Privacy Policy

1. Information We Collect

Information You Provide:

• Account information: Email address, password (hashed)
• Skin profile: Skin type, concerns, allergies, Fitzpatrick scale, climate, age range, budget
• Product interactions: Scanned labels, reviews, routines, wishlists, reactions
• Conversations: Messages with Yuri AI advisor

Information Collected Automatically:

• Device type and browser for responsive design
• IP address for rate limiting and abuse prevention
• Usage patterns (pages visited, features used) for product improvement

2. How We Use Your Information

• Personalization: Tailoring Yuri's recommendations to your skin type and concerns
• Product intelligence: Ingredient conflict detection, routine building, compatibility scoring
• Learning engine: Anonymized, aggregated data across users improves recommendations for everyone (e.g., “users with oily skin found Product X effective”)
• Account management: Authentication, subscription billing, support
• Service improvement: Understanding which features are used to improve the product

3. AI Processing & Third-Party Services

We use the following third-party services:

• Supabase: Database and authentication (hosted in the US)
• Anthropic: AI processing for Yuri advisor and scanning features
• Stripe: Payment processing for subscriptions
• Vercel: Application hosting and delivery

4. Cross-User Learning (Anonymized)

Seoul Sister's learning engine aggregates anonymized data across users to improve recommendations. This means:

• Your skin type + product reactions contribute to effectiveness scores (e.g., “88% of users with dry skin rated this moisturizer positively”)
• All learning data is fully anonymized — no personally identifiable information is stored in learning patterns
• You cannot be identified from aggregated learning data

5. Data Retention

• Account & profile data: Retained while your account is active
• Yuri conversations: Retained for cross-session memory while your account is active. Conversation summaries are generated periodically and older message content may be pruned after 90 days of inactivity
• Scan images: Processed in real-time by Anthropic's API and not permanently stored on our servers. Scan results (ingredient lists, analysis) are retained while your account is active
• Anonymous widget conversations: Not stored; streamed and discarded immediately
• Analytics data: Aggregated usage analytics are retained for up to 90 days
• After account deletion: All personal data (profile, conversations, scans, routines, reviews) is deleted within 30 days. Database backups containing your data are purged within 30 days of deletion. Anonymized learning contributions (which cannot be traced back to you) are retained

6. Your Rights & Controls

You have the right to:

• Access: View all data we have about you (available on your Profile page)
• Delete: Delete your account and all associated data (Settings → Delete Account)
• Export & Portability: Request a copy of your data in a machine-readable format (JSON) by contacting us. This includes your profile, conversations, routines, reviews, and scan history
• Correct: Update your skin profile at any time through Yuri onboarding
• Object: You may object to automated processing of your data for personalization purposes by contacting us

7. Cookies & Local Storage

• Authentication: Session tokens stored in browser for login
• Widget tracking: localStorage tracks anonymous widget message count (resets after 30 days)
• Analytics: We use Google Analytics 4 to understand how visitors use the site (pages visited, traffic sources). GA4 sets cookies to distinguish users. We do not use this data for advertising or share it with ad networks. You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on
• No advertising cookies: We do not use Facebook Pixel, ad retargeting pixels, or similar advertising tracking tools

8. Children's Privacy

Seoul Sister is intended for users aged 13 and older. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us personal information, please contact us for immediate deletion.

9. California Privacy Rights (CCPA)

California residents have the right to know what personal information is collected, request deletion, and opt out of the sale of personal information. We do not sell personal information. To exercise these rights, contact us at the email below.

10. International Users & Data Transfers

Seoul Sister is operated from the United States. Our data infrastructure (Supabase, Vercel, Anthropic) is hosted in the United States. If you access Seoul Sister from outside the US, you consent to the transfer of your information to the United States, where data protection laws may differ from those in your jurisdiction.

For users in the European Economic Area (EEA), United Kingdom, or other regions with data transfer regulations: by using Seoul Sister and providing your information, you consent to the transfer, processing, and storage of your data in the United States. We rely on your consent and the necessity of processing for the performance of our service as the legal basis for these transfers.

11. Security

We protect your data with:

• HTTPS encryption for all data in transit
• Row Level Security (RLS) on all database tables
• Passwords hashed via Supabase Auth (bcrypt)
• API keys stored as environment variables, never in client code
• Rate limiting on all public endpoints

12. Changes to This Policy

We may update this policy from time to time. We will notify you of material changes by posting a notice on the app or sending an email. Continued use after changes constitutes acceptance.

13. Contact

For privacy questions, data requests, or concerns:

Email: privacy@seoulsister.com