Privacy Policy · Last updated May 17, 2026

How Folicle handles sensitive hair and scalp data.

Folicle is a hair-growth tracking app operated by Lungu Andrei Leonard, str. Randunelelor 63B, ap. 2, Romania. We process scalp photos, account data, treatment logs, AI analysis, and subscription data to provide the app. Privacy contact: [email protected].

Third parties

Processors and subprocessors

We use third-party services to run authentication, storage, AI features, subscriptions, analytics, builds, and payments. OpenAI is not used in production; Folicle currently uses Google Gemini for AI analysis and coaching.

Supabase (Supabase Inc.)
  • Role: Auth, Postgres database, Storage for photos, Edge Functions
  • Data shared: Email, hashed password, user ID, profile, photos, logs, treatments, scores
  • Location: United States / AWS infrastructure

Google Gemini API (Google LLC)
  • Role: Photo progress analysis and AI Coach
  • Data shared: Scalp photos, coach conversations, basic context such as Norwood stage, active treatments, recent scores
  • Location: United States / global

Google Sign-In
  • Role: Optional social login
  • Data shared: Email, name, Google account ID
  • Location: Google infrastructure

Apple Sign-In
  • Role: Optional iOS social login
  • Data shared: Email or private relay email, name when provided
  • Location: Apple infrastructure

RevenueCat (RevenueCat Inc.)
  • Role: Subscription management, restore purchases, webhook entitlements
  • Data shared: Supabase user ID, email, subscription identifiers, entitlement status, purchase events
  • Location: United States

Apple App Store / Google Play Billing
  • Role: Subscription payment processing
  • Data shared: Purchase identifiers, receipts, store transaction data
  • Location: Apple / Google infrastructure

PostHog (PostHog Inc.)
  • Role: Product analytics and app events
  • Data shared: Supabase user ID, email, in-app events, device properties
  • Location: European Union, hosted at eu.i.posthog.com

Expo / EAS (Expo / 650 Industries)
  • Role: Build pipeline and over-the-air updates through Expo Updates
  • Data shared: Device identifiers, app version, update channel, runtime version
  • Location: United States

Supabase Inc. is a United States processor. Where GDPR applies, Folicle relies on data processing terms and Standard Contractual Clauses for international transfers under GDPR Article 28 and Chapter V.

Data collected

What Folicle collects

Account data

  • Email address, hashed password, Supabase UUID, and authentication provider.
  • Optional Google Sign-In or Apple Sign-In identity data.
  • Profile fields such as display name, hair type, treatment start date, Norwood scale, and plan tier.

User content

  • Scalp photos and thumbnails stored in Supabase Storage under account-scoped paths.
  • Photo sessions, timestamps, notes, lighting score, and photo metadata such as pose or angle.
  • Treatments, doses, frequency, side effects, hair-wash notes, daily notes, goals, and milestones.
  • AI Coach threads and messages, bug reports, progress report summaries, daily metrics, and AI usage counters.

Device and local data

  • The camera is used for guided capture; preview frames are not uploaded, only the photos you save or choose.
  • Photo library access is used only for files you select.
  • Motion sensors can help reproduce photo angle.
  • Local notifications are used for reminders.
  • AsyncStorage may cache app state and photos; SecureStore stores authentication tokens in Keychain or Keystore.

Legal basis

How we use data and the GDPR basis

Purposes and legal bases

  • Operating the app, account login, sync, photo history, treatment tracking, reminders, and subscriptions: performance of a contract under GDPR Art. 6(1)(b).
  • Processing sensitive hair, scalp, treatment, and health-related progress data: explicit consent under GDPR Art. 9(2)(a), alongside the app service basis under Art. 6(1)(b). You can withdraw consent at any time by deleting your account, requesting deletion, or contacting us.
  • AI photo analysis, progress reports, and AI Coach: explicit consent for health-related data under GDPR Art. 9(2)(a), and performance of the app service under Art. 6(1)(b).
  • Product analytics and app improvement through PostHog events: legitimate interests under GDPR Art. 6(1)(f). Session Replay is disabled, and you can object to this processing.
  • Support, bug reports, security, abuse prevention, and service reliability: legitimate interests under GDPR Art. 6(1)(f).
  • Payment records, tax, consumer-law, and legal compliance where applicable: legal obligation under GDPR Art. 6(1)(c).
  • Marketing or optional communications, where used: consent under GDPR Art. 6(1)(a), withdrawable at any time.

AI and automation

Automated processing

AI-generated progress reports, Hair Score context, and AI Coach replies may be produced automatically from photos, notes, treatment context, and profile information you provide. They are informational only and do not produce legal or similarly significant effects on you under GDPR Art. 22.

Folicle does not use automated processing to approve credit, insurance, employment, healthcare access, or any legal status. Do not treat AI analysis as a diagnosis, prescription, or medical decision.

App permissions

Mobile permissions

Folicle asks only for permissions needed to capture progress, import chosen photos, reproduce angles, and send reminders.

iOS

  • Camera
  • Photo Library
  • Motion
  • Notifications, if enabled by the user
  • Apple Sign-In, if selected

Android

  • Camera
  • A record-audio permission may be declared by camera libraries, but Folicle does not record audio
  • Read/write external storage where required by OS version
  • Vibrate, receive boot completed, exact alarm, and post notifications for reminders
  • Google Sign-In, if selected

Your rights

Access, export, correction, and deletion

Available requests

  • Access or export your data by contacting [email protected].
  • Receive portable data where GDPR data portability applies.
  • Delete your account and app data from inside Settings when the app is installed.
  • Request deletion online at /delete-account if you already deleted the app.
  • Request correction of inaccurate account or profile data.
  • Withdraw consent for health-related processing or optional communications at any time.
  • Object to or restrict processing where applicable under GDPR or similar privacy laws.
  • Lodge a complaint with a supervisory authority. In Romania, this is the National Supervisory Authority for Personal Data Processing (ANSPDCP) at www.dataprotection.ro.

In-app deletion is available from Settings as “Delete account & data.” If you no longer have the app installed, use the public account deletion request page. The backend deletes account-owned Storage files and user records; deletion of the Supabase Auth user cascades through account-scoped database records where configured. PostHog is reset client-side on deletion; contact us if you also want identifiable analytics records removed from PostHog systems.

Retention

How long data is kept

Retention rules

  • Active account data is kept while the account exists.
  • Verified deletion requests are processed within 30 days. Once deletion is completed, account data, app database records, and Storage photos are deleted from active systems.
  • Supabase database backups and point-in-time recovery logs may retain deleted records for approximately 7 days, depending on the project backup configuration.
  • Bug reports are retained for up to 24 months for support, security, and product reliability, unless a shorter period is required by law or we no longer need them.
  • Deletion request records may be retained for up to 24 months so we can prove the request was handled.
  • RevenueCat, Apple, and Google may retain purchase records under their own legal and financial retention obligations.

Security

How Folicle protects data

No app can guarantee perfect security, but Folicle is designed around account-private access and server-side AI calls.

Access controls

  • Supabase Postgres uses Row-Level Security so users can access only account-scoped data.
  • Passwords are handled by Supabase Auth and are never stored by Folicle in plain text.
  • Authentication tokens are stored through Keychain or Keystore via expo-secure-store.

Transport and AI

  • Traffic uses HTTPS/TLS.
  • Gemini API keys stay on the server or Edge Function side and are not shipped in the mobile client.
  • Photo analysis requests are sent only for app features that need AI analysis.

Age limits

Children and minors

Folicle is intended for adults. We do not knowingly collect personal data from children. If you believe a minor created an account or submitted personal data, contact [email protected] and we will review and delete it where required.

Because Folicle deals with hair loss, scalp photos, treatments, and sensitive wellness information, users should be at least 18 years old, or old enough to consent to digital health and privacy processing in their jurisdiction.

Updates

Changes to this policy

We may update this Privacy Policy as Folicle, our vendors, or legal requirements change. We will notify users of material changes in the app or by email where appropriate.