Privacy Policy
Effective 15 January 2026 · Version 2026-01-15
1. Who we are
Arioon ("we", "us", "our") provides a skin analysis platform via API, embeddable SDK, and dashboard. This policy explains how we collect, use, share, and protect personal information when you visit our website, create an account, or use our services.
This policy is designed to comply with the EU General Data Protection Regulation (GDPR), South Africa's Protection of Personal Information Act (POPIA), and Nigeria's Data Protection Regulation (NDPR).
2. What we collect
2.1 Account information
- Name (first name, last name)
- Email address
- Company / organisation (optional)
- Country
- Phone number (optional)
- Use-case category
- Hashed password (we never store passwords in plain text)
2.2 Usage information
- API request metadata (timestamps, response codes, client IDs)
- Dashboard activity (pages visited, features used)
- Billing records (invoices, payment status)
2.3 Biometric data (face images)
When you or your end users submit a face image for analysis, we process it through our computer-vision and AI pipeline. Face images are special category personal data under GDPR Article 9 and require explicit consent before processing. We obtain that consent via the camera permission prompt and an in-product consent screen before any analysis takes place.
2.4 Cookies and similar technologies
See our Cookie Policy for details on what we set, why, and how to control it.
3. How we use it
- To provide the skin analysis service you requested
- To create and manage your account, authenticate you, and process billing
- To improve our detection methods (only on anonymised, aggregated data; never on individual identifiable images without explicit consent)
- To send you transactional emails (verification, password reset, invoices, analysis results)
- To send you marketing emails — only if you opt in, which you can withdraw at any time
- To detect and prevent fraud, abuse, or security incidents
- To meet legal obligations (tax records, regulatory reporting)
4. Legal bases (GDPR Article 6)
- Contract performance — to deliver the service you signed up for
- Legitimate interest — to operate, secure, and improve the platform
- Consent — for biometric processing and for marketing communications
- Legal obligation — for tax, accounting, and regulatory record-keeping
5. How long we keep it
- Account information: while your account is active, plus 7 years after account closure for accounting and tax records.
- Face images and analysis results: 30 days by default, then permanently deleted unless you have a longitudinal-tracking subscription that requires longer retention (in which case we tell you).
- Usage / billing records: 7 years.
- Marketing preferences: until you withdraw consent.
6. Who we share with
We share personal data with the third-party service providers ("sub-processors") that help us operate the platform. See the Sub-processors list for the current set, what each handles, and where they're located.
We never sell your data. We do not share data with advertisers or data brokers. Government or law-enforcement requests are honoured only when legally compelled, and we attempt to notify you unless prohibited by the request.
7. International transfers
Some sub-processors are located in the United States or European Union. Where personal data of EU, UK, or South African residents is transferred internationally, we rely on Standard Contractual Clauses or equivalent safeguards. Details in the Sub-processors page.
8. Your rights
Subject to local law, you have the right to:
- Access the personal data we hold about you
- Correct inaccurate information
- Delete your data ("right to be forgotten")
- Restrict or object to processing
- Data portability — get your data in a machine-readable format
- Withdraw consent at any time (without affecting prior lawful processing)
- Lodge a complaint with your local data-protection authority
To exercise any of these rights, email privacy@arioon.com. We respond within 30 days (60 days for complex requests, with notification).
9. Security
We use industry-standard technical and organisational measures: TLS for all data in transit, encryption at rest in our database and object storage, principle-of-least-privilege access controls, hashed passwords (bcrypt cost 12), and separate internal authentication boundaries between client-facing and admin systems. Despite this, no system is 100% secure; we encourage strong, unique passwords and prompt reporting of suspected incidents.
10. Children
Arioon is not intended for children under 16 (under 13 in jurisdictions where lower minimum ages apply for digital services). We do not knowingly collect data from children. If you believe we have, please contact us so we can delete it.
11. Changes to this policy
We may update this policy from time to time. Material changes will be notified by email (to account holders) and via a banner on the dashboard. The effective date at the top of this page reflects the current version.
12. Contact
Data Protection Officer: privacy@arioon.com
General inquiries: hello@arioon.com