Privacy Policy
Summary: Tan AI collects minimal data to provide personalized tanning guidance. We do not sell your data. We do not require account creation. You can request deletion of your data at any time.
1. Who We Are
Tan AI ("we," "us," or "our") operates the Tan AI mobile application (the "App") available on the Apple App Store and Google Play Store, and the website at usetanai.com (the "Website"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our App and Website.
For privacy-related inquiries, contact us at: help@usetanai.com
2. Information We Collect
2.1 Information You Provide
- Tanning Preferences: Your tanning goals, skin sensitivity, burn frequency, budget, diet preferences, and whether you have moles or tattoos. This information is provided during onboarding and used to personalize your experience.
- Name (optional): You may provide your first name for a personalized experience. This is entirely optional.
- Photos (optional): If you choose to use our skin analysis feature, you may provide a photo via your camera or photo library. Photos are processed for skin type analysis and stored locally on your device.
- Chat Messages: When using the AI assistant, your messages and questions are sent to our servers to generate responses.
- Voice Input (optional): If you use voice input, audio is transcribed on-device using Apple Speech Recognition and the transcribed text is sent to our server. We do not store audio recordings.
- Feedback: Any feedback you voluntarily submit through the App.
2.2 Information Collected Automatically
- Device Information: Device model, operating system version, app version, locale/language, and timezone.
- Anonymous Identifier: A randomly generated anonymous ID used to associate your preferences and usage data. This ID is not linked to any personal identity.
- Location Data: When you grant location permission, we collect your approximate location (latitude/longitude) solely to provide accurate UV index and weather data for your area.
- Usage Data: App usage patterns including screen views, feature interactions, and session information.
- Push Notification Token: If you enable notifications, we receive your device's push notification token to deliver UV alerts and tanning reminders.
2.3 Information We Do Not Collect
- Email addresses (no account system)
- Phone numbers
- Real names (unless voluntarily provided)
- Contacts or address book
- Health or fitness data from HealthKit/Google Fit
- Financial or payment card information (handled entirely by Apple/Google)
- Social media accounts
2.4 Face Data and Skin Photo Analysis
Our skin analysis feature allows you to take or upload a photo of your face to determine your skin type (Fitzpatrick scale), skin undertone, and related visual characteristics. This section explains exactly how face data is handled:
- What we collect: A photo of your face, used solely to extract skin characteristics (skin type, undertone, and sensitivity indicators). We do not collect facial geometry, face mesh data, facial recognition identifiers, or any biometric data used for user identification or authentication.
- How it is processed: The photo is sent from your device to our server (Hetzner, Germany, EU) as a base64-encoded image held in volatile memory. Our server immediately forwards it to the Google Gemini API for visual analysis. The photo is never written to disk or saved to any database on our server.
- Third-party processing: Google Gemini receives the photo solely for the purpose of extracting skin characteristics. Google does not retain API inputs beyond the immediate processing window, does not use the data for model training, and does not subject it to human review (see Google Gemini API Terms).
- Retention period: The photo exists in server memory only for the duration of the API call (typically a few seconds). Once Google Gemini returns the analysis, the photo is immediately and permanently discarded. We do not store, cache, or back up the original photo on our servers or any cloud storage.
- What is stored after analysis: Only the text-based analysis results (e.g., "Fitzpatrick Type III," "warm undertone") are retained. These results are stored locally on your device and are not stored in any server-side database.
- Consent: Before any photo is taken or uploaded, you must grant camera or photo library permission via the standard iOS/Android system prompt. Additionally, you must accept AI data processing consent during onboarding before using this feature.
3. How We Use Your Information
| Purpose | Data Used | Legal Basis (GDPR) |
|---|---|---|
| Generate personalized tanning routines | Preferences, skin type, location, weather | Contract performance |
| Provide UV index and weather data | Location | Contract performance |
| AI chat assistant responses | Chat messages, user context | Contract performance |
| Skin type analysis | Photos (processed, not stored on server) | Explicit consent |
| Send UV and tanning reminders | Push token, location | Consent |
| Improve App performance and features | Usage data, device info | Legitimate interest |
| Manage subscriptions | Anonymous ID, purchase status | Contract performance |
| Measure advertising effectiveness | App events (install, subscription) | Legitimate interest |
4. Third-Party Services
We use the following third-party services to operate the App. Each service receives only the minimum data necessary for its function. For detailed information about how we use AI services specifically, see our AI Data Processing page.
| Service | Purpose | Data Shared | Privacy Policy |
|---|---|---|---|
| Google Firebase | Analytics, crash reporting | Device info, usage events | Link |
| RevenueCat | Subscription management | Anonymous ID, purchase status | Link |
| PostHog | Session replay (text inputs masked) | Screen recordings, device info | Link |
| TikTok Business SDK | Ad attribution (install tracking) | App events, device identifiers | Link |
| Apple WeatherKit | UV index and weather data | Location coordinates | Link |
| Google Gemini AI | AI chat responses, skin analysis | Chat context, photos (for analysis) | Link |
5. Data Storage and Security
5.1 Where Your Data Is Stored
- On your device: Your preferences, chat history, tanning routines, and skin photos are primarily stored locally on your device.
- On our servers: Chat messages (for generating AI responses), UV notification subscriptions, and anonymized analytics are stored on our servers hosted in the European Union (Hetzner, Germany).
- Third-party servers: Analytics data is processed by Firebase (Google Cloud), RevenueCat, PostHog, and TikTok as described above.
5.2 Security Measures
We implement appropriate technical and organizational measures to protect your data, including:
- Encrypted data transmission (HTTPS/TLS) for all communications
- HMAC request authentication between the App and our servers
- Server access restricted behind VPN (Tailscale)
- Regular security audits and software updates
- Minimal data collection principle — we only collect what is necessary
5.3 Data Retention
- On-device data: Retained until you delete the App or clear its data.
- Server-side chat data: Retained for up to 12 months, then automatically deleted.
- Analytics data: Retained for up to 24 months in aggregated form.
- Photos submitted for analysis: Processed in real-time and not persistently stored on our servers.
6. Your Rights
6.1 Rights Under GDPR (European Economic Area)
If you are in the EEA, you have the following rights under the General Data Protection Regulation:
- Right of Access: Request a copy of the personal data we hold about you.
- Right to Rectification: Request correction of inaccurate personal data.
- Right to Erasure ("Right to Be Forgotten"): Request deletion of your personal data.
- Right to Restrict Processing: Request that we limit how we use your data.
- Right to Data Portability: Receive your data in a structured, machine-readable format.
- Right to Object: Object to processing based on legitimate interest, including direct marketing.
- Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent.
- Right to Lodge a Complaint: File a complaint with your local data protection authority.
6.2 Rights Under CCPA (California)
If you are a California resident, you have the right to:
- Know what personal information is collected, used, and shared.
- Request deletion of your personal information.
- Opt out of the "sale" of personal information. We do not sell personal information.
- Non-discrimination for exercising your privacy rights.
6.3 Rights Under UK GDPR
If you are a UK resident, you have equivalent rights to those outlined in the GDPR section above. Our legal basis for processing remains the same.
6.4 How to Exercise Your Rights
To exercise any of these rights, contact us at help@usetanai.com. We will respond within 30 days (or the timeframe required by applicable law). To verify your identity, we may ask for your anonymous device ID (found in the App's settings).
6.5 Data Deletion
You can delete your data at any time:
- On-device data: Delete the App to remove all locally stored data.
- Server-side data: Email us at help@usetanai.com with your anonymous device ID, and we will delete all associated server-side data within 30 days.
7. Children's Privacy
Tan AI is not directed at children under 13 (or 16 in the EEA). We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us at help@usetanai.com and we will promptly delete it.
8. International Data Transfers
Your data may be transferred to and processed in countries outside your country of residence, including Germany (our server location) and the United States (where some third-party services operate). When transferring data outside the EEA, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions where applicable
- Your explicit consent for specific transfers
9. Cookies and Tracking (Website)
Our website at usetanai.com uses Umami Analytics, a privacy-focused, cookie-free analytics tool. Umami:
- Does not use cookies
- Does not collect personal data
- Does not track users across websites
- Collects only anonymous pageview and session data
- Is self-hosted on our own servers in the EU
We do not use any other tracking cookies, advertising cookies, or third-party tracking scripts on our website.
10. Do Not Track
We honor Do Not Track (DNT) browser signals. When DNT is enabled, our website analytics tool (Umami) automatically respects this preference.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting the updated policy on this page with a new "Last updated" date
- Displaying a notice within the App for significant changes
Your continued use of the App after changes are posted constitutes acceptance of the updated policy.
12. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Email: help@usetanai.com
- Website: usetanai.com