1. INTRODUCTION
This Privacy Policy describes how Beard Grow ("we," "our," or "us") collects, uses, processes, and protects your personal information when you use our mobile application ("App"). Beard Grow is an AI-powered mobile application that provides personalized beard analysis and tailored care plans through advanced machine learning algorithms and computer vision technology.
Age Restriction: The App is intended for users who are 18 years of age or older. By using our App, you confirm that you meet this age requirement.
We are committed to protecting your privacy and ensuring transparency in our data practices. This Privacy Policy complies with applicable privacy laws, including:
- General Data Protection Regulation (GDPR) - for users in the European Economic Area
- California Consumer Privacy Act (CCPA) - for California residents
- Personal Data Protection Act - for users in various jurisdictions
- Information Technology Act, 2000 - for users in India
Your Consent: By using our App, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with this Privacy Policy, please do not use our App.
2. INFORMATION WE COLLECT
2.1 Personal Information
We collect the following types of personal information to provide our services:
- Account Information: Name, email address, and unique user identifier when you create an account through Google Sign-In or Sign in with Apple
- Profile Information: Age, skin sensitivity details, beard care concerns, grooming goals, and current product usage collected through our comprehensive questionnaire
- Authentication Data: Secure authentication tokens and identifiers from third-party sign-in services
- Contact Information: Email address for account management, customer support, and important service communications
2.2 Visual Content and Biometric Data
We collect and process visual content for AI analysis purposes:
- Beard Photos: High-resolution images of your beard from multiple angles (front view, left profile, right profile, under chin) captured through our guided photo capture system
- Camera Data: Photos captured through our in-app camera feature with real-time guidance and quality validation
- Image Metadata: Technical information about captured photos, including timestamp, camera settings, image quality metrics, and device orientation
- Facial Analysis Data: Derived measurements and characteristics extracted from your photos for beard analysis (this constitutes biometric data under certain jurisdictions)
- Progress Images: Historical photos stored locally and in secure cloud storage for progress tracking and comparison analysis
Biometric Data Notice: The facial analysis and beard measurements we derive from your photos may constitute biometric data under applicable laws. We process this data solely for providing our AI analysis services and delete it according to our retention policy.
2.3 Usage and Analytics Data
- App Usage: Detailed interaction data including screens visited, features used, time spent, user journey patterns, and feature adoption metrics
- Device Information: Device type, model, operating system version, app version, unique device identifiers, screen resolution, and hardware capabilities
- Performance Data: App performance metrics, crash reports, error logs, loading times, and system resource usage
- Preferences: Your customized settings, notification preferences, app configuration choices, and accessibility settings
- AI Processing Metrics: Analysis duration, model performance data, and processing success rates (anonymized)
2.4 Location Data
We may collect approximate location data through IP address geolocation for:
- Service optimization and localization of content
- Compliance with local regulations and legal requirements
- Fraud prevention and security monitoring
- Analytics and usage pattern analysis
2.5 Communication Data
- Support Communications: Information you provide when contacting our support team, including support tickets, chat logs, and feedback
- Feedback and Reviews: App store reviews, in-app feedback, ratings, and user-generated content
- Notifications: Delivery status, interaction data, and preferences for push notifications and in-app messages
- Legal Consent Records: Records of your consent to legal documents with timestamps and metadata for compliance purposes
2.6 Payment and Subscription Data
- Subscription Information: Subscription type, status, renewal dates, and product identifiers processed through Superwall and Apple/Google in-app purchases
- Transaction Records: Purchase events, subscription renewals, cancellations, and refund requests stored in Firebase for billing and fraud prevention
- Payment Validation: Purchase receipts validated through App Store/Play Store APIs (we do NOT collect or store your credit card information)
- Paywall Analytics: Paywall presentation events, user interactions, and conversion data for service optimization
Payment Security: We do NOT collect, process, or store your credit card or payment method details. All payment processing is handled securely by Apple (App Store), Google (Play Store), and Superwall's payment infrastructure.
3. HOW WE USE YOUR INFORMATION
3.1 Primary App Functions
- AI Analysis: Process your beard photos and questionnaire responses using Firebase AI and Google's Generative AI models to provide personalized analysis, recommendations, and insights
- Model Training: Use anonymized and aggregated data to train and improve our AI models, ensuring better accuracy and new feature development
- Care Plans: Generate customized beard care recommendations, product suggestions, and grooming routines based on your analysis results
- Reports: Create detailed beard health reports with progress tracking, and allow PDF generation and sharing
- Progress Tracking: Monitor your beard health improvements over time using historical data and comparative analysis
- Snapshot Management: Create and manage major progress snapshots for long-term tracking (every 3 months)
3.2 Account Management and Security
- Create, maintain, and secure your user account using Firebase Authentication
- Authenticate your identity through Google Sign-In or Apple Sign-In
- Provide customer support and respond to inquiries promptly
- Process account deletion requests and data portability requests
- Detect and prevent fraudulent activities and security threats using Firebase App Check
- Track and manage legal consent for compliance purposes
3.3 App Improvement and Development
- Analyze usage patterns using Firebase Analytics to improve our services and user experience
- Develop new features, functionalities, and AI capabilities
- Optimize app performance, loading times, and user interface
- Conduct research and development for innovative beard care solutions
- Monitor app crashes and errors using Firebase Crashlytics for stability improvements
- Conduct A/B testing for feature improvements and user experience optimization
3.4 Communication and Engagement
- Send personalized push notifications using Firebase Messaging for care reminders and progress updates
- Provide customer support through multiple channels
- Send important service announcements and policy updates
- Respond to your questions, feedback, and feature requests
- Send educational content about beard care and grooming tips
- Notify users of legal document changes and consent requirements
3.5 Legal Compliance and Security
- Comply with legal obligations and regulatory requirements
- Protect against fraud, abuse, and security threats
- Enforce our Terms of Service and community guidelines
- Respond to legal requests, court orders, and law enforcement inquiries
- Conduct internal audits and security assessments
- Maintain consent records for GDPR and other privacy law compliance
4. LEGAL BASIS FOR PROCESSING (GDPR)
For users in the European Economic Area (EEA), United Kingdom, and Switzerland, we process your personal data based on the following legal grounds under the GDPR:
- Consent (Article 6(1)(a) GDPR): Processing your photos, biometric data, and questionnaire responses for AI analysis. You can withdraw your consent at any time through the app settings or by contacting us at support@beardgrow.org.
- Contract Performance (Article 6(1)(b) GDPR): Providing our services as outlined in our Terms of Service, including account management and core app functionality
- Legitimate Interests (Article 6(1)(f) GDPR): App improvement, analytics, security monitoring, and fraud prevention. Our legitimate interests are balanced against your privacy rights
- Legal Obligation (Article 6(1)(c) GDPR): Compliance with applicable laws, regulations, and legal processes, including maintaining consent records
Withdrawal of Consent: Where we rely on your consent, you have the right to withdraw it at any time. This will not affect the lawfulness of processing based on consent before its withdrawal.
5. INFORMATION SHARING AND DISCLOSURE
5.1 Third-Party Service Providers
We share information with carefully selected third-party service providers who assist us in operating our App. Each provider is bound by strict data protection agreements:
- Firebase (Google LLC): Authentication data, questionnaire responses, photos, analysis results, and consent records for authentication services, database storage, AI processing, Analytics, Crashlytics, Messaging, App Check, and secure cloud storage. Firebase Privacy Policy
- Google Sign-In: Authentication data for secure sign-in services. Google Privacy Policy
- Apple Sign-In: Authentication data for secure sign-in services on iOS and macOS. Apple Privacy Policy
- Google AI Services: Beard photos and analysis data for AI processing using Google's Generative AI models through Firebase AI. Google AI Terms
- Superwall: User ID, subscription status, and paywall interaction data for in-app purchase management and subscription processing. Superwall Privacy Policy
- Cloud Storage Providers: Encrypted photos and analysis data for secure, redundant storage with enterprise-grade security
5.2 Legal Requirements and Law Enforcement
We may disclose your information if required by law or in the good-faith belief that such action is necessary:
- To respond to legal process, subpoenas, court orders, or legal requests
- To comply with regulatory investigations and government inquiries
- To protect our rights, property, safety, or that of our users
- To prevent fraud, illegal activities, or violations of our Terms of Service
- To respond to emergency situations involving potential harm
5.3 Business Transfers
In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred to the acquiring entity, subject to the same privacy protections outlined in this policy. We will notify you via email and/or prominent notice in the App of any such change in ownership.
5.4 No Sale of Personal Data
Important: We do not sell, rent, lease, or otherwise commercialize your personal information to third parties for monetary consideration. We do not engage in data brokerage activities.
6. DATA SECURITY
We implement comprehensive, industry-standard security measures to protect your information:
6.1 Technical Safeguards
- Encryption: All data is encrypted using AES-256 both in transit (TLS 1.3) and at rest
- Access Controls: Multi-factor authentication, role-based access controls, and principle of least privilege
- Firebase Security: Leveraging Google's enterprise-grade security infrastructure with SOC 2 Type II compliance
- App Check: Using Firebase App Check to verify app authenticity and prevent unauthorized access
- Secure Development: Following OWASP security guidelines and secure coding practices
- Data Minimization: Collecting only necessary information for our services
6.2 Operational Safeguards
- Regular Security Audits: Quarterly security assessments and annual penetration testing by third-party security firms
- Vulnerability Management: Continuous monitoring and rapid response to security vulnerabilities
- Employee Training: Regular security awareness training for all team members
- Incident Response: Comprehensive incident response plan with 24/7 monitoring
- Backup and Recovery: Secure, encrypted backups with tested disaster recovery procedures
- Crashlytics Monitoring: Real-time monitoring of app crashes and security incidents
6.3 Physical Safeguards
- Secure data centers with biometric access controls
- 24/7 physical security monitoring
- Environmental controls and redundant power systems
Security Breach Notification: In the unlikely event of a data breach that may compromise your personal information, we will notify you within 72 hours via email and through the App, as required by applicable laws.
7. DATA RETENTION
We retain your information for the minimum time necessary to provide our services and comply with legal obligations:
- Account Data: Retained while your account is active and for 30 days after account deletion to allow for account recovery
- Photos and Biometric Data: Current photos retained for analysis purposes and automatically deleted within 90 days of analysis completion. Historical snapshot photos retained for up to 3 years for progress tracking
- Analysis Results: Retained for 3 years to provide historical tracking and progress monitoring
- Usage and Analytics Data: Retained for up to 2 years for service improvement and analytics purposes
- Support Communications: Retained for 1 year for quality assurance and training purposes
- Consent Records: Retained for 7 years for legal compliance and audit purposes
- Crash Reports: Retained for 1 year for debugging and app improvement purposes
- Legal and Compliance Data: Retained as required by applicable laws and regulations
Data Deletion: You can request deletion of your data at any time through the app settings or by contacting us at support@beardgrow.org. We will process deletion requests within 30 days, except where retention is required by law.
8. YOUR RIGHTS AND CHOICES
8.1 Access and Control
- Right to Access: View and download your personal data in a structured, machine-readable format
- Right to Rectification: Update or correct inaccurate or incomplete information
- Right to Erasure: Request deletion of your account and associated data ("right to be forgotten")
- Right to Data Portability: Export your data in a commonly used format for transfer to another service
- Right to Object: Object to processing of your data for direct marketing or legitimate interests
- Consent Management: View and manage your consent status for different types of data processing
8.2 Communication Preferences
- Manage notification settings within the app's settings menu
- Opt out of non-essential communications while maintaining account security notifications
- Control reminder frequencies, types, and timing
- Customize educational content preferences
- Manage push notification preferences through Firebase Messaging settings
8.3 GDPR Rights (EEA, UK, Switzerland Users)
- Right to Restrict Processing: Limit processing under certain circumstances
- Right to Withdraw Consent: Withdraw consent at any time without affecting prior processing
- Right to Lodge a Complaint: File a complaint with your local data protection authority
- Right to be Informed: Receive clear information about how your data is processed
8.4 California Privacy Rights (CCPA/CPRA)
California residents have additional rights under the California Consumer Privacy Act:
- Right to Know: Detailed information about personal information collected, used, and shared
- Right to Delete: Request deletion of personal information
- Right to Opt-Out: Opt out of the sale of personal information (we do not sell personal information)
- Right to Non-Discrimination: Equal service and pricing regardless of exercising CCPA rights
- Right to Correct: Request correction of inaccurate personal information
- Right to Limit: Limit the use of sensitive personal information
Exercising Your Rights
To exercise any of these rights, please contact us at:
We will respond to your request within 30 days (or as required by applicable law) and may require identity verification to protect your privacy.
9. CHILDREN'S PRIVACY
Age Restriction: Our App is intended for users who are 18 years of age or older. We do not knowingly collect personal information from individuals under 18 years of age.
If you are a parent or guardian and you are aware that your child has provided us with personal information, please contact us immediately at support@beardgrow.org. If we become aware that we have collected personal information from individuals under 18 without proper consent, we will take immediate steps to remove that information from our servers and terminate the associated account.
10. INTERNATIONAL DATA TRANSFERS
Your information may be transferred to and processed in countries other than your country of residence, including the United States and other countries where our service providers operate.
10.1 Safeguards for International Transfers
When we transfer personal data from the EEA, UK, or Switzerland to other countries, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs): Approved by the European Commission for data transfers
- Adequacy Decisions: Transfers to countries with adequacy decisions from the European Commission
- Certification Schemes: Participation in recognized certification schemes and codes of conduct
- Binding Corporate Rules: For transfers within multinational organizations
- Google's Data Transfer Framework: Leveraging Google's compliance with international data transfer requirements for Firebase services
For users outside the EEA, we apply the same high standards of data protection to ensure your information is handled securely and in accordance with this Privacy Policy.
11. LOCAL STORAGE AND TRACKING
Our mobile App uses local storage and similar technologies to enhance your experience:
11.1 Types of Data Stored Locally
- User Preferences: App settings, theme preferences, and customization choices
- Authentication Status: Secure tokens to maintain your login session
- Cache Data: Temporary storage for improved performance and offline functionality
- Analytics Data: Usage patterns and performance metrics for app improvement
- Image Cache: Temporary storage of processed images for faster loading
- Consent Records: Local storage of consent status for compliance tracking
11.2 Managing Local Storage
You can control local storage through your device settings. However, disabling certain storage may affect app functionality, including:
- Requiring frequent re-authentication
- Loss of personalized settings
- Reduced app performance
- Limited offline functionality
- Loss of progress tracking data
12. THIRD-PARTY LINKS
Our App may contain links to third-party websites, services, or applications. We are not responsible for the privacy practices of these third parties. We encourage you to read the privacy policies of any third-party services you visit or use.
12.1 Third-Party Services We Link To
- App stores (Google Play Store, Apple App Store)
- Social media platforms for sharing
- Customer support platforms
- Educational resources and beard care information
- Legal document hosting (for updated terms and policies)
13. UPDATES TO THIS PRIVACY POLICY
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
13.1 Notification of Changes
We will notify you of any material changes by:
- Posting the new Privacy Policy in the App with a prominent notice
- Sending you a push notification through Firebase Messaging
- Sending you an email notification to your registered email address
- Displaying a prominent notice in the App upon your next login
- Requiring re-acceptance for material changes that affect your rights
Your continued use of the App after any changes constitutes acceptance of the new Privacy Policy. If you do not agree to the updated policy, you should discontinue use of the App.
14. CONTACT INFORMATION
Data Controller
Data Protection Officer
For questions about this Privacy Policy, data protection matters, or to exercise your rights, please contact our Data Protection Officer:
EU Representative
As a small developer without a physical EU presence, we are committed to protecting your data rights under GDPR. While we do not have a formal EU representative, we have implemented robust data protection measures and are available to address any concerns from EU users.
15. DISPUTE RESOLUTION
Any disputes arising from this Privacy Policy will be resolved through the following process:
- Good Faith Negotiation: Initial attempt to resolve disputes through direct communication
- Mediation: If negotiation fails, disputes will be submitted to mediation through a mutually agreed mediator
- Arbitration: If mediation is unsuccessful, disputes will be resolved through binding arbitration under the Arbitration and Conciliation Act, 2015 of India
- Jurisdiction: For non-arbitrable matters, the exclusive jurisdiction shall be the courts of Kannur, Kerala, India
15.1 EU Users - Data Protection Authority
EU users have the right to lodge a complaint with their local data protection authority if they believe their data protection rights have been violated.
16. MISCELLANEOUS
16.1 Entire Agreement
This Privacy Policy, together with our Terms of Service, constitutes the entire agreement between you and us regarding the privacy of your information.
16.2 Severability
If any provision of this Privacy Policy is found to be unenforceable or invalid, the remaining provisions will remain in full force and effect.
16.3 Governing Law
This Privacy Policy is governed by the laws of India and the state of Kerala, without regard to conflict of law principles.
16.4 Language
This Privacy Policy is written in English. In case of any translation, the English version shall prevail.