Privacy Policy

Last updated: 23/12/2025

1. Data Controller

BeautySpark is the data controller for your personal information.

2. Information We Collect

2.1 Personal Information

  • Name and email address
  • Profile information and preferences
  • Gender identity and date of birth
  • Physical characteristics (height and weight)
  • Account credentials
  • Communication preferences

2.2 Photos and Biometric Data

SPECIAL CATEGORY DATA: Your photos containing facial data are considered biometric data under UK GDPR Article 9.

When you upload photos for AI makeup analysis and recommendations, we collect and process these images. Your photos are used solely for providing our beauty services and are not shared with third parties without your explicit consent.

2.3 Device and Usage Data

  • Device information (device type, operating system, unique device identifiers)
  • Usage patterns and feature interactions
  • Performance data and error logs
  • IP address and general location (country/city level)

2.4 Newsletter Subscription Data

When you subscribe to our newsletter, we collect:

  • Email address
  • Language preference
  • IP address and browser information (as proof of consent)
  • Subscription source (which page you signed up from)
  • Confirmation and unsubscribe timestamps

3. Legal Basis for Processing

Under UK GDPR, we process your personal data on the following legal bases:

Data Type | Legal Basis
Account data | Contract (Art. 6(1)(b))
Photos/facial analysis | Explicit consent (Art. 9(2)(a))
Payment information | Contract (Art. 6(1)(b))
Usage analytics | Legitimate interests (Art. 6(1)(f))
Marketing | Consent (Art. 6(1)(a))
Newsletter subscription | Consent (Art. 6(1)(a)), confirmed via double opt-in

You provide explicit consent for biometric data processing when uploading photos. You can withdraw this consent at any time by contacting [email protected]

4. How We Use Your Information

  • Provide AI-powered beauty recommendations and analysis (Requires Subscription)
  • Process and analyze uploaded photos for makeup suggestions (Requires Subscription)
  • Maintain and improve our services
  • Communicate with you about your account and our services
  • Ensure security and prevent fraud
  • Comply with legal obligations
  • Analyze usage patterns to improve user experience
  • Send newsletter emails to confirmed subscribers

We will NOT use your personal information or uploaded content to generate, facilitate, or promote any content that involves abuse, violence, pornography, hate speech, harassment, or any other harmful or illegal activities.

5. AI Processing and Facial Data

Our AI processes facial features from your photos, which is considered biometric data under UK GDPR.

What We Do:

  • Extract facial landmarks, skin tone, eye shape, and facial measurements
  • Analyze these features to generate makeup recommendations
  • Do NOT use facial data for identification or authentication
  • Do NOT share facial data with third parties (except AI processing services)

Data Retention:

  • Unprocessed photos: Retained until you delete or close account
  • Saved photos in your account: Retained until you delete or close account
  • Analysis results: Retained until you delete your account or close it

Third-Party AI Processors:

We use the following services for AI processing. All processors are bound by data processing agreements (DPAs):

Provider | Purpose of Processing | Data Shared
Google LLC (Gemini) | Multimodal makeup analysis and recommendation logic | Transient facial imagery, feature landmarks, colorimetric data
OpenAI OpCo, LLC (OpenAI) | Advanced natural language and vision processing | Transient facial imagery, descriptive prompts, user preferences
X.AI Corp | Natural language processing for beauty profiling | Anonymized user preferences, descriptive prompts
Fal.ai (Fal Corp) | High-fidelity generative makeup visualization | Source photos, segmentation masks, generated renders

Operational Service Providers (Non-AI):

We also rely on the following providers for operational purposes unrelated to AI processing. These services do not receive your facial data or analysis content. All processors are bound by data processing agreements (DPAs):

Provider | Purpose of Processing | Data Shared
Amazon Web Services (SES) | Transactional and newsletter email delivery | Email address, email content
MailBluster | Newsletter campaign management and subscriber list hosting | Email address, language preference, subscription status

Privacy Assurance: We configure our API integrations with these providers to ensure that your personal data (including photos) is used only for the specific purpose of generating your requested results. We explicitly opt out of data usage for training their foundational models where available.

6. Your Rights Under UK GDPR

You have the following rights regarding your personal data:

  1. Right to Access (Subject Access Request): Request a copy of your data (free, within 1 month)
  2. Right to Rectification: Correct inaccurate data
  3. Right to Erasure ('Right to be Forgotten'): Delete your data (subject to limitations)
  4. Right to Restrict Processing: Limit how we use your data
  5. Right to Data Portability: Receive your data in a structured format
  6. Right to Object: Object to processing based on legitimate interests
  7. Right to Withdraw Consent: Withdraw consent for facial data processing at any time
  8. Right to Lodge a Complaint: Complain to the ICO

Exercise Your Rights

We will respond within 1 month (extendable by 2 months for complex requests)

ICO Contact Information:

Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire, SK9 5AF
Tel: 0303 123 1113
Website: ico.org.uk

7. International Data Transfers

We may transfer your data to countries outside the UK for AI processing and cloud storage.

Transfer Safeguards:

  1. EU/EEA: Considered adequate by UK under transition provisions
  2. USA: Transfers covered by Standard Contractual Clauses (SCCs) or Data Privacy Framework
  3. Other Countries: Individual adequacy assessments and SCCs

You can request information about where your data is transferred and copies of transfer safeguards by contacting [email protected]

8. Data Retention

  • Account data: Retained while your account is active
  • Transaction records: 7 years for tax, legal, and dispute purposes
  • Credit usage logs: 2 years
  • Failed generation records: 1 year
  • Newsletter subscriber data: Retained until you unsubscribe; unconfirmed subscriptions are removed after 30 days

Data cannot be deleted during active disputes or investigations.

9. Security Measures

We implement appropriate technical and organizational security measures:

  • Encryption of data in transit and at rest
  • Regular security assessments and updates
  • Access controls and authentication requirements
  • Secure data centers and infrastructure

10. Children's Privacy

BeautySpark is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13.

If we become aware that we have collected personal information from a child under 13, we will take steps to delete such information promptly.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy and updating the "Last updated" date.

Contact Us

If you have questions about this Privacy Policy or our data practices:

Email: [email protected]

Privacy Policy Inquiry

Response Time: We aim to respond within 5 working days.

This Privacy Policy is provided in accordance with UK GDPR and the Data Protection Act 2018.