Privacy Policy

Last updated: May 7, 2026

Wahaj ("we", "our", "us") is an AI-powered skincare analysis app. This Privacy Policy explains how we collect, use, and protect your information when you use our mobile application. We comply with the Saudi Personal Data Protection Law (PDPL) and applicable international privacy standards.

1. Information We Collect

We collect the following types of information:

Account Information: Name, email address, and password when you create an account.
Profile Information: Age, gender, skin type, skin concerns, and lifestyle data (water intake, sleep hours, weight, height, smoking status, pregnancy status, prescription skincare, climate, dietary preferences, sunscreen habits) that you voluntarily provide during onboarding.
Face Photos: Photos you take or upload for skin analysis. These are processed by our AI system and may be saved to your skin journal if you choose.
Food Photos: Photos of meals you scan in the food analyzer. Processed for nutritional and skin-impact analysis.
Product Photos & Ingredient Lists: Photos of skincare or food product labels and the extracted ingredient text, used to assess compatibility with your skin profile.
Scan Results: AI-generated analysis data including skin scores, detected issues, recommended routines, and product feedback.
Subscription Data: When you subscribe to Premium, your purchase is processed through Apple App Store or Google Play and managed by RevenueCat. We receive subscription status, transaction IDs, and renewal events but do NOT receive your full payment card details.
Usage Data: App activity such as scan history, routine completion, daily check-ins, and hydration tracking.

2. How We Use Your Information

To provide personalized skin analysis using Google Gemini AI
To generate custom skincare routines and product recommendations
To analyze food and skincare products for skin compatibility
To track your skin health progress over time
To send verification emails and account-related communications
To process and manage subscription payments
To improve our AI analysis accuracy and app features

3. AI Processing

Your face photos, food photos, and product ingredient text are sent to our secure cloud server (Firebase Cloud Functions), which forwards them to Google Gemini AI models for analysis. The AI returns structured analysis (skin scores, detected issues, ingredient verdicts, food impact) which is stored in your account. Per Google's data processing terms, content sent to Gemini via the paid API is NOT used to train Google's AI models.

4. Data Storage & Security

Your data is stored in Google Firebase (Firestore and Firebase Storage), hosted in secure data centers.
Photos stored in your skin journal are accessible only to your authenticated account.
Passwords are hashed by Firebase Authentication and never stored in plain text.
API keys and sensitive credentials are stored in Firebase Secret Manager, not in the app code.
Firestore security rules ensure users can only access their own data.
All data transmission is encrypted in transit using HTTPS/TLS.

5. Third Parties We Share Data With

We do not sell your personal data. We share data only with the following service providers, each bound by their own data processing terms:

Third party	What they receive	Why
Google (Gemini API)	Face photos, age, gender, skin type, pregnancy status, prescription drug names, smoking status, climate, allergies, scan results, chat messages	AI skin analysis, product/food analysis, dermatologist chat
Google Firebase	All app data — auth, Firestore docs, Storage files, App Check telemetry	Backend hosting
RevenueCat	Firebase UID, purchase history, referral code, Apple/Google store identifier	Subscription management
Apple / Google (OAuth)	Email, name, OAuth ID token	Sign-in with Apple / Google
Open-Meteo	Approximate latitude/longitude (IP-derived)	Weather + UV index
GeoJS / ipwho.is	User IP address	Approximate location for weather
Open Beauty Facts / Open Food Facts	Product names and barcodes the user searches	Product database lookup
Apple App Attest / Google Play Integrity	Device attestation tokens	App Check (proves requests come from a real Wahaj install)
iHerb	No personal data is shared. Affiliate code only.	Product purchase referrals

Apple App Store and Google Play process all subscription payments. We never see or store your payment card information. Sub-processors that you sign in through (Apple / Google) only share what you explicitly authorize during the sign-in flow (email, name).

First-scan consent: Before your first skin scan, the app shows a one-time consent screen explicitly stating that your face photo and skin profile data will be sent to Google Gemini for AI analysis. You must tap Continue to proceed. Your consent timestamp is stored in your account and you can withdraw it at any time by deleting your account.

6. Your Rights

Under PDPL and applicable privacy laws, you have the right to:

Access your personal data stored in the app
Update or correct your profile information
Delete your scan history and journal entries
Delete your account and all associated data (see Delete Account)
Request a copy of your data in a portable format by emailing us
Withdraw consent for data processing at any time (effectively done by deleting your account)
File a complaint with the Saudi Data & AI Authority (SDAIA) if you believe your rights have been violated

7. Data Retention

We retain your data for as long as your account is active. If you delete your account, we will delete your personal data within 30 days. Subscription transaction records may be retained for up to 7 years to comply with tax and financial regulations. Anonymized, aggregated analytics data may be retained indefinitely.

Backups: For security and disaster-recovery purposes, our database provider (Google Firebase) retains automatic backups of our database for up to 7 days. After this period, deleted user data is permanently unrecoverable from any backup. Backup data is encrypted at rest, accessible only to authorized administrators, and is never used for any purpose other than restoring the live database in case of accidental loss or compromise.

8. Children's Privacy

Wahaj is not intended for children under 13 years of age, and certain features (subscriptions, skincare advice) require users to be 18 or older where local law requires parental consent. We do not knowingly collect personal information from children under 13. If you believe we have collected data from a child under 13, please contact us immediately and we will delete it.

9. International Data Transfers

Your data may be processed in countries outside Saudi Arabia, including the United States and the European Union, where our service providers (Google, RevenueCat) operate. These providers comply with applicable cross-border data transfer requirements and provide contractual safeguards for your data.

10. Third-Party Links

Our app may contain links to third-party websites (such as iHerb for product purchases). We are not responsible for the privacy practices of these external sites. We encourage you to read their privacy policies.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes through the app or by email. Your continued use of Wahaj after changes constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy or your data, contact us at:

Email: WahajApp@outlook.com
Website: wahaj.app