AuraSkin — Privacy Policy
**Effective Date:** 1 December 2024 | **Last Updated:** 5 September 2025
Trueyogi Wellness Teknoloji A.Ş. (Hypera AI)
MERSİS: 0925086144100001
ODTÜ Teknokent Bilişim ve Innovation Center
Mustafa Kemal Mh. Dumlupınar Blv. No:280G İç Kapı No:1260
Çankaya, Ankara / Türkiye 06800
Privacy contact: beauty@auraskin.ai
Who We Are?
This Privacy Policy explains how Trueyogi Wellness Teknoloji A.Ş. (Hypera AI) ("AuraSkin," "we," "us") collects and processes personal data when you use auraskin.ai, our API and iframe integrations for cosmetic brands, and related services (the "Services").
Scope, Roles, and Who Decides "Why" & "How"?
**Direct users of auraskin.ai:** AuraSkin is the data controller.
**Brand integrations (API/iframe):** the cosmetic brand is usually the data controller and AuraSkin is the processor under a Data Processing Addendum (DPA).
**Purpose:** AuraSkin performs cosmetic skin analysis and non-medical product recommendations; it is not a medical diagnosis tool.
What We Collect?
**Information you provide:** facial images/photos you upload; account details if you create an account; and support communications.
**Data we derive or generate:** cosmetic analysis outputs (e.g., indications about acne, skin type, wrinkles/texture, spots, dryness/oiliness) and recommendation results; quality flags; and session-level analytics about the user journey. For brand customers, analytics are provided in aggregated or de-identified form by default.
**Technical data:** IP address, timestamps, device/browser type, referrer/UTM, and necessary telemetry.
**Cookies and SDKs:** We currently set no cookies. If we introduce cookies or SDKs (e.g., analytics or personalization), we will update this Policy, display a consent banner where required, and offer granular controls.
Purposes and Legal Bases
**Purposes:** provide the Services; operate and secure the platform; respond to support; provide aggregated or de-identified analytics to brands; and—only if you opt in—improve our AI models.
**Legal bases:** explicit consent for facial images and health-related inferences; contract to provide requested Services; legitimate interests to secure/maintain the Services and provide aggregated/de-identified analytics; and legal obligations where applicable.
Boundaries and Sensitive Data
**No identity recognition:** we do not perform facial recognition to identify a person.
**No protected-attribute inference:** we do not infer race/ethnicity, political opinions, religion, sexual orientation, or similar protected attributes.
**Health-related inferences** are generated solely for cosmetic recommendations and are not medical advice.
How We Share Information?
We do not sell personal data and we do not share personal data for cross-context behavioral advertising. Disclosures occur only to:
Service providers (sub-processors) such as Google Cloud Platform (EU regions) bound by contract and security obligations;
Brand partners (controllers) via API/iframe to return analysis outputs; analytics are aggregated/de-identified by default;
Legal/safety recipients where required by law or necessary to protect rights and security; and
Corporate transaction counterparties under appropriate safeguards.
Where We Store Data; Retention; Your Controls
**Location:** EU data centers (Google Cloud). We do not intentionally transfer personal data outside the EU/EEA; if limited remote access were necessary, we would use EU Standard Contractual Clauses or an equivalent mechanism.
**Retention:** photos and analysis outputs are stored for up to 6 months. If you opt in, we may use the same data within the 6-month window to evaluate/tune/retrain models; afterward we delete or irreversibly de-identify (and may retain anonymized data). Business records may be retained longer where required by law or to establish, exercise, or defend legal claims.
**Your controls:** you may withdraw consent at any time and/or request deletion. Opting out of model improvement does not affect access to cosmetic analysis.
Security
We implement appropriate technical and organizational measures (e.g., encryption in transit/at rest where applicable, access controls, network segmentation, secure development, logging/monitoring, and vendor due diligence) aligned to recognized security and privacy principles.
Children & Minimum Age
The Services are intended primarily for adults. Individuals aged 13–17 may use the Services only with parent/guardian consent and subject to local rules (some EU Member States set digital consent up to 16). We do not knowingly collect data from children under the minimum lawful age in their jurisdiction.
International Transfers
Our default is EU-only processing and storage. If a restricted transfer or remote access were unavoidable, recognized safeguards such as EU Standard Contractual Clauses and transfer risk assessments would be applied.
Your Rights and How to Exercise Them
Depending on your location, rights may include access, rectification, erasure, restriction, objection, portability, and withdrawal of consent. To exercise rights, email beauty@auraskin.ai. Where we act as a processor for a brand integration, we will forward your request to the brand (the controller) and support their response.
Automated Decision-Making & Profiling
AuraSkin uses automated analysis to create cosmetic profiles and recommendations. These are not medical determinations and are not intended to have legal or similarly significant effects. We provide meaningful information about the logic involved and, where appropriate, enable you to contest or request human review.
Representatives and DPO
**EU/UK Article 27 representatives:** not currently appointed. If our activities change such that Article 27 applies, we will designate representatives and update this Policy.
**Data Protection Officer:** we will appoint and publish DPO contact details if and when legally required.
Contact, Complaints & Escalation
**First contact:** beauty@auraskin.ai. EU/UK users may contact their supervisory authority; users in Türkiye may contact the KVKK Authority. This does not limit your right to lodge complaints with regulators.
Changes to this Policy
We will post updates here and revise the "Last Updated" date. Where required by law, we will notify you and/or request renewed consent (e.g., if we start using cookies or expand purposes).