Privacy Policy

Effective Date: 20 April 2026 | Last Updated: 20 April 2026 | Version 2.0

This Privacy Policy describes how The Skin Agent Pte. Ltd. ("The Skin Agent", "we", "us", or "our"), incorporated in Singapore (UEN: 202609661M), collects, uses, stores, and shares your personal data when you use The Skin Agent mobile application (the "App").

We are committed to handling your personal data responsibly and in compliance with applicable privacy laws across all markets in which we operate, including Singapore, Japan, South Korea, Thailand, Indonesia, Vietnam, the Philippines, and Malaysia.

By downloading and using the App, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree, please do not use the App.

IMPORTANT: The Skin Agent processes sensitive personal data including derived face scan results and heritage data. We obtain separate, explicit consent before processing either category. You may use the App without providing either type of sensitive data.

1. Who We Are

Data Controller:

The Skin Agent Pte. Ltd.

Registered in Singapore

UEN: 202609661M

Address: 2 VENTURE DRIVE #19-21 VISION EXCHANGE SINGAPORE 608526

Privacy contact: privacy@theskinagent.ai

We have appointed a Data Protection Officer (DPO) who is responsible for overseeing our compliance with applicable data protection laws, including Singapore's PDPA. The DPO can be contacted at privacy@theskinagent.ai.

Japan:We process your personal data in accordance with Japan's Act on the Protection of Personal Information (APPI). Contact us at privacy@theskinagent.ai for APPI-related requests.

South Korea:We designate a local representative for PIPA compliance. Details are available in the Korean-language supplement accessible in Settings > Legal within the App.

2. What Data We Collect and Why

The table below summarises all categories of personal data we collect. Rows marked Sensitive require your explicit consent before we process them.

CategoryWhat We CollectWhy We Collect It
Identity and AccountName, email address, password (hashed and salted)Account creation and authentication
Skin Profile DataSPEC profile (OD, SR, PN, WT axes), skin quiz responses, skin type, concerns, product sensitivitiesPersonalised skincare intelligence and product recommendations
Derived Face Scan Results (Sensitive)SPEC skin zone scores, skin health metrics, and zone analysis outputs derived on-device. Raw face images and facial landmark coordinates are NEVER transmitted.SPEC scan feature and longitudinal skin tracking. Explicit consent required before first scan.
Heritage Response Data (Sensitive)Self-reported ethnic heritage and genetic skin characteristics for Heritage Response (HR) axis calibrationHR axis calibration only. Entirely voluntary. Skipping this has no impact on other features.
Coarse LocationCity-level location derived from your stated city or region. Precise GPS coordinates are never requested or stored.Climate Response (CR) axis recalculation using local weather conditions
Chat and Conversation DataFree-form chat messages sent to the Derma AI assistantPersonalised AI responses. Messages processed via third-party LLM API with your explicit prior consent.
Usage and Product DataProducts scanned, ingredients checked, dupes searched, routines built, saved product shelf, scan historyProduct recommendations, anonymised B2B cohort analytics, affiliate revenue attribution
Device and Technical DataDevice type, OS version, app version, crash logs, session durationApp stability, fraud prevention, and performance improvement
Subscription StatusActive or inactive Pro subscription status and tier only. No card numbers or payment details.Pro entitlement verification. Payment processing handled entirely by Apple App Store or Google Play.

Data we do NOT collect:

  • Precise GPS coordinates. We use city-level location only.
  • Raw face images or facial landmark coordinates. All face processing is on-device only.
  • Credit card or bank account numbers. These are handled entirely by Apple and Google.
  • Medical diagnoses or clinical health records.
  • Data from users under 18 years of age.

3. Legal Basis for Processing

Processing ActivityLegal BasisNotes
Account creation and authenticationContract performanceNecessary to provide the service
SPEC profile and recommendationsContract performanceCore product functionality
Derived face scan resultsExplicit consentSeparate consent screen before first scan. Withdrawable at any time.
Heritage Response (HR) dataExplicit consentVoluntary. May be skipped entirely.
LLM AI chatbot processingExplicit consentSeparate consent screen before first chat session. Withdrawable at any time.
Anonymised B2B cohort analyticsLegitimate interestAggregated data only. Minimum cohort of 50 users enforced. No individual is identifiable.
Push notificationsConsentRequested at account creation. Opt-out available in device settings at any time.

4. How We Use Your Data

4.1 To Provide the App

  • Generate and maintain your SPEC skin profile (OD, SR, PN, WT, CR, HR axes)
  • Power the Derma AI chatbot with personalised, context-aware responses
  • Run the on-device SPEC face scan and produce skin zone analysis results
  • Build and analyse your AM/PM skincare routine
  • Match products to your SPEC profile via the Dupe Finder
  • Provide Travel Lens: real-time product scanning with SPEC-calibrated verdicts on J-beauty, K-beauty, and duty-free products

4.2 To Improve the Platform

  • Analyse aggregated, anonymised usage patterns to improve AI accuracy
  • Create anonymised B2B cohort reports for beauty brand clients. Minimum cohort of 50 users enforced.
  • Train and refine our proprietary SPEC classification models using anonymised skin outcome data

4.3 Affiliate Commerce

  • When you tap an outbound product link in the App, we record the click event for commission tracking only
  • No personal identifying information is transmitted to affiliate retailers

4.4 Clinic Discovery Referrals

  • The App surfaces nearby verified skin and aesthetic clinics based on your city and stated concern
  • We do not transmit your SPEC profile, scan results, or personal information to any clinic without your explicit consent
  • We are not a medical service provider and do not give medical advice. Clinic referrals are a discovery and routing function only.

5. Face Scan Technology and Sensitive Data

5.1 How the Face Scan Works

The SPEC face scan is built on a fully on-device processing pipeline. No raw face data of any kind is ever transmitted to our servers or to any third party.

Step 1: Face Detection and Mesh Generation via MediaPipe Face Mesh. The App uses MediaPipe Face Mesh to detect the face and generate a 3D mesh of 468 facial landmark coordinates entirely on your device. The landmark coordinates and the camera image never leave your device.

Step 2: Skin Region Extraction. From the MediaPipe mesh, the App identifies skin zones corresponding to the six SPEC axes. These zones are cropped from the camera frame in memory on your device.

Step 3: On-Device Skin Classification via EfficientNet and ONNX Runtime. The cropped skin zone images are passed to a lightweight EfficientNet model, which runs on-device via ONNX Runtime without any server calls.

Step 4: SPEC Score Transmission. Only the final SPEC axis scores (six numerical values) leave your device. These are transmitted over TLS 1.2 or higher encryption.

What stays on your device:

  • Camera frames and face images
  • MediaPipe Face Mesh landmark coordinates
  • Cropped skin zone image regions
  • EfficientNet intermediate outputs

What leaves your device:

  • Final SPEC axis scores only (six numerical values)
  • Scan timestamp and app version number

5.5 Third-Party AI Disclosure

The Derma AI chatbot processes your natural language messages using a third-party large language model (LLM) provider. We obtain your explicit consent before your first chat session. Chat messages sent to the LLM contain your text input only. Your SPEC profile, face scan results, email address, and account identifiers are never included in LLM API calls. The LLM provider does not train on your messages.

6. Account Deletion

You may initiate deletion of your account and all associated personal data directly within the App. No external steps or emails are required.

To delete your account:

  • Open the App and go to Settings > Data and Privacy > Delete My Account
  • Confirm deletion. Your account is deactivated immediately.
  • All personal data is permanently deleted within 30 days.
  • Backup copies are purged within 90 days, subject to technical backup rotation cycles.

You may also request deletion by emailing privacy@theskinagent.ai with the subject line "Account Deletion Request".

7. Data Sharing and Third Parties

We do not sell your personal data to any third party. We do not use your data for advertising.

We share data only with service providers necessary for app functionality: Apple App Store/Google Play for subscription processing, RevenueCat for in-app purchase management, cloud infrastructure providers (AWS or GCP), and weather API providers for CR axis recalculation.

B2B data sharing: Beauty brand clients receive anonymised, aggregated cohort reports only. These reports contain no names, email addresses, device identifiers, or any other data capable of identifying an individual user. A minimum cohort threshold of 50 users is enforced.

8. Data Retention

We retain your personal data for as long as your account is active. When you delete your account:

  • Account data (name, email): deleted within 30 days
  • SPEC profile and skin quiz responses: deleted within 30 days
  • Derived face scan results and skin health scores: deleted within 30 days
  • Chat history: deleted within 30 days
  • Anonymised, aggregated B2B cohort data: not deleted, as it contains no personal data
  • Backup copies: purged within 90 days of account deletion

9. Data Security

  • On-device face processing: The full face scan pipeline runs entirely on your device. No raw face data is ever transmitted.
  • Encryption in transit: TLS 1.2 or higher for all data transmitted between the App and our servers
  • Encryption at rest: AES-256 encryption for all stored personal data
  • Access controls: Role-based access control. Only authorised personnel may access personal data.
  • K-anonymity: Minimum cohort of 50 users enforced before any dataset is used in B2B reports
  • No advertising SDKs embedded in the App

10. International Data Transfers

The Skin Agent is headquartered in Singapore. Your data may be processed in Singapore and in other countries where our cloud infrastructure providers operate, primarily in Asia Pacific regions.

Where we transfer personal data outside your country of residence, we ensure appropriate safeguards are in place including standard contractual clauses and data processing agreements with all sub-processors.

11. Your Rights

You have rights over your personal data under applicable law, including: access, correction, deletion, withdrawal of consent, and data portability where required by law.

How to Exercise Your Rights:

  • Use in-app controls in Settings > Data and Privacy for common requests: download your data, delete face scan results, clear chat history, delete account
  • Email privacy@theskinagent.ai. We will respond within 30 days.

12. Cookies and Tracking

The App does not use advertising tracking identifiers (IDFA on iOS, GAID on Android). We do not track users for advertising purposes. No third-party advertising SDKs are embedded in the App.

13. Children's Privacy

The Skin Agent is not directed at persons under the age of 18. We do not knowingly collect personal data from anyone under 18 years of age. If you believe we have inadvertently collected data from a minor, please contact us immediately at privacy@theskinagent.ai.

14. Apple App Store Privacy Details

Our App Store privacy nutrition labels accurately reflect the data practices described in this policy. Health and Fitness data, Sensitive Info (derived face scan results, Heritage Response data), User Content (chat messages), and Usage Data are linked to your identity for App Functionality purposes.

15. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices, technology, or applicable law. When we make material changes, we will update the Effective Date and notify you via in-app notification. For changes involving sensitive data processing or new third-party AI providers, we will request fresh explicit consent.

16. Contact Us

For any questions, to exercise your rights, or to make a complaint:

Email: privacy@theskinagent.ai

Address: 2 VENTURE DRIVE #19-21 VISION EXCHANGE SINGAPORE 608526

Response time: Within 30 calendar days of receipt

If you are not satisfied with our response, you may lodge a complaint with your local data protection authority (PDPC in Singapore, PPC in Japan, PIPC in South Korea, or the relevant authority in your market).

The Skin Agent Pte. Ltd. | Singapore | Version 2.0 | 20 April 2026