
Privacy Policy

Last updated: April 19, 2026

1. Data controller

HairMaxxing — contact: contact@hairmaxxing.com.

2. Data collected

  • Account: email, name, profile picture (if using Google/Apple sign-in).
  • Profile: gender, age, hair goal, hair type and density, satisfaction level.
  • Photos: 3 face photos (front, profile, top) submitted to generate visualizations.
  • Subscription: status (free / premium), App Store or Google Play receipt.
  • Referral: personal referral code, code used at sign-up (if any), number of validated referred friends.
  • Push notifications: Expo device token, only if the user granted notification permission.
  • Usage & analytics: aggregated usage events (app opens, screens viewed, paywall steps, analyses run), pseudonymous per-user identifier. No sensitive data is ever sent.

3. Purposes

  • Generate the requested hairstyle visualizations.
  • Personalize recommendations based on your face shape.
  • Manage your account and subscription.
  • Improve service quality (aggregated, anonymized data).

4. Legal basis

Performance of the contract (Terms), consent for sensitive data (photos), legitimate interest for usage statistics.

4 bis. Biometric data & AI (GDPR Art. 9, EU AI Act)

Face photos you submit are processed on the basis of your explicit consent (GDPR Article 9(2)(a)). They are used solely to generate a hairstyle visualization: no biometric identification (facial recognition, biometric templates) is performed or stored.

Visualizations are AI-generated (Google Gemini, OpenAI) from your photos. The resulting image is a synthetic preview and may not reflect the actual result achieved at a hairdresser. A HAIRMAXXING watermark is burned onto every generated image to indicate its origin.

5. Recipients

  • Google Gemini and OpenAI — visualization generation and analysis. Photos are sent encrypted and are not retained by these providers beyond processing.
  • Cloudflare R2 — secure storage of generated results (S3-compatible, EU/US hosting).
  • Apple App Store / Google Play — in-app purchase validation and subscription management (including cancellation notifications that trigger the win-back offer).
  • PostHog EU Cloud — product analytics, hosted in the European Union (eu.i.posthog.com). Pseudonymous identifier, no sensitive data. Used only to improve the product (funnels, A/B tests, usage metrics). A DPA is available on request.
  • Expo (push notifications) — device token transmission for transactional notifications only (triggered by a user action, not periodic marketing). Five scenarios: scan reminder at D+60 (max once per 60 days), paywall opened without conversion at D+1, onboarding started without scan at D+1, free trial ending at D−1 (transparency requirement), come-back after subscription cancellation at D+2. A user receives no more than 4–5 notifications per year. Opt-out is controlled by the device's system settings.

5 bis. Analytics and opt-out

Usage event collection (PostHog) can be disabled at any time from Profile → Settings → Disable analytics. Opting out stops event transmission without affecting other features. No event is sent before consent is given at first launch.

6. Retention period

  • Photos submitted for analysis: streamed to our AI providers for generation, not stored on our servers.
  • Generated visualizations (stored on Cloudflare R2): kept as long as the account is active. They are automatically erased from R2 when a user deletes an individual analysis or their account.
  • Account and profile: as long as the account is active.
  • Billing data: 10 years (legal obligation).

Pursuant to GDPR Article 17 (right to erasure), account deletion triggers an atomic erasure of database records and the removal of visualizations stored on R2.

7. Your rights (GDPR)

Under GDPR, you have the right to access, rectify, erase, port, and object. You can:

  • Export your data directly from the App (Settings → Export my data).
  • Delete your account directly from the App (Settings → Delete account). This action is irreversible.
  • Contact us at contact@hairmaxxing.com for any other request.

8. Security

Data is encrypted in transit (TLS) and at rest. Passwords are hashed (bcrypt). JWT tokens have a short lifespan (15 minutes, secure refresh).

9. Cookies

The hairmaxxing.com website does not use advertising cookies or third-party trackers. Only essential technical cookies are used.

9 bis. Minimum age

HairMaxxing is available from 13 years old. In EU countries where local law sets a higher threshold (up to 16, GDPR Article 8), minors must have obtained prior consent from their legal guardian before using the service. By creating an account, users declare either to have reached that age or to have obtained such consent.

10. DPO contact / Complaints

For any question related to your data: contact@hairmaxxing.com. You may also file a complaint with the CNIL (cnil.fr).
