Privacy Policy
Last updated: 14 April 2026
Who we are
Studio Hair is operated from Poland (EU). For the purposes of GDPR, we are the data controller for personal data you provide when you use the service. Contact us anytime at contact@studiohair.app.
What data we collect
Account data: email address, display name, and (if you sign in with Google) a profile picture. Stored in Firebase Authentication, hosted in EU-region Google Cloud datacenters.
Selfie images: the photo you upload for AI hairstyle generation. Treated as biometric data under GDPR Article 4(14). Processed under explicit consent (Article 9(2)(a)) and deleted within 60 seconds of generation completing.
Generated hairstyle previews: the AI-generated images we create for you. Stored in your account at a per-user path, accessible only to you, and retained for approximately 180 days (6 months) from creation so you can re-download your Report, or until you delete your account (whichever is sooner). Auto-deletion runs on Google Cloud Storage's lifecycle sweeper, which can take up to 24 hours after eligibility to execute — so the actual deletion lands within the 180-181 day window.
Payment data: Stripe processes your card details directly — we never see or store them. We retain the transaction metadata (amount, date, tier) for 5 years to comply with Polish tax law.
Technical data: IP address (briefly, for App Check bot protection), timestamps of significant actions (signup, payment, generation, deletion). No third-party tracking cookies. No advertising cookies.
Who processes your data
We use the following processors. Each operates under a Data Processing Addendum (DPA):
- Google (Firebase / Vertex AI): hosts our backend, database, and the AI models that analyze your selfie. Processing happens in Belgium (europe-west1). Google Cloud DPA.
- Stripe: processes payments. Stripe is GDPR-compliant and acts as both an independent controller and a processor depending on the activity. Stripe DPA.
Your rights
Under GDPR you have the right to:
- Access: request a copy of all personal data we hold about you (Article 15).
- Erasure: request deletion of your account and all associated data (Article 17). Note: financial records may be retained in pseudonymized form (5-year tax obligation).
- Portability: receive your data in machine-readable format (Article 20).
- Withdraw consent: revoke your biometric data processing consent at any time. Future generations will require re-consent (Article 7(3)).
- Object: object to processing on legitimate-interest grounds (Article 21).
- Lodge a complaint: with your supervisory authority — for Polish residents, the UODO.
To exercise any of these rights, email contact@studiohair.app. We respond within 30 days.
Data retention
- Selfie images: deleted within 60 seconds of generation
- Generated hairstyle previews: ≈180 days (6 months) from creation, then auto-deleted (GCS lifecycle sweeper, ±24h)
- Account data: until you delete your account
- Financial records (transactions, invoices): 5 years per Polish tax law, pseudonymized after account deletion via HMAC-SHA256 tombstone (the personal link is severed; aggregate financial records remain)
EU AI Act
Studio Hair uses generative AI to create your hairstyle previews. Under the EU AI Act we are required to disclose this and label AI-generated content. See our AI Transparency page for details on the model used, decision logic, and your rights.
Children's data
Studio Hair is not intended for users under 16. We do not knowingly collect selfies or account information from anyone under 16. If you believe a child has provided us with personal data, email contact@studiohair.app and we will delete the account and all associated data within 7 days.
How quickly we respond
Data subject requests (access, rectification, erasure, restriction, portability, objection) are acknowledged within 72 hours and fully actioned within 30 days, as required by GDPR Article 12(3). Cross-border processor coordination (e.g., Stripe US) may add 5–10 business days to erasure requests.
Changes to this policy
When we make material changes we will notify you by email and require re-consent for any expanded data processing. Minor updates (clarifications, typo fixes) will be announced via the “Last updated” date at the top of this page.