
GDPR Compliance

Last Updated: December 6, 2024

LooksMaxxing is committed to complying with the General Data Protection Regulation (GDPR) and protecting the privacy rights of our users in the European Economic Area (EEA), United Kingdom, and Switzerland.

1. Overview of GDPR Compliance

The General Data Protection Regulation (GDPR) is a comprehensive data protection law that gives EU residents greater control over their personal data. LooksMaxxing fully complies with GDPR requirements.

🛡️ Our GDPR Commitment
  • Transparent data processing practices
  • Lawful basis for all data collection
  • User rights protection and enforcement
  • Data security and breach notification
  • Data Protection Impact Assessments (DPIAs)
  • Appointment of Data Protection Officer (DPO)

2. Lawful Basis for Processing

Under GDPR Article 6, we process your personal data based on the following lawful grounds:

2.1 Consent (Article 6(1)(a))

  • Processing facial images for AI analysis
  • Sending marketing communications (where applicable)
  • Using cookies and tracking technologies
  • Sharing data with third-party analytics services

You can withdraw consent at any time through app settings or by contacting us.

2.2 Contract Performance (Article 6(1)(b))

  • Creating and managing your account
  • Providing facial analysis services
  • Delivering personalized recommendations
  • Managing subscriptions and payments

2.3 Legitimate Interests (Article 6(1)(f))

  • Improving our AI algorithms and services
  • Fraud prevention and security
  • App performance monitoring and optimization
  • Customer support and issue resolution

2.4 Legal Obligation (Article 6(1)(c))

  • Complying with tax and accounting requirements
  • Responding to legal requests from authorities
  • Meeting regulatory obligations

3. Your GDPR Rights

As a data subject under GDPR, you have the following rights:

Right to Access (Article 15)

Request a copy of all personal data we hold about you, including:

  • What data we process
  • Why we process it
  • Who we share it with
  • How long we keep it

Right to Rectification (Article 16)

Request correction of inaccurate or incomplete personal data.

Right to Erasure (Article 17)

Request deletion of your personal data ("right to be forgotten") when:

  • Data is no longer necessary
  • You withdraw consent
  • Data was unlawfully processed
  • Legal obligation requires deletion

Right to Restriction (Article 18)

Request limitation of processing in certain circumstances.

Right to Data Portability (Article 20)

Receive your data in a structured, machine-readable format and transmit it to another service.

Right to Object (Article 21)

Object to processing based on legitimate interests or for direct marketing purposes.

Right to Withdraw Consent

Withdraw consent at any time where processing is based on consent.

Right to Lodge a Complaint

File a complaint with your local Data Protection Authority if you believe your rights have been violated.

4. How to Exercise Your Rights

4.1 In-App Controls

  • Go to Settings > Privacy & Data
  • Access Download My Data for data portability
  • Use Delete My Account for erasure
  • Manage Consent Settings for marketing and analytics

4.2 Contact Our DPO

For any data protection inquiries or to exercise your rights:

Data Protection Officer: dpo@looksmaxxing.app
GDPR Requests: gdpr@looksmaxxing.app
Response Time: Within 30 days (extendable to 60 days for complex requests)

4.3 Verification Process

To protect your privacy, we will verify your identity before processing requests:

  • Confirm your registered email address
  • May require additional verification for sensitive requests
  • Third-party requests require proof of authorization

5. Data Processing Activities

5.1 Categories of Data Processed

Data Category   | Examples                     | Purpose               | Legal Basis
Identity Data   | Name, email, profile picture | Account management    | Contract
Biometric Data  | Facial images, landmarks     | AI analysis           | Consent
Technical Data  | IP address, device info      | Security, performance | Legitimate interest
Usage Data      | Scan history, preferences    | Service provision     | Contract
Marketing Data  | Communication preferences    | Marketing (opt-in)    | Consent

5.2 Special Category Data

⚠️ Important: Facial images are considered biometric data under GDPR Article 9 (special category data). We process this sensitive data only with your explicit consent and implement enhanced security measures.

6. International Data Transfers

6.1 Data Transfer Mechanisms

Your data may be transferred outside the EEA. We ensure adequate protection through:

  • Standard Contractual Clauses (SCCs): EU Commission-approved contracts with data processors
  • Adequacy Decisions: Transfers to countries with adequate data protection (e.g., UK, Switzerland)
  • Binding Corporate Rules: For intra-group transfers
  • Your Consent: Where applicable, with clear information about transfer risks

6.2 Third-Country Transfers

  • Cloud storage providers (with SCCs)
  • Analytics services (with appropriate safeguards)
  • AI processing infrastructure (encrypted and protected)

7. Data Retention

7.1 Retention Periods

Data Type          | Retention Period                            | Reason
Account data       | While account is active                     | Service provision
Facial images      | Until deletion requested or account closed  | Progress tracking
Scan history       | Until deletion requested or account closed  | Historical analysis
Payment records    | 7 years after last transaction              | Legal/tax obligations
Marketing consents | Until consent withdrawn + 30 days           | Compliance record
Anonymized data    | Indefinitely                                | Research & development

7.2 Deletion Process

  • Account deletion: 30 days (recovery period)
  • Permanent deletion: 60 days from request
  • Backup deletion: 90 days (including backups)
  • Legal hold exceptions: As required by law

8. Data Security Measures

8.1 Technical Safeguards

  • AES-256 encryption for data at rest
  • TLS 1.3 encryption for data in transit
  • Multi-factor authentication (MFA) options
  • Regular security audits and penetration testing
  • Automated backup and disaster recovery
  • Access controls and role-based permissions

8.2 Organizational Safeguards

  • Employee training on data protection
  • Confidentiality agreements with staff and contractors
  • Data Protection Impact Assessments (DPIAs)
  • Regular compliance audits
  • Incident response procedures

8.3 Data Breach Notification

In the event of a personal data breach:

  • Supervisory Authority: Notified within 72 hours
  • Affected Users: Notified without undue delay if high risk
  • Notification Includes: Nature of breach, likely consequences, measures taken
  • Documentation: All breaches documented for regulatory review

9. Children's Data

  • We do not knowingly process data of children under 16 (GDPR age threshold)
  • Parental consent required for users aged 13-15 (where service is available)
  • Age verification mechanisms in place
  • Immediate deletion upon discovery of underage user

10. Automated Decision-Making

10.1 AI-Powered Analysis

LooksMaxxing uses automated processing (AI algorithms) to analyze facial features. Under GDPR Article 22:

  • You have the right not to be subject to solely automated decision-making that produces legal or similarly significant effects
  • Our AI analysis is for informational purposes and does not make legally binding decisions
  • You can request human review of AI-generated results
  • You can contest and obtain explanation of automated decisions

10.2 Profiling

  • We use profiling to provide personalized recommendations
  • Profiling is based on your explicit consent and facial data
  • You can opt out of personalized recommendations while still using core features

11. Cookies and Tracking

11.1 Cookie Policy

We use minimal cookies in compliance with the ePrivacy Directive:

  • Strictly Necessary: Essential for app functionality (no consent required)
  • Analytics Cookies: Understand usage patterns (consent required)
  • Preference Cookies: Remember your settings (consent required)

11.2 Managing Cookies

  • Cookie consent banner on first visit
  • Granular consent options available
  • Consent withdrawal anytime in settings
  • No tracking before consent given

12. Supervisory Authority

You have the right to lodge a complaint with your local Data Protection Authority if you believe we have violated GDPR:

EU Data Protection Authorities

Find your local DPA: European Data Protection Board

We encourage you to contact us first so we can address your concerns directly.

13. Updates to GDPR Compliance

  • We regularly review and update our GDPR compliance measures
  • Material changes will be communicated via email and in-app notifications
  • Continued use after notification constitutes acceptance
  • Significant changes may require renewed consent

14. Contact Information

Data Protection Officer (DPO): dpo@looksmaxxing.app
GDPR Compliance Team: gdpr@looksmaxxing.app
Privacy Inquiries: privacy@looksmaxxing.app
Contact Form: Submit GDPR Request

✓ GDPR Compliant Since Day One

LooksMaxxing was built with privacy by design and default, ensuring full GDPR compliance from our launch. Your data rights are our priority.
