Privacy Policy
Last updated: May 1, 2026
This Privacy Policy ("Privacy Policy") describes how Gigzy Ltd ("Gigzy", "we", "us" or "our") collects, uses and protects personal data when you access or use the skinPulse mobile application and related services (collectively, the "Services").
Gigzy Ltd is incorporated in Israel.
Privacy contact: support@gigzy.net
By accessing or using the Services, you acknowledge that you have read and understood this Privacy Policy and consent to the processing of your personal data as described herein.
1. Nature of the Services (Non-Medical Disclaimer)
The Services provide cosmetic, beauty and wellness-related insights based on visual analysis and user-provided information.
The Services:
- do not provide medical advice, diagnosis or treatment;
- are not intended to prevent, treat or cure any disease or medical condition;
- do not replace consultation with licensed medical professionals.
All recommendations provided through the Services are informational and cosmetic in nature only, including skincare routines, ingredient insights and general lifestyle or wellness suggestions.
General wellness suggestions (such as hydration, physical activity or daily habits) are not personalized medical recommendations and should be understood as lifestyle guidance only.
The Services describe only the visible cosmetic appearance of your skin and suggest cosmetic care steps. The Services do not diagnose conditions, do not identify diseases, and do not provide treatment recommendations. For any concern about your skin or general wellbeing, you should consult a qualified professional — the Services are not a substitute for such consultation.
2. Information We Process
2.1 Personal Data
"Personal Data" means any information relating to an identified or identifiable individual.
We may process the following categories of Personal Data:
a. Usage Data
Information about how you use the Services, including:
- IP address;
- device type and operating system;
- interaction events and usage patterns.
Usage Data is processed to operate, secure and improve the Services.
b. Facial Images and Face Data
You may choose to capture or upload a photograph of your face or skin solely for the purpose of cosmetic and beauty-related visual analysis. This section describes, in detail, what face data we collect, how it is used, with whom it is shared, where it is stored and how long it is retained.
What face data is collected:
- A standard photograph of your face or skin that you actively capture via your device camera or select from your photo library. The photograph is collected only when you tap "Scan" — it is never captured automatically or in the background.
- We do not extract, derive, generate or store any biometric templates, faceprints, face embeddings, face geometry data, facial landmarks, mathematical representations of unique facial features or any other biometric identifier that could be used to uniquely identify a specific individual.
- We do not use Apple's ARKit Face Tracking, Face ID, TrueDepth APIs or any face-recognition framework that would produce biometric data.
How face data is used:
- Cosmetic analysis. Each photograph you submit is transmitted to our AI processing infrastructure (provided by OpenAI, acting strictly as a data processor on our behalf) to generate non-medical cosmetic and skincare insights describing the visible appearance of your skin (e.g., redness, hydration, texture, pores).
- Storage for progress tracking and quality verification. After the analysis is returned, the photograph is stored on Gigzy's secure servers, linked to your account, so that you can review your scan history inside the app, compare results over time, and so that we can verify the accuracy of the AI output by comparing photographs and analyses against each other.
- Face data is not used for facial recognition, identification or authentication of any individual.
- Face data is not used for advertising, marketing, profiling or any purpose unrelated to the cosmetic analysis you requested and the quality of that analysis.
- Face data is not used to detect, diagnose or screen for any disease, medical condition, mental state or health risk.
- Face data is not used to train, retrain or improve any third-party artificial intelligence or machine learning model. Photographs may be reviewed internally by authorized Gigzy personnel, on a need-to-know basis, solely to verify the quality of the cosmetic insights returned to you.
Sharing with third parties:
- Face data is transmitted to OpenAI's processing infrastructure for analysis. OpenAI acts as a data processor under a data processing agreement, processes the photograph transiently to generate the cosmetic insight, and is contractually prohibited from using the data for any other purpose, including training its models.
- Face data is not sold, rented, licensed or shared with advertisers, data brokers, social networks, insurers or any third party other than the processor described above.
- We may disclose face data only where required by law (for example, in response to a valid legal request) or to protect the rights and safety of our users.
Where face data is stored:
- Photographs and the associated cosmetic analysis are stored on Gigzy's secure cloud infrastructure (operated through enterprise cloud providers based in the European Union and/or the United States).
- Photographs are encrypted in transit (TLS 1.2+) and encrypted at rest using industry-standard symmetric encryption (AES-256).
- Access to stored photographs is restricted to a limited number of authorized Gigzy personnel and is subject to access controls, authentication and audit logging.
Retention period:
- Photographs and the associated cosmetic analysis are retained for as long as your account is active, plus a maximum of 24 months thereafter, so that the Services can continue to provide you with scan history and so that we can verify the quality of the analyses we delivered.
- You can request deletion of all of your photographs and analyses at any time by contacting support@gigzy.net. Upon a verified deletion request, the photographs and the associated analysis records will be deleted from active systems within 30 days; encrypted backups are deleted on a rolling basis according to our standard backup rotation (no longer than 90 days).
- You can also delete an individual scan from within the app at any time, which removes the photograph and analysis from your account and triggers deletion from our active storage.
Summary: Face data is collected only with your explicit action; used to generate the cosmetic insight you requested, to provide your scan history, and to verify the quality of those insights; stored encrypted on Gigzy's secure servers; shared only with our AI processor under a data processing agreement; never used for biometric identification, advertising, profiling or third-party AI / ML model training; and retained no longer than necessary for the purposes above. You can request deletion at any time.
c. Email and Communication Data
If you register or communicate with us, we may process:
- your email address;
- correspondence content and related metadata.
This data is used to:
- operate the Services;
- respond to inquiries;
- send service-related or marketing emails where consent is provided.
d. Subscription and Payment Data
The skinPulse application is offered on a paid subscription basis with a 3-day free trial for new users. Continued access to the Services requires an active subscription.
All payments and subscription transactions are processed exclusively by Apple (App Store) on iOS or Google (Google Play) on Android. Gigzy does not collect, receive or store your full payment card number, CVV, billing address or any direct payment instrument data.
From the platform stores we receive only:
- an anonymized purchase token or receipt;
- the subscription product identifier and renewal status;
- aggregated transaction events necessary to grant or revoke entitlements within the app.
Subscription entitlement management is performed using RevenueCat as a data processor on our behalf. The processing is limited to operating the subscription lifecycle (granting access, restoring purchases, detecting cancellations).
Your subscription auto-renews at the end of each billing period unless cancelled at least 24 hours before the end of the current period. You may manage or cancel your subscription at any time directly in your Apple ID or Google Play account settings.
3. Legal Basis for Processing
We process Personal Data under the following legal bases:
- Performance of a contract — to provide and operate the Services;
- Consent — for email communications and marketing;
- Legitimate interests — to secure, maintain and improve the Services;
- Legal obligations — where processing is required by law.
4. Automated Processing
The Services use automated processing to generate cosmetic and wellness insights.
The Services do not make automated decisions that produce legal or similarly significant effects on users.
5. Third-Party Processing and AI Services
Gigzy uses third-party service providers strictly as data processors. Each processor is contractually bound to use the data only for the purposes described in this Privacy Policy and to apply appropriate technical and organizational security measures.
- OpenAI — performs the AI-based visual analysis of facial photographs to produce cosmetic insights. OpenAI processes the photograph transiently to generate the analysis and is contractually prohibited from using it to train its models or for any purpose other than returning the analysis to us.
- Cloud hosting providers (Amazon Web Services / Google Cloud Platform) — host Gigzy's secure servers where photographs and cosmetic analyses are stored, encrypted at rest. Hosting providers act as infrastructure processors and have no access to the unencrypted content of stored data.
- RevenueCat — manages subscription entitlement state (granting access, restoring purchases, detecting cancellations). Receives anonymized purchase tokens and product identifiers; does not receive face data or full payment instrument data.
- Apple App Store / Google Play — process all subscription payments. Gigzy does not receive your full payment instrument details.
Third-party processors are contractually required to implement appropriate technical and organizational measures to protect Personal Data.
6. International Data Transfers
Personal Data may be processed outside your country of residence.
Israel is recognized by the European Commission as providing an adequate level of data protection.
Where international transfers occur, they are safeguarded through adequacy decisions or other lawful transfer mechanisms.
7. Data Retention
Gigzy applies strict data minimization principles.
- Facial images and face data: stored on Gigzy's secure servers, encrypted at rest, for as long as your account is active and for up to 24 months thereafter, so that the Services can provide your scan history and so that we can verify the quality of the analyses we delivered. Photographs are deleted within 30 days of a verified deletion request (and within 90 days from encrypted backups). See Section 2.1(b) for full details.
- Subscription metadata: retained for the duration of your subscription and for the period required to comply with tax, accounting and audit obligations.
- Usage and technical data: retained only for the period necessary to operate and improve the Services.
- Email and communication data: retained until you unsubscribe or request deletion, unless longer retention is required by law.
8. Your Rights
Subject to applicable law, you may have the right to:
- access your Personal Data and obtain a copy in a portable format;
- request correction of inaccurate Personal Data;
- request deletion of Personal Data;
- restrict or object to processing;
- withdraw consent at any time, without affecting the lawfulness of processing performed before withdrawal;
- opt out of any sale or sharing of Personal Data (we do not sell or share Personal Data — see Section 12.4);
- limit the use and disclosure of Sensitive Personal Information (see Section 12.5);
- lodge a complaint with a supervisory authority.
Requests may be sent to: support@gigzy.net. We will respond within the timeframes required by applicable law (see Section 12.7 for the specific timing applicable to California residents).
California residents have additional rights described in Section 12 (CCPA / CPRA).
9. Marketing Communications
You may receive emails from us if you have provided consent.
You may opt out at any time by:
- using the unsubscribe link included in emails; or
- contacting us at support@gigzy.net.
10. Information Security
We apply a defense-in-depth approach to protect Personal Data, including:
- Encryption of all data in transit using TLS 1.2 or higher;
- Encryption of facial photographs and analyses at rest using industry-standard symmetric encryption (AES-256);
- Strict, role-based access controls — only a limited number of authorized Gigzy personnel may access stored photographs, on a need-to-know basis, and only for the purposes described in Section 2.1(b);
- Authentication, audit logging and periodic access reviews on production systems;
- Hosting on enterprise-grade cloud providers (AWS / GCP) with SOC 2 / ISO 27001 attestations;
- Contractual security obligations imposed on every data processor we engage, including OpenAI and our hosting providers;
- Routine vulnerability monitoring of our backend infrastructure.
While no method of transmission or storage is completely secure, Gigzy commits to applying reasonable, industry-standard technical and organizational measures to protect Personal Data against unauthorized access, disclosure, alteration or loss, and to notifying users and competent authorities of any qualifying personal data breach as required by applicable law.
11. Children and Age Restrictions
The Services are intended for users 16 years of age or older.
We do not knowingly collect Personal Data from individuals under 16.
If we learn that we have collected Personal Data from a person under 16 without verifiable parental consent, we will delete that information promptly. Parents or guardians who believe their child has provided us with Personal Data may contact support@gigzy.net to request deletion.
We do not sell or share the Personal Information of consumers we actually know are less than 16 years of age. For consumers between 13 and 16, sale or sharing would only occur with the consumer's affirmative opt-in; for consumers under 13, only with verifiable parental consent (the "right to opt-in"). In any case, Gigzy does not sell or share Personal Information for cross-context behavioral advertising.
12. Notice for California Residents (CCPA / CPRA)
This Section supplements the rest of this Privacy Policy and applies solely to visitors, users and others who reside in the State of California ("consumers" or "you") in connection with the use of our Services. We adopt this Section to comply with the California Consumer Privacy Act of 2018 ("CCPA") as amended by the California Privacy Rights Act ("CPRA"), and other California privacy laws as in effect from time to time. Any terms defined in the CCPA or the CPRA have the same meaning when used in this Section.
12.1 Categories of Personal Information We Collect
In the preceding 12 months, we have collected the following categories of Personal Information from consumers:
- A. Identifiers — e.g., online identifier, IP address, email address, account name, device identifier. Collected: YES.
- B. Personal information categories under Cal. Civ. Code § 1798.80(e) — e.g., name, email address, account information. Collected: YES. We do not collect Social Security numbers, driver's license numbers, passport numbers, financial-account numbers, payment-card numbers, medical information or health-insurance information.
- C. Protected classification characteristics (age, race, religion, etc.). Collected: NO.
- D. Commercial information — e.g., subscription product purchased, renewal status, scan-usage history within the app. Collected: YES.
- E. Biometric information (faceprints, voiceprints, retina scans, etc., used to extract a template). Collected: NO. We process facial photographs only as raw images for cosmetic analysis, scan history and quality verification; we do not extract biometric templates or identifiers from them.
- F. Internet or other similar network activity — e.g., in-app interaction events, app crashes. Collected: YES.
- G. Geolocation data. Collected: NO. We do not collect precise geolocation.
- H. Sensory data (audio/visual). Collected: YES — limited to the photograph you actively submit for cosmetic analysis (image only). We do not record audio or video.
- I. Professional or employment-related information. Collected: NO.
- J. Non-public education information. Collected: NO.
- K. Inferences drawn from other Personal Information. Collected: NO. We do not build psychological, behavioral or commercial profiles of users.
- L. Sensitive Personal Information under the CPRA. Collected: LIMITED. The facial photograph you submit may, depending on interpretation, qualify as Sensitive Personal Information. We process it only to provide the Services you requested (cosmetic analysis, scan history and quality verification) and never to infer characteristics about you. You may exercise your right to limit our use of Sensitive Personal Information as described in Section 12.5.
12.2 Sources of Personal Information
We obtain Personal Information from the following categories of sources:
- Directly from you — when you sign up, submit a photograph, contact support or otherwise interact with the Services;
- Automatically through your interaction with the Services — usage events, device characteristics, IP address;
- From the Apple App Store and Google Play — anonymized purchase tokens and subscription state.
12.3 Business Purposes for Use of Personal Information
We use or disclose Personal Information for one or more of the following business purposes:
- To provide the Services you requested (generating cosmetic insights, returning analyses, maintaining your scan history);
- To verify the quality and accuracy of the AI-generated cosmetic insights by comparing photographs and analyses internally;
- To create, maintain and secure your account, including detecting fraudulent or abusive activity;
- To respond to your inquiries and support requests;
- To send service-related notices and, where you have opted in, marketing communications;
- To debug, test and improve the Services;
- To comply with legal obligations and respond to lawful government requests;
- To evaluate or conduct a merger, divestiture, restructuring, reorganization or other sale or transfer of some or all of our assets, in which Personal Information is among the assets transferred.
We will not collect additional categories of Personal Information or use the Personal Information collected for materially different, unrelated or incompatible purposes without first providing you notice.
12.4 Sharing of Personal Information / "Sale" Disclosure
In the preceding 12 months, we have disclosed the following categories of Personal Information for a business purpose, only to the data processors listed in Section 5: Identifiers; Cal. Civ. Code § 1798.80(e) information; Commercial information; Internet or similar network activity; Sensory data (the photograph itself).
We do not sell Personal Information. Specifically, in the preceding 12 months we have not sold, rented, released, disclosed, disseminated, made available, transferred or otherwise communicated, orally or in writing or by electronic or other means, any consumer's Personal Information to any third party for monetary or other valuable consideration as defined under Cal. Civ. Code § 1798.140.
We do not "share" Personal Information for cross-context behavioral advertising. We do not target advertising to you based on Personal Information obtained from your activity across other businesses, websites, applications or services.
12.5 Your CCPA / CPRA Rights
Subject to verification, California residents have the following rights:
- Right to Know / Access. You may request that we disclose the categories of Personal Information we have collected, the categories of sources, the business or commercial purposes, the categories of third parties with whom we have shared the information, and the specific pieces of Personal Information we have collected about you. Under the CPRA, you may request information beyond the 12-month period (for Personal Information collected on or after January 1, 2022), unless doing so proves impossible or would involve a disproportionate effort.
- Right to Data Portability. Upon request, we will provide your Personal Information in a readily usable, machine-readable format that allows you to transmit it to another entity without hindrance.
- Right to Correct. You may request that we correct inaccurate Personal Information about you. We will use commercially reasonable efforts to correct your Personal Information and direct our service providers to do the same.
- Right to Delete. You may request that we delete Personal Information we collected from you and retained, subject to the exceptions listed below.
- Right to Opt-Out of Sale and Sharing. Although we do not sell or share Personal Information for cross-context behavioral advertising, you may exercise this right at any time. The link is titled "Do Not Sell or Share My Personal Information" and is available at this address.
- Right to Limit the Use and Disclosure of Sensitive Personal Information. You may direct us to limit our use of your Sensitive Personal Information (including the facial photograph you submit) to the purposes that are necessary to perform the Services or to provide the goods reasonably expected by an average consumer who requests such Services. The link is titled "Limit the Use of My Sensitive Personal Information" and is available at this address.
- Right to Non-Discrimination. See Section 12.8.
We may deny a deletion request to the extent that retention is necessary to: (i) complete the transaction for which we collected the Personal Information or otherwise perform our contract with you; (ii) detect security incidents or protect against malicious, deceptive, fraudulent or illegal activity; (iii) debug to identify and repair errors; (iv) exercise free speech or another legal right; (v) comply with the California Electronic Communications Privacy Act; (vi) engage in public-interest scientific, historical or statistical research that adheres to applicable ethics and privacy laws (where you previously provided informed consent); (vii) enable solely internal uses reasonably aligned with your relationship with us; or (viii) comply with a legal obligation.
12.6 How to Exercise Your Rights
To exercise any of the rights described in Section 12.5, you (or your authorized representative) may submit a verifiable consumer request to us by emailing support@gigzy.net. You may also make a verifiable consumer request on behalf of your minor child.
You may make a verifiable consumer request for access or data portability twice within a 12-month period. The request must:
- provide sufficient information that allows us to reasonably verify that you are the person about whom we collected Personal Information, or that you are an authorized representative; and
- describe your request with sufficient detail that allows us to properly understand, evaluate and respond to it.
We cannot respond to your request or provide you with Personal Information if we cannot verify your identity or authority to make the request and confirm that the Personal Information relates to you. Making a verifiable consumer request does not require you to create an account with us. We will only use Personal Information provided in a verifiable consumer request to verify the requestor's identity or authority to make the request.
12.7 Response Timing and Format
We endeavor to respond to a verifiable consumer request within 45 days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and the extension period in writing. If you have an account with us, we will deliver our written response to the registered email associated with the account; otherwise, we will deliver it by email or mail at your option. Our disclosures will cover the 12-month period preceding the request (or, where requested under the CPRA, an earlier period to the extent feasible).
We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why and provide a cost estimate before completing your request.
12.8 Non-Discrimination
We will not discriminate against you for exercising any of your CCPA or CPRA rights. Unless permitted by the CCPA or CPRA, we will not:
- deny you use of the Services;
- charge you different prices or rates for the Services, including through granting discounts or other benefits, or imposing penalties;
- provide you a different level or quality of the Services;
- suggest that you may receive a different price, rate, level or quality of the Services.
Nothing in this Section prevents Gigzy from offering loyalty, rewards, premium features, discounts or club-card programs consistent with applicable law.
12.9 "Do Not Track" Disclosure
We are required to indicate whether we honor "Do Not Track" settings in your browser concerning targeted advertising. We adhere to the standards set out in this Privacy Policy and do not engage in cross-context behavioral advertising; we therefore do not separately monitor or respond to "Do Not Track" browser signals.
12.10 Authorized Agents
You may use an authorized agent to submit a request on your behalf. We will require the authorized agent to provide signed written permission from you to act on your behalf, and we may also require you to verify your own identity directly with us. We may deny a request from an authorized agent that does not submit proof of authorization.
12.11 California "Shine the Light" Law
California Civil Code Section 1798.83 (the "Shine the Light" law) permits California residents to request information regarding the disclosure of certain categories of personal information to third parties for the third parties' direct marketing purposes. Gigzy does not disclose Personal Information to third parties for their direct marketing purposes.
13. Third-Party Links
The Services may contain links to third-party websites or services. We are not responsible for the privacy practices of such third parties.
14. Governing Law and Jurisdiction
This Privacy Policy is governed by the laws of the State of Israel.
Exclusive jurisdiction is granted to the competent courts of Tel Aviv-Jaffa, Israel.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time.
Material changes will be communicated through the Services or via email.
16. Contact
For privacy-related questions or requests:
Gigzy Ltd
Email: support@gigzy.net
Israel