BeautyBrief

Privacy Policy  ·  Version 1.4  ·  Effective Date: 24 May 2026

Governing Law: Australia (Victoria)

Medical Disclaimer: BeautyBrief is an informational consumer tool only. It does not provide medical advice, diagnosis, allergy testing, dermatological advice, or any form of healthcare service. Ingredient safety assessments generated by the Application are general informational assessments only and may not reflect individual medical sensitivities, conditions, or contraindications. Users must independently verify all ingredient information directly from product packaging or the relevant manufacturer before making any purchasing, health, or medical decision. If you have concerns about allergies, skin conditions, or ingredient safety, consult a qualified medical professional.

Plain-language summary (not a substitute for the full policy below): BeautyBrief stores your allergy profile and scan history only on your own device. The primary categories of data that may leave your device are: (a) product barcodes or names sent to third-party ingredient databases to look up that product; (b) camera images sent to Google Cloud Vision when you use Photo scan mode; and (c) community posts you voluntarily publish, which are stored in Apple's CloudKit public database. We do not sell, share, or monetise your personal data. We do not run advertising.

Table of Contents

  1. Definitions
  2. Scope and Application
  3. Information We Collect and How We Collect It
  4. Health-Related and Sensitive Data
  5. Ingredient Data — Accuracy Disclaimer
  6. Legal Bases for Processing (GDPR / UK GDPR)
  7. How We Use Your Information
  8. Disclosure of Your Information
  9. Third-Party Services and Data Processors
  10. Camera and Photo Library Access
  11. Community Content — Moderation and Prohibited Conduct
  12. Public Content and Third-Party Redistribution
  13. International Data Transfers
  14. Data Retention
  15. Security
  16. Data Breach Notification
  17. Your Rights
  18. Children's Privacy
  18a. No User Account System
  18b. Service Availability
  19. Advertising and Analytics
  20. Limitation of Liability
  21. Governing Law and Dispute Resolution
  22. Changes to This Policy
  23. Contact and Complaints

1. Definitions

In this Privacy Policy, the following terms have the meanings set out below:

2. Scope and Application

This Privacy Policy applies to all Users of the Application, regardless of location. Where applicable law confers additional rights on Users in specific jurisdictions — including, without limitation, the European Economic Area, the United Kingdom, California, and Australia — those rights are described in Section 17.

This Policy does not apply to third-party websites, services, or applications that may be linked to or referenced within the Application. We encourage you to review the privacy policies of any third-party services you access.

This Policy should be read together with our Terms of Service, which sets out the terms governing your use of the Application, including limitations of liability and disclaimers regarding ingredient data accuracy.

3. Information We Collect and How We Collect It

3.1 Information Stored Locally on Your Device

The following data is created by you within the Application and stored exclusively in your device's local storage (Apple UserDefaults). It is not transmitted to any server operated by or on behalf of the developer:

This data may be included in standard iOS device backups (iCloud Backup or local backups via Finder/iTunes) in accordance with Apple's standard backup behaviour, which is governed entirely by Apple's Privacy Policy and is outside the developer's control.

3.2 Data Transmitted to Third-Party Services for Product Lookup

The primary categories of data that may leave your device when you scan a product are product-identifying information only — specifically, the product barcode, product name, or brand name — transmitted to one or more third-party ingredient databases for the purpose of retrieving ingredient information. No allergy profile data, health preference data, or scan history is transmitted as part of this lookup process. See Section 9 for details of each third-party service.

When you use Photo scan mode, an image of the product packaging captured by your device camera is transmitted to Google Cloud Vision API for optical character recognition. You should be aware that if the captured image incidentally contains personal information — such as a face, background setting, or visible personal items — that image data will be transmitted to and processed by Google. We recommend capturing only the product packaging itself.

3.3 Community Posts (Voluntarily Submitted)

If you choose to publish a post to the Community feed, the following information is stored in Apple's CloudKit public database and may be visible to other users of the Application:

Community posts do not include your Apple ID, legal name, or email address, except to the extent that you voluntarily include such information in the post text. CloudKit infrastructure maintained by Apple may associate metadata — such as record creation timestamps or internal identifiers — with submitted posts; this metadata is governed by Apple's Privacy Policy. Submission of a community post is entirely voluntary.

Once a community post is published to CloudKit's public database, it may be viewed, copied, or screenshotted by other users. We cannot guarantee the removal of copies that have already been made by third parties prior to a deletion request.

3.4 Missing Product Reports

Where a scanned product cannot be found in any available database, the Application may automatically transmit a report to the developer via Formspree. This report contains: the product name, brand, barcode, product category, and the date and time of the scan. This report does not intentionally contain Personal Data. However, if a product name entered by a user contains Personal Data, that information may be included in the report. We do not use such information for any purpose other than improving database coverage.

3.5 Information We Do Not Intentionally Collect

As of the effective date of this Policy, the Application does not intentionally collect:

This list reflects the Application's current functionality. If future versions of the Application collect additional categories of data, this Policy will be updated prior to or concurrent with the release of such version.

4. Health-Related and Sensitive Data

The Application enables you to record allergy information, skin concerns, pregnancy status, and lifestyle health preferences. Under the GDPR and certain other applicable laws, some of this information — particularly allergy data and pregnancy status — may constitute health-related data or Sensitive Data as defined by applicable law.

This information is stored exclusively on your local device and is not transmitted to the developer or to any third party, except to the extent that you voluntarily include it in a community post. The developer does not have access to your allergy profile or health preferences at any time.

Because this information is processed locally by the Application on your own device and is not received by, transmitted to, or remotely accessible by the developer, the developer does not receive or retain a copy of this data. You retain full control over this data and may delete it at any time by clearing your profile within the Application or by deleting the Application entirely.

Important: The Application is not a medical device, healthcare service, or clinical allergy testing tool. Allergy safety assessments generated by the Application are informational estimates only. They may be incomplete, inaccurate, or outdated. Do not rely on the Application as a substitute for professional medical advice. See Section 5 for the full ingredient accuracy disclaimer.

5. Ingredient Data — Accuracy Disclaimer

The Application retrieves ingredient data from multiple third-party databases and web sources, including crowd-sourced, open-source, and commercially maintained databases. We do not independently verify the accuracy, completeness, or currency of any ingredient information retrieved through the Application.

In particular, you should be aware that:

We do not warrant or guarantee the accuracy, completeness, or fitness for purpose of any ingredient information provided by the Application. Users must independently verify all ingredient information directly from product packaging or the relevant manufacturer before relying on any analysis produced by the Application, particularly where the User has known allergies, medical sensitivities, or is pregnant or breastfeeding.

6. Legal Bases for Processing (GDPR / UK GDPR)

Where the GDPR or UK GDPR applies, we rely on the following legal bases for processing Personal Data:

Processing Activity | Legal Basis
Storing your allergy profile and scan history locally on your device | Legitimate interest — necessary to deliver the core functionality you have requested. This data is processed exclusively on your device; the developer does not receive, store, or remotely access it.
Transmitting product identifiers to third-party databases to retrieve ingredient data | Legitimate interest — necessary to deliver the core functionality of the Application.
Transmitting camera images to Google Cloud Vision API (Photo mode) | Legitimate interest — necessary to deliver the photo-based scan functionality you have actively initiated.
Publishing community posts to CloudKit | Consent — you actively and voluntarily choose to publish each individual post.
Sending missing product reports to the developer | Legitimate interest — improving the Application's database coverage for the benefit of all users. Reports contain no Personal Data in ordinary operation.
Responding to support correspondence | Legitimate interest — handling enquiries you have directed to us.

7. How We Use Your Information

We use the information described in Section 3 solely for the following purposes:

We do not use your information for profiling, targeted advertising, or automated decision-making that produces legal or similarly significant effects on you.

Automated rules-based processing: The ingredient safety assessments, allergen flags, and product scores generated by the Application are produced by automated rules-based algorithms operating on your device. These algorithms apply fixed logic to ingredient data retrieved from third-party databases. They do not involve machine learning that is trained on your personal data, and they do not produce decisions with legal or similarly significant effects. They are informational outputs only. See Section 5 for the full accuracy disclaimer.

8. Disclosure of Your Information

We do not sell, rent, trade, or otherwise transfer your Personal Data to third parties for commercial or marketing purposes.

We may disclose Personal Data in the following limited circumstances:

9. Third-Party Services and Data Processors

As of the effective date of this Policy, the Application integrates with the following third-party services. Each service is an independent data controller or processor with its own privacy policy, which we encourage you to review.

Service | Purpose | Data Transmitted | Privacy Policy
Open Beauty Facts / Open Food Facts / Open Products Facts | Ingredient and product lookup by barcode or product name | Product barcode; product name | openfoodfacts.org/privacy
UPC Item DB | Barcode-to-product name resolution | Product barcode | upcitemdb.com/privacy
Go-UPC | Barcode-to-product name and ingredient resolution | Product barcode | go-upc.com/privacy
INCI API (inciapi.com) | Beauty ingredient data lookup by barcode | Product barcode | inciapi.com/privacy
Google Cloud Vision API (Google LLC) | Optical character recognition for Photo scan mode — extracts text from product packaging images | Image of product packaging captured by device camera. May incidentally contain personal information if the image captures more than the product packaging. | policies.google.com/privacy
INCIDecoder | Ingredient list lookup by product name and brand | Product name; brand name | incidecoder.com/pages/privacy-policy
SkinSafe (Mintel) | Ingredient list lookup by product name and brand | Product name; brand name | skinsafeproducts.com/privacy
Apple CloudKit (Apple Inc.) | Storage and retrieval of voluntarily submitted community posts in a public database | Community post content as described in Section 3.3. Apple may associate infrastructure-level metadata with submitted records. | apple.com/legal/privacy
Formspree | Delivery of missing product reports to the developer by email | Product name; brand; barcode; category; date and time of scan | formspree.io/legal/privacy-policy

As of the effective date of this Policy, the Application does not include any advertising SDKs, third-party analytics SDKs, or third-party crash reporting SDKs. This list reflects the Application's current functionality and will be updated if additional third-party integrations are introduced in future versions.

The retention practices, logging, and abuse-prevention mechanisms of each third-party service listed above are governed exclusively by that service's own privacy policy and terms of service. In particular, Google LLC may retain image data submitted via the Cloud Vision API for purposes including abuse prevention in accordance with Google's own data policies. We have no control over, and no visibility into, third-party data retention practices.

10. Camera and Photo Library Access

The Application requests access to your device camera for the following purposes only:

Camera and photo library access is requested at runtime and will only be activated if you grant permission. You may revoke camera or photo library permission at any time via your device's Settings application, which will disable the relevant features of the Application.

We recommend that when using Photo scan mode, you capture only the product packaging. If your image incidentally captures other individuals, bystanders, or personal details in the background, that image data will be transmitted to Google Cloud Vision for processing as described in Section 9.

11. Community Content — Moderation and Prohibited Conduct

The Community feature allows Users to publish posts, reviews, and reaction alerts that are visible to other Application users. By submitting community content, you agree that such content is subject to the following rules and to our Terms of Service.

11.1 Prohibited Content

You must not submit community content that:

11.2 Moderation and Removal

We reserve the right, at our sole discretion and without prior notice, to remove, edit, or restrict access to any community content that we determine — or that is reported to us as — violating these rules, our Terms of Service, or any applicable law. We are not obligated to monitor community content on an ongoing basis, but we will act on reports of prohibited content in a reasonable timeframe.

To report prohibited community content, contact us at beautybriefapp@gmail.com.

11.3 Accuracy of Community Content

Community posts represent the personal opinions and experiences of individual users. The developer does not verify, endorse, or warrant the accuracy of any user-submitted content. You should not rely on community posts as medical or dermatological advice.

12. Public Content and Third-Party Redistribution

Community posts published to CloudKit's public database are accessible to all users of the Application and may be visible to or indexed by other systems connected to Apple's CloudKit infrastructure. We do not control whether other users screenshot, copy, or redistribute your community posts once they are published.

Deletion requests submitted under Section 14 or Section 17 will remove your content from active public display within the Application. However, we cannot guarantee the removal of copies that were made by third parties prior to deletion, nor can we guarantee that transient residual copies do not persist temporarily in CloudKit infrastructure-level backups or caches maintained by Apple. Such residual copies are outside our control and are subject to Apple's own data management practices.

13. International Data Transfers

The developer is based in Australia. Some of the third-party services listed in Section 9 — including Google LLC (United States) — may process data in jurisdictions outside Australia and outside the country in which you are located. We rely on those services' own internationally recognised transfer mechanisms (such as Standard Contractual Clauses, adequacy decisions, or participation in approved certification frameworks) to ensure an adequate level of protection for Personal Data transferred internationally.

We do not ourselves operate servers that receive Personal Data from users. Consequently, we do not independently conduct international transfers of Personal Data.

14. Data Retention

14.1 Local Device Data

Your allergy profile, scan history, and local preferences are retained on your device for as long as you choose to keep them. Deleting the Application from your device will delete locally stored app data from that device, although copies may remain in device backups controlled by Apple or the user.

14.2 Community Posts (CloudKit)

Community posts are retained in Apple's CloudKit public database indefinitely until you request their removal. To request deletion of one or more community posts, contact us at beautybriefapp@gmail.com with sufficient detail to identify the posts. We will arrange deletion within fourteen (14) calendar days of receiving your request. Residual copies may temporarily persist in Apple's infrastructure-level backups or caches, as described in Section 12, and their removal is subject to Apple's own retention schedules.

14.3 Missing Product Reports

Missing product reports submitted via Formspree are retained by the developer for the purpose of improving database coverage and are not subject to standard deletion timelines. We will delete any such report promptly on written request if you believe it contains your Personal Data.

14.4 Support Correspondence

Emails sent to our support address are retained for a period of twenty-four (24) months from the date of receipt, after which they are permanently deleted, unless a longer retention period is required by law or is necessary for the resolution of an ongoing dispute.

15. Security

We implement the following measures to protect your information:

To the maximum extent permitted by applicable law, we are not responsible for the security practices of third-party services listed in Section 9, each of which is an independent controller or processor of data transmitted to it. No method of electronic transmission or storage is completely secure, and we cannot guarantee absolute security against all forms of unauthorised access, disclosure, or loss.

16. Data Breach Notification

In the event of a data breach that is likely to result in a risk to the rights and freedoms of Users — including, without limitation, a breach of Personal Data held by a third-party service provider used by the Application — we will, to the extent we become aware of such breach:

Because the developer does not hold Personal Data on servers it operates, material breach risk is principally associated with third-party service providers. We will cooperate with affected service providers to provide Users with timely and accurate information where a material breach affects User data.

17. Your Rights

17.1 All Users

Regardless of your location, you may at any time:

17.2 EEA and UK Users (GDPR / UK GDPR)

If you are located in the European Economic Area or the United Kingdom, you have the following rights under the GDPR or UK GDPR, subject to applicable exemptions:

To exercise any of the above rights, contact us at beautybriefapp@gmail.com. We will respond within thirty (30) calendar days. You also have the right to lodge a complaint with the supervisory authority in your Member State of residence.

17.3 California Residents (CCPA / CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act:

To submit a CCPA/CPRA request, contact us at beautybriefapp@gmail.com.

17.4 Australian Users (Privacy Act 1988)

If you are located in Australia, you may access or seek correction of Personal Information we hold about you by contacting us at beautybriefapp@gmail.com. We will respond within thirty (30) days. If you believe we have breached the Australian Privacy Principles, you may first contact us to resolve the matter. If you remain dissatisfied, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

18. Children's Privacy

The Application is not directed at, and is not intended for use by, persons under the age of 13. We do not knowingly collect Personal Data from children under 13. If we become aware that a child under 13 has submitted a community post or otherwise provided Personal Data through the Application, we will take reasonable steps to remove that information promptly.

Users in jurisdictions where the age of digital consent exceeds 13 — for example, 16 years in certain EEA member states — must meet the applicable age threshold before using consent-dependent features of the Application, including the Community post feature.

Minors who are permitted to use the Application under parental supervision must not upload photographs that depict identifiable minors in community posts. Parents and guardians who believe their child has submitted Personal Data through the Application — including photographs — should contact us at beautybriefapp@gmail.com. We will remove such content within fourteen (14) calendar days of a verified request.

18a. No User Account System

The Application does not require users to create a traditional user account. There is no registration process, no username and password, and no account dashboard. Your allergy profile, scan history, and preferences are stored solely on your local device.

If you use the Community feature, you choose a display name and avatar for that post at the time of posting. This display name is not linked to a persistent account and does not constitute an account or identity system managed by the developer. You may use a different display name for each post.

Because there is no account system, there is no account deletion workflow in the traditional sense. To remove your local data, delete the Application. To remove community posts you have submitted, contact us as described in Section 14.2.

18b. Service Availability

We do not warrant that the Application or any of its features will be available at all times, free from errors or interruptions, or that third-party ingredient databases will return results for any particular product. The Application's functionality depends on third-party services that may be subject to outages, rate limits, API changes, or discontinuation without notice. We accept no liability for any loss or inconvenience resulting from the unavailability of the Application or any connected third-party service.

Features of the Application may be modified, suspended, or discontinued at any time and without notice. We are not liable to you or any third party for any such modification, suspension, or discontinuation.

19. Advertising and Analytics

As of the effective date of this Policy, the Application contains no third-party advertising. No advertising SDK, advertising identifier (IDFA or equivalent), or third-party advertising network is used. The developer does not receive revenue from advertising in connection with the Application.

As of the effective date of this Policy, the Application does not include any third-party analytics or crash reporting SDK, including without limitation Firebase Analytics, Google Analytics, Mixpanel, Amplitude, Crashlytics, Sentry, or similar services. The developer does not collect usage statistics, session data, crash reports, or device telemetry through any third-party service.

If future versions of the Application introduce advertising, analytics, or crash reporting integrations, this Policy will be updated prior to or concurrent with such release.

20. Limitation of Liability

To the maximum extent permitted by applicable law, the developer's total liability in connection with this Privacy Policy, the Application, or any breach thereof is limited to the amount you paid (if any) to download or access the Application in the twelve (12) months preceding the relevant claim.

To the maximum extent permitted by applicable law, the developer is not liable for any indirect, incidental, consequential, special, or punitive damages arising from or relating to your use of the Application, including any reliance on ingredient safety information generated by the Application, any allergic reaction, adverse health event, or other harm arising from use of or reliance on the Application.

Nothing in this Section limits liability that cannot be lawfully excluded or restricted under Australian Consumer Law or other mandatory applicable legislation.

21. Governing Law and Dispute Resolution

This Privacy Policy is governed by and construed in accordance with the laws of the State of Victoria, Australia, without regard to its conflict of laws principles. You agree to submit to the exclusive jurisdiction of the courts of Victoria, Australia for the resolution of any dispute arising under or in connection with this Policy, except to the extent that mandatory consumer protection laws in your jurisdiction confer jurisdiction on local courts.

Where you are located in the EEA or UK, nothing in this clause limits your right to bring proceedings before the supervisory authority in your jurisdiction or to benefit from any mandatory consumer protection provisions that apply in your country of residence.

22. Changes to This Policy

We reserve the right to amend this Privacy Policy at any time. Material amendments — meaning changes that affect the categories of Personal Data collected, the purposes for which it is used, or the third parties with whom it is shared — will be communicated by:

Your continued use of the Application following notification of a material amendment constitutes your acknowledgment of the updated Policy. If you do not agree with any amendment, you should cease using the Application and may request deletion of any Personal Data we hold by contacting us at beautybriefapp@gmail.com.

Non-material changes (such as typographical corrections or clarifications that do not alter the substance of the Policy) may be made without notice.

The current version of this Policy is always available at the URL from which you are reading this document.

23. Contact and Complaints

All privacy-related enquiries, access requests, correction requests, deletion requests, and complaints should be directed to:

BeautyBrief — Privacy
Email: beautybriefapp@gmail.com

We will acknowledge receipt of your enquiry within five (5) business days and will endeavour to resolve it within thirty (30) calendar days. Complex requests may require additional time, in which case we will notify you of the extended timeframe.

If you are not satisfied with our response, you may escalate your complaint to the relevant supervisory authority in your jurisdiction, including: