Privacy Policy

This Privacy Policy describes how Thinking Studio LLC ("Company", "we", "us", "our"), operator of skinic.app and api.skinic.app, collects, uses, stores, and protects personal data across our two products: • SKINIC Studio — a no-code branded skin profiling platform for beauty businesses • SKINIC API — a developer API for integrating skin intelligence into third-party applications Controller relationships: • Thinking Studio LLC is the Data Controller for all account holder data (names, emails, billing). • Where Studio Clients collect data from their end users via a branded scan page, the Studio Client acts as Data Controller for those end users' data, and Thinking Studio LLC acts as Data Processor on their behalf. • Where API Clients integrate SKINIC into their own product, they act as a separate Data Controller for their end users' data, and we act as Data Processor. For privacy enquiries: skinic@thinkingstudio.ai

We collect the following categories of data: 2.1 Account Data (provided by you at signup): • Full name • Email address • Company or organisation name • Country / billing region 2.2 Usage & Technical Data (collected automatically): • API call counts per endpoint and per time period • Request timestamps and response times • HTTP status codes and error types • API key identifiers (hashed — plaintext never stored) • IP addresses for rate limiting and abuse prevention • Browser/device type for dashboard and Studio sessions 2.3 Billing Data: • Subscription tier and status • Payment transaction IDs (provided by Paddle) • We do NOT store full card numbers, CVV, or bank account details 2.4 API Submitted Content: • Skin images submitted to /analyze endpoints via the API are processed in-memory and are NOT stored after the API response is returned. We retain no copies of API-submitted images. • Text inputs to /recommend are not stored beyond the API session. 2.5 Studio End User Data (collected on behalf of Studio Clients): When a Studio End User (i.e., a customer of a beauty business using SKINIC Studio) scans their skin via a branded scan page, the following data may be collected and stored in that Studio Client's database: • Name and email address (if lead capture is enabled by the Studio Client) • Skin type profile, visible trait scores, and ingredient suggestions (scan results) • Timestamp and scan metadata • Which catalog items were matched and whether any CTA was clicked IMPORTANT: This data is collected on behalf of and under the instruction of the Studio Client (the beauty business). Thinking Studio LLC stores it as Data Processor. The Studio Client, as Data Controller, is responsible for informing their end users and handling data rights requests.

For users in the European Economic Area (EEA) and United Kingdom, we process your personal data under the following legal bases: • Contract performance: Processing necessary to provide the SKINIC API service you have subscribed to • Legitimate interests: Security monitoring, fraud prevention, service improvement, and abuse detection • Legal obligation: Compliance with applicable laws, tax obligations, and regulatory requirements • Consent: Where we send optional marketing communications (you may withdraw consent at any time)

We use collected data for the following purposes: • Providing, operating, and maintaining SKINIC Studio and the SKINIC API • Account management, authentication, and API key management • Processing payments and managing subscriptions • Enforcing rate limits and scan quotas, and detecting abuse or security threats • Sending transactional emails (account creation, API key notifications, billing receipts) • Improving the accuracy and performance of our AI models using aggregated, anonymised usage patterns • Responding to support requests and legal enquiries • Complying with legal obligations and regulatory requirements For Studio End User data specifically: • We store and serve it back to the Studio Client via their dashboard and API • We do not use Studio End User data for any purpose beyond providing the Studio service to the relevant Studio Client • We do not cross-reference Studio End User data between different Studio Client accounts We do NOT use any data for targeted advertising or sell it to data brokers or third parties.

We share data only with trusted service providers under data processing agreements: • Paddle.com — Payment processing and subscription management. Paddle acts as Merchant of Record. See paddle.com/legal/privacy. • Supabase Inc. — Database hosting (PostgreSQL) and authentication. Data hosted on AWS infrastructure in the US. • Railway.app — API server hosting and deployment infrastructure. • Cloudflare Inc. — DNS, CDN, and DDoS protection. May process IP addresses. • Vercel Inc. — Frontend hosting for skinic.app dashboard. We do not sell, rent, or share your personal data with any other third party for their own commercial purposes.

Skin images and derived skin profiles may constitute biometric or sensitive personal data under applicable law (including GDPR Article 9 and Malaysia PDPA Section 40). 6.1 SKINIC API — Image Processing: • Images submitted to /analyze are transmitted over encrypted TLS connections • Images are processed in-memory only and deleted immediately after the API response is generated • No copies, thumbnails, or raw image embeddings from individual images are stored or retained • We do not use API-submitted images to train or fine-tune AI models without explicit written consent 6.2 SKINIC Studio — Scan Result Storage: • When a Studio End User scans via a branded page, the skin profile result (skin type, trait scores, matched recommendations) is stored in the Studio Client's database. The original image is NOT stored — only the derived profiling results. • Studio scan results are stored until the Studio Client's account is terminated (see Data Retention) • Studio End Users may request deletion of their scan data by contacting the Studio Client (the beauty business) directly As a SKINIC client (API or Studio), you are responsible for obtaining valid, informed consent from your end users before submitting their biometric data or directing them to a scan page.

We retain different categories of data for different periods: • Account data: Retained for the duration of your account plus 90 days after deletion or cancellation • Usage metadata: Retained for 12 months on a rolling basis • Billing records: Retained for 7 years to comply with tax and accounting obligations • Security logs (IP addresses, access logs): Retained for 90 days • API-submitted images: Not retained — deleted immediately after processing • Studio End User data (names, emails, scan results): Retained for as long as the Studio Client's account is active. Upon account cancellation, Studio End User data is retained for 30 days to allow CSV export, then permanently deleted. You may request early deletion of your account data at any time (subject to legal retention obligations). Studio Clients should export their customer data before cancelling.

If you are a Studio End User — meaning a customer of a beauty business that uses SKINIC Studio — the beauty business (Studio Client) is the Data Controller of your data, not Thinking Studio LLC. To exercise your data rights (access, correction, deletion), you should contact the beauty business directly. They are responsible for handling your requests. If you are unable to contact the Studio Client or believe your data is being misused, you may also contact us at skinic@thinkingstudio.ai and we will assist within our capacity as Data Processor. We will relay verified deletion requests to the Studio Client and, where the Studio Client is unresponsive, may delete the data directly upon reasonable verification.

We implement industry-standard security measures to protect your data: • All data in transit is encrypted using TLS 1.2 or higher • Data at rest is encrypted in Supabase / AWS storage • API keys are stored only as SHA-256 hashes — the plaintext key is shown once and never stored • Dashboard access is protected by Supabase Auth with email verification • Access to production database is restricted to authorised personnel only • We conduct periodic security reviews of our infrastructure Despite these measures, no system is completely secure. In the event of a data breach affecting your personal data, we will notify you within 72 hours where required by law.

Your data may be transferred to and processed in the United States and other countries where our service providers operate. For transfers of EEA personal data to the United States, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission. For transfers subject to Malaysia PDPA, we ensure adequate protection through contractual safeguards with our processors.

Depending on your jurisdiction, you may have the following rights regarding your personal data: • Right of Access: Request a copy of the personal data we hold about you • Right to Rectification: Request correction of inaccurate or incomplete data • Right to Erasure: Request deletion of your personal data (subject to legal retention obligations) • Right to Restriction: Request that we restrict processing of your data in certain circumstances • Right to Portability: Receive your data in a structured, machine-readable format • Right to Object: Object to processing based on legitimate interests • Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent • Right to Lodge a Complaint: File a complaint with your local data protection authority To exercise any of these rights, email skinic@thinkingstudio.ai with the subject "Privacy Request" and your registered email address. We will respond within 30 days.

The SKINIC dashboard uses essential cookies for authentication session management (Supabase Auth tokens stored in browser storage). We do not use third-party tracking cookies, advertising pixels, or analytics platforms that profile individual users. The landing page (skinic.app) does not use any tracking cookies beyond what is required for Vercel's hosting infrastructure.

The SKINIC API is intended for use by businesses and developers aged 18 and above. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, contact us at skinic@thinkingstudio.ai and we will delete it promptly. If you integrate SKINIC into a product used by minors, you are responsible for obtaining appropriate parental consent and complying with applicable children's privacy laws (including COPPA).

SKINIC operates in compliance with: • Malaysia Personal Data Protection Act 2010 (PDPA) • EU General Data Protection Regulation (GDPR) — where applicable • UK GDPR — where applicable • California Consumer Privacy Act (CCPA) — where applicable For enterprise clients requiring compliance documentation for SOC 2, ISO 27001, or other frameworks, contact skinic@thinkingstudio.ai with subject "Compliance Inquiry".

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service features. We will notify you of material changes via email to your registered address or via an in-dashboard notice at least 14 days before the changes take effect. The "Last updated" date at the top of this page reflects the most recent revision.

We may use aggregated, anonymised, and de-identified usage statistics (such as endpoint call frequency, response time distributions, and error rate patterns) to improve the performance and accuracy of our AI models. This data contains no personal identifiers and cannot be used to identify individual users or their submitted images. We will never use personally identifiable submitted images for model training without explicit, separate written consent from the submitting client. No individual skin images are retained beyond the API session under any circumstances.

To the fullest extent permitted by applicable law, our liability for any privacy breach, data loss, or unauthorised disclosure of your personal data shall be limited to the greater of (a) the total fees paid by you in the three months preceding the incident or (b) USD $100. We are not liable for privacy breaches originating from: • Your failure to secure your API keys or account credentials • Unauthorised access resulting from your application's security vulnerabilities • Actions of your end users or third parties beyond our reasonable control • Force majeure events as defined in our Terms of Service

For any privacy-related questions, data requests, or concerns: Thinking Studio LLC Email: skinic@thinkingstudio.ai Website: https://skinic.app Response time: Within 3 business days for general enquiries; within 30 days for formal data subject requests.