VeriMom
Your data, your rights

Privacy Policy

We believe in transparency. Here's how we handle your data and protect your privacy.

Last updated: March 2026

👁️

Overview

VeriMom ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains what personal data we collect, how we use and protect it, and your rights regarding that data. This policy applies to our website (verimom.com), our mobile application, and all related services (collectively, the "Service"). By using the Service, you agree to the collection and use of information in accordance with this policy.

📋

Data We Collect

Account Information

  • Name and email address: Provided when you sign in via Google or Apple OAuth. We store your display name, email address, and profile picture URL as provided by the OAuth provider.
  • Authentication tokens: OAuth access and refresh tokens are stored securely to maintain your session. We do not store your Google or Apple password.

Usage Data

  • Scan history: When you scan a product using our camera feature, we store the scan result (product identified, safety score, and timestamp) linked to your account so you can review past scans.
  • Favourites: Products you save to your favourites list are stored linked to your account.
  • Ingredient analyses: When you use the ingredient checker on the web, the text you submit is processed in real time. For logged-in users, analysis results may be stored as part of your scan history.

Product Images (Scan Feature)

  • When you use the scan feature, the product photo you submit is sent to OpenAI's API (GPT-4o Vision) for ingredient extraction and product identification. The image is transmitted securely and is processed in accordance with OpenAI's Privacy Policy. OpenAI does not use API inputs to train their models. We do not permanently store the original images on our servers.

Analytics Data

  • We use Vercel Analytics to collect anonymized, aggregated usage data including page views, device type, browser, country, and referral source. This data does not personally identify you and is used solely to improve the Service.

🔐

Google and Apple OAuth

We offer sign-in via Google OAuth and Apple Sign-In. When you authenticate, we receive limited profile information (name, email, profile photo) as authorized by you through the OAuth consent screen. We do not access your contacts, calendar, drive, or any other Google/Apple services.

You can revoke our access at any time through your Google Account settings or Apple ID settings.

🤖

AI Processing (OpenAI)

Our scan and AI chat features use OpenAI's API to process product images and provide skincare guidance. When you use these features:

  • Product photos are sent to OpenAI for ingredient extraction via their Vision API.
  • Chat messages are sent to OpenAI to generate responses from our AI assistant, Vera.
  • OpenAI processes this data under their API Data Usage Policy, which states that API inputs and outputs are not used to train their models.
  • We do not send your personal information (name, email) to OpenAI — only the content necessary for processing (image data or message text).

⚙️

How We Use Your Data

  • To provide, maintain, and improve the ingredient safety analysis service.
  • To authenticate your identity and manage your account.
  • To store your scan history and favourites for your convenience.
  • To process product images for ingredient extraction and safety scoring.
  • To provide AI-powered skincare guidance through our chat feature.
  • To send you important service updates, security notices, or changes to this policy (if you have an account).
  • To understand usage patterns and improve the user experience via anonymized analytics.
  • To detect, prevent, and address technical issues or abuse.

🤝

Data Sharing and Third Parties

We do not sell your personal data. We share data only with the following categories of service providers, strictly as needed to operate the Service:

  • Vercel: Hosting and serverless functions. Vercel Analytics collects anonymized usage data.
  • Neon (PostgreSQL): Secure cloud database hosting for account and product data.
  • OpenAI: AI processing for scan and chat features (images and text only, no personal identifiers).
  • Google / Apple: OAuth authentication providers.

We may also disclose data if required by law, regulation, or legal process, or to protect the rights, property, or safety of our users or the public.

🍪

Cookies and Local Storage

We use the following cookies and storage mechanisms:

  • Essential cookies: Session cookies for authentication (Auth.js/NextAuth session token). These are strictly necessary for the Service to function.
  • Analytics: Vercel Analytics uses privacy-friendly, anonymized data collection that does not use cookies for tracking.

We do not use advertising cookies or third-party tracking pixels.

🕐

Data Retention

  • Account data: Retained as long as your account is active. When you delete your account, all personal data (profile, scan history, favourites) is permanently deleted within 30 days.
  • Scan images: Product photos sent for analysis are not permanently stored. They are processed in real time and discarded.
  • Analytics data: Anonymized analytics data may be retained indefinitely as it cannot be linked to individuals.

🇪🇺

Your Rights (GDPR & Privacy Laws)

Regardless of where you reside, we provide the following rights. If you are in the EU/EEA, UK, or California, you have additional legal protections:

  • Access: Request a copy of all personal data we hold about you.
  • Correction: Request correction of inaccurate personal data.
  • Deletion: Request permanent deletion of your account and all associated data.
  • Export: Request a machine-readable export of your data (scan history, favourites).
  • Restriction: Request that we limit processing of your data.
  • Objection: Object to processing of your data for specific purposes.

To exercise any of these rights, email us at privacy@verimom.com. We will respond within 30 days.

🔒

Data Security

We implement industry-standard security measures to protect your data:

  • All data in transit is encrypted via TLS/HTTPS.
  • Database connections use SSL encryption.
  • OAuth tokens are stored securely with JWT-based session management.
  • API endpoints are protected with authentication and rate limiting.

While we strive to use commercially acceptable means to protect your data, no method of electronic transmission or storage is 100% secure.

👶

Children's Privacy

Our Service is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at privacy@verimom.com, and we will promptly delete such information.

🔄

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page and updating the "Last updated" date. For significant changes, we may also notify you via email (if you have an account). Your continued use of the Service after changes constitutes acceptance of the updated policy.

✉️

Contact Us

For privacy-related inquiries, data requests, or complaints, contact us at:

privacy@verimom.com

If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority.