history
Our AI service providers’ servers may be located internationally. We have implemented Standard Contractual Clauses (SCCs) as required by GDPR for international transfers. The AI analysis response is stored in your account; our AI service providers do not retain the raw data after processing.
Apple ID and Google Sign-In (Authentication)
If you use SSO, we authenticate through Apple or Google but do not share your account data with them beyond the SSO identifiers.
5.2 No Analytics or Advertising
We do not use third-party analytics SDKs (such as Google Analytics, Amplitude, or Firebase) or advertising SDKs. We do not share your data with advertisers or advertising networks.
5.3 Legal Obligations and Law Enforcement
We may disclose your information if required by law (e.g., court order, subpoena) or to protect the safety and rights of the Company, our users, or the public. We will provide notice to you of such disclosure unless legally prohibited.
5.4 Anonymised Data and Commercial Use
We do not sell, trade, or rent your identifiable personal information to third parties. However, where you have provided explicit “Commercial” consent via the App’s Consent Manager, we may create and licence anonymised, aggregated datasets derived from user data for research, analytics, or commercial purposes. These datasets are fully de-identified in accordance with the ICO’s Anonymisation Code of Practice and cannot reasonably be used to re-identify any individual.
You may withdraw your Commercial consent at any time via the App settings. Withdrawal will prevent your data from being included in future anonymised datasets but will not affect datasets already created prior to withdrawal.
5.5 AI and Machine Learning Use
The Company may use anonymised and aggregated user data for machine learning model training, algorithm improvement, and product development. Where you have provided “Research” consent, your de-identified data may also be used for academic or scientific research purposes. No AI model training uses identifiable personal data without your explicit consent. Our third-party AI service providers (including but not limited to OpenRouter, OpenAI, Anthropic, and Google) do not retain your raw personal data after processing your requests.
6. Your Rights
Under the UK GDPR and DPA 2018, you have the following rights. To exercise these rights, contact us at [email protected]:
6.1 Right to Access (Article 15)
You have the right to access your personal data. You can export all your data as a JSON file directly from the App settings at any time.
6.2 Right to Rectification (Article 16)
You may correct inaccurate or incomplete information by editing your account profile and diary entries directly in the App.
6.3 Right to Erasure (Article 17 — Right to Be Forgotten)
You have the right to request deletion of your account and all associated data. You may delete your account at any time via App settings. Upon deletion, all personal data is permanently erased (cascade delete), with the exception of backup copies (which are deleted within 30 days). Consent records may be retained for up to 3 years for audit purposes.
6.4 Right to Restrict Processing (Article 18)
You may request that we limit the use of your data. Contact our DPO to discuss restrictions. Note: Some restrictions may prevent us from providing App functionality.
6.5 Right to Data Portability (Article 20)
You have the right to receive your personal data in a structured, commonly used, machine-readable format (JSON). The App provides a data export feature in Settings that allows you to download all your data.
6.6 Right to Object (Article 21)
You have the right to object to processing based on legitimate interests. Additionally, you can manage your consent preferences (research, commercial) via App settings and withdraw consent at any time.
6.7 Right to Withdraw Consent
You may withdraw consent for health data processing, research use, and commercial communications at any time via the App Consent Manager. Withdrawal is effective immediately and does not affect prior processing.
6.8 Right to Lodge a Complaint
If you believe we have violated your rights, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK’s supervisory authority for data protection. You can contact the ICO at: ico.org.uk, telephone 0303 123 1113, or write to Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom. If you are located in the EU/EEA, you may also contact your local data protection authority.
7. Children’s Privacy
The App is not intended for children under 13 years of age. Under the UK GDPR and DPA 2018, the age of digital consent in the UK is 13. We do not knowingly collect personal information from children under 13. If you are under 13, please do not create an account or use the App. Users aged 13–17 should obtain parental or guardian consent before using the App.
If we become aware that we have collected personal information from a child under 13 without parental consent, we will delete such information promptly. We comply with the ICO’s Age Appropriate Design Code (Children’s Code) where applicable.
8. Security
We implement technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption of data in transit (TLS/SSL)
- Secure authentication mechanisms
- Regular security audits and vulnerability testing
- Access controls and role-based permissions
- IP address and user agent hashing for audit trails
However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee absolute security.
9. International Data Transfers
As we are based in the United Kingdom, your data is primarily stored and processed within the UK. However, your data may be transferred to our AI service providers (including but not limited to OpenRouter, OpenAI, Anthropic, and Google), which may have servers located outside the UK and EEA. We ensure such transfers comply with UK GDPR through:
- Standard Contractual Clauses (SCCs) for international data transfers
- Adequacy decisions (where applicable)
- Supplementary safeguards and Technical Protective Measures (TPMs)
By using the App, you consent to the transfer of your data outside the EU/EEA/UK as described in this policy.
10. Contact Us
If you have questions, concerns, or wish to exercise your rights, please contact us:
Company: Elovar Technology Ltd (registered in England and Wales)
ICO Registration Number: [To be inserted upon registration]
Data Protection Officer (DPO): [email protected]
Website: skinsensediary.com
We will respond to requests within 30 days or as required by applicable law.
11. Cookies and Tracking Technologies
The App itself does not use cookies. However, if we operate a website (e.g., skinsensediary.com), it may use strictly necessary cookies for functionality and optional analytics cookies subject to your consent. A separate Cookie Policy will be published on our website detailing the specific cookies used, their purposes, and how to manage your preferences. We comply with the Privacy and Electronic Communications Regulations 2003 (PECR) regarding cookie consent.
12. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of the breach, as required by Article 33 of the UK GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify affected users without undue delay, as required by Article 34. Notification will include the nature of the breach, categories of data affected, likely consequences, and measures taken or proposed to address the breach.
13. Data Protection Impact Assessments
Given that the App processes special category health data (skin conditions, allergies, menstrual tracking, skin reactions), we conduct Data Protection Impact Assessments (DPIAs) as required by Article 35 of the UK GDPR. DPIAs are performed before introducing new features or processing activities that may result in high risk to individuals. We review and update our DPIAs regularly to ensure ongoing compliance.
14. Product and Health Disclaimer
The App is a wellness and skincare tracking tool and is not a medical device, nor does it provide medical advice, diagnosis, or treatment. The App does not recommend or endorse any specific skincare product, ingredient, or brand. Any AI-generated analysis is for informational purposes only and should not be relied upon as a substitute for professional medical or dermatological advice. Users should consult a qualified healthcare professional before making decisions based on information provided by the App. The Company accepts no liability for any adverse reactions, health outcomes, or product choices made in reliance on the App’s features or analysis.
15. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via the App, together with a new “Last Updated” date. Your continued use of the App after changes constitutes your acceptance of the updated policy.
16. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person.
- Processing: Any operation performed on personal data (collection, use, storage, disclosure, deletion, etc.).
- Controller: The entity (Elovar Technology Ltd) that determines the purposes and means of personal data processing.
- Processor: A third party (e.g., our AI service providers) that processes data on behalf of the controller.
- Lawful Basis: The legal ground under GDPR Article 6 that permits data processing.
- Special Category Data: Sensitive personal data (health, biometric, genetic, etc.) requiring heightened protection under GDPR Article 9.