Privacy policy
The short version: your photos never leave your iPhone. Severity scores, trigger tags, and timestamps sync through your own private iCloud container so the timeline survives a phone swap. We don't operate user-facing servers. We do send anonymous app-usage signals to TelemetryDeck and crash reports to Sentry, both with a strict no-PHI guard documented below.
1. What stays on your device
Selfies, free-text notes, and the dermatologist PDFs you generate are stored in a sandboxed app folder on your iPhone. They are not in your Camera Roll unless you explicitly export them. Image bytes never leave the device. Face detection during capture and import runs on-device with Apple's Vision framework.
2. What syncs through your iCloud
Severity scores, trigger tags, timestamps, and app preferences sync through Apple's CloudKit using your Apple ID, in your private container. We cannot access your CloudKit container; only your Apple ID can. This is automatic when you're signed into iCloud on the device, and it's how your timeline survives a phone swap. Photos are not part of this sync.
3. What we send to third parties
Skinframe ships two operations-only SDKs in the iOS binary: TelemetryDeck (aggregated app-usage signals) and Sentry (crash reports). Both are subject to a strict allowlist enforced at the call site:
- → What we send: Lifecycle events (app launched, foregrounded), auth events (sign-in started, completed, failed), paywall events (viewed, purchase completed) with non-content properties only (e.g. tier = lifetime, source = upgrade_cta).
- → What we never send: Photo metadata, severity scores, trigger names or content, Fitzpatrick selection, RosaQoL responses, any free-text from notes or custom triggers, dates of flares.
- → TelemetryDeck: aggregated by design. No per-user storage, no session replays. User IDs are hashed before they leave the device, used only to deduplicate active-user counts.
- → Sentry: screenshot attachment is off, view-hierarchy attachment is off. Crash payload includes stack trace and device context only.
- → Before every App Store submission we audit the recent event stream for any property name or value that looks PHI-shaped. If anything leaks, we fix the call site and audit again.
4. What we don't use
- → No Facebook pixel, Google Analytics, Mixpanel, Amplitude, Segment, Heap, Hotjar, or other product-analytics SDKs.
- → No advertising SDKs of any kind.
- → No data brokers, no resale, no sharing with anyone for any purpose. We don't have your data to share.
- → No collection of your name, email, phone number, or address through the app. (Only through email if you write to support.)
5. The dermatologist report
When you generate a report, the PDF is created on your device. We do not see it. The methodology footer documents how patterns were computed and which consensus framework (ROSCO 2017 + NRS 2017) the severity scoring follows, so any clinical reader can judge the evidence on its own terms. We don't operate a verification backend; the PDF is what your device produced and what you choose to share.
6. Your rights
You can delete every byte we hold about you with two taps. The "Delete account" row in Settings wipes your CloudKit private record zone first; only after that confirms does it wipe local SwiftData, UserDefaults, and sign you out. CSV self-export is available at any time, also in Settings, regardless of subscription state. GDPR and CCPA "right to access" and "right to delete" are operationally satisfied by these two paths. If you want written confirmation, write to privacy@skinframe.app.
7. Children
Skinframe is not intended for children under 13. We do not knowingly collect data from children. (We do not knowingly collect data from anyone, see above.)
8. Changes
If this policy changes in any material way, for example if we ever introduce server-side features that hold your data, we will notify you in the app before the change takes effect, and you can opt out by not using the new feature.
9. Contact
privacy@skinframe.app for any privacy-related question or request.