
Privacy Policy

Last updated: November 2025

SkinSlay (“SkinSlay”, “we”, “us”) helps you build healthy skincare routines while protecting your personal data. This policy explains what we collect, why we collect it, how we use and store it, and the choices you have. SkinSlay provides cosmetic wellness guidance only and is operated by Scalista (see Imprint for company details).

1. Data controller & contact

Scalista – SkinSlay Team
Email: info@scalista.eu
Phone: +49 179 531 6650

2. Information we collect

We only collect data you choose to share or that is required to run the app. The list below summarises each category.

  • Account & profile data: Optional name, region, time budget, pregnancy status, allergies, and skincare concerns supplied during the onboarding quiz.
  • Analysis data: Facial photos you capture, derived findings (redness, texture, oiliness, barrier stress, etc.), and plan assignments from the Plan Engine.
  • Routine & progress data: Step completions, streaks, achievements, weekly digest summaries, and ingredient preferences.
  • Diagnostic & usage analytics: Event logs that include the event name, timestamp, pseudonymous device identifier, session ID, and app version. No advertising identifiers are collected.
  • Purchase data: Subscription status, product identifiers, and transaction receipts handled through Apple’s App Store and RevenueCat.
  • Support data: Messages you send to our support inbox, including contact details you provide and diagnostic logs you choose to share.

We do not collect precise location, contact lists, advertising identifiers, or health data unrelated to skincare routines. Your analysis photos are encrypted in transit and deleted from our servers once findings are generated.

3. How we use your data

  • Deliver core functionality such as the onboarding quiz, photo analysis, plan generation, and daily routine tracking.
  • Provide ingredient education, compatibility checks, and barrier-safety warnings based on your skin profile.
  • Maintain engagement features like streaks, achievements, weekly digests, and challenge weeks.
  • Process in-app purchases and manage subscriptions through Apple and RevenueCat.
  • Diagnose crashes, improve performance, and protect against abuse with pseudonymous analytics.
  • Respond to support requests and fulfill data access or deletion requests.
  • Measure opt-in marketing performance (e.g., TikTok Business SDK) without sharing personally identifiable information.

4. Legal bases for processing (GDPR)

  • Consent: Camera access, analysis photo uploads, and optional data such as allergies or pregnancy status.
  • Contract: Providing the app’s functionality once you install SkinSlay and agree to our Terms of Service.
  • Legitimate interests: Securing our services, preventing misuse, performing aggregated analytics, and improving the experience.
  • Legal obligation: Retaining tax-relevant billing information and responding to lawful requests.

5. Data sharing & processors

We do not sell or broker your personal data. We work with a small set of processors to run SkinSlay:

  • Supabase (EU/US): Hosts our secure edge functions for analysis and analytics ingestion.
  • RevenueCat (US/EU): Manages subscription entitlements using transaction data from Apple. No card numbers are stored by us.
  • Apple (global): Processes App Store purchases and handles payment information.
  • TikTok Business SDK (optional): Activated only when campaign measurement is necessary. We transmit event names, hashed device identifiers, and app version—no photos or quiz data. You can opt out by contacting support.
  • Email & productivity tools: Used to handle customer support and legal requests.

6. Data retention

  • Account, quiz, and plan data remain while your account is active. When you request deletion, we remove them within 30 days unless law requires longer retention.
  • Analysis photos are deleted from our servers immediately after findings are produced. Processed findings (the skin scores and trends derived from those photos) are retained for 24 months to power long-term progress insights and are automatically purged within 30 days after that window or sooner when you delete them or close your account.
  • Analytics logs rotate after 18 months.
  • Billing records may be retained for up to 10 years to comply with accounting obligations.

7. Your rights

Depending on your location, you may have the right to:

  • Access the personal data we hold about you.
  • Rectify inaccurate or incomplete data.
  • Delete your account and data (“right to be forgotten”).
  • Export your data in a machine-readable format.
  • Object to certain processing or revoke consent.
  • Lodge a complaint with your local supervisory authority.

To exercise any of these rights, email info@scalista.eu. We verify identity before fulfilling requests and reply within 30 days.

8. Security

We apply industry-standard protections: HTTPS for all network calls, scoped API tokens, role-based access controls, and server-side validation. Analytics and routine data use pseudonymous identifiers. Despite these measures, no method is 100% secure, so we monitor for suspicious activity and notify you of any data incident as required by law.

9. Children

SkinSlay is designed for individuals aged 16 and older. We do not knowingly collect personal information from children under 16. If you believe a minor has provided data, please contact us so we can delete it promptly.

10. International transfers

SkinSlay may process data on servers located in the EU and the United States. When data leaves the EU/EEA we rely on Standard Contractual Clauses or other appropriate safeguards to protect it.

11. Changes to this policy

We may update this policy as SkinSlay evolves. When significant changes occur we will notify you inside the app or by email. The “Last updated” date above reflects the most recent revision.

12. Contact

Email: info@scalista.eu
Phone: +49 179 531 6650
If you are in the EU, you can also raise concerns with your local supervisory authority.