Privacy Policy
Last updated: July 3 2025
1. Introduction
DS Maker LTD ("DS Maker", "we", "our" or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose and safeguard your information—including face data—when you use the ByeByeAcne mobile application, our website and related services (collectively, the "Services"). By accessing or using the Services, you agree to the practices described below.
2. Definitions
- "Personal Data": Any information relating to an identified or identifiable person.
- "Face Data": Photographs of your face (selfies, progress photos) and related assessment responses.
- "Processing": Any operation performed on Personal Data (collection, storage, analysis, deletion, etc.).
- "EU Standard Contractual Clauses": Model clauses approved by the European Commission for data transfers outside the EEA.
3. Information We Collect
Category | Examples | Source |
---|---|---|
Account & Contact Data | Name, email, password (hashed), support inquiries | Provided by you |
Device & Usage Data | Device model, OS version, app interactions, crash logs | Collected automatically |
Face Data | • On-boarding selfie • Weekly progress photos (front & profiles) • Acne assessment responses (severity, history, lifestyle) | Provided by you |
Analytics Events | Anonymous in-app events, feature usage | Collected automatically |
We do not knowingly collect Personal Data from children under 13 (or equivalent minimum age). If you are a parent or guardian and believe we have collected a child's data, please contact us to request deletion.
4. How We Use Your Information
Purpose | Legal Basis* | Details |
---|---|---|
Provide & improve Services | Performance of contract | Account creation, selfie storage, progress display |
Acne severity analysis | Legitimate interest / Consent | On-device & cloud AI grading of face images |
Personalised care plans | Performance of contract | Tailored skincare, nutrition & habit recommendations |
Optional AI cosmetic preview | Consent | Temporary upload to AI Skin Beauty API via RapidAPI |
Analytics & product development | Legitimate interest | Aggregate metrics via Mixpanel to enhance the app |
Legal & security | Legal obligation | Fraud detection, terms enforcement, legal compliance |
*If you reside in the EEA/UK, the above GDPR legal bases apply. Consent can be withdrawn at any time via the app.
5. Sharing & Third-Party Processing
Recipient | Data Shared | Purpose | Safeguards |
---|---|---|---|
Google Firebase (EU region) | Photos, questionnaire answers, auth data | Secure storage, database, hosting | TLS in transit; AES-256 at rest |
AI Skin Beauty API (AILab Tools) via RapidAPI | Temporary copy of selfies (Beautify feature) | Real-time enhanced image preview | Original deleted immediately; enhanced file purged ≤ 24 h |
Mixpanel | Pseudonymised usage events (no images) | Analytics | TLS; encrypted at rest; EU Standard Contractual Clauses |
We do not sell, rent or share Face Data with advertisers.
6. Data Retention
6.1 Face Data
- Active account: Retained while your account exists.
- Post-deletion / inactivity: Permanently erased 30 days after you delete your account or 12 months of inactivity, whichever is sooner.
- Third-party copies: AILab Tools purges all temporary files within 24 hours (per their §3.2).
6.2 Other Data
- Account & Contact Data: Retained while account is active or up to 24 months after deletion.
- Device & Usage Data: Stored up to 12 months for diagnostics.
- Analytics Events: Kept for 24 months in anonymized form.
7. Cookies & Similar Technologies
We use cookies, local storage and SDK trackers (e.g. Firebase Crashlytics, Mixpanel) to:
- Enable core functionality (auth, preferences).
- Analyze usage and performance.
You may disable non-essential cookies via your browser or device settings, but core functionality may degrade.
8. Security Measures & Data Breach Notification
- Encryption: TLS 1.2+ in transit; AES-256 at rest (Firebase Storage & Firestore).
- Access controls: Principle of least privilege; role-based permissions.
- Audits & testing: Regular penetration tests and vulnerability scans.
In the unlikely event of a data breach, we will notify affected users within 72 hours (or as required by law) and inform relevant supervisory authorities.
9. International Transfers
When transferring Personal Data outside the EEA/UK, we rely on EU Standard Contractual Clauses or equivalent safeguards to ensure adequate protection.
10. Your Rights & Choices
You may exercise the following in-app (Settings → Privacy) or by emailing [email protected]:
- Access – Receive a copy of your data.
- Correction – Update or amend your data.
- Deletion – Erase Personal Data ("Delete My Data"). Fulfilled within 30 days.
- Portability – Obtain data in machine-readable format.
- Objection / Restriction – Limit certain processing activities.
- Withdraw Consent – Revoke any consents (e.g. cosmetic preview).
10.1 Additional Rights
- EEA/UK (GDPR): Right to lodge a complaint with a supervisory authority.
- California (CCPA): Right to know, delete, and opt-out of the sale of Personal Data. To exercise CCPA rights, contact [email protected].
11. Children's Privacy
We do not target or knowingly collect data from children under 13. Parents may request deletion of a minor's data via [email protected].
12. Changes to This Policy
We may update this Policy. Material changes will be communicated via in-app notice or email. Continued use after updates constitutes acceptance.
13. Contact Us
For questions or requests regarding this Policy or your data, email [email protected] or write to:
DS Maker LTD
9 Efesou, 5280, Paralimni, Famagusta, Cyprus
Attn: Privacy Officer
End of Policy