How Stun protects your data
No ads, no data sales. Private uploads power recommendations, with optional on-device and cloud analysis for better results - and you control deletion.
01 What Stun does
Stun helps match you with beauty products using information you provide (like preferences and photos). Some features also use your device camera and Apple ARKit/TrueDepth to analyze your skin/face for cosmetic recommendations. We may use internal AI models and/or third-party AI model providers (such as OpenAI or Google) to evaluate inputs and generate recommendations. If you do not agree with this Privacy Policy, do not use the Services.
02 Information we collect
A. Information you provide
- Account: If you sign in with Apple, we receive an identifier and may receive your name/email (including Apple's private relay option).
- Photos you upload or save: Photos you choose to upload/save for timeline/history, progress tracking, backups (if enabled), and better suggestions. Nothing is stored without your consent.
- Preferences: Skin concerns, goals, and other inputs you choose to provide.
- Support: Info you share when contacting support.
B. Face scanning (TrueDepth/ARKit) & biometric information
When you use face-scan features, Stun may process face geometry and related attributes derived from photos and/or TrueDepth/ARKit sensor data to generate cosmetic outputs (for example, skin attributes and recommendations). Depending on where you live, this may be considered biometric information.
- Not for identification: We do not use this data to identify you, verify your identity, or for law enforcement purposes.
- What we do not collect/store: We do not access Face ID templates stored on your device. We do not store raw TrueDepth/ARKit face-mesh, point-cloud, or depth-map data on our servers.
- What we may store: Photos you choose to upload/save and non-identifying outputs (e.g., skin attributes and recommendations) to provide history and improve results.
C. Automatically collected
- Device and app identifiers for security, account integrity, and functionality.
- Basic diagnostic data (e.g., crash information) to keep the app reliable.
- Network info: infrastructure providers may process IP addresses for security logging and abuse prevention.
D. Not collected today
- No phone number, contacts, or user-generated public content.
- No third-party advertising SDKs; no ads or targeted advertising profiles.
03 How we use information
- Provide and operate the app (sign-in, account management).
- Generate recommendations and personalization.
- Process photos and face-scan inputs on-device and/or in the cloud to produce cosmetic outputs and improve match accuracy.
- Maintain your private history/timeline and backups (where enabled).
- Customer support, security, and fraud prevention.
04 Photo and biometric-related analysis
- On-device analysis: Some processing may occur on your device using Apple frameworks (e.g., ARKit/TrueDepth) to generate cosmetic outputs.
- Cloud analysis (when used): Some features may process photos and/or derived attributes on our servers to provide recommendations and maintain your history/backups.
- Storage: Photos may be stored when you choose to upload/save them (e.g., timeline/history). Derived, non-identifying outputs may be stored to provide your results over time.
- What we don't store: Raw TrueDepth/ARKit face-mesh/point-cloud/depth-map data is not stored on our servers.
- No brand sharing: Your photos are not shared with brands/manufacturers for marketing.
- User control: You can delete photos and your account/data at any time, and you can manage camera permissions in iOS settings.
05 Legal bases for processing (GDPR/UK GDPR)
- Performance of a contract (to provide requested features).
- Consent (e.g., for photo uploads and face-scan/biometric processing where required).
- Legitimate interests (security, fraud prevention, and improving core functionality), balanced against your rights.
- Legal obligations (where applicable, such as responding to lawful requests).
- You can withdraw consent by disabling affected features and/or deleting photos/account.
06 Sharing and disclosure
We do not sell your personal information.
- Service providers: We use vendors to run the Services (e.g., Back4App/Parse for backend hosting and storage) under confidentiality and security obligations.
- AI/ML providers: We may use internal AI models and/or third-party AI service providers (such as OpenAI or Google) to help generate recommendations (for example, turning your inputs into product suggestions). They act as processors under contract and are not permitted to use your data for advertising.
- Payments: Apple (App Store) and RevenueCat may process subscriptions and transactions; we do not store card or payment details.
- Infrastructure and security: Providers may process network data (like IP addresses) for security logging and abuse prevention.
- Legal/safety: We may disclose information to comply with law, protect rights/safety, prevent fraud, or address security issues.
- Business transfers: Info may transfer during mergers, acquisitions, financing, reorganization, bankruptcy, or sale of assets.
07 Affiliate links (future)
No affiliate links today. If added, we will update this policy to explain any data sharing and opt-outs. Your data will not be shared.
08 Data retention
We keep your information for as long as needed to provide the Services and as described below:
- Photos and results: Kept until you delete them or delete your account. Deleted content is removed from active systems.
- Backups: Limited copies may remain in encrypted backups for a short period until overwritten.
- Legal and security: We may retain limited information as required for legal compliance, dispute resolution, and fraud/security.
09 International transfers
REAPPS and our service providers may process data globally (including the U.S.). Where required, we rely on appropriate safeguards for international transfers (such as contractual protections).
10 Security
We use reasonable administrative, technical, and organizational measures. No method is 100% secure.
11 Children's privacy
Not directed to children under 13; we do not knowingly collect their data. If you believe a child has provided personal info, contact support@tinyworlds.app.
12 Your choices and rights
In-app controls: Delete uploaded photos and your account/data.
Permissions: You can manage camera access and related permissions in iOS settings. If you don't want face-scan processing, do not use those features.
GDPR/UK GDPR (EEA/UK/Switzerland): Access, correct, delete, restrict/object, portability, and the right to lodge a complaint with a data protection authority.
California (CCPA/CPRA): Know/access, delete, correct; opt out of "sale" or "sharing" (we do neither, including for cross-context behavioral advertising). Request via support@tinyworlds.app.
13 Contact (data controller)
Stun is operated by REAPPS. For privacy questions or requests, contact support@tinyworlds.app.
14 Changes to this policy
We may update this Privacy Policy from time to time. If changes are material, we will provide notice (for example, in-app). Continued use after the effective date means you accept the updated policy.