Privacy Policy
1. Data controller
The data controller is an individual — Bazarbayev Abylay (IIN 990707350094), registered at Almaty, Nauryzbay Batyra St 50, Republic of Kazakhstan. Contact email: bazarbayev.abylay@gmail.com.
For users in the European Union, the operator acts as the data controller under GDPR.
2. What data we collect
2.1. Account and session
- Anonymous device identifier (UUID generated by the client) — for the guest session before sign-up.
- Email — after sign-up via email OTP.
- Login type (anonymous / email / google / apple) and verification status.
- Technical identifiers: IP address, User-Agent, platform (iOS/Android), app version, locale, time zone, device_id.
- Security log: sign-in, sign-out, token refresh, account deletion events (retained for at least 3 years for audit purposes).
2.2. Profile and quiz answers
- Demographics: gender, age, city (optional).
- Goals and preferences: main reason for using the app, up to 3 concerns, mirror-checking frequency, skin type and tone, face shape, current hair length, beard state.
- Display name and avatar (if you provide them).
- Public visibility flag for the social-proof sample (off by default).
2.3. Biometric data
When you use the Analyzer, Sheen processes selfies of your face — this is special-category biometric personal data. We do not create or store a permanent biometric template (face embedding). The full conditions of processing and revocation are in a separate document.
2.4. Subscriptions and payments
Payments are processed by Apple App Store or Google Play Store. Sheen does not receive or store payment details (card numbers, bank info). From App Store / Google Play we only receive:
- Subscription identifier and status (active / expired / cancelled).
- Term length and price plan.
- Technical transaction identifiers for verification and cancellation.
2.5. Push notifications
If you opt in to push notifications, we store your device token (FCM / APNs) to deliver them. Without consent the token is not requested.
3. Legal basis
Under the Republic of Kazakhstan Personal Data Law and GDPR:
| Category | Basis |
|---|---|
| Email, name, quiz answers | Performance of the user agreement |
| Biometrics (selfies) | Separate explicit consent (Art. 8 §4 of the KZ PD Law; GDPR Art. 9(2)(a)) |
| Security log and IP | Legitimate interest (security, compliance) |
| Marketing communications | Only with separate opt-in |
4. How we use the data
- Authenticate you and maintain your session.
- Remember your quiz answers and show personalized recommendations.
- Analyze your selfies with AI models and return scores.
- Process subscriptions and unlock paid features.
- Send push notifications (only if you opt in).
- Detect and prevent abuse.
- Improve the service via aggregated, anonymous statistics.
5. Who we share data with
Sheen uses a limited list of sub-processors. They only receive what is needed to deliver the service and are bound by data protection agreements.
| Sub-processor | Data | Purpose | Jurisdiction |
|---|---|---|---|
| Resend | Email address and OTP letter content | Email delivery | USA |
| Cloud Services Kazakhstan LLP (Yandex Cloud) | All app data (encrypted), including selfie object storage (Yandex Object Storage) | Servers, DB and selfie storage | Kazakhstan |
| Apple App Store / Google Play | Payment transactions | Subscription processing | USA / EU |
| RevenueCat | Subscription ID, app_user_id | Subscription management | USA |
| Amplitude | Anonymized product analytics and events (no PII or selfies) | Usage analytics | USA |
| Google (Gemini) | Selfies (anonymized where possible) | AI face analysis | USA / EU |
| OpenAI | Selfies and quiz text (as fallback) | AI analysis when Gemini is unavailable | USA |
6. How long we keep data
| Category | Retention |
|---|---|
| Account and profile | Until account deletion |
| Inactive anonymous account | Deleted after 90 days of inactivity |
| Selfies in S3 | 24 hours from upload |
| Permanent biometric template (face embedding) | Not stored |
| Biometric data (for users in the USA) | No longer than 3 years from last interaction, or until consent withdrawal — whichever is earlier |
| Security log (auth_events) | 3 years |
| DB backups | 30 days |
After account deletion, data is marked for removal and physically erased within 30 days, except records we are legally required to keep (e.g. security logs).
7. Your rights
Under the KZ PD Law and GDPR you have the right to:
- Access your data — via
GET /users/me/profilein the app or by email request. - Correct inaccurate data — via app settings or email request.
- Delete your account and associated data — via
DELETE /auth/mein the app. - Withdraw consent to biometric processing — in Settings → Privacy. After withdrawal, selfies are removed from S3 within 24 hours.
- Restrict processing — disable push notifications, turn off public visibility, sign out.
- Obtain a copy of your data in machine-readable format — by email request.
- Lodge a complaint with the supervisory authority: in Kazakhstan — Information Security Committee of the Ministry of Digital Development, Innovations and Aerospace Industry of the Republic of Kazakhstan (complaints are filed via the e-Otinish portal); in the EU — your national data protection authority.
7.1. California (CCPA / CPRA)
If you are a California resident, you have the right to know which categories of personal data we collect, to access them, to delete them, and to correct them. Biometric data is "sensitive personal information." We do not sell or share your personal data for cross-context behavioral advertising.
You can submit a request to support@sheen.style. We confirm receipt within 10 business days and respond substantively within 45 days.
7.2. US state biometric laws (Illinois / Texas / Washington / Colorado)
Residents of these states have separate rights regarding biometric data (including the Illinois BIPA). These are detailed in the Biometric Consent document.
8. Security
- All communication with our servers is encrypted with TLS 1.2+.
- Refresh-token secrets are hashed (scrypt) before being stored in the database.
- Selfies are uploaded to S3 via short-lived presigned URLs.
- Biometric data is processed only during AI analysis and removed when retention expires.
- Access to production servers is restricted and logged.
9. Children
Sheen is intended for users 16 years and older. We do not knowingly collect data of persons under 16. See Children's Privacy.
Sheen is a general-audience service not directed at children under 13. We do not knowingly collect data from children under 13; if we learn we have, we delete it. In the USA, COPPA applies (a threshold of 13). Our own bar is stricter — 16 years.
10. Changes to this policy
For material changes we will notify you in the app and/or by email. The version and effective date are at the top of this page. Previous versions are available on request.
11. Contact
Privacy-related questions — support@sheen.style.