Privacy Policy

Last updated: March 2026

1. Controller

Maxim Fröhlich
Mollstr. 27
68165 Mannheim
Germany

Email: [email protected]

A data protection officer is not required under Art. 37 GDPR in conjunction with § 38 BDSG (German Federal Data Protection Act).

Legal Notice: legal.curlify.cc/legal-notice

2. Overview

Curlify is a mobile app for analyzing hair care products and ingredients using the Curly Girl Method. This Privacy Policy informs you about the personal data we collect when using the app, how we process it, and your rights under Art. 13 GDPR.

3. Data We Collect and Why

3.0 App Infrastructure and Server Logs

Each time the app connects to our servers, data is automatically transmitted and temporarily stored in log files for technical reasons. This includes:

IP address of your device
Date and time of the request
Operating system and device type (e.g. iOS 17, Android 14)
Type of request (e.g. API endpoint)
Amount of data transferred
Error codes and status messages

This data is processed exclusively for technical purposes and automatically deleted after a maximum of 7 days, unless required to investigate security incidents.

Legal basis: Art. 6(1)(f) GDPR. Our legitimate interest lies in ensuring the stability, security, and troubleshooting of the infrastructure, particularly protection against DDoS attacks and analysis of technical malfunctions.

3.1 Account Data (Registration & Login)

When you register and log in, we collect:

Data	Source	Purpose
Email address	Google / Apple	Identification, account access
Display name	Google / Apple (optional)	Personalization
Unique User ID (UUID)	Supabase Auth	Database association

Legal basis: Art. 6(1)(b) GDPR (performance of a contract)

3.2 Hair Profile

After registration, you may voluntarily create a hair profile. We store:

Curl pattern (e.g. wavy, curly, coily)
Strand thickness (fine, medium, coarse)
Hair density (low, medium, high)
Porosity (low, normal, high)
Scalp oiliness (dry, normal, oily)
Whether hair is chemically treated/color-treated
Sensitive scalp (yes/no)
Preferred method (e.g. Strict Curly Girl)
Climate zone
Hair goals

Legal basis: Art. 6(1)(b) GDPR (performance of a contract)

Classification note: Hair characteristics such as curl pattern, porosity, and density are cosmetic/aesthetic attributes and not health data within the meaning of Art. 9 GDPR. However, characteristics such as "scalp oiliness", "sensitive scalp", and "chemically treated" could be classified by supervisory authorities as health-related data. As a precaution, we rely subsidiarily on Art. 9(2)(a) GDPR for processing this data. For this purpose, a separate, explicit consent declaration for the hair profile is obtained during onboarding (e.g. checkbox with explicit consent text) that goes beyond mere data entry.

Withdrawal of consent (Art. 7(3) GDPR): You can withdraw your consent to process your hair profile at any time by removing the profile in the app under Settings → Profile → Delete Hair Profile. Withdrawal means that personalized product recommendations can no longer be provided – the core functionality of the app (analysis according to the Curly Girl Method) will effectively become unusable. Your account and other data (saved products, routines) remain unaffected.

3.3 Ingredient Scans (Image Recognition)

When you scan an ingredient list with your camera, the captured image is:

Temporarily transmitted as Base64 data to our backend server
Processed via the OpenRouter API (AI service) for text recognition
Not permanently stored, the image is discarded after processing

For quota management, we also store:

Number of successful scans per month
Number of unsuccessful scans per month

Legal basis: Art. 6(1)(b) GDPR (performance of a contract)

Camera access (TDDDG § 25): The scan function requires access to the device camera. This access only occurs upon active user initiative and is granted by the operating system (iOS / Android) through an explicit permission dialog. Without granted camera permission, the scan function is not available. Access is technically required for contract performance (§ 25(2) No. 2 TDDDG - German Telecommunications Telemedia Data Protection Act).

3.4 User-Added Products

Products you manually add are stored with:

Product name, brand, category
Associated ingredients

Legal basis: Art. 6(1)(b) GDPR

3.5 Saved Products (Wishlist)

We store which products from our database you have bookmarked as favorites.

Legal basis: Art. 6(1)(b) GDPR

3.6 Hair Care Routines

When you create and use routines, we store:

Routine name and description
Routine steps (cleansing, conditioning, styling, etc.) with associated products
Scheduled and completed routine events with date
Rating (1–5), notes

Legal basis: Art. 6(1)(b) GDPR

3.7 Daily Logs

The voluntarily completed daily log stores:

Date
Ratings (frizz, definition, dryness, scalp feel, shine, overall rating) on a scale of 1–5
Free-text notes

Legal basis: Art. 6(1)(b) GDPR

3.8 Product Views

We store internally which products you have viewed (timestamp + product ID) to improve the app and show you relevant content.

Legal basis: Art. 6(1)(f) GDPR. Our legitimate interest lies in improving product recommendations and app performance (e.g. displaying recently viewed products). The data is not used for advertising purposes; no meaningful behavioral profiles are created.

3.9 Premium Status & In-App Purchases

When you subscribe to Premium, your subscription status is synchronized with RevenueCat. We store:

Premium status (yes/no)
Timestamp of last status synchronization

Transaction and payment data are processed exclusively by RevenueCat and the respective app platforms. Apple Inc. (App Store) and Google LLC (Google Play) act as independent controllers within the meaning of Art. 4 No. 7 GDPR when processing in-app purchases – their processing of payment data is subject to their own privacy policies, not this declaration. We do not receive complete payment data from these platforms.

Legal basis: Art. 6(1)(b) GDPR

4. Third-Party Services and Data Transfers

Data Processing Agreements (DPAs) pursuant to Art. 28 GDPR are in place with all service providers mentioned below who act as data processors.

4.0 Server Infrastructure

Curlify's backend server is hosted on OVH Cloud (Datacenter Gravelines / GRA, France). Processing therefore takes place within the EU. OVH is ISO 27001 certified.

Provider: OVH SAS, 2 rue Kellermann, 59100 Roubaix, France
Privacy: ovhcloud.com/en/personal-data-protection

4.1 Supabase (Authentication & Database)

We use Supabase as a backend-as-a-service for authentication and database hosting.

Provider: Supabase Inc., 970 Tasso St. #250, Palo Alto, CA 94301, USA
Privacy: supabase.com/privacy
Third-country transfer: Potentially to the USA; Standard Contractual Clauses (SCCs) pursuant to Art. 46 GDPR, Implementing Decision (EU) 2021/914.

4.2 Google Sign-In

Provider: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
Privacy: policies.google.com/privacy
Third-country transfer: USA; Standard Contractual Clauses (SCCs) pursuant to Implementing Decision (EU) 2021/914 in place.

4.3 Apple Sign-In

Provider: Apple Inc., One Apple Park Way, Cupertino, CA 95014, USA
Privacy: apple.com/legal/privacy
Third-country transfer: USA; Standard Contractual Clauses (SCCs) pursuant to Implementing Decision (EU) 2021/914 in place.

4.4 RevenueCat (In-App Purchases)

Provider: RevenueCat Inc., 633 Tasman Drive, San Jose, CA 95134, USA
Privacy: revenuecat.com/privacy
Data transmitted: Pseudonymized user ID (Supabase UUID), subscription status
Third-country transfer: USA; Standard Contractual Clauses (SCCs) pursuant to Implementing Decision (EU) 2021/914 in place.

4.5 OpenRouter (AI Text Recognition)

When scanning ingredients, the captured image is temporarily forwarded via OpenRouter to an AI model to machine-read the displayed text (ingredient list) and convert it to a structured format. The image is transferred exclusively for this purpose and is not permanently stored by us or by OpenRouter.

Provider: OpenRouter Inc., USA
Privacy: openrouter.ai/privacy
Data processed: Image content (product back with ingredient list); no user photos, no biometric or health-related data
Third-country transfer: USA; Standard Contractual Clauses (SCCs) pursuant to Implementing Decision (EU) 2021/914.
Data Processing Agreement: A Data Processing Agreement (DPA) pursuant to Art. 28 GDPR is in place. OpenRouter is SOC 2 Type II certified (as of July 2025).
Sub-processors: OpenRouter forwards requests to AI model providers (including Google LLC, OpenAI Inc., Anthropic PBC). Curlify does not have a direct DPA with these sub-processors; their involvement is covered by OpenRouter's own data protection obligations. The current sub-processor list is available at openrouter.ai/privacy.

4.6 Cloudflare R2 (Image Storage)

Product images in our database are stored in Cloudflare R2.

Provider: Cloudflare Inc., 101 Townsend St., San Francisco, CA 94107, USA
Privacy: cloudflare.com/privacypolicy
Third-country transfer: USA; Standard Contractual Clauses (SCCs) pursuant to Implementing Decision (EU) 2021/914 in place.
Note: Only product images are stored – no user photos.

5. Retention Periods

Data Category	Retention Period
Log files (IP address, etc.)	Maximum 7 days (unless required for security incidents)
Account data	Until account deletion
Hair profile	Until account deletion
Routines & daily logs	Until account deletion or manual removal
Scan images	Not stored – immediately processed and discarded
Scan quota counters	Reset monthly
Product views	Until account deletion
Premium status	Until account deletion

Note on legal retention obligations: Deletion may be subject to legal retention obligations (e.g. §§ 238, 257 German Commercial Code, § 147 German Fiscal Code). Where such obligations exist, processing of the affected data will be restricted to the legally required retention. This particularly affects invoices and transaction records in connection with Premium subscriptions, which are stored by RevenueCat and the app platforms (Apple, Google) according to their own legal obligations.

6. Your Rights

As a data subject, you have the following rights:

Access (Art. 15 GDPR): You can request information about the data stored about you.
Rectification (Art. 16 GDPR): You can request correction of incorrect data.
Erasure (Art. 17 GDPR): You can request deletion of your data ("right to be forgotten"). Account deletion is available directly in the app under Settings → Delete Account.
Restriction of processing (Art. 18 GDPR)
Data portability (Art. 20 GDPR)
Objection (Art. 21 GDPR): Right to object when processing is based on legitimate interests – see separate notice below.
Withdrawal of consent (Art. 7(3) GDPR): Possible at any time with effect for the future.
Complaint to the competent data protection authority (Art. 77 GDPR). The competent authority is the State Commissioner for Data Protection and Freedom of Information Baden-Württemberg (LfDI BW), Lautenschlagerstraße 20, 70173 Stuttgart – baden-wuerttemberg.datenschutz.de.

To exercise these rights, please contact: [email protected]

⚠️ Special Notice – Right to Object (Art. 21(4) GDPR)

Insofar as we process personal data on the basis of legitimate interests (Art. 6(1)(f) GDPR) – in particular product views (Section 3.8) – you have the right to object to this processing at any time. Following an objection, this data will no longer be processed unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the assertion, exercise or defense of legal claims (Art. 21(1) GDPR).

Send objections to: [email protected]

7. Data Security

We implement technical and organizational measures to protect your data:

Encrypted data transmission via HTTPS/TLS
Access controls and Row-Level Security (RLS) in the database
JWT-based authentication (Supabase Auth)
Regular infrastructure security reviews

7a. Anonymous or Pseudonymous Use (TDDDG § 19(2))

Curlify requires registration with an email address via Google Sign-In or Apple Sign-In for core functions (personalized product analysis, storage of routines and favorites). Anonymous use without an account is not possible.

Processing is pseudonymous (assignment via UUID), but not anonymous, as the link with the email address enables identification. Registration is technically and functionally required in order to:

create personalized recommendations based on your hair profile,
synchronize your data across devices,
persistently store routines, favorites, and daily logs.

Guest use without registration is not currently implemented.

8. Automated Decision-Making and Profiling (Art. 13(2)(f) GDPR)

There is no automated decision-making within the meaning of Art. 22 GDPR that produces legal effects or similarly significantly affects you.

The app analyzes hair care product ingredients based on your hair profile and provides recommendations (e.g. "suitable", "caution", "avoid"). This involves technical profiling within the meaning of Art. 4 No. 4 GDPR (evaluation of personal characteristics to assess products). However, this profiling has no legally significant or similarly important effects within the meaning of Art. 22 GDPR, because:

no legally significant decisions are made,
the recommendations are purely informative in nature, and
you can ignore any recommendation or adjust your profile at any time.

Art. 22 GDPR (automated individual decision) therefore does not apply.

AI-assisted image recognition (Section 3.3, OpenRouter) is used exclusively for text recognition and matching to our ingredient database; personal data is not used for individual profiling.

9. Children

Curlify is not directed at persons under 16 years of age. The GDPR in conjunction with § 8 BDSG (German Federal Data Protection Act) sets the age limit for independent digital consent in Germany at 16 years. We do not knowingly collect data from persons under 16 years of age. If we become aware that a person under 16 years of age has created an account, the corresponding data will be deleted immediately.

10. Changes to This Privacy Policy

We reserve the right to adjust this Privacy Policy as necessary. The current version is always available in the app and on our website. In the event of material changes, we will inform you via the app.

11. Contact

For questions about data protection, please contact:

Maxim Fröhlich
Email: [email protected]