Privacy Policy: HairSnap Mobile Application

Last Updated: July 15, 2026

Data Controller: Shine Shine Apps, S.L.

Applicable Law: EU General Data Protection Regulation (GDPR) (EU) 2016/679, Spanish LOPDGDD 3/2018, and the EU AI Act (Regulation (EU) 2024/1689).

1. Data Controller & Data Protection Officer (DPO)

The data controller responsible for the processing of your personal data within the HairSnap mobile application is:

  • Company Name: Shine Shine Apps, S.L.
  • Address: Avenida Alcalde Díaz Saavedra Navarro, 31, 2ª planta, CP: 35001, Las Palmas de Gran Canaria, Spain.
  • Contact Email: admin@2shineapps.com
  • Data Protection Officer (DPO) Contact: admin@2shineapps.com

2. Types of Data We Process & Data Minimization

In strict compliance with the principle of Data Minimization (Art. 5(1)(c) GDPR), we only collect and process personal data that is strictly necessary to deliver the hair and scalp analysis service:

  • Diagnostic Images: User-submitted photos of your hair and scalp uploaded directly via your device's camera or photo gallery. We do NOT extract biometric templates, nor do we use facial recognition technology (Art. 4(14) GDPR).
  • Onboarding Selections: Your self-reported questionnaire answers regarding your hair type, scalp concerns, and lifestyle habits.
  • Data Kept Locally: Your user account registration details (email, password, or Google/Apple SSO tokens) are stored locally on your device or securely processed on our servers. They are never transmitted to our AI subprocessors.
  • No Irrelevant Device Access: We do NOT access, collect, or monitor your precise location (either in the foreground or background), device contacts, call logs, SMS, or unrelated hardware statistics.

3. Purposes and Lawful Bases for Processing

We process your personal data under the following legitimate grounds defined by Art. 6 & Art. 9 GDPR:

  • Contractual Necessity (Art. 6(1)(b) GDPR): Processing is required to perform the core hair analysis service you requested. This applies to standard cosmetic, styling, and general hair quality evaluations.
  • Explicit Consent (Art. 9(2)(a) GDPR): If your uploaded hair/scalp photos or survey selections reveal health-related conditions (such as alopecia, severe dermatitis, or scalp diseases), this constitutes special category health data. We will only process this health data if you provide explicit, granular consent via our in-app onboarding screen. You have the right to withdraw this consent at any time without affecting your account.
  • Legitimate Interests (Art. 6(1)(f) GDPR): To secure our application, prevent fraud, debug software crashes, and generate aggregated, non-identifying usage statistics to optimize app performance.

4. AI-Powered Processing & Transparency (EU AI Act)

Pursuant to Article 50(1) of the EU AI Act, we inform you that the HairSnap analysis is generated through interaction with an automated Artificial Intelligence (AI) system.

  • We utilize OpenAI's secure generative models to analyze your uploaded photos and onboarding selections.
  • The output is fully automated. It does not constitute medical advice or a formal dermatological diagnosis. For medical evaluations, please consult a healthcare professional.

5. Subprocessors & Model Training Opt-Out

To deliver our service, your diagnostic images and onboarding selections are shared with our secure AI infrastructure provider:

  • Processor: OpenAI, LLC (San Francisco, USA).
  • Contractual Safeguards: We have executed a formal Data Processing Addendum (DPA) under Art. 28 GDPR. OpenAI acts strictly as our processor and is contractually prohibited from using your diagnostic photos, questionnaire selections, or analysis results to train, improve, or refine their public AI models.

6. International Data Transfers

OpenAI's servers are located in the United States. To legally transfer your data under Art. 44-49 GDPR, we rely on:

  • EU-U.S. Data Privacy Framework (DPF): OpenAI is certified under the DPF, which the European Commission recognizes as providing an adequate level of protection (Art. 45 GDPR).
  • Standard Contractual Clauses (SCCs): As a supplementary safety net, our DPA incorporates the EU Commission's SCCs (Module 2: Controller-to-Processor) to guarantee data protection.

7. Data Retention

Under Art. 5(1)(e) GDPR, your data is kept only as long as necessary:

  • Diagnostic images and onboarding selections are deleted from our active databases immediately after your analysis is generated and delivered to your device, or kept for a maximum of 30 days if you choose to save your analysis history.
  • Upon account deletion, all associated personal data is permanently destroyed or irreversibly anonymized.

8. Your Data Protection Rights

Under Art. 15-22 GDPR, you have the right to access, rectify, or erase your data, restrict or object to its processing, and request data portability. If we process your health data based on consent, you may withdraw it at any time.

To exercise your rights: Email admin@2shineapps.com.

Supervisory Authority: You have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD) at www.aepd.es.