Effective Date: March 8, 2026 · Last updated: May 2, 2026
1. Introduction
kissinskin ("we", "our", "us") operates the website https://kissinskin.net. This Privacy Policy explains how we collect, use, protect, and disclose your information when you use our AI makeup analysis service ("Service").
We are committed to protecting your privacy and complying with applicable data protection laws worldwide, including the EU General Data Protection Regulation (GDPR), UK GDPR, California Consumer Privacy Act (CCPA/CPRA), Brazil's Lei Geral de Proteção de Dados (LGPD), South Korea's Personal Information Protection Act (PIPA), Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), Japan's Act on the Protection of Personal Information (APPI), and the Australian Privacy Act 1988.
2. Data Controller
kissinskin is the data controller responsible for your personal data processed through the Service. For payment-related data, Polar acts as an independent data controller.
3. Information We Collect
3.1 Photos You Upload (Biometric/Facial Data)
- When you use our Service, you upload a facial photo for AI analysis.
- Your photo is sent to OpenAI's API for processing and is not stored on our servers.
- Photos are processed in real-time memory and discarded immediately after your analysis results are generated.
- We do not keep, archive, or back up your photos in any form.
- Biometric data notice: Your facial photo may constitute biometric data under certain laws (e.g., Illinois BIPA, Texas CUBI, Washington state law). We do not extract, store, or create biometric identifiers or templates from your photos. The photo is used solely for the purpose of generating AI makeup simulations and is not retained.
3.2 Payment Information
- All payment processing is handled by Polar (polar.sh), acting as our Merchant of Record.
- We never receive, see, or store your credit card number, CVV, or full billing details.
- Polar collects the necessary payment information (card details, billing address, email) to process your transaction. This data is subject to Polar's Privacy Policy.
- We may receive from Polar: transaction confirmation, order amount, and a reference ID for customer support purposes.
3.3 Automatically Collected Data, Cookies, and Advertising
We use the following third-party services with cookies and similar technologies (localStorage, pixels) to operate the site, measure traffic, and serve ads. EU/EEA and UK visitors are protected by Google Consent Mode v2: advertising and analytics cookies remain disabled until you click "Accept all" on the cookie banner.
| Service | Purpose | Cookies / Storage | Retention |
|---|---|---|---|
| Google AdSense (ca-pub-5109067049933124) | Ads that fund the free content on this site, plus related measurement | Third-party cookies (`__gads`, `__gpi`, `IDE`, `ANID`, etc.) issued by google.com / doubleclick.net | Up to 13 months |
| Google Analytics 4 (G-JJ7G39W5T3) | Anonymous traffic analysis to improve the site | First-party cookies (`_ga`, `_ga_*`) on kissinskin.net | Up to 14 months |
| Microsoft Clarity (w5fx3z4rfg) | Anonymous usability analysis (heatmaps, scroll patterns); text content is masked before transmission | First- and third-party cookies (`_clck`, `_clsk`, `MUID`, etc.) | Up to 1 year |
| Cloudflare | Hosting, CDN, security (bot protection) | Strictly necessary technical cookies (`__cf_bm`, etc.) | Session or 30 minutes |
| kissinskin (first-party) | Stores cookie-consent decision and language preference | localStorage (`kissinskin_cookie_consent`, `kissinskin_locale`) | Until you clear it |
Google AdSense advertising: We allow Google, as a third-party vendor, to serve ads based on your visit to this site and other sites using advertising cookies. You can opt out of personalized advertising at Google Ads Settings, and you can opt out of some third-party vendors at aboutads.info or, in the EU, at youronlinechoices.eu.
Changing your consent: Clearing your browser storage or site data will re-show the cookie banner. EU/EEA and UK visitors see only non-personalized AdSense ads until they consent.
Coupang Partners affiliate links: Some product recommendation cards contain Coupang affiliate links, marked with rel="sponsored". Tracking cookies (e.g. OVERSEAS_GUEST_COUNTRY, X-CP-PG-NID) are set by the Coupang domain (link.coupang.com, coupang.com) only when you click such a link. These cookies are not set by kissinskin.net and we have no access to the data they collect. Affiliate revenue does not influence which products we recommend. See Coupang Partners for their policies.
LinkPrice (CLIO) affiliate links: Some product recommendation cards and perfume diagnostic result pages contain CLIO official store (clubclio.co.kr) affiliate links served through LinkPrice, marked with rel="sponsored". Tracking cookies are set by the LinkPrice domain (newtip.net) and the CLIO domain only when you click such a link. These cookies are not set by kissinskin.net and we have no access to the data they collect. Affiliate revenue does not influence which products we recommend. See LinkPrice for their policies.
4. Legal Basis for Processing (GDPR Article 6)
For users in the EU/EEA and UK, we process your data based on the following legal grounds:
| Processing Activity | Legal Basis | GDPR Article |
|---|---|---|
| Processing your uploaded photo for AI analysis | Your explicit consent (you actively upload and submit) | Art. 6(1)(a), Art. 9(2)(a) |
| Processing payment | Performance of contract | Art. 6(1)(b) |
| Anonymous analytics (Cloudflare) | Legitimate interest (service improvement) | Art. 6(1)(f) |
| Responding to support requests | Performance of contract / Legitimate interest | Art. 6(1)(b), Art. 6(1)(f) |
| Legal compliance | Legal obligation | Art. 6(1)(c) |
5. How We Use Your Information
| Data | Purpose | Retention |
|---|---|---|
| Uploaded photo | Generate AI makeup analysis | Not retained (real-time processing only, deleted immediately) |
| Analysis results | Display in your browser | Browser session only (not stored on server) |
| Payment info | Process payment via Polar | Managed by Polar per their retention policy |
| Transaction reference | Customer support | Up to 12 months or as required by tax/accounting law |
| Anonymous analytics | Improve service quality | Aggregated, no PII, managed by Cloudflare |
6. Automated Decision-Making & Profiling
In accordance with GDPR Article 22:
- The Service uses automated processing (AI models by OpenAI) to generate makeup simulations and skin analysis reports.
- This automated processing produces results that are artistic/cosmetic in nature and do not produce legal effects or similarly significantly affect you.
- We do not use your data for profiling, targeted advertising, credit scoring, or any automated decision-making that produces legal or similarly significant effects.
- The legal basis for this automated processing is your explicit consent provided when you upload your photo and initiate the analysis.
7. Third-Party Services & Data Processors
We use the following third-party services. Each has its own privacy policy:
| Service | Role | Purpose | Data Transferred | Location | Privacy Policy |
|---|---|---|---|---|---|
| OpenAI | Data Processor | AI image generation & text analysis | Uploaded photo (transient) | United States | openai.com/privacy |
| Polar | Independent Controller | Payment processing (MoR) | Payment & billing info | United States / EU | polar.sh/legal/privacy |
| Cloudflare | Data Processor | Website hosting, CDN, security | Anonymous analytics, IP (transient) | Global (edge network) | cloudflare.com/privacy |
Important: OpenAI's API data usage policy states that data sent through the API is not used to train their models. Your photos are not used for AI training by OpenAI or by us.
8. International Data Transfers
Your data may be transferred to and processed in countries outside your country of residence, including the United States. We ensure appropriate safeguards are in place:
- EU/EEA to US: Transfers to OpenAI and Polar are protected by Standard Contractual Clauses (SCCs) as adopted by the European Commission, and/or the EU-U.S. Data Privacy Framework where applicable.
- UK: Transfers are protected by the UK International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs.
- South Korea: Cross-border transfers comply with PIPA Article 17 requirements. Your consent to use the Service constitutes consent to cross-border data transfer for the stated purposes.
- Brazil: Transfers comply with LGPD Article 33, based on your consent and adequate safeguards.
- Japan: Transfers comply with APPI requirements, with appropriate safeguards in place.
- Since we do not store your photos or personal data on our servers, the actual data transfer is transient and limited to the duration of API processing.
9. Data We Do NOT Collect
- We do not directly collect your name, phone number, or address (except information you provide to Polar during payment, or the email you enter to receive your analysis report).
- We do not force you to create user accounts or profiles.
- We do not use your uploaded photos for AI model training — we use OpenAI's API with the no-training option enabled.
- We do not create or store biometric identifiers (face embeddings, hashes, or templates).
- We do not sell or rent your personal information ourselves. Note: ads served via Google AdSense may use Google's general demographic estimates; you can opt out at Google Ads Settings.
10. Data Security
- All data transmission is encrypted using HTTPS/TLS (TLS 1.2 or higher).
- Photos are transmitted directly from your browser to OpenAI's API via our secure serverless function — no intermediate storage.
- Our infrastructure runs on Cloudflare Workers (serverless), meaning there is no persistent server where data could be stored or accessed.
- We implement appropriate technical and organizational measures to protect against unauthorized access, alteration, disclosure, or destruction of data.
11. Data Breach Notification
In the unlikely event of a data breach involving personal data:
- EU/EEA (GDPR): We will notify the relevant supervisory authority within 72 hours of becoming aware of the breach (Article 33). If the breach poses a high risk to your rights and freedoms, we will also notify affected individuals without undue delay (Article 34).
- UK: We will notify the Information Commissioner's Office (ICO) within 72 hours.
- South Korea (PIPA): We will notify affected individuals and the Personal Information Protection Commission (PIPC) without delay.
- Brazil (LGPD): We will notify the National Data Protection Authority (ANPD) and affected individuals.
- California (CCPA): We will notify affected California residents as required by Cal. Civ. Code § 1798.82.
- Canada (PIPEDA): We will notify the Privacy Commissioner of Canada and affected individuals for breaches posing a real risk of significant harm.
- Australia: We will notify the Office of the Australian Information Commissioner (OAIC) and affected individuals for eligible data breaches under the Notifiable Data Breaches scheme.
12. Your Rights
12.1 Rights for All Users
Regardless of your location, you have the right to:
- Access: Know what data we hold about you (effectively none, as described above).
- Deletion: Request deletion of any data. Since we don't store photos or personal data, this primarily applies to payment records held by Polar.
- Portability: Request your data in a portable format.
- Objection: Object to any data processing.
- Withdraw consent: You may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing performed before withdrawal.
12.2 EU/EEA Users (GDPR)
In addition to the above, you have the right to:
- Rectification: Correct inaccurate personal data (Art. 16).
- Restriction: Request restriction of processing in certain circumstances (Art. 18).
- Object to legitimate interest processing: You may object to processing based on legitimate interests (Art. 21).
- Not be subject to automated decision-making: You have rights regarding automated processing (Art. 22). See Section 6 above.
- Lodge a complaint: You have the right to lodge a complaint with your local Data Protection Authority (DPA). A list of EU DPAs is available at edpb.europa.eu.
12.3 UK Users (UK GDPR)
- You have equivalent rights to EU users under the UK GDPR and Data Protection Act 2018.
- You may lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
12.4 California Users (CCPA/CPRA)
- Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you in the past 12 months.
- Right to Delete: You may request deletion of your personal information.
- Right to Correct: You may request correction of inaccurate personal information.
- Right to Opt-Out of Sale/Sharing: We do not sell or share your personal information as defined by the CCPA/CPRA. No opt-out is necessary.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.
- Authorized Agent: You may designate an authorized agent to make requests on your behalf.
- Categories of PI collected: Internet activity (anonymous analytics via Cloudflare), financial information (via Polar, not by us directly). We do not collect sensitive personal information as defined under the CPRA.
- We will respond to verifiable consumer requests within 45 days.
12.5 South Korean Users (PIPA)
- You have the right to access, correct, delete, and suspend processing of your personal information under PIPA.
- We comply with the duty to destroy personal information when its purpose has been achieved — photos are destroyed immediately after processing.
- You may lodge a complaint with the Personal Information Protection Commission (PIPC) at pipc.go.kr.
- You may also seek dispute resolution through the Korea Internet & Security Agency (KISA) Privacy Center (privacy.kisa.or.kr).
12.6 Brazilian Users (LGPD)
- You have the right to confirmation, access, correction, anonymization, portability, deletion, information about sharing, and revocation of consent under the LGPD.
- You may lodge a complaint with the Autoridade Nacional de Proteção de Dados (ANPD).
12.7 Canadian Users (PIPEDA)
- You have the right to access your personal information, challenge its accuracy, and withdraw consent.
- You may lodge a complaint with the Office of the Privacy Commissioner of Canada (OPC) at priv.gc.ca.
12.8 Japanese Users (APPI)
- You have the right to request disclosure, correction, cessation of use, and deletion of your personal information under the APPI.
- You may lodge a complaint with the Personal Information Protection Commission (PPC) of Japan.
12.9 Australian Users (Privacy Act 1988)
- You have the right to access and correct your personal information under the Australian Privacy Principles (APPs).
- You may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
To exercise any of these rights, contact [email protected]. We will respond within the timeframe required by applicable law (generally 30 days, or 45 days for CCPA).
13. Children's Privacy
- The Service is not intended for children under 16 (or the applicable minimum age in your jurisdiction).
- We do not knowingly collect data from children under 16 (or 13 under COPPA in the United States).
- If you believe a child has used our Service, contact us and we will take appropriate action, including deleting any data that may have been inadvertently collected.
- In the EU/EEA, the minimum age varies by member state (13–16) per GDPR Article 8.
- In South Korea, the minimum age is 14 under PIPA.
14. Do Not Track (DNT) Signals
Our Service does not track users across third-party websites and therefore does not respond to Do Not Track (DNT) signals. We do not engage in any cross-site tracking.
15. Data Retention & Destruction
- Photos: Not retained. Destroyed immediately after AI processing is complete.
- Analysis results: Exist only in your browser session. Not stored on any server.
- Transaction references: Retained for up to 12 months for customer support and legal/tax compliance, then deleted.
- Payment data: Retained by Polar according to their data retention policy and applicable financial regulations.
- We comply with the data destruction requirements under PIPA (South Korea), LGPD (Brazil), and other applicable laws.
16. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be reflected with an updated effective date at the top of this page. Where required by law (e.g., GDPR, PIPA), we will provide notice of material changes before they take effect. Continued use of the Service after changes constitutes acceptance.
17. Contact Us
For privacy-related questions, data requests, or to exercise any of your rights:
We aim to respond to all privacy-related inquiries within 30 days (or within the timeframe required by your applicable local law).