← Back to Checker

Privacy Policy

Last updated: 3 April 2026

1. Who We Are

Curly Girl Checker ("the App") is operated by CGOK. For GDPR purposes, we are the data controller. Contact us at privacy@curlygirl.app for any data protection inquiries.

2. What Data We Collect

2.1 Essential Processing (Legitimate Interest)

  • Anonymized IP hash — A one-way SHA-256 hash of your IP address, truncated to 16 characters. Used solely for rate limiting (5 free scans/day). We cannot reverse this hash to recover your IP address. Auto-deleted after 2 days.

2.2 Analytics (Consent Required)

Only collected if you click "Accept All" in the consent banner:

  • Scan records — Product name, brand, approval status, scan source (OCR/vision), ingredient counts. Contains no personal identifiers.
  • Application Insights telemetry — Page load times, error rates, and request metrics. IP addresses are anonymized (last octet zeroed).

2.3 What We Do NOT Collect

  • We do not store uploaded images. Photos are processed in server memory and immediately discarded after analysis.
  • We do not use cookies for tracking or advertising.
  • We do not collect names, emails, or account information from free users.
  • We do not sell or share personal data with third parties.

3. Legal Basis for Processing

  • Legitimate interest (Art. 6(1)(f) GDPR) — Rate limiting via anonymized IP hashes to prevent abuse and ensure fair access.
  • Consent (Art. 6(1)(a) GDPR) — Analytics and telemetry, only when you explicitly opt in.

4. Data Storage & Retention

  • All data is stored in Azure Cosmos DB (Sweden Central region, EU) and Azure Application Insights (Sweden Central).
  • Rate-limiting records: 2 days (auto-deleted via TTL).
  • Product cache: 30 days (auto-deleted via TTL).
  • Scan records: retained for analytics; anonymized (no personal identifiers).
  • Application Insights: default 90 days retention.

5. Your Rights (GDPR Articles 15–22)

You have the right to:

  • Access — Request a copy of data associated with your IP hash.
  • Erasure — Request deletion of your data viaDELETE /api/privacy/erase or by contacting us.
  • Withdraw consent — Click "Manage Privacy" in the app footer at any time. Analytics tracking stops immediately.
  • Object — Object to processing based on legitimate interest.
  • Portability — Request your data in a machine-readable format.
  • Lodge a complaint — With your local Data Protection Authority.

6. Third-Party Services

  • Azure AI Services (Microsoft) — Processes product images for OCR and identification. Images are processed in real-time and not retained by Microsoft per their data processing agreement. Region: Sweden Central (EU).
  • Azure Application Insights (Microsoft) — Performance monitoring with IP anonymization enabled. Region: Sweden Central (EU).
  • Affiliate links — When you click a product recommendation, you leave our app. The linked retailer's privacy policy applies.

7. Data Transfers

All data processing occurs within the EU (Sweden Central). We do not transfer personal data outside the EEA. Microsoft is our data processor under a GDPR-compliant Data Processing Agreement (DPA).

8. Children

This service is not directed at children under 16. We do not knowingly collect data from children.

9. Changes to This Policy

If we make material changes, we will re-prompt consent via the banner (consent version will be updated). The date at the top of this page indicates the latest revision.

10. Contact

For privacy inquiries, data access requests, or to exercise your GDPR rights:

privacy@curlygirl.app