Privacy Policy

First name, last name, email address, and an encrypted (one-way hashed) representation of your password. If you sign in with Apple or Google, we receive your name and email from the provider.

Age (integer) and birth year only — we do not store your full date of birth. Gender (optional), city (optional), skin type, primary skin concerns, whether you use prescription skincare, and whether you use SPF daily.

When you complete a skin scan, we store the following derived data:

• Overall skin score
• Nine individual metric scores
• Perceived skin age estimate and range
• Eye area age estimate and range
• Skin type, concerns and severity
• Strengths
• Image quality and confidence score
• Prompt version (for our internal audit and quality assurance)
• Personalised protocols
• CELA's summary note
• Recommended rescan interval

The skin scores, metric scores and age estimates stored in Section 2.3 are derived from visible characteristics in your facial photograph. This data infers information about your physical condition and skin health. Under UK GDPR, data of this nature may constitute special category data under Article 9 (concerning data about health). We therefore process this data on the basis of your explicit consent given when you first use the skin analysis feature.

Note for the avoidance of doubt: we do not use facial recognition technology to identify you against external databases. The skin scoring process extracts numerical characteristics from your image and discards the image. A non-reversible face descriptor is stored solely to verify that the same person is scanning each time — it cannot be used to identify you in any external system.

When you use the Ingredient Scanner: scanned product name and brand, ingredient list, compatibility analysis, routine conflicts, compatibility score, CELA's recommendation, and scan timestamp. Photographs used for ingredient scanning are processed in real time and not retained.

Product ratings, protocol adherence (self-reported), free-text comments, and outcome data comparing scan scores over time.

Billing and delivery address and order details. Payment card data is handled exclusively by our payment processor (Shopify Payments) and is never stored on CellSync systems.

Screens visited, features used, scan timestamps, and session duration. Used in aggregate to improve the product.

Authentication provider, verification status, verification timestamps, login history, and CAPTCHA score from sign-up (used only for fraud prevention).

All consents granted or withdrawn, with timestamps and the policy version in force at the time. This audit trail is required to demonstrate lawful processing under UK GDPR.

Information about allergies, skin sensitivities, medical conditions and medications you take is treated as 'special category data' under UK GDPR Article 9. It is given extra legal protection because of its sensitivity. This section explains exactly what we collect, why, and the additional safeguards we apply.

Through the Allergy Capture feature in the CellSync mobile application, you can voluntarily provide information about:

• Known allergies — for example: fish allergy, marine ingredient allergy, fragrance sensitivity
• Skin sensitivities — for example: sensitivity to specific actives or ingredient categories
• Relevant medications — for example: photosensitising medications that may affect compatibility with light-based therapy
• Skin conditions you wish CELA to be aware of when making recommendations
• Medical considerations such as pregnancy, where this affects suitability of certain treatments

Each option is presented from a pre-defined, controlled vocabulary. You cannot enter free-text health information through this feature — this is intentional, to keep what we collect proportionate, accurate and meaningful.

The sole purpose of collecting this information is to ensure that the CELA agent and the broader CellSync platform never recommend a product, ingredient or protocol that is contraindicated for you. This is a safety filter, not a profiling exercise.

Because this is special category data, we rely on two cumulative legal bases:

• UK GDPR Article 6(1)(a) — your consent to process your personal data
• UK GDPR Article 9(2)(a) — your explicit consent to process special category data

You provide both forms of consent when you complete the Allergy Capture screen in the CellSync app. The act of saving your selections constitutes explicit consent. You are not required to provide this data; the feature is entirely optional, and the rest of the app remains usable without it.

We retain your allergy and health data for as long as your CellSync account is active, or until you withdraw consent, whichever is earlier. When you withdraw consent or close your account, this data is permanently deleted from our systems within 30 days, including from backups within 90 days.

You may withdraw consent at any time by editing or clearing your entries on the Allergies screen in the CellSync app, or by emailing privacy@cellsync.co.uk.

Withdrawal is immediate. It does not affect the lawfulness of processing carried out before withdrawal. After withdrawal, CELA will no longer have access to your allergy information, and product recommendations will revert to the standard model.

Necessary for performing our contract with you: account creation, order fulfilment, customer support, the skin analysis service.

Improving products, preventing fraud, security monitoring and anonymised analytics. We have carried out balancing assessments and concluded that our interests do not override your rights and freedoms in these contexts.

Maintaining consent records, retaining order and tax records as required by HMRC and Companies House, and responding to lawful information requests from regulators or law enforcement.

Marketing emails and SMS, and any non-essential cookies. Consent may be withdrawn at any time without affecting the lawfulness of prior processing.

Required for processing derived skin and physiological data from skin scans and for processing allergies, skin sensitivities and other health data captured through the Allergy Capture feature.

• Your facial photographs (we do not retain them)
• Your password (we don't have it — only a one-way hash)
• Your allergy or health data — never shared for marketing, advertising or commercial purposes
• Your data with advertisers, data brokers or social media platforms for ad targeting

We may disclose personal data where legally required — for example, in response to a valid court order, a regulatory request from the Information Commissioner's Office (ICO), or in connection with the investigation of fraud or other illegal activity. We will not disclose data voluntarily where we are not legally compelled to do so.

You may ask us to confirm what personal data we hold about you, and to provide a copy in a structured, commonly-used electronic format.

You may ask us to correct inaccurate or incomplete data. Most account and profile fields can be edited yourself within the app.

You may ask us to delete your personal data, subject to limited exceptions for legal retention (e.g. HMRC accounting records). Note: facial photographs are not retained and therefore cannot be subject to a deletion request — they have already been discarded immediately after each scan.

You may ask us to restrict how we use your data while a query is being resolved.

You may ask us to export your data in a machine-readable format, or to transmit it to another controller.

You may object to processing based on legitimate interests or for direct marketing. We will stop the relevant processing unless we have compelling lawful grounds to continue.

CellSync uses AI for skin analysis and product recommendations. These outputs are advisory — they do not produce legal or similarly significant effects on you in the GDPR sense. You can override CELA's recommendations at any time, and human review is available on request via privacy@cellsync.co.uk.

Where processing is based on consent — including marketing, derived skin and physiological data, and allergy and health data — you can withdraw at any time. Withdrawal is straightforward through the Profile section of the app or by emailing privacy@cellsync.co.uk. Withdrawal does not require justification.

If you believe we have mishandled your data, you can complain to the Information Commissioner's Office (ICO):

• Website: ico.org.uk
• Helpline: 0303 123 1113

We would ask you to contact us first so that we have an opportunity to resolve the matter, but you are not required to do so.