KOKO

Privacy Policy

Last updated: 2026-05-03

This Privacy Policy describes how KOKO Hair Consultation ("the Service", "we", "our") collects, uses, shares, and protects personal information when you access or use the Service. Please read this Policy carefully. By using the Service, you acknowledge the practices described here.

1. Scope of This Policy

This Policy applies to:

  • Stylist users who sign in to the Service and use it to provide hairstyle consultation to their salon customers.
  • Customers (data subjects) whose photographs are uploaded by stylists for the purpose of receiving an AI hairstyle simulation or analysis. Customers do not access the Service directly; they interact with it through the stylist who is using the Service on their behalf.

Where this Policy distinguishes between "you" and "the customer", "you" refers to the stylist account holder.

2. Information We Collect

Information you provide directly:

  • Account profile data from your OAuth provider (Google or GitHub): email address, public display name, public profile image. We do not receive or store your OAuth password.
  • Customer photographs you upload for hairstyle simulation or analysis.
  • Optional reference photographs (built-in templates or photographs you upload to demonstrate a desired style).
  • If enabled by your administrator, an API key you provide for the third-party AI service used in "bring-your-own-key" mode.

Information collected automatically:

  • Authentication session cookies (encrypted JWT) used to keep you signed in.
  • Generation request metadata: timestamp, request id, model tier requested, model token usage, estimated cost, success / error status. We do not log the contents of your prompts beyond what is necessary to reproduce or audit a request.
  • Standard server-level information automatically transmitted by your browser (IP address, user agent, referrer) used for security, abuse prevention, and aggregate usage analysis.

3. How We Use Your Information

We use the information described above to:

  • Authenticate you and maintain your session.
  • Send the customer photo and prompt to a third-party AI service in order to fulfil your generation request, and return the generated image to you.
  • Enforce account state (pending / active / disabled), monthly quota, and per-account model permissions configured by an administrator.
  • Maintain a log of your generation history so administrators can support billing, troubleshoot issues, and detect abuse.
  • Maintain operational security, prevent fraud, and respond to legal process where required.
  • Communicate with you about material changes to the Service, this Policy, or our Terms of Service.

We do not use customer photographs, your reference uploads, your API key, or your generation history to train or fine-tune any AI model.

4. Legal Bases for Processing (EEA / UK Users)

Where the EU General Data Protection Regulation (GDPR) or the UK GDPR applies, we rely on the following legal bases:

  • Performance of a contract: to provide the Service you requested.
  • Legitimate interests: to maintain security, prevent abuse, and improve the Service in non-intrusive ways.
  • Consent: for the customer's photograph, the stylist confirms (on the customer's behalf) that the customer has consented to the processing described in this Policy. Customers may withdraw consent at any time by contacting the stylist or KOKO directly.
  • Compliance with a legal obligation: where applicable.

5. How We Share Your Information

We do not sell your personal information. We share it only as follows:

  • Third-party AI service: customer photographs, reference photographs, and the generation prompt are transmitted to an AI service provider so the requested image can be produced. The provider acts as a sub-processor and handles data under its own published policies.
  • Infrastructure providers: we use a hosted database and storage platform (Supabase / AWS) to persist account and generation data, and a hosting platform to run the application. These vendors process data on our behalf under a data-processing agreement.
  • Administrator of your account: a salon or operator administrator can see your account state, generation history, monthly quota usage, and the masked fingerprint of your stored API key (last four characters only). The administrator cannot view the full plaintext of your API key.
  • Legal authorities: when required by valid legal process, court order, or to defend legal claims.
  • Successor entity: in the event of a merger, acquisition, or asset sale, your information may be transferred subject to the same protections described in this Policy.

6. Customer Photographs

Customer photographs receive specific protection because they constitute personal data and, in certain jurisdictions, biometric data:

  • Customer photographs are retained in our storage for a maximum of 7 days, after which a scheduled job permanently deletes them.
  • Generated images (output of the simulation or analysis) are retained as the stylist's working deliverable and are not subject to the 7-day deletion.
  • Customer photographs are not used to train the AI model, are not shared with any third party other than as described in Section 5, and are not displayed publicly.
  • A customer who wishes to have their photograph deleted earlier than the scheduled 7-day window may request deletion through the stylist or directly via the contact email below. We will action verified requests as soon as reasonably practicable.

7. API Key Protection (Bring-Your-Own-Key Mode)

If your account is in bring-your-own-key mode, you may store an API key for a third-party AI service. We protect this key as follows:

  • Plaintext is held only momentarily in server memory during submission and is encrypted using PostgreSQL pgcrypto symmetric encryption before persistence.
  • The decryption passphrase is stored in a separate vault accessible only to server-side code that needs it to authenticate AI requests on your behalf.
  • Neither you nor the platform administrator can read the plaintext key. You can verify your stored key by viewing the masked last four characters (e.g. ****abcd).
  • You can delete your stored key at any time from the in-product settings page. An administrator can also force deletion (for example, if compromise is suspected). After deletion you will need to paste a fresh key to resume generation.

8. Data Retention

  • Customer photographs: up to 7 days, then permanently deleted.
  • Generated images: retained as long as your account exists, unless you request deletion.
  • Account data and generation history: retained as long as your account is active, plus a reasonable archival period after deletion for legal, accounting, and abuse-prevention purposes (typically 12 months).
  • Encrypted API keys: retained until you or the administrator deletes them.
  • Server logs: retained for up to 90 days unless required longer for incident response or legal process.

9. Your Rights

Subject to applicable law, you have the right to:

  • Access the personal information we hold about you.
  • Correct inaccurate or incomplete information.
  • Request deletion of your account and associated data.
  • Request a portable copy of your data in machine-readable form.
  • Object to or restrict certain processing activities.
  • Withdraw consent where processing is based on consent.
  • Lodge a complaint with the data-protection authority of your country or place of work.

To exercise these rights, please contact us using the email address in Section 14. We will respond as soon as reasonably practicable.

10. Cookies & Tracking

  • We use first-party authentication cookies that are strictly necessary to keep you signed in. These are encrypted and contain no advertising identifiers.
  • We do not use third-party advertising cookies, cross-site tracking, or behavioural analytics tied to a personal identifier.
  • We may use aggregate, non-identifying server-side metrics (e.g. requests per minute) to monitor performance.

11. International Data Transfers

Our infrastructure providers and the third-party AI service we integrate with may store and process data outside your country of residence (typically in the United States). When data is transferred internationally, we rely on safeguards such as standard contractual clauses or equivalent mechanisms required by applicable law.

12. Security

We apply technical and organisational measures designed to protect your information against unauthorised access, alteration, disclosure, and destruction. These include transport-level encryption (HTTPS) for all data in transit, encryption at rest for stored API keys, role-based access to the administration interface, and authentication through OAuth providers, so that we do not manage your credentials ourselves. No method of transmission or storage is 100% secure. In the event of a data incident affecting your information, we will notify affected users without undue delay where required by law.

13. Children's Privacy

The Service is not directed to children under the age of 13 (or under 16 in the EEA / UK). We do not knowingly collect personal information from children. If a stylist uploads a photograph of a minor, the stylist confirms (on behalf of the minor's parent or guardian) that consent has been obtained. If we learn we have inadvertently received personal information of a child without proper consent, we will delete it promptly.

14. Contact Us

For privacy-related questions, requests to exercise your rights, or to report a data-protection concern, please contact us at bergio777@gmail.com. We aim to respond as soon as reasonably practicable.

15. Changes to This Policy

We may revise this Privacy Policy from time to time. The revision date at the top of this page reflects the most recent update. Material changes affecting your rights will be communicated via email or through a prominent notice in the Service. Your continued use of the Service after the effective date of revised terms constitutes acceptance of those revisions.

This Policy is governed by the laws of the Republic of China (Taiwan). Disputes arising from this Policy shall be submitted to the exclusive jurisdiction of the Taipei District Court, Taiwan, R.O.C. as the court of first instance.