Last updated: 19 May 2026
Privacy Policy
AuraMatch ("we", "us", "our") respects your privacy. This policy explains what data we collect, why, and how you can control it. By using AuraMatch, you agree to the practices described below.
1. Who We Are
AuraMatch is an AI-powered beauty discovery web application operated by Sam Allan, based in the United Kingdom. For any privacy-related questions, contact us at hello@auramatch.app.
2. What Data We Collect
2.1 Account information
If you create an account, we collect:
- Email address
- Full name (optional — used for personalisation)
- Profile photo (optional — for in-app avatar)
2.2 Skin profile data (you provide this)
To deliver personalised recommendations, we ask about:
- Skin type (oily, dry, combination, normal, sensitive)
- Skin concerns (acne, ageing, hyperpigmentation, etc.)
- Known allergies and sensitivities
- Undertone and skin tone (derived from an uploaded selfie)
2.3 Photos for AI analysis
Selfies you upload for shade matching or virtual try-on are processed in your browser. They are sent to our servers only when you trigger an AI analysis, processed by our AI provider (Anthropic), and not stored permanently on our servers.
2.4 Usage data
We collect anonymous usage analytics (pages viewed, features used, device type) to improve the app. No personally identifiable data is included in these analytics.
2.5 Cookies and tracking
We use:
- Essential cookies — for authentication and core app functionality
- Affiliate tracking cookies — set by partner networks (Amazon Associates, Awin, Skimlinks) when you click outbound product links
- Analytics cookies — to understand aggregate usage patterns
3. How We Use Your Data
- To deliver personalised product recommendations
- To power AI features (shade matching, ingredient analysis, virtual try-on)
- To process subscription payments via Stripe (Premium tier only)
- To send important service notifications (account verification, password reset)
- To improve AuraMatch through anonymised analytics
We never sell your personal data to third parties.
4. Third-Party Services
To run AuraMatch, we share specific data with these processors:
- Supabase (database & authentication) — stores your profile and preferences
- Anthropic Claude API (AI features) — receives uploaded photos and ingredient lists for analysis; does not retain data after the request
- Stripe (payments) — handles all subscription payments; we never see your full card details
- Vercel (hosting) — serves our website
- Amazon Associates / Awin / Skimlinks (affiliate networks) — track outbound clicks for commission attribution; see their privacy policies for details
5. Your Rights (UK GDPR / Data Protection Act 2018)
If you are based in the UK or EU, you have the right to:
- Access — request a copy of all personal data we hold about you
- Rectification — correct inaccurate or incomplete data
- Erasure — request deletion of your account and associated data ("right to be forgotten")
- Portability — receive your data in a machine-readable format
- Objection — opt out of specific data uses (e.g. analytics)
- Withdraw consent at any time
To exercise any of these rights, email hello@auramatch.app. We will respond within 30 days.
6. Data Retention
- Account data — kept while your account is active; deleted within 30 days of account closure
- Uploaded photos — never permanently stored; deleted from AI processing within 24 hours
- Payment records — retained for 7 years for tax and accounting compliance (UK HMRC requirement)
- Anonymised analytics — kept indefinitely (no personal identifiers attached)
7. Children's Privacy
AuraMatch is not intended for users under 16. We do not knowingly collect data from minors. If you believe a child has provided us with personal information, contact hello@auramatch.app and we will delete it promptly.
8. Security
We protect your data using industry-standard measures:
- HTTPS encryption on all data transmission
- Row Level Security policies on our database (only you can access your own data)
- Encrypted password storage (handled by Supabase Auth)
- Regular security audits of dependencies
No system is 100% secure. In the unlikely event of a data breach affecting your data, we will notify you within 72 hours.
9. International Transfers
Some of our service providers (notably Anthropic and Vercel) are based in the United States. When we transfer your data internationally, we rely on Standard Contractual Clauses (SCCs) and equivalent safeguards to ensure your data is protected to UK GDPR standards.
10. Changes to This Policy
We may update this policy from time to time. We will notify you of material changes by email or an in-app banner at least 14 days before they take effect. The "Last updated" date at the top reflects the most recent revision.
11. Complaints
If you believe we have mishandled your data, you have the right to lodge a complaint with the UK Information Commissioner's Office:
- Website: ico.org.uk
- Phone: 0303 123 1113
Contact
Questions about this policy? Email hello@auramatch.app.