Aoria (“we,” “our,” or “us”) is committed to protecting your privacy. This Privacy Policy explains how personal information is collected, used, stored, and disclosed when you use our consumer skincare application Aoria and related online services (together, the “Service”).
The Service includes our mobile apps for iOS and Android and our website at https://aoria.eu/ (including subdomains we operate). By creating an account or otherwise using the Service, you acknowledge this Privacy Policy alongside our Terms of Service.
Definitions and key terms
- Cookie: A small piece of data stored by a browser or similar environment. It may be used to keep you signed in, remember preferences, or support analytics on our web properties.
- Company: When we say “Company,” “we,” “us,” or “our,” we mean Aoria as the party responsible for personal information under this policy.
- Country: Poland, where Aoria is based.
- Device: Any phone, tablet, computer, or other device used to access the Service.
- IP address: A network identifier assigned to your Device. It may indicate approximate region or network type.
- Personal Data / personal information: Information that identifies you or can reasonably be linked to you, alone or together with other data.
- Processor: A vendor that processes Personal Data on our instructions (for example hosting or subscription tooling).
- Service: The Aoria app, website, and features we make available to you.
- Skin-related information: Optional information derived from photos you choose to submit (for example optional skin appearance insights and similar in-app outputs). It is cosmetic / wellness-style information for your personal use in the app, not clinical advice and not a substitute for a qualified professional.
- Website: https://aoria.eu/
- You: A person who uses the Service, including registered account holders.
What information do we collect?
We collect information you provide, information generated when you use the Service, and limited information from partners where needed to run the Service.
Account and profile
- Email address and password (password is stored using secure one-way hashing practices).
- Optional profile details you add (for example display name, age or birthday if you choose to provide them).
- If you use Sign in with Google or Sign in with Apple, we receive identifiers and basic profile elements allowed by that provider according to your choices and the provider’s policies.
Optional skin-related information and media you submit
- Optional photos or images you upload for optional in-app features (for example optional skin appearance insights, profile images, or attachments you send in support or in-app messaging). You decide whether to use these features.
- Outputs generated from those submissions (for example labels, scores, or text suggestions) so we can show them back to you in the app.
Skincare routine and in-app content
- Products, steps, notes, and similar content you save inside the app.
Subscriptions and purchases
- Purchase and entitlement information processed through Apple App Store, Google Play, and our subscription partner RevenueCat. We do not receive your full payment card number from those stores; they handle payment credentials.
Technical and security
- Device type, operating system, app version, diagnostics, and approximate location inferred from IP where useful for fraud prevention, security, and reliability.
- Authentication tokens or similar data stored on your Device to keep you signed in.
Communications
- Messages you send us (for example support email) and optional push-notification tokens if you enable reminders.
We do not provide clinical services through the Service, and optional skin-related outputs are not a substitute for advice from a qualified professional.
How we use your information
We use Personal Data to:
- Create and secure your account, authenticate you, and prevent abuse.
- Provide core app features (routines, product tools, optional skin-related features you turn on, and in-app experiences).
- Process subscriptions and restore purchases through platform billing partners.
- Send service messages (for example verification, security notices) and, where allowed, product updates you can opt out of.
- Improve reliability, debug issues, and understand aggregate usage patterns.
- Comply with law, enforce our terms, and protect rights, safety, and security.
We process optional skin-related information only when you choose to use the related features, to power those features for you inside the Service.
Information from third parties
We may receive limited information from:
- Apple or Google when you sign in with them or complete in-app purchases.
- RevenueCat regarding subscription status and related events tied to your app account.
- Fraud or abuse-prevention signals from service providers we use to protect accounts and payments, where applicable.
We do not buy lists of personal information for marketing. We do not rely on scraping social networks to build profiles about you.
Where and when we collect information
We collect information when you register, sign in, update your profile, use in-app features (including optional photo-based features), contact us, enable notifications, or otherwise interact with the Service. Some collection is automatic (for example technical logs) to keep the Service secure and available.
Email and notifications
We use your email for account-related messages (verification, password reset, billing notices through platforms, security alerts) and, if you agree where required, occasional product news. Marketing emails, if any, include an unsubscribe or preference mechanism.
Push notifications are optional and controlled in your device or in-app settings. If you disable them, we stop using your push token for that purpose except as needed to clear it technically.
How long we keep your information
We retain Personal Data only as long as needed to provide the Service, meet legal obligations, resolve disputes, and enforce agreements. Retention periods can depend on the type of data (for example subscription records may be kept longer for tax or accounting rules where applicable).
When you delete your account, we delete or de-identify Personal Data on active systems within a reasonable period, subject to backup rotation and legal holds. Some residual copies may persist for a limited time in backups; we do not use them to restore your account except where required by law.
How we protect your information
We use administrative, technical, and organizational measures designed to protect Personal Data, including encryption in transit where appropriate, access controls, and vendor security reviews for material processors. No method of transmission or storage is 100% secure; we cannot guarantee absolute security.
International transfers
Aoria is based in Poland (European Economic Area). Some processors may be located outside the EEA. Where required, we use appropriate safeguards such as the European Commission’s standard contractual clauses or other mechanisms recognized under GDPR.
Is the information secure?
We take reasonable steps to protect Personal Data. Because no system is perfect, you should use a strong unique password, keep your Device updated, and contact us if you suspect unauthorized access to your account.
Your rights and choices
Depending on your location, you may have rights to access, correct, delete, export, restrict, or object to certain processing of your Personal Data, and to lodge a complaint with a supervisory authority.
In the app, you can update much of your profile directly. You may delete your account from settings where available; that is the primary way to request removal of account-held data subject to the retention section above.
To exercise other rights or ask questions, contact us using the details at the end of this policy. We may need to verify your identity before fulfilling certain requests.
Sale of business
If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, Personal Data may be transferred as part of that transaction. We will require the successor to honor protections consistent with this policy or notify you as required by law.
Affiliates
We may share information with companies under common control with Aoria (“affiliates”) for purposes consistent with this policy. Affiliates must protect the information in line with this Privacy Policy.
Governing law
This Privacy Policy is governed by the laws of Poland, without regard to conflict-of-law rules that would apply another jurisdiction’s laws, except where mandatory consumer protections in your country of residence apply and cannot be waived.
Courts in Poland may have jurisdiction over disputes arising from this policy, subject to non-waivable rights you may have elsewhere.
If you do not agree with this policy, please do not use the Service.
Your consent
By using the Service, creating an account, or purchasing subscriptions through the app stores, you acknowledge this Privacy Policy. Where the law requires separate consent (for example certain marketing), we will ask for it clearly.
Links to other websites
The Service may link to third-party sites or services. We do not control their privacy practices. When you leave our Service, their policies apply instead of this one.
Blocking cookies and similar technologies
Browser controls let you refuse or delete cookies. Blocking strictly necessary cookies may break parts of our website. Refer to your browser’s help documentation for steps.
Payments and subscriptions
Paid features are billed through Apple or Google in-app purchase systems. RevenueCat helps us manage subscription state. Payment card details stay with Apple or Google; we receive transaction references and entitlement information needed to unlock features.
Children’s privacy
The Service is not directed to children under 13 (or the higher age required by your country’s rules where stricter). We do not knowingly collect Personal Data from children under that threshold. If you believe we have collected such information, contact us and we will take steps to delete it.
Changes to this Privacy Policy
We may update this policy from time to time. We will post the new version in the app and/or on our website and update the “Last updated” date. If changes are material, we will provide additional notice or obtain consent where required by law. Continued use after the effective date means you accept the updated policy unless applicable law gives you additional choices.
Third-party services
The Service may include links, SDKs, or embedded experiences from third parties (for example app stores, OAuth providers, or subscription tools). Their use is subject to their own terms and privacy policies. We are not responsible for third-party practices beyond what the law requires.
Information for users in the European Economic Area (GDPR)
If you are in the EEA (or where similar laws apply), this section supplements the rest of the policy.
Controller: Aoria (contact below).
Legal bases (examples): Contract (providing the Service you request); Legitimate interests (security, product improvement balanced against your rights); Consent where we rely on it (for example optional marketing or certain optional features you activate); Legal obligation where the law requires processing.
Transfers: See International transfers above.
Rights: Access, rectification, erasure, restriction, objection, portability, and complaint to a supervisory authority (in Poland, the President of the Personal Data Protection Office, UODO), subject to conditions in applicable law.
You may contact us to exercise rights. We respond within the timeframes required by law.
What is GDPR?
The General Data Protection Regulation (GDPR) is an EU law that strengthens protections for individuals regarding Personal Data and governs organizations that offer services to people in the EEA or monitor their behavior there.
What counts as personal data under GDPR?
GDPR defines Personal Data broadly. What we process about you is described in What information do we collect? above. We aim to collect only what we need for the Service, including optional skin-related information only if you choose to use those features.
Why GDPR matters to us
We apply privacy-by-design practices suitable for a consumer app: minimizing data, securing accounts, using contracts with processors, and giving you controls such as account deletion where available.
Contact us
Questions about this Privacy Policy or your Personal Data:
- Email: aoriaapp@gmail.com
- Website: https://aoria.eu/