Privacy Policy

Last updated: April 24, 2026

HadaBuddy (“we”, “our”, “us”) is committed to protecting your privacy. This policy explains what information we collect when you use our mobile app and website, how we use it, and the choices you have. By using HadaBuddy, you agree to the practices described here.

Information We Collect

Account Information

When you sign in with Google or Apple, we receive your name, email address, and profile photo (if available) from the respective provider. Apple may provide a private relay email address if you choose to hide your email. We store only what is necessary to identify your account. You may also use HadaBuddy as a guest without creating an account; in guest mode, your data is stored only on your device.

Skin Profile

You may provide your skin type, skin concerns, age range, gender, and general location (city or region). This information is entirely optional and used only to personalise your skincare advice and routines.

Scanned Products & Photos

When you scan a skincare product, we capture a photo of the product label and send it to Google Gemini AI for analysis to identify the product name, brand, and ingredients. You may also photograph the back label (ingredient list) for more accurate results. Product photos are processed in real time and are not permanently stored on our servers. Identified product data is stored in your personal shelf on your device and in our cloud database.

Scan Feedback

You may provide thumbs-up or thumbs-down feedback on scan results, along with an optional short comment. This feedback is linked to an anonymous device identifier or, if you are signed in, your user account. Feedback is used solely to improve scan accuracy and product identification.

Community Data Contributions

When you scan a barcode, the product-barcode association may be stored in our shared database to improve product identification for all users. If you are a designated super admin, you may also update shared product information (such as corrected ingredient lists). These contributions are voluntary and help improve the service for the community.

Local Device Data

Your profile photo and display name (if you choose to customise them) are stored locally on your device and are not uploaded to our servers. This data is removed when you sign out or delete the app.

Email Subscribers

When you subscribe to our blog, newsletter, or ingredient-update list on the HadaBuddy website, we collect your email address, the page you subscribed from (source attribution), your approximate IP address at time of signup, and the timestamp. IP is retained for anti-abuse and rate-limiting purposes only. We do not share subscriber emails with third parties for marketing. You can unsubscribe from any email we send using the one-click link at the bottom; doing so marks your record as unsubscribed and prevents further sends.

Usage Data

We collect basic technical information such as device type, operating system version, and app crash reports (via Sentry) to improve stability and performance. Crash reports contain no personally identifiable information. Our website uses Vercel Analytics (privacy-friendly, cookieless, no cross-site tracking) to count pageviews and referrers in aggregate. We do not use advertising trackers and do not sell your data to third parties.

How We Use Your Information

Personalised Routines

Your skin profile (skin type, concerns, age range), location, and scanned products (names, brands, and ingredients) are sent to Google Gemini AI to generate personalised morning and evening skincare routines. This processing happens in real time. We do not opt in to Google using your data to train their models.

Ingredient Analysis

When you scan a product, we look up its ingredients in our database of over 200,000 products and 40,000 rated ingredients. If the product is not in our database, we may use AI to identify and rate ingredients. Ingredient ratings and descriptions are provided for informational purposes only and are not medical advice.

Skin Advisor

When you ask the Skin Advisor a question, your query, skin profile (skin type, concerns, age range), and product shelf (product names, brands, and ingredients) are sent to Google Gemini AI to generate a response. Conversations are not stored on our servers.

Product Recommendations

We may suggest products available on Amazon based on your skin needs. These links may include an affiliate identifier, meaning HadaBuddy may earn a small commission at no extra cost to you.

Service Improvement

Aggregated, anonymised usage patterns, scan feedback, and community data contributions help us understand which features are most useful, improve product identification accuracy, and expand our ingredient database.

Third-Party Services

Google Sign-In

Authentication is handled by Google OAuth. By signing in with Google you agree to Google's Privacy Policy. We receive only the profile information you authorise.

Apple Sign-In

Authentication via Apple is handled by Apple's Sign in with Apple service. By signing in with Apple you agree to Apple's terms. Apple may provide your real or a private relay email address depending on your preference. We receive only the information Apple shares at sign-in.

RevenueCat

Subscription management and in-app purchases are processed by RevenueCat. RevenueCat receives your anonymous app user ID and purchase receipts to manage your subscription status. Payment is processed by Apple through the App Store; we never see or store your payment card details.

Supabase

Your account data, skin profile, scanned products, routines, and community contributions are stored in Supabase, a cloud database hosted on AWS infrastructure in the United States. Data is encrypted at rest, and encrypted in transit using industry-standard TLS.

Google Gemini AI

AI features (product identification, ingredient analysis, routine generation, and the Skin Advisor) are powered by Google Gemini. The following personal data may be sent to Google Gemini for processing: (1) product photos you take when scanning, (2) your skin profile including skin type, concerns, and age range, (3) product names, brands, and ingredient lists from your shelf, and (4) your location (city or region), if provided. The app requests your explicit consent before any data is sent to Google Gemini. You can revoke this consent at any time in the app's Privacy settings, which will disable AI-powered features until re-enabled. Google's data usage terms and privacy policy apply to this processing. We do not opt in to Google using your data to train their models.

Sentry

We use Sentry for crash reporting and performance monitoring. Sentry receives anonymous technical data about app crashes and errors, including device type, OS version, and stack traces. No personally identifiable information, product data, or skin profile information is sent to Sentry.

Resend (Email Delivery)

If you subscribe to our blog, newsletter, or ingredient updates, your email address is stored with Resend, our email service provider (US-based). When we send you an email, Resend records delivery status and engagement events (whether the email was delivered, opened, clicked, bounced, or marked as spam) so we can maintain list health and comply with anti-spam requirements. Resend does not use subscriber data for any purpose beyond delivering HadaBuddy emails. When you unsubscribe, we update your status with Resend so you stop receiving sends.

Vercel Analytics

Our website uses Vercel Analytics for basic aggregate traffic measurement (pageviews, country, referrer). Vercel Analytics is cookieless, privacy-friendly, and does not perform cross-site tracking or personal identification. No subscriber email, IP address, or individual user identifier is sent to Vercel for analytics purposes.

Amazon

Product recommendation links may direct you to Amazon. HadaBuddy participates in the Amazon Associates programme. Amazon's own privacy policy governs any data collected on their platform.

Cookies & Tracking

The HadaBuddy website uses only essential cookies required for admin session management. We do not use advertising cookies or cross-site tracking technologies. Our only analytics is Vercel Analytics (see Third-Party Services), which is cookieless and privacy-friendly. The mobile app does not use cookies.

Data Retention & Deletion

Your Control

You can delete your account at any time from the Profile section of the app. Deleting your account removes your skin profile, scanned products, routines, and scan feedback from our systems within 30 days. Anonymous community contributions (such as barcode-product associations) may be retained in aggregated form as they are not linked to your identity after account deletion.

Data Retention Periods

Account data is retained for as long as your account is active. Scan feedback is retained for up to 2 years to improve service quality. Crash reports are retained by Sentry for 90 days. AI processing data (prompts and responses) is not retained by us; retention by Google is governed by their data usage terms.

Email Subscribers

When you unsubscribe from our emails, your record is marked as unsubscribed immediately and no further emails are sent. The record itself is retained for up to 2 years after unsubscribe so we can honour your opt-out and avoid accidentally re-adding you if you re-encounter a signup form. To request complete deletion instead, email us at hello@hadabuddy.com.

Marketing Communications

What You'll Receive

If you subscribe on our website, we send occasional educational emails (skincare tips, ingredient guides, product updates). Cadence is roughly once a week. We do not send advertising from third parties. We do not rent or sell our list.

How to Unsubscribe

Every marketing email includes a one-click unsubscribe link in the footer and a List-Unsubscribe header that most email clients (Gmail, Apple Mail, Outlook) render as a native "Unsubscribe" button at the top of the message. Either will stop further emails immediately.

Transactional Emails

Some emails are transactional (welcome email after signup, confirmation that you've unsubscribed). These are not marketing and continue even if you've opted out of marketing, since they are necessary to operate the Service. They are sent only in response to an action you take.

Legal Basis (EEA / UK)

We send marketing emails based on your consent, given when you voluntarily submit your email through a subscription form on our website. You may withdraw consent at any time via the unsubscribe link.

Your Rights (California / CCPA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):

Right to Know

You may request that we disclose what personal information we have collected about you, the categories of sources, the business purpose for collecting it, and the categories of third parties with whom we share it.

Right to Delete

You may request deletion of your personal information. You can do this directly in the app (Profile section) or by emailing us.

Right to Opt Out of Sale

We do not sell your personal information to third parties. We do not share your personal information for cross-context behavioural advertising.

Right to Non-Discrimination

We will not discriminate against you for exercising any of your CCPA rights.

How to Exercise Your Rights

To exercise any of the above rights, email us at hello@hadabuddy.com with the subject line "CCPA Request". We will verify your identity and respond within 45 days.

Your Rights (GDPR / International)

If you are located in the European Economic Area (EEA), United Kingdom, or another jurisdiction with similar data protection laws, you have the following additional rights:

Your Rights

Right of access to your personal data; right to rectification of inaccurate data; right to erasure ("right to be forgotten"); right to restrict processing; right to data portability; right to object to processing based on legitimate interests; and the right to withdraw consent at any time.

Legal Basis for Processing

We process your data based on: (a) your consent when you create an account and provide skin profile information; (b) contractual necessity to provide the Service; and (c) our legitimate interest in improving the Service and maintaining security.

International Data Transfers

Your data is stored and processed in the United States (Supabase on AWS). Where required by law, we rely on standard contractual clauses or other approved transfer mechanisms to ensure adequate protection of your data.

How to Exercise Your Rights

To exercise any of the above rights, email us at hello@hadabuddy.com with the subject line "GDPR Request". We will respond within 30 days. You also have the right to lodge a complaint with your local data protection supervisory authority.

Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These include encryption in transit (TLS), encryption at rest, access controls, and regular security reviews.

Data Breach Notification

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users within 72 hours of becoming aware of the breach via email and/or in-app notification. We will also notify the relevant supervisory authorities where required by law.

Children's Privacy

HadaBuddy is not directed at children under 13 (or under 16 in the EEA). We do not knowingly collect personal information from children under these ages. If you believe a child has provided us with personal data, please contact us at hello@hadabuddy.com and we will delete it promptly.

Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. For significant changes, we will notify users via the app or email at least 14 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

Contact Us

If you have questions about this Privacy Policy or how your data is handled, please email us at hello@hadabuddy.com. We aim to respond within 5 business days.

Data Controller: Novia Lim, California, United States.