Privacy Policy

Effective date: May 18, 2026

Aureli AI ("we", "us", "our") operates the Aureli AI mobile application ("App") and the website at getaureli.app. This Privacy Policy explains how we collect, use, disclose, and safeguard your information, and the rights you have over it. It should be read together with our Terms of Service .

Aureli is a cosmetic wellness app, not a medical device. It does not diagnose, treat, prevent, or cure any condition. Skin scores and AI observations are cosmetic estimates, not clinical measurements. For any medical concern — including persistent acne, rashes, moles, or other changes in your skin — please consult a qualified dermatologist or healthcare professional.

1. Who We Are (Data Controller)

The data controller responsible for processing your personal data under the EU General Data Protection Regulation (GDPR) and equivalent laws is:

Aureli AI
Contact: info@getaureli.app

2. Information We Collect

In short: we collect what you give us (account, profile, scan photos, lifestyle logs) and basic device data. Photos are sent to our AI providers for analysis. By default we do not store them on our servers; you can opt in to save your photos to your account in App settings.

Account Information

When you create an account, we collect your email address, age range, and gender (optional). If you sign in with Apple or Google, we receive only the information you authorize.

Skin Scan Data (Biometric Data — Special Category)

When you use the scan feature, the App captures a photo of your face on your device. Before any photo is transmitted, the App displays an in-app disclosure screen that names each third-party AI processor receiving the photo, itemizes the data sent, and requires your explicit consent. The photo is then transmitted to our third-party AI providers ( Google or OpenAI ) for skin analysis. The providers process the photo for the duration of the analysis only and do not retain it beyond the processing session.

By default, we do not store raw facial images on our servers — only the derived metric scores and textual observations are saved to your account. You can opt in to save your scan photos to your account from the App settings; if you do, the photos are stored in your private account and you can delete them at any time. Whether or not you save photos, we do not perform facial recognition or biometric identification; processing is limited to skin surface quality assessment.

Biometric data is "special category" personal data under Article 9 GDPR. We process it only with your explicit consent , which you can withdraw at any time (see "Your Rights").

At a glance:

• What we collect — a single photograph of the user's face per scan. No facial geometry, recognition templates, or other biometric identifiers.
• How it is used — cosmetic skin-appearance analysis only (skin score, per-metric observations, routine recommendations). Never for identification, authentication, advertising, profiling, or training third-party models.
• Who receives it — OpenAI, L.L.C. (United States) or Google LLC (United States), under contractual data-processing agreements requiring equivalent protections, prohibiting any training use, and requiring deletion after the processing session.
• Where it is stored — by default, nothing is stored. Raw photographs are processed in-memory by the AI provider and discarded with the API response. Only the derived scores and observations are saved to the user's account. Optional "Save Photos" stores them encrypted at rest in the user's private account.
• Retention — AI provider: duration of the API request (seconds). Our servers: not retained by default. If the user opts in to save photos, retained until the user deletes them or their account (purged within 30 days).

Health-Related Data (Special Category)

If you complete onboarding or use trigger tracking, you may provide information that qualifies as health-related under GDPR or as "consumer health data" under certain U.S. state laws (e.g. Washington's My Health My Data Act): skin conditions (such as rosacea, eczema, psoriasis, atopic dermatitis, seborrheic dermatitis, melasma, keratosis pilaris, or fungal acne), other health conditions, menstrual cycle phase, sleep, stress, diet, hydration, and exercise. We process this data only with your explicit consent and use it solely to personalize your skincare insights.

These entries are self-reported preferences, not medical diagnoses. We use them to tailor routines, flag potentially unsuitable ingredients, and contextualize cosmetic observations. We never tell you that you have a condition, never share this data with advertising or analytics partners, and never use it for targeted advertising.

Location (Optional)

If you grant location permission on your device, the App uses your approximate location to fetch local UV index, weather, and air-quality readings to enrich your daily skin log. Location is used only for these lookups, is not stored on our servers beyond the lookup, is never sold, and is never used for advertising. You can revoke access at any time in your device settings.

Profile & Preferences

During onboarding, we also collect your skin type, skin concerns, makeup preferences, and product values (e.g., vegan, fragrance-free). This data personalizes your routines and recommendations.

Product Data

When you scan a product label, we look up ingredient and product data from third-party databases. Your product usage history is stored in your account.

User-Generated Content

If you generate or share content (e.g., glow cards, weekly reports), we store that content in your account. Sharing externally is initiated solely by you.

Subscription & Purchase Data

Payments are processed by Apple App Store or Google Play. We receive subscription status (active, expired, trial) via a third-party subscription management platform but not your payment card or billing address.

Device & Usage Data

We collect technical and usage data necessary to operate and improve the App: device model, OS version, app version, language, anonymized identifiers, screens visited, feature usage, and crash reports.

3. How We Use Your Information

In short: to run the App, personalize your skincare, manage your account and subscription, keep things secure, and improve the product.

• Generate personalized skin analysis, scores, and observations
• Create tailored AM & PM skincare routines
• Provide AI-powered skin chat recommendations
• Generate daily cards, weekly reports, and monthly summaries
• Correlate triggers and lifestyle factors with skin changes
• Check product ingredient compatibility with your skin profile
• Manage your account, subscription, and customer support
• Send push notifications (scan reminders, streak alerts, milestone celebrations) if you opt in. You can disable them at any time in your device settings.
• Detect, prevent, and investigate fraud, abuse, and security incidents
• Improve our AI models and app experience using aggregated, non-identifying data
• Comply with legal obligations and enforce our Terms

4. Legal Basis for Processing (GDPR)

In short: we rely on your consent for biometric and health data, contract performance for core App features, legitimate interest for security and improvement, and legal obligation where required.

For users in the EEA, UK, and Switzerland, our legal basis for processing depends on the data and purpose:

• Performance of a contract (Art. 6(1)(b)) — delivering App features, account, subscription, and support.
• Explicit consent (Art. 6(1)(a) and Art. 9(2)(a)) — processing biometric data (face scans) and health-related data (skin/health/cycle/lifestyle logs). You can withdraw consent at any time.
• Legitimate interests (Art. 6(1)(f)) — security, fraud prevention, abuse detection, and improving the App with aggregated, non-identifying analytics, balanced against your rights.
• Legal obligation (Art. 6(1)(c)) — complying with tax, accounting, and consumer-law record-keeping requirements.

5. AI Providers & Automated Decision-Making

In short: we use Google or OpenAI to analyze your scans. Their results are cosmetic insights, not legal or medical decisions, and you can ask for human review at any time.

The App uses artificial intelligence from third-party providers:

• Google (operated by Google LLC, United States) — skin analysis from photos
• OpenAI (operated by OpenAI, L.L.C., United States) — skin analysis, chat responses, and content generation

These providers process your data under written data-processing agreements that require protections equivalent to those described in this Policy: they are prohibited from using your data to train their general-purpose models, from using it for any purpose other than returning results to us, and they are required to delete your data after the processing session. Before any photo is sent to these providers, the App displays an in-app disclosure naming each provider and requires your explicit consent (Apple App Store Review Guideline 5.1.1(i)).

The App generates personalized scores, routines, and recommendations using AI ("automated processing"). These outputs are cosmetic insights, not decisions with legal or similarly significant effects on you. You retain full control: you choose whether to follow any recommendation, and you can request human review of any AI output by contacting us.

6. Data Sharing & Subprocessors

In short: we never sell your data. We share it only with the service providers strictly needed to run the App, and only to provide the App.

We do not sell or rent your personal data, and we do not share it for cross-context behavioral advertising. We share data only with the following categories of recipients, strictly as needed to operate the App:

• Cloud infrastructure — a secure cloud database, storage, authentication, and serverless-functions provider (EU/US)
• AI processing — Google, OpenAI (skin analysis, content generation)
• Authentication — Sign in with Apple, Google Sign-In
• Subscription management — a third-party subscription management platform; Apple App Store and Google Play (payment processing)
• Product data lookup — third-party product and ingredient databases (anonymous queries only)
• Analytics & crash reporting — providers used for anonymized, aggregated usage data and crash diagnostics
• Legal & safety — if required by law, court order, or to protect the rights, property, or safety of Aureli AI, our users, or others
• Business transfers — in connection with a merger, acquisition, reorganization, or sale of assets, subject to equivalent privacy protection

A current list of subprocessors is available on request at info@getaureli.app .

7. International Data Transfers

In short: some of our providers are based in the U.S. We rely on Standard Contractual Clauses and recognized data-transfer frameworks to protect your data when it leaves the EEA.

Several of our subprocessors (notably Google, OpenAI, and certain cloud infrastructure providers) are based in or transfer data to countries outside the European Economic Area, primarily the United States. Where your data is transferred outside the EEA, UK, or Switzerland, we rely on appropriate safeguards under applicable data protection law, including:

• The European Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, where applicable
• Provider participation in recognized frameworks (such as the EU–U.S. Data Privacy Framework) where applicable

You may request a copy of the relevant transfer safeguards by contacting us at info@getaureli.app .

8. Data Storage & Security

In short: your data is encrypted in transit and at rest, and access is tightly controlled. No system is perfectly secure.

Your data is stored on secure cloud infrastructure with row-level access controls. All data is encrypted in transit (TLS) and at rest. We follow industry-standard security practices, including least-privilege access, audit logging, and regular security reviews. No system is perfectly secure; we cannot guarantee absolute security.

9. Security Breach Notification

If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority without undue delay (and within 72 hours where feasible) and notify you directly when required by applicable law.

10. Data Retention

In short: we keep your data only as long as we need it. Most data is deleted within 30 days of account deletion; some records (like billing) are kept longer where required by law.

We retain personal data only for as long as necessary for the purposes described in this Policy. Specifically:

• Account, profile, scans, routines, logs, and reports — retained for as long as your account is active. Deleted within 30 days of account deletion.
• Raw facial photos — by default not retained on our servers; AI providers delete them immediately after the processing session in all cases. If you opt in to save photos to your account, they are stored until you delete them or your account, and removed within 30 days of account deletion.
• Subscription and billing records — retained as long as required by tax and accounting law (typically up to 7 years), even after account deletion.
• Crash reports and security logs — retained up to 90 days for diagnostics and abuse prevention.
• Aggregated, non-identifying analytics — may be retained indefinitely.
• Legal records — retained as required to defend legal claims or comply with legal obligations.

Where deletion is not technically feasible immediately (for example, in encrypted backups or audit logs), we securely isolate the data from any further processing and delete it on the next scheduled purge.

11. Your Rights

In short: you can access, correct, delete, export, restrict, or object to processing of your data, withdraw consent, and complain to your local data protection authority.

Subject to applicable law, you have the right to:

• Access your personal data — use "Export My Data" in Profile, or contact us
• Rectify inaccurate data — edit your Profile in the App
• Delete your data — use "Delete My Account" in Profile
• Restrict or object to certain processing
• Data portability — export your data in a structured, machine-readable format
• Withdraw consent — disable biometric processing or notifications. Withdrawal does not affect lawfulness of prior processing.
• Lodge a complaint with your local data protection supervisory authority. A directory of EU national authorities is available at edpb.europa.eu .

We do not charge for handling reasonable requests and will respond within one month, extendable by two months for complex requests as permitted by GDPR. To exercise these rights, use the in-app controls or email info@getaureli.app .

Identity Verification

To protect your data from impersonation, we may need to verify your identity before acting on a request. We will only use the information you provide for that verification and will avoid asking for more than necessary.

12. California Privacy Rights (CCPA / CPRA)

In short: California residents have rights to know, delete, correct, and limit the use of their personal information. We do not sell or share personal information.

If you are a California resident, you have the following rights under the California Consumer Privacy Act ("CCPA"), as amended by the CPRA:

• Right to know what personal information we collect, use, and share
• Right to delete personal information we hold about you
• Right to correct inaccurate personal information
• Right to opt out of the sale or sharing of personal information
• Right to limit the use of sensitive personal information (including biometric and health data)
• Right to non-discrimination for exercising your rights

We do not sell or share your personal information as those terms are defined under the CCPA, and we have not done so in the past 12 months. We use sensitive personal information (biometric and health data) solely to provide the service you have requested. To exercise California rights, contact us at info@getaureli.app .

Authorized Agent

You may designate an authorized agent to make a request on your behalf. We may require proof of authorization (such as a signed permission) and verification of your identity before acting on the request.

"Shine the Light" (Cal. Civ. Code §1798.83)

California residents may request, once a year and free of charge, information about categories of personal information (if any) we disclosed to third parties for their direct marketing purposes in the prior calendar year. We do not disclose personal information for third-party direct marketing purposes.

Minors Under 18

Although the App is intended for users 18 and older, California Business and Professions Code §22581 also gives California residents under 18 the right to request removal of content they have posted. To make such a request, contact us at info@getaureli.app with a statement of California residency.

13. Washington Consumer Health Data

In short: Washington residents have specific rights over their consumer health data, including consent, access, deletion, and opt-out from sale. We do not sell consumer health data.

If you are a Washington resident, the My Health My Data Act provides additional rights regarding your "consumer health data" (which may include skin conditions, cycle phase, and lifestyle logs). We process such data only with your explicit consent, do not sell it, and you may withdraw consent and request deletion at any time through the in-app controls or by emailing info@getaureli.app . Equivalent rights apply to residents of other U.S. states with comparable consumer health data laws.

14. Children's Privacy

In short: the App is for adults 18 and older. We do not knowingly collect data from minors.

Aureli AI is intended for users 18 and older. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us with personal data, please contact us and we will delete it promptly.

15. Cookies & Website Analytics

In short: the App does not use third-party cookies. Our website may use Google Analytics, but only after you give consent through the cookie banner.

The App itself does not use third-party cookies. Our website (getaureli.app) may use essential cookies to operate, and may use Google Analytics to understand how visitors use our site. Where required by law, we will request your consent before non-essential cookies are set. You can disable cookies in your browser at any time. We do not use cookies for cross-site advertising.

16. Do Not Track & Global Privacy Control

In short: we honor recognized browser-level opt-out signals such as Global Privacy Control (GPC) where required by law.

Most browsers offer a "Do Not Track" (DNT) setting, and some browsers and extensions transmit a "Global Privacy Control" (GPC) signal. There is currently no industry standard for DNT, so we do not respond to DNT signals. Where required by law (for example, under the California CCPA/CPRA), we treat a recognized GPC signal as a valid opt-out of the sale or sharing of your personal information for that browser. As stated above, we do not sell or share your personal information.

17. Third-Party Services

The App may link to or integrate with third-party services (Apple, Google, our infrastructure and subscription-management providers, and AI providers). Their privacy practices are governed by their own policies, which we encourage you to review. We are not responsible for the practices of third parties.

18. Changes to This Policy

We may update this Privacy Policy from time to time. Where changes are material, we will notify you in advance through the App or by email. Continued use of the App after changes take effect constitutes acceptance of the updated Policy. The "Effective date" above always reflects the latest version.

19. Contact Us

If you have questions about this Privacy Policy or your data, contact us at:

info@getaureli.app