Privacy policy
How we collect, use and protect your personal data when you use HairDoneAI. Written in compliance with GDPR.
Last updated: May 18, 2026 · Version 1.0
1 · Data controller
The data controller is [COMPANY NAME], registered office at [ADDRESS], VAT [NUMBER]. Email: privacy@hairdoneai.com
2 · Data we collect
Provided by you
- Email (signup)
- Name (optional)
- 3 hair photos per analysis
- Text description of desired change
- Hair type, preferences, salon (optional)
Collected automatically
- User ID, session data
- Usage statistics, app language
- iPhone model, iOS version, error logs
- Purchase history (via Apple, we don't receive payment data)
3 · Purposes and legal bases
| Purpose | Legal basis |
|---|---|
| AI service delivery | Art. 6.1.b — contract |
| Account management | Art. 6.1.b |
| Security and fraud prevention | Art. 6.1.f — legitimate interest |
| Marketing (opt-in) | Art. 6.1.a — consent |
4 · Retention
- Photos: configurable by you (7, 30, 90, 365 days — default 30)
- Text briefs: until account deletion
- Account: until you delete it
- Billing: 10 years (Italian tax obligation)
- Technical logs: 12 months then anonymized
5 · Where the data sits
EU servers: Hostinger International (Lithuania/Germany). AI processing transits through providers in the USA via API on a transient basis, under Standard Contractual Clauses approved by the European Commission.
Mobile platforms: Apple (iOS payments via App Store, push via APNs) and Google (Android payments via Play Billing, push via FCM).
6 · Sub-processors
We don't sell, rent, or share your data with advertisers. The providers below process data on our behalf under a DPA:
| Provider | Service | Location |
|---|---|---|
| Hostinger International | Backend hosting, database, photo storage | EU (Lithuania/Germany) |
| Anthropic PBC / OpenAI Inc. / OpenRouter | AI processing: hair analysis, brief generation, new-look preview | USA (SCC) |
| Deepgram Inc. | Voice transcription (only if you use the microphone to dictate) | USA (SCC) |
| Apple Inc. | iOS payments (App Store), push notifications (APNs), Apple Sign-In | USA/EEA |
| Google LLC | Android payments (Play Billing), push notifications (FCM), Google Sign-In | USA/EEA |
| Meta Platforms (Facebook) | Facebook/Instagram login (optional) | USA (SCC) |
7 · Your rights
You have the right to: access, rectification, deletion, restriction, portability, objection, withdrawal of consent, complaint to the Italian DPA. Exercise these rights from the app (Profile → Privacy) or write to privacy@hairdoneai.com. Response within 30 days.
8 · Minors
The app is intended for users aged ≥ 14. We don't knowingly collect data of minors. AI is instructed to refuse photos of minors.
9 · Security
HTTPS/TLS 1.3, encryption at rest, JWT authentication, Row Level Security at database level, temporary signed URLs for photos, encrypted backups.
10 · Changes
Updates notified by email or in-app at least 15 days before they take effect.
11 · Contacts
Privacy: privacy@hairdoneai.com
Support: hello@hairdoneai.com