Privacy Policy
Last updated: 3 April 2026
1. Who We Are
Curly Girl Checker ("the App") is operated by CGOK. For GDPR purposes, we are the data controller. Contact us at privacy@curlygirl.app for any data protection inquiries.
2. What Data We Collect
2.1 Essential Processing (Legitimate Interest)
- Anonymized IP hash — A one-way SHA-256 hash of your IP address, truncated to 16 characters. Used for server-side usage analytics. We cannot reverse this hash to recover your IP address. Auto-deleted after 2 days.
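The identifier described above can be reproduced in a few lines, and doing so shows what the "cannot reverse" statement rests on. The block below is an added illustration, not the App's own code: the exact bytes the App hashes (here, the dotted-quad string as UTF-8) and the use of a server-side secret ("pepper") are assumptions; the policy only states "SHA-256, truncated to 16 characters" and does not say whether a secret is mixed in. Without one, a truncated SHA-256 of an IPv4 address is one-way only for someone who does not hold the hash: the IPv4 space has 2^32 addresses, so anyone with the stored value can test candidate addresses against it, which the third function demonstrates on a constructed /24. A keyed hash (HMAC with a secret that never leaves the server) removes that possibility while keeping the same 16-character output.

```python
"""Pseudonymised IP identifier in the shape section 2.1 describes, with a
check of how far the "cannot reverse" claim depends on an unkeyed hash.

Added example, not code from the App. Assumptions: the hashed input is the
dotted-quad string encoded as UTF-8, and the keyed variant uses an HMAC
pepper held only on the server.
"""
import hashlib
import hmac
import ipaddress
from typing import Optional


def ip_hash(ip: str) -> str:
    """Unkeyed variant: first 16 hex characters of SHA-256(ip)."""
    return hashlib.sha256(ip.encode("utf-8")).hexdigest()[:16]


def ip_hash_keyed(ip: str, pepper: bytes) -> str:
    """Keyed variant: HMAC-SHA-256 under a server-side secret, same truncation.

    Without `pepper` the identifier cannot be checked against candidate
    addresses, so holding the stored value alone recovers nothing.
    """
    return hmac.new(pepper, ip.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def match_candidates(target: str, network: str,
                     pepper: Optional[bytes] = None) -> Optional[str]:
    """Return the host in `network` whose identifier equals `target`, or None.

    With no pepper this is feasible for anyone holding the hash; a /24 is
    254 tries and the whole IPv4 space only 2**32. With a pepper the same
    search fails unless the caller also knows the secret.
    """
    for host in ipaddress.ip_network(network).hosts():
        candidate = (ip_hash(str(host)) if pepper is None
                     else ip_hash_keyed(str(host), pepper))
        if hmac.compare_digest(candidate, target):
            return str(host)
    return None


if __name__ == "__main__":
    sample_ip = "203.0.113.42"       # constructed address from TEST-NET-3
    pepper = b"server-side-secret"   # assumed; in practice loaded from a key vault

    unkeyed = ip_hash(sample_ip)
    keyed = ip_hash_keyed(sample_ip, pepper)

    # Anyone holding only the unkeyed value gets the address back from a /24.
    print(match_candidates(unkeyed, "203.0.113.0/24"))            # 203.0.113.42
    # The keyed value cannot be matched without the pepper...
    print(match_candidates(keyed, "203.0.113.0/24"))              # None
    # ...but the server, which holds it, can still correlate requests.
    print(match_candidates(keyed, "203.0.113.0/24", pepper))      # 203.0.113.42
```

The 2-day TTL stated in the policy limits how long such a value exists at all, which is the other half of the protection; the keyed construction is what makes the "cannot reverse" property hold against a party who obtains the stored value within that window.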
2.2 Client-Side Data (Your Device Only)
The following data is stored only in your browser's localStorage and never sent to our servers:
- Usage tracking — Scan count and plan status, used to enforce the free tier (30 free checks, then 3 per month).
- Scan history — Product names, statuses, and ingredients from your recent scans (up to 10 for free, 50 for Pro).
- CG tolerance profile — Ingredients you've whitelisted as acceptable for your routine (Pro feature).
- Privacy consent preferences — Your cookie/tracking consent choice.
You can clear all client-side data at any time by clearing your browser's localStorage or using the in-app controls (History → Clear all, Profile → Clear all).
2.3 Payment Data (Pro Subscribers)
If you upgrade to Pro, payment is handled entirely by Stripe:
- We never see or store your credit card number, CVV, or full card details.
- Stripe stores your payment method, email, and billing address under their Privacy Policy.
- We store only: anonymized IP hash, Stripe customer ID, subscription ID, and subscription status ("active"/"canceled") in Cosmos DB.
- Subscription records are deleted when you cancel and your subscription expires.
2.4 Analytics (Consent Required)
Only collected if you click "Accept All" in the consent banner:
- Scan records — Product name, brand, approval status, scan source (OCR/vision), ingredient counts. Contains no personal identifiers.
- Application Insights telemetry — Page load times, error rates, and request metrics. IP addresses are anonymized (last octet zeroed).
2.5 What We Do NOT Collect
- We do not store uploaded images. Photos are processed in server memory and immediately discarded after analysis.
- We do not use cookies for tracking or advertising.
- We do not collect names, emails, or account information from free users.
- We do not sell or share personal data with third parties.
3. Legal Basis for Processing
- Legitimate interest (Art. 6(1)(f) GDPR) — Rate limiting via anonymized IP hashes to prevent abuse and ensure fair access.
- Consent (Art. 6(1)(a) GDPR) — Analytics and telemetry, only when you explicitly opt in.
- Contract (Art. 6(1)(b) GDPR) — Processing payment and subscription data when you purchase a Pro plan.
4. Data Storage & Retention
- All data is stored in Azure Cosmos DB (Sweden Central region, EU) and Azure Application Insights (Sweden Central).
- Rate-limiting records: 2 days (auto-deleted via TTL).
- Product cache: 30 days (auto-deleted via TTL).
- Scan records: retained for analytics; anonymized (no personal identifiers).
- Application Insights: default 90 days retention.
5. Your Rights (GDPR Articles 15–22)
You have the right to:
- Access — Request a copy of data associated with your IP hash.
- Erasure — Request deletion of your data via DELETE /api/privacy/erase or by contacting us.
- Withdraw consent — Click "Manage Privacy" in the app footer at any time. Analytics tracking stops immediately.
- Object — Object to processing based on legitimate interest.
- Portability — Request your data in a machine-readable format.
- Lodge a complaint — With your local Data Protection Authority.
6. Third-Party Services
- Azure AI Services (Microsoft) — Processes product images for OCR and identification. Images are processed in real-time and not retained by Microsoft per their data processing agreement. Region: Sweden Central (EU).
- Azure Application Insights (Microsoft) — Performance monitoring with IP anonymization enabled. Region: Sweden Central (EU).
- Stripe (Stripe, Inc.) — Payment processing for Pro subscriptions. Stripe is PCI DSS Level 1 certified. See Stripe's Privacy Policy. Stripe may process data in the US under Standard Contractual Clauses.
7. Data Transfers
Our servers and databases are in EU (Sweden Central). Microsoft is our data processor under a GDPR-compliant Data Processing Agreement (DPA). Stripe may process payment data in the US under Standard Contractual Clauses (SCCs) as permitted by GDPR Chapter V. No other personal data is transferred outside the EEA.
8. Children
This service is not directed at children under 16. We do not knowingly collect data from children.
9. Changes to This Policy
If we make material changes, we will re-prompt consent via the banner (consent version will be updated). The date at the top of this page indicates the latest revision.
10. Contact
For privacy inquiries, data access requests, or to exercise your GDPR rights:
privacy@curlygirl.app