Sharp Sharp
How it works Features Pricing FAQ
Get Sharp
Legal

Privacy Policy

Last updated: July 6, 2026

1. Controller

The data controller under the GDPR is:

Esat Karabiyik
Bahnhofstraße 8a
76676 Graben-Neudorf, Germany
Email: daybeeapp-privacy@web.de

2. Overview

This Privacy Policy explains what personal data we process when you use the Sharp app, for what purposes, on what legal basis, and what rights you have.

In short:

  • Sharp processes account data, quiz responses, face photos, and analysis results.
  • Face photos are stored on our servers and sent to an AI service for analysis.
  • We do not sell your data and use no advertising or analytics tracking SDKs.
  • Sharp does not provide medical diagnoses.

3. What Data We Process

3.1 Account and Authentication Data

When you register or sign in, we process:

  • email address and password (for email registration),
  • authentication data from Sign in with Apple or Google (e.g. user ID, and name/email where you authorize it),
  • session and security information (JWT/token).

Provider: Supabase Auth
Purpose: account creation, sign-in, security
Legal basis: Art. 6(1)(b) GDPR (performance of contract)

3.2 Profile Data

  • display name (optional, provided during onboarding)

Storage: Supabase database (profiles)
Legal basis: Art. 6(1)(b) GDPR

3.3 Onboarding Quiz and Skin Profile

The quiz may collect, among other things:

  • skin concerns and priorities,
  • age, skin type, existing routine,
  • products used, shaving frequency,
  • sleep, stress, SPF use, exercise,
  • water intake, time budget, product budget, commitment,
  • follow-up answers for specific concerns (e.g. affected area, patterns).

Storage: Supabase database (onboarding)
Purpose: personalization of analysis, plan, and recommendations
Legal basis: Art. 6(1)(b) GDPR

3.4 Face Photos and Scan Results

For cosmetic skin analysis, we process:

  • face photos (JPEG, compressed to approx. 1080 px width before upload),
  • scan week and timestamp,
  • cosmetic scores across 6 dimensions (clarity, oil, redness, pores/texture, eye area, hydration),
  • overall score (calculated on our servers),
  • cosmetic findings (text, severity, location),
  • AI model used.

Storage:

  • photos: uploaded to a private, access-controlled storage bucket (face-scans) solely so the automated analysis can run. The photo is deleted from our servers immediately after the analysis has been performed — typically within seconds of upload. We do not store face photos at rest on our servers (see Section 7). Your before/after photos are stored only locally on your device.
  • metadata and results (numeric scores and short cosmetic text findings — no facial imagery): Supabase database (scans)

Purpose: cosmetic skin analysis, progress tracking, plan adaptation
Legal basis: Art. 6(1)(b) GDPR; for processing of facial images, where applicable Art. 9(2)(a) GDPR (explicit consent), which you give by actively using the scan feature.

Important: Your photos are transmitted to an external AI vision service for analysis (see Section 5).

3.4a Face Data: Retention and Sharing at a Glance

Because face photos are sensitive, here is a plain-language summary of exactly how we handle them:

  • Is face data retained? No. We do not retain face data. Face photos are processed transiently and are not stored at rest on our servers. We do not create face templates, faceprints, or any biometric identifiers, and we do not perform face recognition.
  • Why is face data processed and stored at all? A face photo is uploaded for one single reason: to run the automated cosmetic skin analysis that computes your scores. There is no other storage purpose.
  • How long is face data stored, and why this length? The uploaded photo remains on our servers only for the duration of the analysis itself — typically a few seconds, from upload until the analysis has been performed — and is then deleted automatically. We chose this minimal duration because the photo is needed solely as input for the score computation; nothing in the service requires keeping it afterwards. If an analysis cannot be completed (e.g. a network error), the residual upload is deleted automatically with your next scan and, in any event, when you delete your data or account.
  • Which third parties is face data shared with? Two categories only: (1) Supabase Inc. (our hosting provider, as a processor) transiently handles the upload described above; (2) one AI vision provider per analysis — Google LLC (Gemini API) or OpenAI, L.L.C. (OpenAI API), depending on our server configuration. Face data is not sold and is not shared with anyone else.
  • Why is face data shared with these third parties? Solely so the automated cosmetic analysis can be performed: Supabase provides the infrastructure that receives the upload, and the AI vision provider's model computes the cosmetic scores from the photo. No advertising, profiling, identification, or other purpose.
  • Do these third parties store face data?
    • Supabase: only the transient upload described above, which we delete immediately after the analysis. Supabase does not use the data for any own purposes (processor under Art. 28 GDPR).
    • Google (Gemini API, paid tier): Google does not use API inputs or outputs to train its models. Google retains API prompts (including images) and outputs for up to 55 days solely to detect and prevent violations of its Prohibited Use Policy (abuse monitoring), after which they are deleted. See Google's Gemini API usage policies: https://ai.google.dev/gemini-api/docs/usage-policies.
    • OpenAI (API): OpenAI does not use API inputs or outputs to train its models. OpenAI retains API abuse-monitoring logs (which may include prompts such as images) for up to 30 days solely to enforce its usage policies and prevent harmful use, after which they are deleted. See OpenAI's API data controls and enterprise privacy commitments: https://openai.com/enterprise-privacy/.

3.5 Skincare Plans and Progress

  • personalized 8-week plan (morning/evening routine),
  • plan versions and adaptation reasons on re-scans,
  • daily routine completion (e.g. completed steps, water intake),
  • selected products (name, store, price, volume, affiliate flag).

Storage: Supabase database (plans, plan_adaptations, task_completions, user_products) and locally on your device
Legal basis: Art. 6(1)(b) GDPR

3.6 Subscription and Payment Data

Payment details (e.g. credit card) are not processed by us; they are handled exclusively by Apple through the App Store.

We store:

  • subscription status (active/inactive),
  • product ID (e.g. weekly, annual, lifetime),
  • subscription start and expiry dates,
  • RevenueCat events for subscription synchronization.

Providers: Apple App Store, RevenueCat
Legal basis: Art. 6(1)(b) GDPR

3.7 Location (Optional)

If you grant location permission, we process:

  • GPS coordinates temporarily to find nearby drugstores,
  • a derived country code (stored locally),
  • drugstore names, brands, and distances.

Location coordinates are not permanently stored on our servers. Store lookup uses the OpenStreetMap Overpass API; climate data (UV index, humidity, temperature, air quality) is fetched via Open-Meteo and stored locally on your device.

Legal basis: Art. 6(1)(a) GDPR (consent, revocable in device settings)

3.8 Local App Data

On your device, we store among other things:

  • app settings (language, dark mode, reminders),
  • local copies of scan photos in app storage,
  • cached catalog and recommendation data,
  • session data (Supabase Auth via AsyncStorage).

Legal basis: Art. 6(1)(b) GDPR

3.9 Technical Log Data

On our servers, the following may be generated:

  • AI usage logs (function name, timestamp) for abuse prevention,
  • RevenueCat webhook events,
  • standard server logs from our service providers.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in operation and security)

3.10 What We Do Not Collect

  • No advertising or analytics SDKs (no Google Analytics, Meta Pixel, Mixpanel, etc.)
  • No remote push tokens, reminders are local on your device only
  • No microphone use, no audio is recorded despite any declared Android permissions
  • No sharing of your data for advertising purposes

4. Camera and Photo Library

The App requires access to the camera to capture face photos for skin analysis. For positioning guidance, on-device face detection (ML Kit) may be used; image data is not transmitted to us for this purpose.

Photo library permission may be used to select existing photos.

Legal basis: Art. 6(1)(a) GDPR (consent via the operating system)

5. AI Processing

We use artificial intelligence to analyze your skin and generate plans and recommendations. Processing runs server-side via Supabase Edge Functions.

5.1 AI-Powered Features

FeatureInput dataStored
Skin analysis (analyze-scan)face photo + quiz contextscan results in database
Plan creation (generate-plan)scores + quiz answersplan in database
Product recommendations (recommend-products)scores, quiz, budget, climate, storesreturned to app only
Weekly re-scan (weekly-rescan)scan comparison, plan, adherencenew plan if changed

5.2 AI Providers

Depending on server configuration, we use:

  • Google Gemini (default, e.g. model gemini-2.5-flash), and/or
  • OpenAI (e.g. model gpt-4o).

For skin analysis, your photo is sent as a Base64-encoded JPEG to the respective vision service. Text data (quiz, scores) is sent to the text service.

Neither provider uses data submitted through their APIs to train their models. Google retains API inputs and outputs for up to 55 days solely for abuse monitoring (Gemini API usage policies); OpenAI retains API abuse-monitoring logs for up to 30 days (OpenAI enterprise privacy). After these periods the data is deleted. See Section 3.4a for the full face-data summary.

AI output is cosmetic assessment only, not medical diagnosis.

5.3 Rate Limits

To prevent abuse, per-user daily limits apply on our servers, including:

  • skin analysis: 5 calls/day
  • plan creation: 3 calls/day
  • product recommendations: 5 calls/day
  • weekly re-scan: 3 calls/day

6. Recipients and Processors

We use the following service providers:

ProviderPurposeLocation
Supabase Inc.auth, database, file storage, edge functionsEU region (configured)
Google LLC (Gemini)AI image analysis and text generationUSA / global
OpenAI LLC (optional)AI image analysis and text generationUSA
RevenueCat Inc.subscription managementUSA
Apple Inc.App Store, Sign in with Apple, paymentsglobal
Google LLCSign in with Googleglobal
OpenStreetMap / Overpassstore lookupEU (overpass-api.de)
Open-Meteoweather and climate dataEU

Where required, we conclude data processing agreements (DPAs) under Art. 28 GDPR with processors. For transfers to third countries (especially the USA), we rely on appropriate safeguards, such as EU Standard Contractual Clauses.

7. Retention

We retain personal data only as long as necessary for the purposes described:

  • face photos: transient processing only — we do not store face photos at rest on our servers. An uploaded face photo is kept on our servers only for the moment it takes to run the automated cosmetic analysis and is deleted automatically as soon as the analysis has been performed, typically within seconds of upload. We use this minimal retention period because the photo is needed solely to compute your cosmetic scores; nothing in the service requires the server to keep it afterwards. In the rare case that an analysis cannot be completed (e.g. a network error), the residual upload is deleted automatically with your next scan and, in any event, immediately when you delete your data or account. The photos shown in the App (e.g. before/after comparison) are stored exclusively locally on your device and never leave it except for the transient analysis described above,
  • scan results (numeric scores and short cosmetic text findings — these contain no facial imagery and are not face data): for as long as your account exists, so the App can track your progress over time,
  • account data, quiz, plans: for as long as your account exists,
  • subscription/webhook logs: as required by law and for technical necessity,
  • local device data (including your face photos for the before/after view): until you delete data in the App or uninstall the App.

8. Deleting Your Data

8.1 "Delete Data" in the App

Under Settings → Delete Data, you can permanently delete your data. After confirmation:

If you are signed in, we delete:

  • your account (Supabase Auth),
  • your profile, onboarding quiz, scan results, plans, product selections, and routine history from our database (via cascade delete),
  • all face photos stored in our private cloud storage (face-scans bucket),
  • your local data on the device (local scan photos, app state, and preferences).

If you are not signed in, we delete local data on your device only (local scan photos and app state).

This action cannot be undone.

If deletion fails (e.g. no network connection), you will see an error message and your data will not be removed until deletion succeeds.

8.2 Sign Out

Sign Out in Settings ends your session only. Your stored server data remains until you use Delete Data or request deletion by email.

8.3 Deletion by Email

You may also request deletion of your account and associated data at any time by emailing:

daybeeapp-privacy@web.de
Subject: "Sharp account deletion"

We will process your request within 30 days, unless legal retention obligations apply.

9. No Medical Diagnosis

Sharp is a cosmetic skincare tool. Analyses, scores, and recommendations:

  • are not medical diagnoses,
  • do not replace a visit to a healthcare professional,
  • do not constitute treatment promises.

For skin conditions, severe reactions, or health concerns, consult qualified medical personnel.

10. No Advertising / No Ad Profiling

We do not show ads in the App and do not build advertising profiles. Amazon affiliate links in product recommendations are for product linking only, not for tracking your browsing behavior.

11. Security

We implement appropriate technical and organizational measures, including:

  • encrypted transmission (HTTPS/TLS),
  • JWT authentication,
  • private storage of face photos (not publicly accessible),
  • Row Level Security (RLS) in the database, users can access only their own data,
  • server-side validation of AI output and upload paths,
  • rate limiting for AI calls.

Absolute security cannot be guaranteed.

12. Your Rights

You have the following rights against us:

  • access (Art. 15 GDPR),
  • rectification (Art. 16 GDPR),
  • erasure (Art. 17 GDPR),
  • restriction of processing (Art. 18 GDPR),
  • data portability (Art. 20 GDPR),
  • objection (Art. 21 GDPR),
  • withdrawal of consent (Art. 7(3) GDPR) with effect for the future.

To exercise your rights, email daybeeapp-privacy@web.de.

13. Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority, in particular in the EU member state of your residence.

In Germany, for example:

Federal Commissioner for Data Protection and Freedom of Information (BfDI)
https://www.bfdi.bund.de

Or the data protection authority of your federal state.

14. Requirement to Provide Data

Account data and face photos are required for core App features. Without registration and photos, analysis, plans, and progress tracking cannot be used. Location and reminders are optional.

15. Minors

The App is intended for users aged 16 and older. We do not knowingly collect data from children under 16.

16. Changes to This Privacy Policy

We may update this policy when legal requirements, App features, or services change. The current version is available in the App and on this website.

We will notify you appropriately of material changes.

← Back to home

© 2026 Sharp · Esat Karabiyik Terms of Service · Impressum · daybeeapp-privacy@web.de