Privacy Policy

• Trez AI helps you self-monitor hair-pulling habits. It is a wellness tool, not a medical device.
• We collect the information you give us (email, password, hair photos, mood entries, goals, notes) and basic device info.
• We use it to provide AI analysis, track your progress, send reminders, and improve the App.
• We do NOT sell your personal data.
• Your photos are considered sensitive and are only processed with your explicit, informed consent obtained before you take or upload your first scan.
• Third-party AI processors: hair scan photos you submit are transmitted to third-party AI service providers (currently OpenAI and Google, acting as our data processors) so they can return an analysis to you. They are contractually prohibited from using your data to train their models.
• Analytics: we use PostHog to collect anonymous usage data that helps us understand how the App is used and identify areas for improvement. PostHog assigns an anonymous ID to your device; this ID is not linked to your account or personal information.
• You can withdraw consent or delete your account at any time from within the App.

a) Information You Provide Directly

• Account Information: email address, password (stored hashed/encrypted), and any profile information you provide (e.g., date of birth, display name).
• Onboarding Responses: answers to onboarding questions such as age range, habit history, goals, and preferences.
• Hair Scan Photos: photos you capture or upload of your hair for AI analysis.
• Mood, Notes, and Journal Entries: self-reported wellness data, triggers, and reflections.
• Reviews and Feedback: any content you submit through in-app ratings or support channels.
• Consents: your explicit consent to process sensitive personal data and to share photos with third-party AI providers, plus any subsequent withdrawals.

b) Information Collected Automatically

• Device Information: device model, operating system, app version, language, and time zone.
• Usage Data: features used, screens viewed, scan timestamps, streaks, and aggregated interaction patterns.
• Analytics Data (PostHog): we use PostHog to collect anonymized product analytics — such as feature usage, screen flows, and interaction patterns — to help us improve the App. PostHog assigns a random anonymous ID to your device; this ID is not linked to your email, account, or any directly identifying personal information. You can opt out via your device settings or by contacting support.
• Log and Diagnostic Data: crash reports, error logs, and performance metrics.
• Push Notification Tokens: if you enable notifications.

c) Information from Third Parties

• Subscription Data: purchase status, subscription tier, and renewal information from Apple App Store, Google Play, and RevenueCat. We do NOT receive your payment card details.
• Authentication: if you sign in with Apple or a similar provider, we receive limited account identifiers (such as a stable user ID and, where you allow it, your email address).

Hair photos, information about hair-pulling behavior, and related wellness data may be considered "sensitive personal data" or "special category data" under laws such as the GDPR and CCPA/CPRA. We process this data only:

• With your explicit, informed consent, obtained on a dedicated consent screen before you can take or upload your first hair scan.
• For the limited purpose of providing the Service to you.
• Never for advertising, profiling for advertising, or sale to third parties.

You may withdraw your consent at any time from within Settings or by deleting your account. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

This section explains, in compliance with Apple App Review Guidelines 5.1.1(i) and 5.1.2(i), exactly how the App uses third-party AI services.

What data is sent

When you initiate a hair scan, the App transmits the following to a third-party AI service provider:

• The hair photo you captured or selected.
• A non-identifying prompt describing the analysis task (e.g., "estimate hair density and pulling severity").
• Basic technical metadata required for the request (request ID, timestamp).

We do NOT send your name, email address, password, contact list, location, device identifiers, or any other directly identifying personal information to AI providers as part of the scan request.

Who the data is sent to

Hair scan photos are processed by the following third-party AI service providers, acting as our data processors:

• OpenAI, L.L.C. — vision model used to analyze hair scan photos. See: https://openai.com/policies/privacy-policy
• Google LLC (Google AI / Gemini) — vision model used as a fallback or alternative provider. See: https://policies.google.com/privacy

These providers are bound by data processing agreements that:

• Restrict use of your data to providing the analysis back to us.
• Prohibit using your photos or prompts to train their foundation models.
• Require appropriate security and confidentiality safeguards.

When we ask for your permission

Before the App takes or uploads your first photo, you are shown a dedicated AI Data Consent screen that:

1. Describes what data will be sent (your hair photo).
2. Identifies who it will be sent to (OpenAI and Google, as our processors).
3. Explains the purpose (to generate your analysis).
4. Requires you to tap "I agree & continue" to proceed.

You cannot capture or upload a hair scan without first granting this consent. You can review or withdraw your consent at any time from Settings → Privacy → AI Data Consent.

What we do NOT do

• We do not use your identifiable photos to train general-purpose AI models.
• We do not sell your photos or analysis results.
• We do not share your photos with advertisers, data brokers, or analytics providers.

We use your information to:

• Create and manage your account.
• Provide the core Service: AI-powered hair scan analysis, progress tracking, streaks, badges, and personalized insights.
• Generate your "Trez score" and related recommendations.
• Send you relevant reminders, trial notifications, and product updates (you may opt out of non-essential notifications).
• Process subscriptions and free trials through third-party stores.
• Communicate with you about your account, policy updates, and support requests.
• Detect, investigate, and prevent fraud, abuse, or security incidents.
• Improve and debug the Service, including aggregate analytics.
• Comply with legal obligations and enforce our Terms.

If you are in the EEA or UK, we process your personal data under the following lawful bases:

• Consent: for processing of sensitive data (hair photos, wellness data), for sharing photos with third-party AI providers, and for push notifications.
• Contract: to provide the Service you have signed up for.
• Legitimate Interests: to improve and secure the Service, prevent fraud, and communicate with you about your account.
• Legal Obligation: to comply with applicable laws.

We do not sell your personal data. We share information only as described below:

a) Service Providers (Processors). We share information with trusted third parties who help us operate the Service, including:

• Supabase — authentication and database hosting.
• RevenueCat — subscription management.
• Cloud storage providers — for hosting photos and data.
• AI model providers (OpenAI, Google) — for processing hair scan images to return analysis results, as described in Section 4. Providers are contractually prohibited from using your data to train foundation models.
• PostHog — product analytics to understand feature usage, identify bugs, and improve the App. PostHog receives only anonymized interaction data tied to a randomly generated anonymous ID, not your name, email, or account details.
• Analytics and error reporting tools — to understand usage and detect bugs.
• Push notification providers (Apple Push Notification Service, Firebase Cloud Messaging).

b) App Stores. Apple and Google receive purchase and subscription information necessary to process transactions.

c) Legal and Safety. We may disclose information when required by law, court order, or to protect the rights, property, or safety of Trez AI, our users, or others.

d) Business Transfers. In the event of a merger, acquisition, or sale of assets, user information may be transferred, subject to equivalent privacy protections.

e) With Your Consent. We may share data in other ways with your explicit consent.

We confirm that any third party with whom we share personal data provides the same or equivalent level of protection required by this Policy and applicable law.

We retain your personal data for as long as your account is active or as needed to provide the Service. When you delete your account:

• Your identifiable personal data (email, profile, scans, notes, mood entries) is deleted or anonymized within 30 days.
• We may retain limited data longer where required by law (e.g., tax, accounting, fraud prevention) or in backup systems for a limited period.
• Aggregated and de-identified data may be retained indefinitely.

Subscription records are retained by the app stores and RevenueCat according to their retention policies. AI providers retain request data only as long as needed to deliver the response and per their data processing agreements with us.

We implement administrative, technical, and physical safeguards designed to protect your personal data, including:

• Encryption in transit (TLS) and at rest where supported by our providers.
• Authenticated API access with row-level security.
• Access controls and audit logging.
• Regular security reviews.

No method of transmission or storage is 100% secure. We cannot guarantee absolute security.

Your information may be processed in countries other than your country of residence, including the United States and the European Economic Area. Where required, we rely on approved safeguards such as Standard Contractual Clauses to protect your data during international transfers.

The Service is available to users aged 13 and over. Users aged 13–17 require parental consent. If you believe a person under 13 has provided us data, please contact us and we will take steps to delete it.

Depending on your jurisdiction, you may have the following rights:

• Access: request a copy of the personal data we hold about you.
• Rectification: request correction of inaccurate or incomplete data.
• Deletion: request deletion of your personal data (also available in-app via "Delete Account").
• Portability: request a machine-readable copy of your data.
• Restriction/Objection: request limits on processing or object to processing based on legitimate interests.
• Withdraw Consent: withdraw consent for sensitive data processing or AI processing at any time.
• Lodge a Complaint: with your local data protection authority.

Residents of California (CCPA/CPRA), Virginia, Colorado, Connecticut, Utah, and similar jurisdictions have additional rights, including the right to opt out of the "sale" or "sharing" of personal information. We do not sell or share personal information for cross-context behavioral advertising.

To exercise your rights, contact us at support@trezai.app with the subject line "Privacy". We will verify your identity before responding and will reply within the timeframe required by applicable law.

With your permission, we send push notifications related to scans, trials, streaks, and progress. You can disable notifications in your device settings at any time. We do not send third-party marketing messages.

The App requests access to your camera and/or photo library only when you initiate a scan or select a photo. Photos are uploaded to our processing pipeline only for the purpose of generating your analysis and are stored securely in your account.

When you submit a hair scan:

• The image is transmitted over an encrypted (TLS) connection to a third-party AI model provider (OpenAI or Google) acting as our processor.
• The provider returns an analysis (e.g., score, observations) which we store in your account.
• We contractually require providers not to use your data to train foundation models.
• AI outputs are estimates for self-monitoring and are not medical advice.
• You may withdraw your AI consent at any time from Settings, after which the App will not transmit further photos for analysis.

The App may contain links to third-party websites or services. We are not responsible for their privacy practices. We encourage you to read their privacy policies.

The Service uses automated AI analysis to produce scores and insights. These outputs do not have legal or similarly significant effects on you. You may contact us to request human review or to contest an output.

Some browsers send "Do Not Track" signals. Because there is no industry standard for responding, the App does not currently respond to these signals.

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy in the App and, where appropriate, by email or in-app notice. The "Last updated" date at the top indicates when the policy was last revised. Your continued use of the Service after changes become effective constitutes acceptance of the revised policy.

For questions, requests, or concerns about this Privacy Policy, your personal data, or our use of third-party AI services, contact:

• Email (subject: "Privacy"): support@trezai.app
• Website: https://trezai.app