Privacy Policy - VibeHair

Last updated: March 25, 2026 | Effective: March 25, 2026

1. Data Controller

VibeHair is developed and operated by Beijing Lingkesi Cultural Technology Co., Ltd. ("we", "us", "our"), registered in Beijing, China.

Data Protection Contact: support@linkos.cc

2. Overview

VibeHair is an AI-powered hairstyle recommendation and preview application. To provide our services, we process facial photographs, which constitute biometric data under the EU General Data Protection Regulation (GDPR) and sensitive personal information under the Chinese Personal Information Protection Law (PIPL). We take the protection of this data extremely seriously.

3. Information We Collect

3.1 Information You Provide Directly

Data Type	Purpose	Retention
Facial photographs (biometric/sensitive personal information)	AI hairstyle analysis, recommendation, and preview generation	Deleted within 60 minutes of processing; not stored persistently
Hairstyle preferences	Personalized recommendations	While your account is active
Apple Sign In credentials	Account creation and authentication	While your account is active
Feedback messages	Customer support	Up to 24 months

3.2 Information Collected Automatically

Data Type	Purpose	Retention
Device identifier (IDFV only)	Service quality, fraud prevention	While your account is active
Usage statistics	Service improvement	Aggregated within 90 days
Purchase records	Transaction fulfillment	3–5 years (legal requirement)

3.3 Information We Do NOT Collect

We do not collect the Identifier for Advertisers (IDFA) and do not perform cross-app tracking.
We do not use cookies or web tracking technologies.
We do not collect precise geolocation data.
We do not use your facial data for AI model training.

4. How We Use Your Information

4.1 Facial Photograph Processing

Upload: Your photo is transmitted via TLS-encrypted connection to our secure processing servers.
AI Processing: The photo is forwarded to our AI service providers (see Section 5) for real-time analysis.
Deletion: Your original photograph is deleted from our servers within 60 minutes of processing completion.
No Training: Your facial photographs are never used to train, fine-tune, or improve any AI models.

4.2 Face Data — Explicit Disclosure

1. Face data is NOT retained. Your facial photographs are processed in real-time and are not stored permanently on our servers or any third-party servers. All facial images are deleted within 60 minutes of processing completion.

2. Why we temporarily hold face data. During the processing window (up to 60 minutes), your facial photograph may be held in temporary server memory solely for: transmitting the image to AI service providers for analysis, recommendation generation, and hairstyle preview rendering; and allowing you to request additional AI operations within the same session without re-uploading.

3. Why 60 minutes specifically. The 60-minute retention window is the minimum time needed to complete a typical user session (selecting preferences, receiving recommendations, generating previews). Once the session ends or 60 minutes elapse (whichever comes first), the image is permanently deleted.

4. Third parties who receive face data:

Volcengine (ByteDance) — for hairstyle image editing using the Seedream model. Does not retain images after processing.
Google (Gemini API) — for facial analysis and hairstyle recommendation. Processes inputs in real-time; does not store or use inputs to improve products unless you separately opt in.
HuggingFace (AIRI HairFastGAN) — for hairstyle transfer/preview generation. Processes images in server memory during inference and discards them immediately. Does not store uploaded images.

5. Why we share face data with third parties. The core functionality of our app — analyzing your face shape, recommending suitable hairstyles, and generating realistic preview images — requires specialized AI models hosted by these providers. We do not have the capability to run these models locally on your device.

6. Third-party storage practices. None of our AI service providers permanently store your facial photographs. All providers process images in real-time (in-memory) and discard them upon completion. No provider uses your facial data for model training under their respective API terms of service.

4.3 In-App Disclosure Before Data Sharing

Before your facial photograph is sent to any third-party AI service for the first time, VibeHair displays an in-app consent dialog that:

Explains exactly what data will be sent (facial photo and style preferences).
Identifies who receives the data (Volcengine, Google Gemini, HuggingFace).
Describes how your data is protected (TLS encryption, 60-minute deletion, no training use).
Requires your explicit consent before proceeding.

You may decline, in which case no data is sent and the AI features are not used.

4.4 Automated Decision-Making

VibeHair uses AI to analyze your facial features and generate hairstyle recommendations. This constitutes automated profiling under GDPR Article 22. You have the right to request human review, express your view, and contest the result. The recommendations are advisory only and do not produce legal or similarly significant effects.

5. Third-Party Data Processors

Provider	Service	Data Shared	Location
Google (Gemini API)	Hairstyle recommendation	Facial photo, preferences	United States
Volcengine (ByteDance)	Hairstyle image editing	Facial photo, editing instructions	China (Beijing)
HuggingFace (HairFastGAN)	Hairstyle transfer/preview	Facial photo, reference photo	United States
Stability AI	Reference image generation	Text descriptions only (no photos)	UK / US
Supabase	Backend infrastructure	Account data, transactions	Tokyo, Japan
Apple	Authentication, IAP	Apple User ID, transactions	United States

5.1 International Data Transfer Safeguards

EU/EEA users: Transfers protected by Standard Contractual Clauses (SCCs).
Mainland China users: Cross-border transfers comply with PIPL Article 38.
Japan users: Transfers comply with APPI requirements.

6. Data Security

Encryption in transit: TLS 1.2 or higher for all data transmission.
Encryption at rest: Sensitive database data is encrypted.
Access control: Strict role-based access.
Temporary processing: Facial photos held in memory only, securely purged afterward.
Incident response: Supervisory authority notified within 72 hours of any breach (GDPR Art. 33).

7. Data Retention

Data Type	Retention Period
Facial photographs	Deleted within 60 minutes
Account information	Until account deletion or 12 months of inactivity
Transaction records	3–5 years (legal requirement)
Usage statistics	Aggregated within 90 days

8. Your Rights

GDPR (EU/EEA)

Right of access, rectification, erasure, restriction, data portability, objection.
Right not to be subject to automated decision-making.
Right to withdraw consent and lodge complaints with your local DPA.

PIPL (Mainland China)

Right to know, decide, restrict, refuse, access, copy, correct, delete.
Right to file complaints with the Cyberspace Administration of China.

APPI (Japan)

Right to disclosure, correction, cessation of use, and cessation of third-party provision.

How to Exercise Your Rights

In-App: Settings > Privacy > Manage My Data
Email: support@linkos.cc
Account Deletion: Settings > Account > Delete Account

9. Children's Privacy

VibeHair is not intended for children under 16. We do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, please contact us immediately.

10. App Tracking

We do not use App Tracking Transparency because we do not track users across apps or websites. We do not display ads or share data with advertising networks.

11. Changes to This Policy

For material changes, we will notify you via in-app notification at least 30 days before changes take effect. Continued use after the effective date constitutes acceptance.

12. Contact Us

Data Controller: Beijing Lingkesi Cultural Technology Co., Ltd.
Address: Beijing, China
Email: support@linkos.cc
In-App: Settings > Feedback & Support