Privacy Policy

Privacy-first AI reports

Last updated: May 11, 2026

1. Controller

The controller responsible for My Beauty Report is modeleven IT GmbH, Kurt-Tichy-Gasse 12/2/15, 1100 Wien, Austria. Privacy requests can be sent to privacy@modeleven.com. No data protection officer has been appointed unless we state otherwise here.

2. What data we process

We process the data needed to create previews and deliver reports: uploaded or webcam-captured image, selected report language and variation, free preview email, generated preview and report content, checkout email, Stripe payment identifiers, report identifiers, consent and withdrawal-waiver records, technical request data, and support messages if you contact us.

We do not use the uploaded image for biometric identification and we do not try to identify you. The image is processed to generate a style-oriented facial aesthetics report.

3. Purposes and legal bases

We process your data to create the free preview, create the purchased report, process payment, provide download and email-based retrieval, prevent abuse, maintain security, answer support requests, and comply with legal obligations. The legal bases are contract performance, legitimate interests in operating and securing the service, legal obligations for tax/accounting records, and, where required for image analysis or special-category inferences, your explicit consent.

4. AI processing

Uploaded images and related prompt context may be sent to OpenAI API services to generate the free preview and paid report. The output is AI-assisted and may contain subjective or inaccurate observations. The service does not make decisions with legal or similarly significant effects about you.

5. Payments

Payments are handled by Stripe. Stripe processes payment, fraud prevention, checkout, and transaction data according to its own terms and privacy documentation. We store only the payment and checkout identifiers needed to confirm payment, retrieve reports, handle support, and meet accounting obligations.

6. Hosting and storage

The application is intended to be hosted in the European Union on Hetzner infrastructure. Hetzner operates EU data centre locations in Germany and Finland. Report images, report JSON, generated report metadata, and retrieval manifests are stored in EU-hosted S3-compatible object storage where configured.

7. Recipients and processors

Data may be processed by hosting and storage providers, Stripe for payment processing, OpenAI for report generation, and technical service providers used for monitoring, security, and support. We only share data where necessary for the service, legal obligations, security, or your request.

8. International transfers

Although hosting is intended to remain in the EU, Stripe and OpenAI may process data through entities or infrastructure outside the EU/EEA. Where this occurs, transfers should be covered by appropriate safeguards such as standard contractual clauses, data processing agreements, or other lawful transfer mechanisms.

9. Retention

Free preview uploads and unpaid draft uploads should be deleted on a short lifecycle, typically within 30 days. Paid reports and source images are retained to allow download and email-based retrieval, typically up to 12 months unless you request earlier deletion. Payment and accounting records may be retained for the statutory retention period required by law.

10. Your rights

Under the GDPR, you may have rights of access, rectification, erasure, restriction, portability, objection, and withdrawal of consent where processing is based on consent. You also have the right to lodge a complaint with a data protection supervisory authority. In Austria, the competent authority is the Austrian Data Protection Authority (Österreichische Datenschutzbehörde), Barichgasse 40-42, 1030 Wien, dsb@dsb.gv.at.

11. Security

We use access controls, HTTPS in production, EU hosting, object storage isolation, minimal data collection, and limited report retrieval by checkout email. No online service can be guaranteed completely secure.

12. Cookies and analytics

We use self-hosted Matomo analytics at matomo.modeleven.com for essential service measurement, including page views and funnel events. This helps us understand whether the service works correctly and where customers encounter technical or product issues.

Marketing pixels from Meta and Google are optional. They are only loaded after you accept marketing cookies, and can measure page views, free score submissions, checkout starts, purchases, and report downloads for advertising attribution. If marketing cookies are accepted, free score leads and confirmed purchases may also be sent server-side to Meta for conversion measurement using limited identifiers such as hashed email and browser marketing identifiers where available. Matomo may receive a hashed email custom dimension for free score events when configured. You can change this choice through the Cookie settings link in the footer. Stripe Checkout and security tooling may use cookies or similar technologies necessary for payment, fraud prevention, and operation.

13. Children

The service is for adults only. Do not upload images of children or use the service if you are under 18.