Privacy Policy
HairLook Privacy Policy
Effective Date: May 22, 2025
Last updated: May 22, 2025
1. Who We Are
HairLook is operated by Antac S.A.S. (Carrera 17 #93-82 Bogotá • Colombia). In this document, “HairLook,” “we,” “our,” or “us” refers to Antac S.A.S.
For the purposes of the General Data Protection Regulation (GDPR), the UK GDPR, and other privacy laws, HairLook is the data controller for personal data processed through the HairLook mobile, web, and API‑based applications (collectively, the “Service”).
We have appointed a Data Protection Officer (DPO). Contact our DPO at privacy@hairlook.app or by post at the address above (attn: DPO).
2. Scope of This Policy
This Policy explains how we collect, use, disclose, store, and protect personal data when you:
- install, access, or use the HairLook app on iOS, Android, or the web;
- visit our websites, customer‑support channels, or social‑media pages; or
- otherwise interact with us (for example, by emailing us).
It does not cover third‑party websites, services, or content that we do not control.
3. The Information We Collect
3.1 Information You Provide Directly
- Account Data – name, email address, hashed password, sign‑in provider ID (Apple, Google, or email), country/region, and language.
- User Images & Videos – photos, videos, and other media you upload to generate or preview hairstyles, including any derivatives we produce.
- Payment & Subscription Data – purchase receipts, transaction IDs, subscription tier, and related metadata received from RevenueCat, the Apple App Store, Google Play, or Stripe.
- Support Data – messages, screenshots, logs, or other content you voluntarily send to our support team.
3.2 Information We Collect Automatically
- Device Data – device model, operating‑system version, browser type, IP address, advertising identifier, language, time‑zone, screen size, and battery or network status.
- Usage Data – app‑launch time, screens viewed, taps or clicks, filters applied, and crash logs.
- Cookies & Similar Technologies – HTTP cookies, local storage, Firebase analytics events, and SDK‑provided identifiers.
3.3 Special‑Category Data (Images That Contain Faces)
Facial images can constitute biometric data under Art. 4(14) GDPR when processed to uniquely identify a person. HairLook does not use your images to recognize or authenticate you (or anyone else). Images are processed only to generate the requested hairstyle previews and—if you opt in—to improve our AI models.
4. How and Why We Use Personal Data
- To provide and operate the Service (GDPR Art. 6 §1 b – Contract performance) – create accounts, process uploads, render hairstyle previews, and deliver purchases.
- To process payments and subscriptions (Art. 6 §1 b) – through Apple, Google, Stripe, and RevenueCat APIs.
- To improve, debug, and secure the Service (Art. 6 §1 f – Legitimate interest) – analytics, A/B testing, crash diagnostics, and fraud prevention.
- To train our AI models (Art. 6 §1 a / 9 §2 a – Consent) – only if you explicitly opt in within settings. You can withdraw consent at any time.
- For marketing communications (Art. 6 §1 a – Consent, or legitimate‑interest “soft opt‑in” where applicable) – push notifications and emails that you can opt out of at any time.
- For legal and compliance purposes (Art. 6 §1 c – Legal obligation) – invoicing, tax, responding to regulatory requests, and enforcing our Terms of Service.
5. How Long We Keep Data
- Images and hairstyle previews (not opted‑in) – deleted 24 hours after generation or when you delete them in‑app, whichever comes first.
- Images used for AI training (opt‑in) – stored for a maximum of 12 months or until you withdraw consent.
- Account, purchase, and usage data – retained for three years from your last interaction or the end of the fiscal year, whichever is later.
- Support tickets – retained for three years after ticket closure.
- Back‑ups and audit logs – kept for up to 12 months, with monthly roll‑over.
We may keep data longer when required by law or to establish or defend legal claims. When the retention period ends, we delete or anonymise the data.
6. Sharing and Disclosure
We do not sell or rent your personal data. We disclose data only:
- To service providers (for example, Google Cloud Firebase, Cloudflare, RevenueCat, Apple, Google Play, Stripe, Replicate, Fal AI and customer‑support platforms) under strict confidentiality agreements.
- To affiliated entities within our corporate group for internal administration.
- To legal or regulatory authorities when required to comply with law or to protect rights, safety, or property.
- In connection with a business transfer such as a merger, acquisition, or asset sale (you will be notified of any change of control).
- With your consent or at your direction—for example, when you share a hairstyle image to social media.
All third parties are bound by contractual obligations consistent with this Policy and with applicable law.
7. International Transfers
HairLook stores data in the United States and the European Economic Area (EEA). When we transfer personal data outside your jurisdiction, we rely on:
- European Commission adequacy decisions (where available);
- Standard Contractual Clauses (SCCs) approved by the European Commission;
- Your explicit consent; or
- Another lawful transfer mechanism.
You may request a copy of the relevant safeguards by contacting us.
8. Security
We use administrative, technical, and physical safeguards including:
- End‑to‑end TLS encryption in transit and AES‑256 encryption at rest;
- Network firewalls, access‑control lists, and role‑based permissions;
- A secure development lifecycle;
- Incident‑response procedures and data‑breach notification protocols.
Although no system can be 100 % secure, we continuously work to protect your information.
9. Your Privacy Rights
Depending on your jurisdiction, you may have the right to:
- Access the personal data we hold about you;
- Rectify inaccurate or incomplete data;
- Erase your data;
- Restrict or object to certain processing activities;
- Data portability – receive your data in a structured, commonly used, machine‑readable format;
- Withdraw consent at any time without affecting the lawfulness of prior processing;
- Lodge a complaint with a supervisory authority (e.g., the Colombian SIC, the Dutch DPA, the UK ICO, or any EEA authority).
Most rights can be exercised through in‑app settings or by contacting our DPO.
California (CCPA / CPRA)
California residents can request information about data categories collected, disclosed, or “sold” / “shared,” and may opt out of any “sale” or “sharing” of personal information. HairLook does not sell or share personal information as defined by the CCPA/CPRA.
Brazil (LGPD)
Brazilian users have equivalent rights under the Lei Geral de Proteção de Dados (LGPD) and can exercise them via the contact details above.
10. Children’s Privacy
HairLook is not directed to children under 18 years old, and we do not knowingly collect personal data from anyone under that age. If we learn that we have inadvertently processed data from a child under 16, we will promptly delete it and close the account.
11. Cookies and Tracking Technologies
We use cookies, SDKs, and similar technologies to:
- remember user preferences;
- measure app performance and diagnose bugs;
- perform analytics to improve the Service; and
- deliver or measure marketing communications.
You can control cookies in your device or browser settings. Disabling certain cookies may affect functionality.
12. Automated Decision‑Making and Profiling
HairLook does not make decisions based solely on automated processing that produce legal or similarly significant effects. Limited profiling may be used to personalise your in‑app experience or offers; you can object to this via settings.
13. Changes to This Policy
We may update this Privacy Policy to reflect changes in law or our practices. We will post the updated version and, where required, obtain your consent. Material changes will take effect no sooner than 30 days after notification unless a shorter period is required by law.
14. Contact Us
If you have questions, concerns, or requests regarding this Policy or our data‑handling practices, contact us:
Email: info@antac.ai
Antac S.A.S.