Looksmax Studio

Privacy Policy

Last updated: 20 May 2026


This Privacy Policy explains what data Looksmax Studio collects, why we collect it, how we use it, and the rights you have over it. The app is operated by Aylan Apps (“we”, “us”, “our”). By creating an account or using the app you accept this policy.

If anything here is unclear, email support@aylanapps.com.

1. What Looksmax Studio is

Looksmax Studio is an AI-powered self-improvement and aesthetic-coaching app for adult men. You upload photos, an audio sample, or a video clip; our backend sends them to Google Gemini for analysis; we return scores and recommendations for face, body, hair, teeth, voice, style, and posture. It is not a medical device, dating app, or rating service for other people. See the Cosmetic Disclaimer for details.

2. Data we collect

2.1 Account data

  • Email address (mandatory for full accounts; anonymous accounts use a device-derived synthetic ID).
  • Hashed password (or sign-in token from Apple / Google when those options are enabled).
  • Username.

2.2 Onboarding / personalisation

  • Age band, glow-up goals, body goal, optional skin and hair type.
  • Time zone (used for quiet-hours scheduling of notifications).

2.3 Scans

  • Photos you submit (face, body, hair, teeth, style, posture).
  • Audio recordings you submit (voice scan, up to 10 seconds).
  • The structured analysis Gemini returns (overall score, sub-scores, summary, recommendations, capture-quality flags).

2.4 Device + abuse-prevention signals

  • A per-install random identifier (install_id).
  • A hashed device fingerprint (brand / model / OS, hashed locally before upload).
  • Platform-stable identifiers used only for fraud prevention:
    • iOS: DCDevice attestation token (Apple).
    • Android: AppSetId (Google Play Services).
  • IP address of register / login requests, retained for 30 days for abuse investigation.

2.5 Usage analytics

  • Screen views, button taps, scan submissions, subscription events.
  • Crash reports (anonymised stack traces via Firebase Crashlytics).

2.6 Push tokens

Your FCM device token, registered when you allow notifications. We use it only to send the notifications you've enabled.

3. How we use the data

We use the data to:

  • Run the AI analysis you requested (contract basis).
  • Build your 30-day glow-up plan (contract).
  • Send the notifications you enabled (consent).
  • Detect duplicate-account / refund abuse (legitimate interest).
  • Fix crashes and performance issues (legitimate interest).
  • Improve the product via aggregated, de-identified usage trends (legitimate interest).

We never:

  • Sell your data.
  • Share scans with advertisers.
  • Use your photos to train external models.
  • Make your scans public.

4. Third parties we share data with

We share the minimum necessary data with vetted infrastructure providers:

  • Google Cloud / Gemini API — scan media + prompt, for AI analysis.
  • Firebase (Google) — crash + analytics, FCM push tokens.
  • Render — backend hosting.
  • RevenueCat — subscription receipts.
  • Apple / Google App Stores — purchase + restore receipts.

We do not transfer your data to other third parties for their own use.

5. Where data is stored and for how long

  • Servers are hosted in Oregon (USA) via Render and Google Cloud.
  • Media (photos / voice recordings) is encrypted at rest in Firebase Storage.
  • The database is encrypted at rest; passwords are stored as salted hashes.
  • We retain your data while your account is active.
  • Anonymous accounts that are never converted are deleted after 180 days of inactivity.
  • If you delete your account, all personal data is removed within 30 days, except where law requires us to keep records.

6. Children

Looksmax Studio is intended for users 17 and older. We do not knowingly collect data from children under 13. If you believe a child has created an account, email us — we will delete the account and associated data.

7. Your rights

You can, at any time:

  • Access: in-app under Settings → Account → Export, or email support.
  • Correct: Settings → Profile → Edit.
  • Delete: Settings → Account → Delete account.
  • Restrict / object: contact support.
  • Withdraw consent for analytics: Settings → Notifications → Analytics off.
  • Portability: contact support for a JSON export.

EU / UK users may also lodge a complaint with their local data protection authority.

8. Cookies and similar

The mobile app does not use cookies. The companion website (aylan-apps.com) uses only essential cookies.

9. Security

  • All API calls go over HTTPS / TLS 1.2+.
  • JWT access tokens are short-lived (30 minutes); refresh tokens are stored in the device keychain.
  • Apple DCDevice and Google AppSetId gate registration against abuse.
  • Backend has IP-based and device-based rate limiting.

Report security issues to support@aylanapps.com — we acknowledge within 72 hours.

10. Changes to this policy

We update this policy when our practices change. Material changes trigger an in-app notice. Continued use after the change means you accept the updated policy.

11. Contact

Email: support@aylanapps.com

For deletion-only requests: Settings → Account → Delete account, or email with subject “Delete my account”.