Profylio
Privacy Policy
Effective Date: April 28, 2026 · Last Updated: April 29, 2026
This Privacy Policy describes how Profylio ("Profylio," "we," "us," or "our") collects, uses, and shares information when you use our mobile application and related services (collectively, the "Service"). By using Profylio, you agree to the practices described in this Policy.
Profylio is operated by Christina Von Der Becke, Schiedhaldenstrasse 27, 8700 Küsnacht ZH, Switzerland. If you have questions about this Policy or how your data is handled, contact us at profylio.app@gmail.com.
1. Information We Collect
We collect the categories of information described below. As Profylio evolves, we may collect additional categories within these same purposes; if we ever process a fundamentally new category of personal data or use it for a new purpose, we will update this Policy and, where required by law, request your consent.
1.1 Information You Provide
- Account & identity data: email address, username, display name, age confirmation (18+), authentication identifiers, and similar identity data needed to create and maintain your account.
- Profile data: profile photo, bio, optional external links, preferences and settings (e.g. notification opt-ins, marketing-email choice).
- Biometric / image data (non-identifying): face photographs and similar visual content you submit to be scored, analyzed, or shared. We do not use this data to identify you outside of Profylio and do not build a biometric template for surveillance purposes.
- User-generated content: posts, comments, direct messages, reactions, reports, blocks, and any other content you submit.
- Communications: messages you send to support, feedback, survey responses.
- Transaction & subscription data: Pro subscription status, plan tier, renewal status (handled by Apple In-App Purchase or Google Play Billing — we never see your payment details).
- Optional data: any other information you voluntarily provide (e.g. location tags on posts, custom achievements).
1.2 Information Collected Automatically
- Device & technical data: device model, operating system, app version, language, time zone, screen size, and similar diagnostic information.
- Push notification tokens: if you enable notifications.
- Usage & product analytics: features used, scan counts, session length, taps and screens viewed, performance metrics, error and crash logs.
- Approximate location (region-level): derived from IP address for leaderboard filtering, fraud prevention, and content localization. We do not collect precise GPS location unless you explicitly enable a future feature that requires it.
- Cookies & similar technologies: see Section 4 below.
1.3 Information from Third Parties
- Authentication providers (e.g. Apple, Google, future SSO providers): when you sign in via a third party, we receive limited profile information (email, name, account ID). With Apple Sign-In, you can choose to hide your real email.
- Payment platforms: Apple App Store and Google Play share subscription status and renewal events with us; we do not receive your payment card details.
- Other integrations: if we add optional integrations in the future (e.g. social sharing, friend invites), we will only receive the data you authorize and will describe it before you connect.
2. How We Use Your Information
- To provide and operate the Service (account creation, scanning, leaderboards, messaging).
- To analyze your face scans using AI and return a score and tier.
- To send transactional communications (e.g. account verification, security alerts, subscription receipts, password reset) — these are necessary for the Service and not opt-in.
- To send push notifications you opted into (e.g. streak reminders, social activity).
- To send marketing emails (tips, new features, product news) — only if you explicitly opted in during sign-up or in Settings. See Section 2.1 below.
- To prevent fraud, abuse, and policy violations.
- To improve our AI models and Service quality (using anonymized aggregate data only — we do not train AI models on your individual photos).
- To comply with legal obligations.
2.1 Marketing Communications
During sign-up we ask you to actively choose Yes or No for marketing emails. We only send you marketing emails if you choose Yes. You can change this preference at any time:
- In the app under Settings → Notifications.
- By clicking the "unsubscribe" link at the bottom of every marketing email — one click is enough, no login required.
- By emailing us at profylio.app@gmail.com with the subject "Unsubscribe".
Unsubscribing from marketing emails does not stop transactional emails (e.g. password reset, subscription receipts), as those are required to operate your account.
Your marketing-email preference is stored together with your account data and is processed on the legal basis of your consent (Art. 6(1)(a) GDPR / Art. 6 revDSG).
3. AI & Machine-Learning Processing
Profylio uses third-party AI services (currently OpenAI's vision and language models, and potentially additional or replacement providers in the future such as Anthropic, Google, AWS, or open-source on-device models) to analyze the photos you submit and return a numeric score, tier classification, and other features.
What this means for your data:
- Transmission: photos are sent over an encrypted connection (HTTPS/TLS) to the AI provider for analysis.
- No training on your data: we contractually require AI providers to not use your images or content to train their general-purpose models. As of the date of this Policy, OpenAI's API terms confirm this and require deletion within 30 days; if we change AI providers we will only use providers offering equivalent or stronger commitments.
- On-device processing: where technically feasible (e.g. for lightweight features), we may process data on your device to minimize transmission.
- Storage: the resulting score, metadata, and any photos you choose to keep are stored on our backend (currently Supabase). You can delete your scans, photos, and posts at any time from within the app.
AI Transparency & Human Review: The Profylio score is generated by an AI model and is intended for entertainment purposes only. It is not a medical, psychological, dating, or professional recommendation. Under the EU AI Act, Art. 22 GDPR, Art. 21 revDSG, and similar laws, you have the right to be informed that AI is being used, to obtain a meaningful explanation of the result, and to request human review of any automated decision that significantly affects you. Email profylio.app@gmail.com to exercise this right.
4. Third-Party Services, Cookies & Similar Technologies
Profylio is built on top of several categories of third-party services. We choose providers that offer strong security and privacy commitments. Each provider has its own privacy policy and processes data only as our processor / sub-processor under written agreements.
4.1 Categories of Third-Party Providers
- AI & machine-learning providers — to analyze your images and generate scores (currently OpenAI; may include additional providers such as Anthropic, Google, AWS, or others in the future).
- Backend, database & storage — to host your account, scans, posts, and content (currently Supabase; may include AWS, Google Cloud, or similar).
- Authentication providers — to let you sign in (currently Apple Sign-In, Google Sign-In; may include other identity providers).
- Payments & subscription management — to handle Pro subscriptions (currently Apple In-App Purchase, Google Play Billing, and RevenueCat for subscription state; may include other compliant providers).
- Push notifications — to deliver reminders and social activity updates (currently Expo Push, Apple APNs, Google FCM).
- Analytics, crash reporting & performance — to understand how the app is used, fix bugs, and improve quality (we may use providers such as Sentry, PostHog, Mixpanel, Amplitude, or similar; we will not use these for cross-site advertising or to sell your data).
- Customer support & communications — to respond to your messages and (if you opt in) send marketing emails (e.g. email service providers, helpdesk tools).
- Content delivery, security, hosting — to deliver our website, prevent fraud, and protect against abuse (e.g. Cloudflare, hosting providers, anti-abuse tools).
An up-to-date list of specific sub-processors and their privacy policies is available on request at profylio.app@gmail.com.
4.2 Cookies & Similar Technologies
Inside our mobile app we currently do not use cookies. We do use:
- Local storage on your device (e.g. AsyncStorage) for app functionality such as remembering your login, preferences, and your local block list.
- Mobile advertising identifiers (IDFA / GAID): currently not used. If we ever introduce advertising or attribution, we will request your consent through Apple's App Tracking Transparency (ATT) prompt and the equivalent on Android.
On our marketing website (e.g. profylio.pages.dev) we may use strictly necessary cookies for security and basic functionality. If we add analytics or marketing cookies on the website, we will display a cookie banner and ask for your consent where required.
5. How We Share Your Information
We do not sell your personal information. We share information only in these limited circumstances:
- With service providers listed above, strictly to operate the Service.
- With other users, when you choose to share publicly (your username, profile, scan posts, leaderboard rank).
- For legal reasons, when required by law, court order, or to protect the rights and safety of users.
- In a business transfer, if Profylio is acquired or merged, your data may be transferred to the new owner under the same protections.
6. Data Retention
We retain your account data for as long as your account is active. If you delete your account, we delete your personal data within 30 days, except where retention is required for legal, fraud prevention, or regulatory purposes (e.g. payment records).
Anonymized aggregate data (e.g. average tier distributions) may be retained indefinitely.
7. Your Rights
7.1 EU/UK Users (GDPR)
If you are in the EU or UK, you have the right to:
- Access the personal data we hold about you.
- Request correction of inaccurate data.
- Request deletion of your data ("right to be forgotten").
- Object to or restrict processing.
- Data portability (receive your data in a structured format).
- Withdraw consent at any time.
- Lodge a complaint with your local data protection authority.
7.2 California Users (CCPA / CPRA)
If you are a California resident, you have the right to know what personal information we collect, request deletion, opt out of any "sale" or "sharing" of personal information (we do not sell or share for cross-context behavioral advertising), and not be discriminated against for exercising these rights.
7.3 Swiss Users (FADP / revDSG)
If you are in Switzerland, the revised Federal Act on Data Protection (revDSG / nFADP, in force since 1 September 2023) applies. As Profylio is operated from Switzerland, the FADP applies to all our processing activities. You have the right to:
- Request information about whether and how we process your personal data (Art. 25 revDSG).
- Request correction of inaccurate data (Art. 32 revDSG).
- Request deletion or destruction of your data.
- Object to specific processing activities.
- Data portability — receive your data in a structured, commonly used, machine-readable format (Art. 28 revDSG).
- Withdraw any consent you have given at any time.
- Lodge a complaint with the Federal Data Protection and Information Commissioner (FDPIC / EDÖB), Feldeggweg 1, 3003 Bern, www.edoeb.admin.ch.
For automated individual decisions (Art. 21 revDSG): The AI score generated by Profylio is purely informational and entertainment-based. It does not produce legal effects or significantly affect you in a similar way, but you may still request human review of any score by contacting us.
7.4 Other Jurisdictions (Worldwide)
Profylio is available worldwide. We respect privacy rights wherever you live. If you reside in a jurisdiction with its own data protection law — including but not limited to:
- U.S. states with comprehensive privacy laws (e.g. Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, Texas TDPSA, Iowa, Indiana, Tennessee, Montana, Oregon, Delaware, New Hampshire, New Jersey, Minnesota, Maryland, Kentucky, Rhode Island, Nebraska, and any other state that adopts similar laws);
- Canada — Personal Information Protection and Electronic Documents Act (PIPEDA) and provincial equivalents (Quebec Law 25, BC PIPA, Alberta PIPA);
- United Kingdom — UK GDPR and Data Protection Act 2018;
- Brazil — Lei Geral de Proteção de Dados (LGPD);
- Australia — Privacy Act 1988 and Australian Privacy Principles;
- New Zealand — Privacy Act 2020;
- Singapore — Personal Data Protection Act (PDPA);
- Japan — Act on the Protection of Personal Information (APPI);
- South Korea — Personal Information Protection Act (PIPA);
- India — Digital Personal Data Protection Act 2023 (DPDP);
- South Africa — Protection of Personal Information Act (POPIA);
- UAE, Saudi Arabia, Türkiye, Israel, Mexico, Argentina, Chile, and any other jurisdiction with a comparable framework.
You have at minimum the following core rights, regardless of your location:
- Right to access the personal data we hold about you.
- Right to correction of inaccurate or incomplete data.
- Right to deletion / erasure of your data.
- Right to receive your data in a portable format.
- Right to object to or restrict certain processing.
- Right to withdraw any consent you have given.
- Right not to be discriminated against for exercising these rights.
- Right to lodge a complaint with your local data protection authority.
If your local law grants you stronger or additional rights, those apply on top of this baseline.
7.5 Exercising Your Rights
To exercise any of these rights, email profylio.app@gmail.com from the email address linked to your account. We respond within 30 days (or sooner if your local law requires it). We may need to verify your identity before fulfilling certain requests.
8. Children's Privacy
Profylio is intended for users 18 years and older. We do not knowingly collect data from children under 18. If you become aware that a child has provided us with personal information, please contact us and we will delete it.
9. Security
We use industry-standard security measures including encryption in transit (HTTPS/TLS), encryption at rest, secure authentication, and access controls. However, no method of transmission or storage is 100% secure. You use Profylio at your own risk.
10. International Data Transfers
Profylio is operated from Switzerland. Your data may be processed in countries outside your home country, including the United States (where OpenAI, Supabase, RevenueCat, and Expo operate) and the European Union.
Where personal data is transferred from Switzerland or the EU/EEA to a country without an adequacy decision, we rely on the following safeguards:
- USA: Transfers to U.S. providers rely on the EU-U.S. Data Privacy Framework and the Swiss-U.S. Data Privacy Framework where the recipient is certified, or alternatively on EU Standard Contractual Clauses (SCCs) supplemented by the Swiss FDPIC's recognized addendum for Swiss data subjects.
- Other countries: Standard Contractual Clauses, Binding Corporate Rules, or other appropriate safeguards under Art. 16 revDSG and Art. 46 GDPR.
You can request a copy of the relevant safeguards by emailing profylio.app@gmail.com.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect new features, new third-party services, legal changes, or operational improvements. The "Last Updated" date at the top of this Policy always reflects the most recent version.
We distinguish between two types of changes:
- Minor / clarifying changes (e.g. adding a new sub-processor in an existing category, fixing typos, restructuring sections): we update this page and post a notice in the app changelog.
- Material changes (e.g. processing data for a fundamentally new purpose, changing legal basis, broadening data sharing): we will notify you in advance through the app, by email (if you have given us your email address), and/or via a prominent in-app banner. Where required by law, we will also seek fresh consent before relying on any new processing.
Continued use of Profylio after changes take effect means you accept the updated Policy. If you do not agree, you can stop using the Service and delete your account.
12. Contact Us
For privacy questions, requests, or complaints, email profylio.app@gmail.com.