Privacy Policy — Uncoated

Uncoated is built on trust. We collect the minimum data needed to run the app and we do not sell your personal information to anyone, ever.

What We Collect

Email address

When you create an account, for sign-in only.

Apple ID / Google ID

If you sign in with Apple or Google, we receive only your name and email. We never receive your Apple/Google password.

Scan history

Synced to our servers for Pro subscribers. Free users' history stays on-device only.

Favorites & watchlist

Saved products and watched ingredients, synced across your devices.

Subscription status

Managed by RevenueCat (our payments provider) to unlock Pro features. We never see your payment card details.

Anonymous usage events

Basic analytics via PostHog (screens visited, scans completed). No personal identifiers attached.

IP address

Logged with API requests for abuse prevention. Retained for 30 days only, then permanently deleted.

Crash reports

Device type and OS version only, to fix bugs. Kept for 90 days.

We never collect: your real name, phone number, physical address, payment card data, location/GPS, contacts, photos (unless you voluntarily submit a product photo), health data, or any data about children under 13.

Legal Basis for Processing (GDPR)

If you are in the EU, UK, or EEA, we process your data under the following legal bases:

Contract performance — to provide the Uncoated service you signed up for (account, scan history sync, subscription features)
Legitimate interest — to prevent abuse, improve the app, and maintain security, balanced against your privacy rights
Consent — for optional analytics, which you can opt out of at any time in your device or app settings

How We Use Your Data

Your data is used only to operate Uncoated:

Authenticate your account and keep it secure
Sync your scan history, favorites, and watchlist across devices (Pro)
Gate Pro features based on your subscription status
Enforce scan limits and prevent abuse of our product scanning API
Understand how people use the app so we can improve it

We do not use your data for advertising, profiling, behavioral targeting, or selling to third parties. We will never sell, rent, or trade your personal information.

Third-Party Services

We share the minimum data necessary with a small number of trusted third-party services to operate the app:

Supabase (cloud infrastructure)

Secure database, authentication, and file storage. Data stored in the United States.

RevenueCat (payments)

Subscription management. Receives only your anonymous user ID and subscription status. Never receives your scan data, account history, or payment card details.

PostHog (analytics)

Anonymous usage events only. No personal identifiers. You may opt out at any time.

Apple / Google (auth)

Sign-in authentication only. We receive your email; they do not receive your Uncoated data.

Open Beauty Facts

Product ingredient and packaging data source (ODbL license). We do not send your personal data to OBF.

We do not share your personal data with any other third parties. We do not use third-party advertising SDKs, tracking pixels, or data brokers.

International Data Transfers

Uncoated's infrastructure is hosted in the United States. If you are located outside the US, your data will be transferred to and processed in the US. We rely on standard contractual clauses and our service providers' compliance certifications to ensure adequate data protection for international transfers.

Not Medical Advice

Uncoated does not claim any scientific or medical authority. Ingredient scores represent our opinion based on publicly available regulatory data — they are not a medical assessment of any product's effect on you personally. Do not use Uncoated as a substitute for advice from a healthcare professional, particularly if you have allergies, sensitivities, or medical conditions.

Data Accuracy & Freshness

Product formulations change. Uncoated shows a "last verified" date on every product so you know how current the data is. When data is older than 12 months, we show a warning and encourage you to verify with the physical label.

AI-inferred data is always labeled as such. Community-submitted corrections are reviewed before being applied. Uncoated does not independently test or verify product formulations.

Your Rights

Regardless of where you are in the world, you can:

Export a copy of all your data in a machine-readable format (JSON) from the Profile screen
Delete your account and all associated data permanently from the Profile screen
Opt out of analytics at any time

Additional rights for EU, UK, and EEA residents (GDPR)

Right of access — request a copy of all personal data we hold about you
Right to rectification — correct inaccurate personal data
Right to erasure — request deletion of your data (we respond within 30 days)
Right to data portability — receive your data in a structured, machine-readable format
Right to object — object to processing based on legitimate interest
Right to restrict processing — request we limit how we use your data

Additional rights for California residents (CCPA/CPRA)

Right to know — what personal information we collect, use, and disclose
Right to delete — request deletion of your personal information
Right to opt out of sale — we do not sell your personal information. We have never sold personal information and will never do so.
Right to non-discrimination — we will not treat you differently for exercising your rights

To exercise any of these rights, use the in-app Profile screen or email [email protected]. We will respond within 30 days.

Children's Privacy (COPPA)

Uncoated is not directed at children under 13 and is not designed for use by children. We do not knowingly collect personal information from anyone under 13. We do not use any mechanisms to verify age, as the app is a general-audience consumer information tool.

If you are a parent or guardian and believe a child under 13 has created an account or provided personal information, please email [email protected] and we will delete the account and all associated data within 72 hours.

How Long We Keep Your Data

Account data

Until you delete your account

Scan history (Pro)

Until deletion or 2 years of inactivity

Analytics events

12 months

IP addresses

30 days

Crash reports

90 days

Submitted corrections

Indefinitely (tied to product records, anonymized after account deletion)

When you delete your account, all personal data is permanently removed from our systems within 30 days. Product corrections you submitted are retained in anonymized form (not linked to your identity) to maintain data quality.

Data Security

We protect your data using industry-standard security measures including encryption in transit (TLS) and at rest, row-level security policies that prevent cross-user data access, and secure authentication via Supabase Auth. No system is 100% secure — if we discover a breach affecting your data, we will notify you within 72 hours as required by GDPR.

Changes to This Policy

We may update this privacy policy from time to time. We will notify you of material changes through the app at least 30 days before they take effect. The "last updated" date at the top of this page will always reflect the most recent revision.

Contact

Questions about this policy or your data?

General inquiries: [email protected]
Privacy and data requests: [email protected]
Legal inquiries: [email protected]