Privacy Policy

Straight answers in Q&A form. No legalese where we can avoid it.

Effective: June 2026 · Last updated: June 2026

TL;DR

HairOn is anonymous — there is no email sign-up. We assign your device a random ID and accept the selfie you upload so our AI providers can apply a hairstyle, color, beard, makeup, glasses, age or skin edit. That selfie contains your face, so we treat it as face data: we do not run facial recognition, we do not create any biometric template or faceprint, and we automatically delete the uploaded photo from our servers within 24 hours. We do not train AI models on your photos. You can delete everything from inside the app at any time.

Who is responsible for this app?

Who runs HairOn?

HairOn is operated by Muratcan Yusufoğlu, an independent developer. For privacy questions, write to myapps.feature@gmail.com.

Who is the data controller under GDPR?

Muratcan Yusufoğlu is the data controller. The app processes data anonymously by device, but where regional law (GDPR, UK-GDPR, CCPA) applies, the contact above acts as the controller and the point of contact for data-subject requests.

What we collect

What data do you collect about me?

HairOn collects only what it needs to make the app work. There is no email, name, or phone number. We collect:

  • An anonymous device ID — a random string generated on first launch and stored on your device. We use it to remember your subscription status and generation history across sessions.
  • Photos you upload (face data) — the selfies you choose to upload for AI hairstyle/color/beard/makeup/glasses/age/skin try-on. These photos contain your face. See the dedicated Face data section below for exactly what we do and do not do with them.
  • Generated results — the AI-edited images we produce in response to your requests.
  • Subscription state — whether you are a free or paid user, plan type, and renewal date. Managed by RevenueCat.
  • Push notification token — only if you grant notification permission. Used to tell you when a long-running generation finishes.
  • Usage data — how many generations you ran today (so we can enforce the free limit), feature taps, error events.
  • Technical diagnostics — app version, OS version, device model, locale, time zone, crash logs.

Do you collect my real name or email?

No. There is no login. The only personal identifier we hold is the random device ID, which cannot be traced back to you unless you contact us and tell us it is yours.

Do you collect my location?

No precise location. We may infer a rough country from your IP address (handled at the network level by our hosting provider) for fraud detection and to comply with regional billing rules. We do not request location permissions.

What we do with it

Why do you collect this information?

Each piece of data has a specific purpose:

Data | Purpose | Legal basis (GDPR)
Device ID | Identify your device anonymously across launches | Legitimate interest
Photos | Run the AI hairstyle / color / makeup transform you request | Contract (delivering the service)
Generated results | Show them in your gallery and let you save or share them | Contract
Subscription state | Enforce free limits and unlock premium features | Contract
Push token | Notify you when a generation finishes (optional) | Consent (you grant permission)
Usage / diagnostics | Fix bugs, prevent abuse, measure performance | Legitimate interest

Are my photos used to train AI models?

No. Your photos are sent only to the AI provider needed to fulfil the specific transformation you requested — fal.ai for hairstyle, age, makeup, beard, glasses and skin-retouch edits, and LightX for hair color. Per these providers' published policies, your images are processed for that single request and are not added to any training dataset.

Do you look at my photos?

We do not browse user photos. If you contact support about a failed generation and explicitly share an example, we may look at that specific image to debug. Otherwise photos sit encrypted in storage and are accessible only to automated pipelines.

Face data

Does HairOn collect face data?

Yes. The selfie you upload contains an image of your face, so we treat it as face data and want to be precise about it:

  • What we collect: the single photo you choose to upload, from your camera or your photo library. It contains your face.
  • What we do NOT do: HairOn does not perform facial recognition, does not create or store a faceprint, face template, face geometry, or any other biometric identifier, and does not use your face to identify, verify, or authenticate you. Any "face shape" suggestion shown in the app is a cosmetic estimate only — it is not a biometric measurement, it is not stored, and it is never matched against any database. The photo is used only as the input image for the AI styling you request.

What do you use my face data for?

Only to perform the single transformation you ask for — applying a hairstyle, hair color, beard, makeup, glasses, age change, or skin retouch to your photo. Once the AI returns the edited image, the uploaded photo has served its purpose. We do not use it for advertising, profiling, training AI models, or any purpose other than producing the result you requested.

How long do you keep my face data, and why?

No more than 24 hours. The selfie you upload is stored on our backend (Supabase) only long enough to run your request, and is automatically deleted within 24 hours of upload. We keep it for this short window for one reason: so the AI generation can complete and so you can re-run or refine a style within the same session without re-uploading. We do not retain face data indefinitely and we have no business reason to keep it beyond this. You can also delete it immediately via Profile → Delete Account.

Do you share my face data with third parties, and why?

Yes — to generate your result, your photo is sent to the AI image-processing provider for the feature you use. We share it for one reason only: these providers run the AI models that produce your edited image. There is no way to deliver the feature without sending them the photo.

  • fal.ai — hairstyle, age, makeup, beard, glasses, and skin-retouch transformations.
  • LightX — hair color transformations.

We do not share face data with advertisers, data brokers, analytics SDKs, or anyone else, and we never sell it.

Do those third parties also store my face data?

Yes — each provider temporarily stores your image while it runs your request. We disclose their practices below based on their published policies:

  • fal.ai
    • Why they store it: to receive your upload, run the AI model, return the edited result, and allow short-term retries and debugging of failed requests.
    • How long: per its data-retention documentation, request media is available for a limited period (at least 7 days, after which it may be deleted) and request metadata for around 30 days, then deleted.
    • Why that length: this is fal.ai's standard operational window for delivering generated media and keeping a short request history for reliability and debugging. The image is not kept beyond this and is not used to train models, to build a biometric template, or to identify you. See fal.ai's privacy policy.
  • LightX (operated by Andor Communications)
    • Why they store it: to run the requested hair-color edit and return the result. LightX states uploaded images are used solely to generate the AI image you ask for.
    • How long: per its privacy policy, the original and output images are deleted within 30 days unless you request otherwise.
    • Why that length: this 30-day window is LightX's standard operational retention for delivering and supporting your request. LightX states it does not use your photos or Face Data for marketing, does not share them with third parties, does not use them to train models, does not build a biometric template, and does not use them to identify you. See LightX's privacy policy.

Both providers act as data processors that handle your image solely to return the edit you asked for. Our own copy of the uploaded selfie is deleted within 24 hours as described above.

How long we keep your data

How long do you keep my photos and results?

The selfie you upload is automatically deleted from our servers within 24 hours. We only hold it long enough to run your request (and let you re-run or refine a style in the same session). Generated result images are hosted by our AI provider and are available for a limited time only — if you want a result permanently, save it to your device's photo library from inside the app. You can also wipe everything immediately via Profile → Delete Account.

How long do you keep the rest of my data?

  • Device ID, subscription, usage counters: kept while your install is active. If the app is uninstalled and inactive for 180 days, the device record is purged.
  • Diagnostics / crash logs: 90 days, then deleted.
  • Subscription billing records: kept as long as required by tax/accounting law (typically 5–10 years depending on jurisdiction). These are held by RevenueCat and Apple/Google, not directly by us.

Sharing your data

Do you sell my data?

No. We do not sell or rent personal data to anyone, and we do not allow advertisers to read your photos or results.

Who do you share my data with?

Only the third-party providers we need to run the app. Each receives the minimum data required to do its job:

Provider | What they receive | Why
Supabase (US/EU) | All app data: photos, device ID, results, subscription state | Backend database and storage
fal.ai | The single selfie (face data) + the style parameters for the requested edit | AI hairstyle, age, makeup, beard, glasses & skin-retouch generation
LightX | The single selfie (face data) + the requested color | AI hair color generation
RevenueCat | Device ID, purchase events, subscription status | Subscription management
Expo (push notifications) | Push token + notification payload | Deliver push notifications to your device
Apple / Google | Subscription transaction data | Payment processing inside in-app purchases

These providers act as data processors under our instructions. They cannot use your data for their own purposes.

Do you use advertising or analytics SDKs?

Currently HairOn uses only first-party analytics (events we log into our own Supabase database). We do not currently use TikTok, Meta (Facebook/Instagram), Google Ads, or AppLovin SDKs.

Planned: We are likely to add TikTok and Meta attribution SDKs in a future version so that the marketing we run on those platforms can measure installs and purchases. When that happens:

  • This policy will be updated and you will be notified inside the app.
  • The SDKs will receive limited identifiers (Apple's IDFA only if you allow App Tracking Transparency, the Android advertising ID, install/purchase events) — never your photos.
  • You will be able to refuse the iOS App Tracking Transparency prompt and continue using the app normally.

Cookies and trackers

Does the app use cookies?

HairOn is a native mobile app, so it does not use browser cookies. We do store small files on your device for app state (such as your device ID in secure storage and cached images), comparable to cookies in function.

Children

Is HairOn for children?

HairOn is intended for users aged 16 and over. We do not knowingly collect data from anyone under 16. If you believe a minor has used HairOn and you are their parent or guardian, contact us at myapps.feature@gmail.com and we will delete their data.

Your rights

What rights do I have over my data?

Depending on where you live, you have some or all of the following rights:

  • Access: request a copy of the data we hold about your device.
  • Deletion: request that we delete everything tied to your device.
  • Correction: request a correction of inaccurate data.
  • Portability: receive a copy in a machine-readable format.
  • Object / restrict: ask us to stop processing for specific purposes.
  • Withdraw consent: turn off push notifications in your system settings at any time.
  • Lodge a complaint: with your local data protection authority (e.g. KVKK in Turkey, the ICO in the UK, your national DPA in the EU).

For California residents (CCPA/CPRA): you have the right to know, delete, correct, and opt out of "sale" of personal information. We do not sell personal information.

How do I delete my data?

From inside the app: go to Profile → Delete Account. This wipes your photos, generated results, subscription record (subject to billing-law retention), and all device data within 24 hours. You can also email myapps.feature@gmail.com with your device ID (visible in Profile → My Stats) and we will action it manually.

International transfers

Where is my data stored?

Our backend (Supabase) is hosted in EU regions. Some of our processors (fal.ai, LightX, RevenueCat, Apple, Google, Expo) operate in the United States and may transfer data outside the EU/EEA, UK, and Turkey. For those transfers we rely on Standard Contractual Clauses or other recognised safeguards under GDPR Article 46.

Security

How is my data protected?

Data in transit is encrypted with TLS. Photos at rest are stored in Supabase Storage with access restricted by row-level security policies tied to your anonymous device ID. Our serverless backend uses service-role credentials that never leave Supabase. We do not store passwords because there is no login.

No system is perfectly secure. If a breach affects your data, we will notify affected users without undue delay as required by GDPR and applicable laws.

Changes

Will this policy change?

Yes, as the app evolves. If we make a material change (such as adding new SDKs or new data categories) we will update the "Last updated" date at the top and surface an in-app notice on next launch. Continued use of HairOn after the change indicates acceptance.

Contact

How do I contact you?

Email: myapps.feature@gmail.com
Operator: Muratcan Yusufoğlu