Privacy Policy

Last Updated: December 24, 2025

1. Introduction

ShadePreview ("we," "our," or "us") operated by SNN is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered virtual makeup try-on and cosmetic shade preview service (the "Service").

This policy is designed to comply with applicable data protection laws including the EU General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), Brazil's Lei Geral de Proteção de Dados (LGPD), Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), and other applicable privacy laws.

Please read this Privacy Policy carefully. By using our Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with our policies and practices, please do not use our Service.

2. Information We Collect

2.1 Information You Provide Directly

Photographs: Images you upload for AI analysis and virtual makeup application
Cosmetic Selections: Product type/brand/product/shade choices you select in the Service
Payment Information: Processed by our payment provider Polar; we do not store full card details
Communications: Information you provide when contacting us for support

2.2 Information Collected Automatically

Device Information: Device type, operating system, browser type and version
Usage Data: Pages visited, features used, time spent on Service
IP Address: Your internet protocol address
Log Data: Server logs including access times and error reports
Cookies and Similar Technologies: As described in Section 11

2.3 Information from Third Parties

Payment Processor: Transaction confirmation and payment status from Polar
Analytics Providers: Aggregated usage statistics

3. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), UK, and Switzerland, we process your personal data based on the following legal grounds:

Contract Performance: Processing necessary to provide the Service you requested
Legitimate Interests: For service improvement, security, and fraud prevention
Consent: Where you have given explicit consent (e.g., marketing communications)
Legal Obligation: Where required by applicable laws

4. How We Use Your Information

We use the information we collect for the following purposes:

4.1 Service Delivery

Process your uploaded photos through AI analysis
Generate virtual makeup previews and shade recommendations
Deliver your generated results
Process payments and issue receipts

4.2 Service Improvement

Analyze usage patterns to improve our Service
Debug and fix technical issues
Develop new features and services

4.3 Security and Compliance

Detect and prevent fraud, abuse, and security incidents
Comply with legal obligations
Enforce our Terms of Service

4.4 Communications

Respond to your inquiries and support requests
Send transactional emails (receipts, confirmations)
Send marketing communications (only with your consent)

5. Photo and Biometric Data Handling

Important: Your uploaded photos are handled with the utmost care and security:

5.1 Photo Processing

Photos are transmitted using TLS/SSL encryption
Photos are processed for AI analysis and virtual try-on generation
We do NOT permanently store your photos on our servers unless explicitly stated for a feature you use
Photos may be processed in memory and discarded after analysis completes
Generated results may be temporarily cached for delivery (typically deleted within 24 hours)

5.2 Biometric Information Notice

Our AI analyzes facial regions and visual features from your photos to apply cosmetics virtually. Depending on your jurisdiction, this may be considered biometric data. By uploading photos, you consent to this analysis. We do NOT:

Create or store biometric identifiers or templates
Use photos for facial recognition or identification purposes
Share photos with third parties for their independent use
Use photos for any purpose other than providing the requested Service

5.3 Illinois BIPA Notice

For Illinois residents: We do not collect, capture, purchase, receive through trade, or otherwise obtain biometric identifiers or biometric information as defined under the Illinois Biometric Information Privacy Act. Our AI processing does not create biometric templates that could be used to identify you.

6. Information Sharing and Disclosure

We may share your information in the following circumstances:

6.1 Service Providers

Polar (Payment Processing): Processes payments securely. See: Polar Privacy Policy
OpenAI (AI Processing): Processes photos for AI analysis and/or image generation. See: OpenAI Privacy Policy
Cloudflare (Hosting/Security): Hosts and protects our Service. See: Cloudflare Privacy Policy

6.2 Legal Requirements

We may disclose your information if required to do so by law or in response to:

Court orders, subpoenas, or legal process
Government or regulatory requests
To protect our rights, property, or safety
To investigate potential violations of our Terms

6.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred. We will notify you of any such change and any choices you may have.

6.4 What We Do NOT Do

We do NOT sell your personal information
We do NOT share your photos with advertisers
We do NOT use your data for targeted advertising
We do NOT share data with data brokers

7. Data Retention

Photos: Not stored permanently; processed and discarded unless needed for delivery/caching
Analysis Results: May be stored only in your browser (e.g., local storage) and/or briefly cached for delivery
Payment Records: Retained by Polar as required for accounting and legal purposes
Analytics Data: Aggregated and anonymized data may be retained for service improvement
Support Communications: Retained for up to 3 years for quality and legal purposes

We retain personal data only as long as necessary for the purposes described in this policy, or as required by law.

8. Your Privacy Rights

8.1 Rights for All Users

Regardless of your location, you have the right to:

Access information about what data we hold about you
Request correction of inaccurate data
Request deletion of your data (subject to legal requirements)
Opt-out of marketing communications
Withdraw consent where processing is based on consent

8.2 European Economic Area (GDPR Rights)

If you are in the EEA, UK, or Switzerland, you have additional rights:

Right to Access: Obtain a copy of your personal data
Right to Rectification: Correct inaccurate personal data
Right to Erasure: Request deletion of your personal data
Right to Restriction: Restrict processing of your data
Right to Portability: Receive your data in a portable format
Right to Object: Object to processing based on legitimate interests
Right to Withdraw Consent: Withdraw consent at any time
Right to Lodge Complaint: File a complaint with your local data protection authority

8.3 California Residents (CCPA/CPRA Rights)

If you are a California resident, you have the following rights:

Right to Know: Request disclosure of personal information collected, used, and shared
Right to Delete: Request deletion of personal information
Right to Correct: Request correction of inaccurate personal information
Right to Opt-Out: Opt-out of sale or sharing of personal information (Note: We do NOT sell your data)
Right to Non-Discrimination: Not be discriminated against for exercising your rights
Right to Limit Use of Sensitive Personal Information: Limit use of sensitive data

California "Shine the Light" Law: California residents may request information about disclosure of personal information to third parties for direct marketing purposes. We do not share personal information for such purposes.

8.4 Brazil Residents (LGPD Rights)

If you are a Brazil resident, you have similar rights under the LGPD, including:

Confirmation of processing and access to data
Correction of incomplete or inaccurate data
Anonymization, blocking, or deletion of unnecessary data
Data portability
Information about sharing with third parties
Revocation of consent

8.5 How to Exercise Your Rights

To exercise any of these rights, please contact us through our website. We will respond to your request within the timeframes required by applicable law (typically 30–45 days). We may need to verify your identity before processing your request.

9. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence, including the United States. These countries may have different data protection laws.

For transfers from the EEA, UK, or Switzerland, we rely on:

Standard Contractual Clauses approved by the European Commission
Adequacy decisions where applicable
Your explicit consent where appropriate

By using our Service, you consent to the transfer of your information to these countries.

10. Data Security

We implement appropriate technical and organizational measures to protect your personal data:

Encryption: TLS/SSL encryption for all data transmission
Secure Infrastructure: Hosted behind modern security controls (e.g., Cloudflare)
Access Controls: Strict access controls and authentication
No Permanent Storage: Photos are not permanently stored (see Section 5)
Regular Reviews: Periodic security assessments and updates
Secure Payment: PCI-compliant payment processing through Polar

While we strive to protect your data, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

11. Cookies and Tracking Technologies

11.1 What We Use

Essential Cookies: Required for the Service to function properly
Local Storage: Temporarily stores your input data during parts of the flow (e.g., checkout)
Analytics: Aggregated usage statistics (may be anonymized)

11.2 Third-Party Cookies

Our payment provider (Polar) and hosting/security providers (e.g., Cloudflare) may use their own cookies. Please refer to their respective privacy policies.

11.3 Cookie Choices

You can control cookies through your browser settings. Note that disabling certain cookies may affect the functionality of our Service.

11.4 Do Not Track

We currently do not respond to "Do Not Track" signals as there is no industry standard for this.

12. Children's Privacy

Our Service is not intended for children under 18 years of age (or the applicable age of majority in your jurisdiction). We do not knowingly collect personal information from children.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately. If we become aware that we have collected personal information from a child without verification of parental consent, we will take steps to delete that information.

13. Third-Party Links and Services

Our Service may contain links to third-party websites or services that are not owned or controlled by us. This Privacy Policy does not apply to third-party services. We encourage you to review the privacy policies of any third-party services you access.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

Posting the new Privacy Policy on this page
Updating the "Last Updated" date
Sending an email notification for significant changes (if we have your email)

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after any changes constitutes acceptance of the updated policy.

15. Data Protection Officer

For GDPR-related inquiries, you may contact our data protection representative through our website. You also have the right to lodge a complaint with your local supervisory authority.

16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us through our website. We are committed to addressing your concerns and will respond within the timeframes required by applicable law.

For GDPR-related requests, we aim to respond within 30 days. For CCPA requests, we aim to respond within 45 days.