SkinAI-Skincare Recommendation Privacy Policy

Effective Date: 20th May 2026

Welcome to SkinAI-Skincare Recommendation ("SkinAI", "we", "our", or "us"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you install, access, or use the SkinAI Shopify application (the "App"), the storefront skin-analysis widget, and any related services (collectively, the "Services").

SkinAI enables Shopify merchants to offer AI-powered skin analysis and personalized product recommendations to their store visitors. Depending on how you interact with the Services, you may be a Merchant (store owner or staff using the embedded admin app) or an End User (customer using the widget on a merchant's storefront).

We are committed to complying with global data‑protection and privacy laws, including but not limited to the General Data Protection Regulation (EU) 2016/679 (GDPR), the UK Data Protection Act 2018, the California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA), the Singapore Personal Data Protection Act (PDPA), the India Digital Personal Data Protection Act 2023 (DPDP Act), the Australian Privacy Act 1988, and other applicable regional legislation across the United States (US), Europe (EU & UK), and Asia‑Pacific (APAC).

If you have any questions or concerns, please contact us at apps@seventhtriangle.com

1. Who We Are

SkinAI is a Shopify application developed and maintained by Seventh Triangle Consulting. We act as a data processor when processing information on behalf of Shopify merchants ("Merchants") including storefront End User data submitted through the widget and as a data controller for information we collect about visitors to our marketing materials, prospective merchants, or our own operational and security logs.

Merchants remain responsible for their own privacy notices to End Users and for ensuring that use of the widget on their storefront complies with applicable law. Where required, Merchants should obtain appropriate consent before enabling camera-based skin analysis.

2. Information We Collect

Category

Examples

Source

Purpose

Merchant Account Data

Store name, store URL (myshopify.com domain), contact email, Shopify plan, Shopify Admin API access tokens, locale & currency

Directly from Merchant via Shopify OAuth

• Provide, maintain & improve the App

• Authenticate admin sessions

• Billing (via Shopify where applicable)

Merchant Configuration & Usage Data

Widget settings (colors, copy, flow toggles, quiz questions, skin concerns, disclaimer text), product and collection mappings, onboarding status, in‑App feature interactions, support communications

Merchant input in the admin dashboard; automatic in‑App events

• Operate the skin-analysis widget on the storefront

• Match AI results to merchant products

• Product analytics & roadmap planning

• Fraud & abuse detection

Storefront End User Data

Client-generated session identifier; quiz responses (e.g. gender, age range, skin type, sensitivity, lifestyle and skincare preferences as configured by the Merchant); AI-derived skin attributes (skin type, score, insight, detected concerns with severity/scores); recommended product identifiers and match metadata; add-to-cart conversion flags

End User via the storefront widget (Shopify App Proxy)

• Deliver personalized skin analysis results

• Recommend merchant products

• Provide aggregated analytics to the Merchant

Facial Image Data (Transient)

Selfie or uploaded face photo submitted as a base64-encoded image when the Merchant enables image-based analysis

End User camera or file upload in the widget

• Process AI skin analysis in real time

• We do not persist raw photos in our application database after analysis completes

Aggregated Analytics Data

Daily per-store counts: widget opens, scans/completions, product recommendation add-to-cart conversions; aggregated concern and product performance metrics in the merchant dashboard

Automatically via widget and backend events

• Merchant reporting and performance insights

• Service improvement

Shopify Product Data

Product and collection titles, IDs, images, tags (including SkinAI concern tags applied by the App), variant and inventory information accessed via Shopify Admin API

Shopify Admin API on behalf of the Merchant

• Product mapping and recommendations

• Sync concern tags to merchant catalog

We do not intentionally collect End User names, email addresses, phone numbers, or Shopify customer IDs through the widget. End Users are not required to create an account to use the skin-analysis flow.

Sensitive and special-category data: When image-based analysis is enabled, End Users may submit facial photographs and receive inferences about skin characteristics. Depending on your jurisdiction, this may constitute biometric or health-related data. We process such data only to perform the analysis you initiate, we do not store raw facial images in our database, and we do not sell this data. Merchants and End Users should only use the camera feature where they have a lawful basis (typically explicit consent). Cardholder data, if any checkout occurs, is handled exclusively by Shopify's PCI‑DSS‑compliant infrastructure—we do not process payment card data.

3. Cookies & Similar Technologies

We use necessary Shopify session cookies and local storage to:

  • Authenticate Merchants into the embedded App dashboard.
  • Remember Merchant preferences and session state within the admin app.

On the merchant storefront, the SkinAI widget uses browser sessionStorage (not App-owned cookies) to temporarily hold analysis results and related session state for the current browser tab for example, to restore results on the same page without re-scanning. This data remains on the End User's device and is cleared when the browser session ends or storage is cleared.

Where consent is required (e.g., under GDPR or the ePrivacy Directive), Merchants are responsible for displaying appropriate notices on their storefront; we recommend obtaining consent before activating camera capture where required by law.

4. Legal Bases for Processing (GDPR/UK GDPR)

We rely on the following legal grounds:

  1. Contractual Necessity – to provide the Services the Merchant requests by installing the App, including operating the widget, product mapping, and admin dashboard.
  2. Legitimate Interests – to improve and secure our Services, provide aggregated analytics to Merchants, communicate with Merchants, and prevent fraud or abuse.
  3. Consent – for optional processing that requires explicit consent, including where End Users submit facial images or sensitive quiz responses on a Merchant's storefront (the Merchant, as storefront operator, is typically responsible for obtaining and documenting consent).
  4. Legal Obligation – to comply with applicable law, tax, accounting, and regulatory requirements.

5. How We Use Your Information

  • To deliver, operate, maintain, and update the App and storefront widget.
  • To perform AI-powered skin analysis and map results to merchant-configured products and concerns.
  • To authenticate Merchant access and secure admin accounts.
  • To store quiz responses and analysis outcomes for merchant analytics (without retaining raw facial images).
  • To synchronize product concern tags and mappings with the Merchant's Shopify catalog.
  • To answer support requests and resolve issues.
  • To comply with legal obligations, respond to data subject requests, and enforce our Terms of Service.

6. How We Share Information

We do not sell personal data. We only share information:

  • Within Seventh Triangle Consulting and its subsidiaries on a need‑to‑know basis;
  • With Service Providers acting on our behalf under data‑processing agreements and appropriate safeguards, including:
    • Shopify – hosting, OAuth, Admin API, App Proxy, webhooks, and embedded app infrastructure;
    • Google (Gemini API) – to analyze submitted facial images and quiz responses and return skin-analysis results (images are transmitted for processing only and are not stored by us in our database);
    • Amazon Web Services (AWS) – application hosting in the AP-South-1 (Mumbai) region;
    • MongoDB – secure database hosting for merchant configuration, analysis records, and analytics;
  • With the Merchant whose storefront generated the data—Merchants can view aggregated analytics and analysis-related records in the admin dashboard;
  • For Legal Reasons such as responding to lawful requests from regulators or to protect our rights, property, or users.

Where data is transferred outside the EEA/UK, we rely on approved transfer mechanisms such as Standard Contractual Clauses (SCCs) or an adequacy decision, and we require subprocessors to maintain appropriate safeguards.

7. International Data Transfers

Our application servers are hosted on Amazon Web Services (AWS) in Mumbai (AP-South-1). Subprocessors such as Google (Gemini) and MongoDB may process data in additional regions. Depending on your location, your personal data may be transferred to and processed in countries other than your own. We implement safeguards including:

  • ISO 27001‑certified data centres where applicable.
  • Encryption in transit (TLS 1.2+) and at rest (AES‑256).
  • Encrypted request payloads for Merchant admin API operations (RSA-OAEP and AES-256-CBC).

8. Data Subject & Consumer Rights

Depending on where you reside, you may have rights to:

  • Access, correct, or delete personal data;
  • Object to or restrict processing;
  • Data portability;
  • Opt‑out of marketing communications;
  • Withdraw consent at any time without affecting the lawfulness of prior processing;
  • Lodge a complaint with a supervisory authority (e.g., ICO in the UK, DPA in your EU member state, or local privacy regulator).

End Users who interacted with the widget on a Merchant's store should contact that Merchant first; Merchants may forward requests to us at apps@seventhtriangle.com. We will respond within the deadlines mandated by applicable law (e.g., 30 days under GDPR).

SkinAI supports Shopify's mandatory privacy webhooks (customer data request, customer redact, and shop redact). Merchants and End Users may also request deletion of stored analysis or configuration data by contacting us directly.

9. Security Measures

  • End‑to‑end TLS encryption (HTTPS) for all data in transit, including storefront traffic via Shopify App Proxy.
  • Encryption at rest using industry-standard AES‑256 mechanisms on our database and cloud infrastructure.
  • Encrypted request bodies for Merchant admin write operations.
  • No persistent storage of raw End User facial images in our application database after analysis.
  • Image upload size limits (e.g. 5 MB) to reduce abuse risk.
  • Principle of least privilege & role‑based access controls for internal systems.
  • Continuous monitoring, logging, and anomaly detection.

Although we implement industry‑standard safeguards, no system is 100 % secure. Merchants should keep Shopify credentials confidential and immediately notify us of any security incidents at apps@seventhtriangle.com.

10. Data Retention

We retain Merchant account and configuration data for as long as the App is installed on the store. Upon uninstall, we delete Merchant records, product and collection mappings, and OAuth sessions; certain analysis and aggregated analytics records may be retained for a limited period unless a deletion request is received or we complete shop-redact processing under Shopify's requirements.

Raw facial images submitted for analysis are processed in real time and are not stored in our application database. Quiz answers, AI-derived skin results, session identifiers, and recommendation metadata associated with completed analyses may be retained to provide merchant analytics and service continuity until deleted via privacy request or shop redact.

End User sessionStorage data on the storefront remains on the device only and is not controlled by our retention schedule.

11. Children's Privacy

Our Services are not directed to children under 16. We do not knowingly collect personal data from minors. The widget quiz may include age-range options; Merchants should configure flows appropriately for their audience. If you become aware that a child has provided us with personal information, please contact us and we will take steps to delete such data.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will post the revised version with an updated "Effective Date" and, where required, provide notice (e.g., via the App dashboard or email). Continued use of the Services after such changes constitutes acceptance.

13. Contact Us

If you have any questions, requests, or complaints regarding this Privacy Policy or our privacy practices, please contact:

Privacy Team
SkinAI / Seventh Triangle Consulting
Second Floor, The Berry Coworks , Plot No 15, Sector-142, Noida , Uttar Pradesh - 201304
Email: apps@seventhtriangle.com
Data Protection Officer (EU/UK): Sushant Gupta, sushant@seventhtriangle.com

© 2026 Seventh Triangle Consulting. All rights reserved.