Privacy Policy

Your photos are personal. So is what you share with us about your goals and your skin. This Privacy Policy explains, in plain language, what we collect, how we use it, who we share it with, and the choices you have. If anything here is unclear, email hello@tryavori.com and we’ll explain it directly.

This Policy is part of and incorporated into our Terms of Service.

Information you provide directly

• Account information: name, email, date of birth, gender, ethnicity self-identification, and password.
• Photos: the photos you submit for analysis (typically 6 face photos plus skin close-ups).
• Questionnaire responses: your goals, lifestyle, treatment history, comfort levels, and any optional context you provide.
• Payment information: payment-method details are collected and processed by Stripe. We do not store full card numbers on our servers.
• Support communications: messages you send to our support team.

Information collected automatically

• Usage data: pages viewed, features used, approximate session duration, referring pages, UTM parameters.
• Device data: device type, operating system, browser, language, IP address (which we hash for storage).
• Cookies and similar technologies: see the Cookies section below.

We use your information to:

• Generate, deliver, and update your personalized report.
• Operate the Service (login, payment, support, account management).
• Improve the quality, accuracy, and personalization of our analysis methodology.
• Communicate with you about your account, your report, and product updates.
• Prevent fraud, abuse, and security incidents.
• Comply with our legal obligations.

We do not use your photos to train general-purpose models for other companies, and we do not sell your personal information.

Your photos and questionnaire responses are processed by our automated analysis methodology and reviewed by our internal team to produce your report. By submitting them, you consent to this processing for the purpose of delivering and improving the Service. You can withdraw this consent at any time by deleting your account; once an account is deleted, we stop processing your data and proceed with deletion as described in Section 7.

Biometric data and inferred attributes. Our analysis derives biometric measurements (facial landmark coordinates) and inferred attributes (skin tone, hair texture, facial proportions, apparent age range, descriptive ethnicity context) from your photos. These are biometric data and special-category data under the Illinois Biometric Information Privacy Act (BIPA) and Article 9 of the EU General Data Protection Regulation (GDPR), and we collect them only with your explicit, separate consent given on the photo-upload screen (recorded with a timestamp and version string in intakes.biometric_consent_at). You can revoke this consent and have these derivations deleted by deleting your account. We do not sell biometric data, share it with advertisers, or use it for any purpose other than producing and improving the analysis you requested.

Named third-party processors used during analysis.Photos and intake context are sent to Google (Gemini 2.5 Pro vision and reasoning), Anthropic (Claude Sonnet for synthesis), and OpenAI (gpt-image renderers for the visual mockups). All three operate under written data-processing terms and offer no-training postures for API traffic. We do not consent to your data being used for model training.

We share your information only with the following categories of recipients:

• Service providers: hosting and infrastructure (Vercel, Supabase), payment processing (Stripe), email delivery, analytics (Vercel Analytics, Google Analytics 4, Meta), and automated analysis providers (Google Gemini, Anthropic Claude, OpenAI). Each operates under a written data-processing agreement and is permitted to use your data only to provide services to us.
• Legal and safety: when required by law, subpoena, court order, or to protect the rights, property, or safety of Avori, our users, or the public.
• Business transfers: if Avori is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you before your information is transferred and becomes subject to a different privacy policy.

We do not share your photos with advertisers.

We use cookies and similar technologies to keep you logged in, remember preferences, measure how the site is used, and (with your consent) measure marketing performance.

• Strictly necessary: required for login, payments, and core security. Always on.
• Analytics: aggregate usage measurement (Vercel Analytics, Google Analytics 4). Honored according to your consent choice.
• Marketing: Meta Pixel, Google Ads tags, and similar conversion-measurement tools. Honored according to your consent choice and Google Consent Mode v2 signals.

You can adjust analytics and marketing cookie preferences at any time using the consent banner or via your browser settings.

We use commercially reasonable safeguards to protect your information:

• Encryption in transit (TLS) and at rest.
• Access controls scoped to least privilege.
• Photos served via short-lived signed URLs, not public links.
• Rate limiting and abuse detection on sensitive endpoints.
• Routine review of access logs and security configuration.

No system is perfectly secure. If we become aware of a breach that affects your information, we will notify you and the appropriate regulators in accordance with applicable law.

We retain your account and report data while your account is active and for up to two (2) years after your last activity, after which we delete or anonymize it unless a longer retention period is required by law (for example, tax or accounting records).

You can delete your account and all personal information at any time from the Settings page in your dashboard, which immediately purges your photos, questionnaire responses, derived biometric data, and account record. You can also email hello@tryavori.com if you prefer. Some information may be retained in encrypted backups for up to 7 days before being fully purged. We retain no anonymized aggregate that can be re-linked to you.

Depending on where you live, you may have the following rights regarding your personal information:

• Access: request a copy of the information we hold about you.
• Correction: ask us to correct information that is inaccurate.
• Deletion: ask us to delete your information.
• Portability: receive your information in a portable format.
• Objection or restriction: object to or restrict certain processing.
• Withdraw consent: at any time where processing relies on consent.
• Opt-out of sale or sharing: we do not sell or share your personal information for cross-context behavioral advertising outside what you have consented to via the cookie banner.
• Non-discrimination: exercising your rights will not result in discriminatory treatment.

To exercise any of these rights, email hello@tryavori.com. If you are in the EEA, UK, or Switzerland, you have the right to lodge a complaint with your local data-protection authority.

Avori operates from the United States, and our service providers may process information in the United States and other jurisdictions. Where required, we use standard contractual clauses or other lawful transfer mechanisms to protect your information.

The Service is not intended for anyone under 18. We do not knowingly collect information from children under 18. If you believe a child has provided information to us, contact hello@tryavori.com and we will delete it.

We may update this Policy from time to time. The “Last updated” date at the top reflects the most recent revision. Material changes will be communicated by email or via a prominent notice in the Service.

Questions about your privacy or this Policy? Email hello@tryavori.com.