Privacy Policy

Effective Date: March 8, 2026

1. Introduction

kissinskin ("we", "our", "us") operates the website https://kissinskin.net. This Privacy Policy explains how we collect, use, protect, and disclose your information when you use our AI makeup analysis service ("Service").

We are committed to protecting your privacy and complying with applicable data protection laws worldwide, including the EU General Data Protection Regulation (GDPR), UK GDPR, California Consumer Privacy Act (CCPA/CPRA), Brazil's Lei Geral de Proteção de Dados (LGPD), South Korea's Personal Information Protection Act (PIPA), Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), Japan's Act on the Protection of Personal Information (APPI), and the Australian Privacy Act 1988.

2. Data Controller

kissinskin is the data controller responsible for your personal data processed through the Service. For payment-related data, Polar acts as an independent data controller.

3. Information We Collect

3.1 Photos You Upload (Biometric/Facial Data)

  • When you use our Service, you upload a facial photo for AI analysis.
  • Your photo is sent to OpenAI's API for processing and is not stored on our servers.
  • Photos are processed in real-time memory and discarded immediately after your analysis results are generated.
  • We do not keep, archive, or back up your photos in any form.
  • Biometric data notice: Your facial photo may constitute biometric data under certain laws (e.g., Illinois BIPA, Texas CUBI, Washington state law). We do not extract, store, or create biometric identifiers or templates from your photos. The photo is used solely for the purpose of generating AI makeup simulations and is not retained.

3.2 Payment Information

  • All payment processing is handled by Polar (polar.sh), acting as our Merchant of Record.
  • We never receive, see, or store your credit card number, CVV, or full billing details.
  • Polar collects the necessary payment information (card details, billing address, email) to process your transaction. This data is subject to Polar's Privacy Policy.
  • We may receive from Polar: transaction confirmation, order amount, and a reference ID for customer support purposes.

3.3 Automatically Collected Data

  • Cloudflare Analytics: As our hosting provider, Cloudflare may collect anonymous usage data (page views, country, device type, browser). This data does not identify you personally.
  • We do not use cookies for tracking or advertising.
  • We do not use Google Analytics or any third-party tracking pixels.
  • We do not use any first-party or third-party cookies. Cloudflare may use strictly necessary technical cookies for security purposes (e.g., bot protection).

4. Legal Basis for Processing (GDPR Article 6)

For users in the EU/EEA and UK, we process your data based on the following legal grounds:

Processing ActivityLegal BasisGDPR Article
Processing your uploaded photo for AI analysisYour explicit consent (you actively upload and submit)Art. 6(1)(a), Art. 9(2)(a)
Processing paymentPerformance of contractArt. 6(1)(b)
Anonymous analytics (Cloudflare)Legitimate interest (service improvement)Art. 6(1)(f)
Responding to support requestsPerformance of contract / Legitimate interestArt. 6(1)(b), Art. 6(1)(f)
Legal complianceLegal obligationArt. 6(1)(c)

5. How We Use Your Information

DataPurposeRetention
Uploaded photoGenerate AI makeup analysisNot retained (real-time processing only, deleted immediately)
Analysis resultsDisplay in your browserBrowser session only (not stored on server)
Payment infoProcess payment via PolarManaged by Polar per their retention policy
Transaction referenceCustomer supportUp to 12 months or as required by tax/accounting law
Anonymous analyticsImprove service qualityAggregated, no PII, managed by Cloudflare

6. Automated Decision-Making & Profiling

In accordance with GDPR Article 22:

  • The Service uses automated processing (AI models by OpenAI) to generate makeup simulations and skin analysis reports.
  • This automated processing produces results that are artistic/cosmetic in nature and do not produce legal effects or similarly significantly affect you.
  • We do not use your data for profiling, targeted advertising, credit scoring, or any automated decision-making that produces legal or similarly significant effects.
  • The legal basis for this automated processing is your explicit consent provided when you upload your photo and initiate the analysis.

7. Third-Party Services & Data Processors

We use the following third-party services. Each has their own privacy policy:

ServiceRolePurposeData TransferredLocationPrivacy Policy
OpenAIData ProcessorAI image generation & text analysisUploaded photo (transient)United Statesopenai.com/privacy
PolarIndependent ControllerPayment processing (MoR)Payment & billing infoUnited States / EUpolar.sh/legal/privacy
CloudflareData ProcessorWebsite hosting, CDN, securityAnonymous analytics, IP (transient)Global (edge network)cloudflare.com/privacy

Important: OpenAI's API data usage policy states that data sent through the API is not used to train their models. Your photos are not used for AI training by OpenAI or by us.

8. International Data Transfers

Your data may be transferred to and processed in countries outside your country of residence, including the United States. We ensure appropriate safeguards are in place:

  • EU/EEA to US: Transfers to OpenAI and Polar are protected by Standard Contractual Clauses (SCCs) as adopted by the European Commission, and/or the EU-U.S. Data Privacy Framework where applicable.
  • UK: Transfers are protected by the UK International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs.
  • South Korea: Cross-border transfers comply with PIPA Article 17 requirements. Your consent to use the Service constitutes consent to cross-border data transfer for the stated purposes.
  • Brazil: Transfers comply with LGPD Article 33, based on your consent and adequate safeguards.
  • Japan: Transfers comply with APPI requirements, with appropriate safeguards in place.
  • Since we do not store your photos or personal data on our servers, the actual data transfer is transient and limited to the duration of API processing.

9. Data We Do NOT Collect

  • We do not collect your name, email, phone number, or address (unless provided to Polar during payment).
  • We do not create user accounts or profiles.
  • We do not track you across websites.
  • We do not sell, rent, or share your personal information with third parties for advertising, marketing, or any commercial purpose.
  • We do not use your photos for AI model training.
  • We do not engage in cross-context behavioral advertising.
  • We do not create or store biometric identifiers or biometric templates.

10. Data Security

  • All data transmission is encrypted using HTTPS/TLS (TLS 1.2 or higher).
  • Photos are transmitted directly from your browser to OpenAI's API via our secure serverless function — no intermediate storage.
  • Our infrastructure runs on Cloudflare Workers (serverless), meaning there is no persistent server where data could be stored or accessed.
  • We implement appropriate technical and organizational measures to protect against unauthorized access, alteration, disclosure, or destruction of data.

11. Data Breach Notification

In the unlikely event of a data breach involving personal data:

  • EU/EEA (GDPR): We will notify the relevant supervisory authority within 72 hours of becoming aware of the breach (Article 33). If the breach poses a high risk to your rights and freedoms, we will also notify affected individuals without undue delay (Article 34).
  • UK: We will notify the Information Commissioner's Office (ICO) within 72 hours.
  • South Korea (PIPA): We will notify affected individuals and the Personal Information Protection Commission (PIPC) without delay.
  • Brazil (LGPD): We will notify the National Data Protection Authority (ANPD) and affected individuals.
  • California (CCPA): We will notify affected California residents as required by Cal. Civ. Code § 1798.82.
  • Canada (PIPEDA): We will notify the Privacy Commissioner of Canada and affected individuals for breaches posing a real risk of significant harm.
  • Australia: We will notify the Office of the Australian Information Commissioner (OAIC) and affected individuals for eligible data breaches under the Notifiable Data Breaches scheme.

12. Your Rights

12.1 Rights for All Users

Regardless of your location, you have the right to:

  • Access: Know what data we hold about you (effectively none, as described above).
  • Deletion: Request deletion of any data. Since we don't store photos or personal data, this primarily applies to payment records held by Polar.
  • Portability: Request your data in a portable format.
  • Objection: Object to any data processing.
  • Withdraw consent: You may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing performed before withdrawal.

12.2 EU/EEA Users (GDPR)

In addition to the above, you have the right to:

  • Rectification: Correct inaccurate personal data (Art. 16).
  • Restriction: Request restriction of processing in certain circumstances (Art. 18).
  • Object to legitimate interest processing: You may object to processing based on legitimate interests (Art. 21).
  • Not be subject to automated decision-making: You have rights regarding automated processing (Art. 22). See Section 6 above.
  • Lodge a complaint: You have the right to lodge a complaint with your local Data Protection Authority (DPA). A list of EU DPAs is available at edpb.europa.eu.

12.3 UK Users (UK GDPR)

  • You have equivalent rights to EU users under the UK GDPR and Data Protection Act 2018.
  • You may lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

12.4 California Users (CCPA/CPRA)

  • Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you in the past 12 months.
  • Right to Delete: You may request deletion of your personal information.
  • Right to Correct: You may request correction of inaccurate personal information.
  • Right to Opt-Out of Sale/Sharing: We do not sell or share your personal information as defined by the CCPA/CPRA. No opt-out is necessary.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.
  • Authorized Agent: You may designate an authorized agent to make requests on your behalf.
  • Categories of PI collected: Internet activity (anonymous analytics via Cloudflare), financial information (via Polar, not by us directly). We do not collect sensitive personal information as defined under the CPRA.
  • We will respond to verifiable consumer requests within 45 days.

12.5 South Korean Users (PIPA)

  • You have the right to access, correct, delete, and suspend processing of your personal information under PIPA.
  • We comply with the duty to destroy personal information when its purpose has been achieved — photos are destroyed immediately after processing.
  • You may lodge a complaint with the Personal Information Protection Commission (PIPC) at pipc.go.kr.
  • You may also seek dispute resolution through the Korea Internet & Security Agency (KISA) Privacy Center (privacy.kisa.or.kr).

12.6 Brazilian Users (LGPD)

  • You have the right to confirmation, access, correction, anonymization, portability, deletion, information about sharing, and revocation of consent under the LGPD.
  • You may lodge a complaint with the Autoridade Nacional de Proteção de Dados (ANPD).

12.7 Canadian Users (PIPEDA)

  • You have the right to access your personal information, challenge its accuracy, and withdraw consent.
  • You may lodge a complaint with the Office of the Privacy Commissioner of Canada (OPC) at priv.gc.ca.

12.8 Japanese Users (APPI)

  • You have the right to request disclosure, correction, cessation of use, and deletion of your personal information under the APPI.
  • You may lodge a complaint with the Personal Information Protection Commission (PPC) of Japan.

12.9 Australian Users (Privacy Act 1988)

  • You have the right to access and correct your personal information under the Australian Privacy Principles (APPs).
  • You may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

To exercise any of these rights, contact support@kissinskin.net. We will respond within the timeframe required by applicable law (generally 30 days, or 45 days for CCPA).

13. Children's Privacy

  • The Service is not intended for children under 16 (or the applicable minimum age in your jurisdiction).
  • We do not knowingly collect data from children under 16 (or 13 under COPPA in the United States).
  • If you believe a child has used our Service, contact us and we will take appropriate action, including deleting any data that may have been inadvertently collected.
  • In the EU/EEA, the minimum age varies by member state (13–16) per GDPR Article 8.
  • In South Korea, the minimum age is 14 under PIPA.

14. Do Not Track (DNT) Signals

Our Service does not track users across third-party websites and therefore does not respond to Do Not Track (DNT) signals. We do not engage in any cross-site tracking.

15. Data Retention & Destruction

  • Photos: Not retained. Destroyed immediately after AI processing is complete.
  • Analysis results: Exist only in your browser session. Not stored on any server.
  • Transaction references: Retained for up to 12 months for customer support and legal/tax compliance, then deleted.
  • Payment data: Retained by Polar according to their data retention policy and applicable financial regulations.
  • We comply with the data destruction requirements under PIPA (South Korea), LGPD (Brazil), and other applicable laws.

16. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be reflected with an updated effective date at the top of this page. Where required by law (e.g., GDPR, PIPA), we will provide notice of material changes before they take effect. Continued use of the Service after changes constitutes acceptance.

17. Contact Us

For privacy-related questions, data requests, or to exercise any of your rights:

We aim to respond to all privacy-related inquiries within 30 days (or within the timeframe required by your applicable local law).