This Privacy Policy describes how MANAGEMENT FINANCE VALUE RESEARCH S.R.L. (also "MFVR" or "Skinnalia") collects, uses and protects the personal data of users of the website www.skinnalia.com and of the Telegram Mini App / Web App "Skinnalia". Processing complies with Regulation (EU) 2016/679 ("GDPR") and Italian Legislative Decree 196/2003 as amended by D.Lgs. 101/2018.
1. Data Controller
MANAGEMENT FINANCE VALUE RESEARCH S.R.L.
Registered office: Via dei Mille 16, 80121 Naples (NA), Italy
VAT / Tax ID: 10651331216; REA NA-1121664
PEC: mfvr@legalmail.it
Privacy contact: corporate@skinnalia.com
2. Categories of data we collect
- Identity and contact data: name, email, phone number, shipping and billing address, language preference.
- Account identifiers: Telegram ID, username, Supabase Auth user ID, session.
- Face photos uploaded for the qualitative consultation and the advanced analysis, and the derived metadata (observations, scores, estimated biological skin age).
- Usage data: pages visited, clicks, chatbot interactions, session duration, IP, user agent, referrer, payment events.
- Payment data: handled entirely by Stripe (PCI DSS Level 1). Skinnalia only receives payment metadata (amount, last 4 digits of the card, card brand, transaction ID); it never receives the full card number.
- Skincare profile declared by the user: skin type, Fitzpatrick phototype, allergies, habits, goals.
- Conversations with the AI consultant in the Telegram bot, with timestamp and context.
3. Purposes and legal bases
- Service delivery (skin analysis, AI advice, subscriptions, product shipping). Legal basis: contract performance (Art. 6(1)(b) GDPR). Without this data the service cannot be provided.
- Tax, accounting and legal compliance (invoicing, AML, VAT records). Legal basis: legal obligation (Art. 6(1)(c)).
- Service notifications (order confirmation, shipping status, payment reminders, password reset). Legal basis: contract performance.
- Direct marketing of similar products to existing customers. Legal basis: legitimate interest (Art. 6(1)(f)), with the right to object at any time.
- Newsletter, promotions and commercial messaging to non-customers. Legal basis: explicit consent (Art. 6(1)(a)), revocable at any time.
- Aggregate analytics, service improvement and fraud prevention. Legal basis: legitimate interest.
4. Face photo handling
Face photos you upload are used only to compute the qualitative consultation (free tier) and the advanced analysis (Pro). They are not biometric data within the meaning of Art. 9 GDPR: we do not identify users from the photo and we do not perform face recognition. The image is analysed by AI models (OpenAI / Anthropic) to describe aesthetic skin properties, and it is stored linked to your account so that consecutive scans can be compared (cycle tracking).
You may request deletion at any time by emailing corporate@skinnalia.com.
5. Recipients and processors
Data may be shared with the following service providers, all bound by a Data Processing Agreement (Art. 28 GDPR):
- Vercel Inc. (USA): application hosting; SCC + DPF
- Supabase Inc. (USA / EU region): database, auth and image storage; SCC + DPF
- Stripe Inc. (Ireland / USA): payments; PCI DSS Level 1 + SCC
- OpenAI / Anthropic: AI models for skin consultation. API data is not used for training (zero retention)
- Resend β transactional email and notifications
- Telegram Messenger Inc. β bot + Mini App distribution
- Google LLC β analytics (GA4 with IP anonymization); Google Sign-In on the web
- Sentry β application error tracking
- Logistics couriers for shipping (physical-treatment buyers)
Some providers are outside the EU: transfers happen under EU Commission-approved Standard Contractual Clauses and, where applicable, the EU-US Data Privacy Framework.
6. Retention
- Account data: throughout the relationship + 12 months after deletion, unless otherwise requested.
- Photos and analyses: until the user requests deletion.
- Billing data: 10 years (Italian Civil Code art. 2220).
- Technical and security logs: max 12 months.
- Cookies: see Cookie Policy.
7. Your rights
At any time you may exercise the following rights (Art. 15-22 GDPR) by emailing corporate@skinnalia.com:
- Access and copy
- Rectification
- Erasure ("right to be forgotten")
- Restriction of processing
- Portability
- Objection to processing
- Withdrawal of consent (without affecting prior lawful processing)
You also have the right to lodge a complaint with the Italian Data Protection Authority (www.garanteprivacy.it).
8. Security
We adopt technical and organisational measures appropriate to the risk: TLS 1.2+ in transit, at-rest encryption on the database, role-based access control, two-factor authentication for staff, access logs, regular backups, DPAs with all providers.
9. Minors
The service is not directed to minors under 16. If you become aware that we are processing a minor's data without parental consent, contact us and we will delete it immediately.
10. Changes
We may update this Policy for legal or functional reasons. The "last updated" date is at the top. Material changes will be notified by email.
