Privacy Policy
Effective date: 20 May 2026
Last updated: 20 May 2026
This Privacy Policy explains how the LooksMax mobile application ("LooksMax", "the app", "we", "us", or "our") collects, uses, shares, and protects your information when you use the app. By using LooksMax you confirm that you have read this Policy. If you do not agree with it, do not use the app.
LooksMax is operated by Madni Aghadi (the "Operator"). You can contact us at any time at support@looksmaxapp.com.
1. Summary in plain English
- You use LooksMax under an anonymous device-bound session — we never ask for your email or phone number. You do choose a first name during onboarding so the app can address you personally; this stays tied to your anonymous session only.
- If you choose to contact us at support@looksmaxapp.com, your email address becomes known to us only for that support thread.
- We send the selfies you capture (front and side) to Google Gemini (an AI model provided by Google), accessed via OpenRouter, so the AI can return a face-rating result. You explicitly consent to this transfer before your first scan.
- The selfies are stored on our encrypted private cloud storage (Cloudflare R2) so you can view your scan history later.
- Your scan results, routine completions, and subscription state are stored on our secure application backend (Convex).
- Local face-landmark detection runs entirely on your device using your phone's built-in face detection. Those landmarks never leave your phone.
- We do not sell your data, share it with advertisers, or use it to train AI models.
- You can delete all of your data at any time from inside the app (Settings → Delete Account) or by emailing support@looksmaxapp.com.
The rest of this document is the formal version.
2. Information we collect
We deliberately collect the minimum data needed to run the service.
2.1 You provide directly
| Data | When |
|---|---|
| First name you enter during onboarding | During onboarding |
| Two selfie images (front, side) | Each time you run a scan |
| Optional gender selection | During onboarding |
| Routine task completions | When you tap a task as complete |
| Custom routine tasks you add | When you add a task |
| Your email address | Only if you choose to email support@looksmaxapp.com |
2.2 We collect automatically
| Data | Purpose |
|---|---|
| Anonymous device identifier (random UUID stored in your device's Keychain) | Identify your session across app launches and reinstalls |
| Locale and language (read from device settings) | Render the app in your language |
| App version, OS version, device model | Diagnose crashes and compatibility issues |
| App-event timestamps (scan started, task completed, scan opened) | Service operation |
| Subscription receipts and entitlement state from Apple | Verify Pro access |
2.3 Data we do not collect
- We do not collect your phone number, government ID, or last name. The first name you enter during onboarding can be anything you choose (a nickname is fine) and is only used to personalise the app's UI.
- We do not collect your contacts, calendar, microphone audio, exact GPS location, or browsing history.
- We do not collect your email address unless you voluntarily contact us at support@looksmaxapp.com.
- We do not embed analytics SDKs that build advertising profiles.
- We do not use facial-recognition templates to identify who you are; the AI returns descriptive scores only.
3. How we use your information
We use your information to:
- Run your face-rating scan and return scores, labels, and a personalised routine.
- Show you your scan history.
- Generate and remember your daily routine and streak.
- Process and verify subscriptions (Pro).
- Diagnose crashes and improve the app.
- Comply with legal obligations.
We do not use your data for:
- Advertising or marketing profiles.
- Selling or sharing with data brokers.
- Training, fine-tuning, or evaluating AI models (ours or anyone else's).
- Identifying you to other LooksMax users.
4. The selfies: how AI processing works
This section satisfies Apple App Review Guideline 5.1.2(i) (third-party AI disclosure).
Face Data Collection and Use
- Data collected: Front and side selfie photos uploaded by the user.
- Sent to: Google Gemini 2.5 Flash Lite (a Google AI model) accessed via the OpenRouter API for facial analysis only. Photos are not used to train AI models per provider API terms.
- Purpose: Generate cosmetic feedback scores across 25+ facial metrics including jawline, symmetry, cheekbones, skin quality, and bone structure.
- Storage: Photos are encrypted and stored on Cloudflare R2 (a private bucket controlled by us).
- Retention: Photos remain stored until you delete your account from Settings → Delete Account, at which point all photos and scan history are permanently removed within 30 days.
- Sharing: We do not sell, share, or transfer face data to any other third parties beyond the AI provider listed above.
4.1 What happens to each selfie
- The image is captured locally on your device.
- On-device face detection computes face landmarks locally using your phone's built-in face detection. These landmarks never leave your device.
- The image, encoded as a base64 data URL, is sent over HTTPS to our backend.
- Our backend forwards the image to Google Gemini via OpenRouter for analysis.
- The model returns a JSON object containing scores and labels.
- Our backend returns the result to your app and persists the image (private) and the result for your scan history.
4.2 Retention
- Selfies and scan history: retained while your account is active. Deleted within 30 days of you tapping Settings → Delete Account (usually immediately).
- Anonymous device IDs and basic event logs: retained up to 12 months after your last app open, then automatically purged.
- Subscription receipts: retained for 7 years as required by tax and financial-reporting laws in some jurisdictions.
4.3 Training and re-use by third parties
- We do not use your selfies to train, fine-tune, or evaluate AI models.
- The published terms for Google Gemini and OpenRouter state that API requests are not used to train models by default. We do not opt in to any training program.
- We will update this policy if our provider changes their terms.
4.4 Revoking AI consent
To stop AI data sharing entirely, delete the app from your device or delete your account from Settings → Delete Account. With the account deleted, no further data is sent to Google Gemini.
5. Third parties we share data with
Listed by company name so you know exactly where your data goes.
| Company | What they receive | Why |
|---|---|---|
| Google (via OpenRouter) | Selfie images + analysis prompt | Run face-rating AI inference via Google Gemini 2.5 Flash Lite |
| OpenRouter, Inc. | Selfie images (proxied to Google) | API gateway for AI provider access |
| Convex (Convex Inc.) | Anonymous user ID, scan results, routine state, subscription state | Application backend and database |
| Cloudflare (Cloudflare, Inc.) | Selfie images + result-card images (encrypted private bucket) | Encrypted private storage of your scan images on Cloudflare R2 |
| RevenueCat (RevenueCat, Inc.) | Anonymous user ID + App Store subscription receipts | Verify Pro entitlement |
| PostHog (PostHog, Inc.) | Anonymous event logs (no images, no PII): screens viewed, paywall events, scan started/completed counts, scores as numbers. Session replays have all images and text fields masked so faces and any typed content never leave your device. | Product analytics + masked session replay |
| Apple Inc. | Standard Apple IAP receipt | Process payment, deliver subscription |
On-device face detection runs locally on your phone using your operating system's built-in vision frameworks. Those frameworks never receive or transmit your data.
We never sell your personal information. We do not share it with advertising networks.
6. International data transfers
If you use LooksMax from outside the United States, your data will be transferred to the United States and other countries for processing as described in Section 5. We rely on Standard Contractual Clauses or the receiving party's published terms for these transfers where required by GDPR / UK GDPR.
7. Your rights
We give all users the same rights regardless of where they live.
You may:
- Access the data we hold about your session.
- Delete all your data via Settings → Delete Account in the app, or by emailing support@looksmaxapp.com.
- Object to processing where lawful.
- Complain to your local data protection authority (EU users: your national DPA; UK users: ICO; California users: California Privacy Protection Agency).
We aim to respond to all requests within 30 days.
7.1 Specific rights for EU / UK users (GDPR, UK GDPR)
- Identity of controller: Madni Aghadi, contactable at support@looksmaxapp.com.
- Lawful basis: Consent (selfie processing) and contract (delivery of the Pro subscription).
- Right to lodge a complaint: with your national supervisory authority.
- Automated decision-making: the AI returns scores. Those scores are informational only and do not produce legal or similarly significant effects on you.
7.2 Specific rights for California users (CCPA / CPRA)
- We do not sell or share your personal information.
- Categories of personal information we collect: photographs and visual content (selfies), identifiers (anonymous device ID), commercial information (subscription state), internet activity (app event logs), and inferences (scan scores).
- Right to know, right to delete, right to correct, right to limit use of sensitive personal information — all exercisable via support@looksmaxapp.com or in-app via Settings → Delete Account.
- We do not knowingly collect personal information from California consumers under 16.
8. Security
- All network traffic between the app and our backend services is encrypted in transit using TLS.
- Selfie images are stored in a private Cloudflare R2 bucket. Requests are gated by your session token; no public URLs are issued.
- Anonymous session tokens are stored in your device's secure storage (iOS Keychain).
- We do not store credit-card numbers or bank details — payments are handled entirely by Apple.
- No system is perfectly secure. If we discover a breach affecting your data, we will notify you and applicable authorities as required by law.
9. Children
LooksMax is not directed to children under 13. We do not knowingly collect data from minors under 13. If you believe a child under 13 has used the app, please contact support@looksmaxapp.com and we will delete any data on file.
10. Not medical or diagnostic
LooksMax provides entertainment-grade face-rating scores. The scores are not medical, dermatological, psychological, or cosmetic advice. They are not suitable for, and must not be used for, hiring, dating, lending, insurance, legal, or any other decision-making about an individual.
11. Changes to this Policy
We may update this Policy as the app evolves or laws change. Material changes (for example, a new AI provider, a new category of data, or a change to retention) will be presented to you as an in-app notice the next time you open the app.
The Effective date at the top of this document indicates the current version.
12. Contact
For any privacy question, data request, or complaint, write to:
— LooksMax / Madni Aghadi
