Privacy Policy
Last updated: 22 March 2026
This Privacy Policy explains how LIOT Ltd ("we", "us", "our") collects, uses, stores, and protects your personal data when you use the SKŌR mobile application and website (collectively, the "Service").
We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Data Controller
The data controller responsible for your personal data is:
LIOT Ltd
Registered in England and Wales
Email: hello@joinskor.com
Website: joinskor.com
If you have any questions about how we handle your data or wish to exercise your rights, please contact us at hello@joinskor.com.
2. What Data We Collect
We collect the following categories of personal data when you use SKŌR:
2.1 Account Data
- Email address (if you create an account)
- Apple ID (where you sign in with Apple)
- Display name or username (optional)
- Password (stored as a cryptographic hash — we never store your plaintext password)
- Age verification confirmation (you must confirm you are 18 or over)
- Subscription status and billing reference (we do not store full payment card details)
- Push notification token (where you opt in to notifications)
2.2 Biometric and Photographic Data
Important: Photos submitted for scanning are classified as biometric data and special category personal data under UK GDPR Article 9. We process this data only with your explicit consent, which you provide when you initiate a scan.
- Face photographs submitted for Face SKŌR analysis
- Body photographs submitted for Body SKŌR analysis
- Derived scores and metrics generated from each scan (e.g. Acne score, Muscle Tone score)
- Historical scan data and progress timelines
2.5 Habit and Journal Data
When you use the Journal feature, we collect:
- Skincare products logged (including product name, category, and AM/PM timing)
- Workout sessions (type, duration, and optional intensity)
- GLP-1 medication information including medication name, dose, symptoms experienced, and optional body weight entries
- Freeform notes
Important: GLP-1 medication data — including medication name, dose, and symptoms — is special category health data under UK GDPR Article 9. We process this data only with your explicit consent. You may delete it at any time by deleting individual logs or your entire account.
2.6 Usage and Technical Data
- Device type, operating system, and app version
- App usage events (screens viewed, features used) — collected anonymously
- Crash logs and error reports
- IP address (used for security and fraud prevention; not linked to scan data)
2.7 Data We Do NOT Collect
- We do not collect your precise location unless you explicitly grant permission for a feature that requires it
- We do not access your contacts, microphone, or camera roll outside of the scan feature
- We do not collect health records, medical diagnoses, or NHS data
3. How We Use Your Data
3.1 To Provide the Service
Your photos are transmitted securely to our AI processing pipeline where scan metrics are computed. The resulting scores are returned to your device and stored so you can track your progress over time. We rely on your explicit consent (UK GDPR Art. 9(2)(a)) as the lawful basis for processing biometric data.
3.2 AI Processing of Camera and Photographic Data
What the camera captures
When you initiate a Face SKŌR or Body SKŌR scan, SKŌR uses your device camera to capture a photograph. The camera is accessed only when you actively tap the scan button — we do not access your camera in the background, passively, or without your interaction.
The photograph captured contains your face or body, as applicable to the scan type you have selected. No audio is recorded. No video stream is retained — only the still image captured at the moment of scan.
What is processed
The photograph is transmitted over an encrypted connection (TLS 1.2 or higher) to our AI processing pipeline, where it is analysed by third-party AI vision models:
- Face SKŌR — analysed by OpenAI (GPT-4o Vision). The model examines visual features of your facial skin including texture, tone, clarity, and visible structural features to generate scores across six metrics: Acne, Pigmentation, Redness, Pores, Eye Bags, and Firmness.
- Body SKŌR — analysed by Google (Gemini 2.0 Flash). The model examines body silhouette, posture, and visible musculature to generate scores across four metrics: Muscle Tone, Posture, Symmetry, and Body Composition.
- GLP-1 Progress Mode — uses the same Face SKŌR and Body SKŌR analysis pipeline, with scores presented specifically in the context of tracking physical transformation during GLP-1 medication use.
Neither OpenAI nor Google uses your photographs to train, fine-tune, or improve their AI models under our data processing agreements with those providers. Images are processed for the sole purpose of returning your SKŌR results.
What is stored
Your scan photographs are stored in encrypted cloud storage (Cloudflare R2, EEA-located) under a randomised identifier. They are not indexed, publicly accessible, or linked to your name in any external system. Full details of storage, retention, and deletion are in Sections 4 and 7 of this policy.
Derived scores and metrics (e.g. your Acne score of 84) are stored separately from the photographs and are retained as part of your progress history for as long as your account is active.
Your consent
Processing of facial and body photographs constitutes processing of biometric data, which is special category personal data under UK GDPR Article 9. We process this data only on the basis of your explicit consent (Article 9(2)(a)), which you provide by:
- Creating an account and accepting these terms
- Actively initiating each individual scan by tapping the scan button
You may withdraw your consent at any time by deleting your account (Settings → Account → Delete Account). Withdrawal of consent will result in deletion of your scan photographs from our systems within 30 days. It does not affect the lawfulness of processing carried out before withdrawal.
What we do not do
- We do not use facial recognition to identify you or any other person
- We do not share your photographs with any party other than the AI processors named above
- We do not use your photographs for advertising, profiling, or any purpose other than generating your SKŌR results
- We do not process photographs of anyone other than the account holder — our Terms of Service prohibit uploading photos of other people
- We do not process photographs of anyone under 18
3.3 Health and Wellness Data
GLP-1 medication data
If you use the GLP-1 Journal feature, you may log medication name (e.g. Mounjaro, Wegovy, Ozempic), dose, injection date, side effects experienced, and body weight. This constitutes special category health data under UK GDPR Article 9. We process it only with your explicit consent, solely for the purpose of providing you with your progress tracking timeline within the app. You may delete individual log entries or all GLP-1 data at any time from within the app.
Skincare and workout data
Skincare product logs and workout sessions are personal data but do not constitute special category data. They are used only to power your SKŌR Journal and habit-correlation features.
SKŌR is not a medical device
SKŌR scores and metrics are generated by AI image analysis. They are personal wellness tracking tools, not clinical assessments. They are not validated medical devices under UK or EU medical device regulations (MDR/IVDR) and should not be used as a basis for medical decisions. See the Medical Disclaimer in our Terms of Service for full details.
3.4 Subscription and Billing
We use your email address and subscription status to manage your account, process payments via RevenueCat and the Apple App Store, and send transactional emails (via SendGrid) such as receipts and renewal reminders. The lawful basis is performance of a contract (UK GDPR Art. 6(1)(b)).
3.5 Communications
We will only send marketing emails if you have opted in. You can unsubscribe at any time via the link in any marketing email or by contacting us. Transactional emails (receipts, account security) cannot be opted out of while your account is active.
4. How We Store Your Data
4.1 Photo Storage — Cloudflare R2
Your scan photographs are stored in Cloudflare R2 object storage, a zero-egress cloud storage service operated by Cloudflare, Inc. All files are:
- Encrypted at rest using AES-256
- Transmitted exclusively over TLS 1.2+ encrypted connections
- Stored under a randomised, non-guessable identifier that is not linked to your name or email in any public-facing system
- Accessible only to authorised LIOT Ltd systems — no public URLs are generated for your photos
- Stored in data centres located within the European Economic Area (EEA)
4.2 Scan Scores and Account Data
Derived scan scores, metrics, and account data are stored in a managed database hosted on infrastructure located within the UK or EEA. All data is backed up daily and access is restricted to authorised personnel under the principle of least privilege.
4.3 Data Retention
- Scan photos: Retained for as long as your account is active, plus 30 days after account deletion to allow recovery
- Scan scores and metrics: Retained for as long as your account is active
- Account data: Retained for 90 days after account deletion, then permanently erased
- Billing records: Retained for 7 years as required by UK tax law
- Anonymised analytics: May be retained indefinitely as they cannot be linked to you
5. Data Sharing
We do not sell, rent, or trade your personal data to any third party for commercial purposes. We never have and we never will.
We share data with the following third-party processors, all of whom act on our instructions under data processing agreements:
- Cloudflare R2 — encrypted storage of photographs and scan data
- Neon (PostgreSQL) — secure database hosting for account, scan, and habit data
- OpenAI — AI analysis of facial photographs for Face SKŌR (receives facial images)
- Google (Gemini) — AI analysis of body photographs for Body SKŌR (receives body images)
- RevenueCat — subscription and in-app purchase management (receives user ID and subscription status)
- SendGrid (Twilio) — transactional email delivery (receives email address only)
- Sentry — anonymised error and crash reporting for app stability (no personal data beyond session identifiers)
- Expo (Expo Application Services) — app build, distribution, and push notification delivery (receives push notification tokens)
- Apple — app distribution and payment processing via the App Store
We also share data in the following limited circumstances:
- Legal obligation: If required by law, court order, or regulatory authority (e.g. the ICO)
- Business transfer: In the event of a merger or acquisition, your data will be transferred only with equivalent privacy protections in place and you will be notified in advance
6. Your Rights Under UK GDPR
As a data subject under UK GDPR, you have the following rights:
Right of Access
You can request a copy of all personal data we hold about you. We will respond within 30 days.
Right to Rectification
You can ask us to correct inaccurate data or complete incomplete data.
Right to Erasure ("Right to Be Forgotten")
You can request deletion of your personal data. See Section 7 below for details on data deletion.
Right to Restriction
You can ask us to restrict processing of your data in certain circumstances (e.g. if you contest its accuracy).
Right to Data Portability
You can request your scan data and account data in a machine-readable format (JSON or CSV).
Right to Object
You can object to processing based on legitimate interests. You can withdraw consent for biometric processing at any time, though this will prevent you from using the core scan features.
Right to Withdraw Consent
Where we rely on consent (particularly for biometric data), you can withdraw it at any time by deleting your account or contacting us. Withdrawal does not affect the lawfulness of prior processing.
Right to Lodge a Complaint
If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Website: ico.org.uk · Phone: 0303 123 1113
7. Data Deletion
You can permanently delete all of your data — including scan photos, scores, and account information — in two ways:
- In-app: Go to Settings → Account → Delete Account. This initiates immediate deletion of your scan photos from Cloudflare R2 and queues full account deletion within 30 days.
- By email: Send a deletion request to hello@joinskor.com with the subject line "Data Deletion Request". We will confirm deletion within 14 days.
After deletion, your scan photos are permanently removed from Cloudflare R2 and cannot be recovered. Anonymised, non-identifiable analytics data (e.g. aggregate scan counts) may be retained. Billing records are retained for the legally required period of 7 years.
8. Children and Age Restriction
SKŌR is intended for users aged 18 and over only. We do not knowingly collect personal data from anyone under 18. If we become aware that a user is under 18, we will immediately suspend their account and delete all associated data. If you believe a minor has used SKŌR, please contact us at hello@joinskor.com.
9. Cookies and Tracking
Our website (joinskor.com) uses a minimal number of cookies:
- Strictly necessary cookies: Required for the website to function (e.g. session management). No consent required.
- Analytics cookies: Used to understand how visitors use our website (aggregated, anonymised). These are only set with your consent via our cookie banner.
The SKŌR mobile app does not use cookies. It may use device identifiers for analytics purposes in accordance with your device's privacy settings (e.g. App Tracking Transparency on iOS).
10. International Data Transfers
We aim to process and store all personal data within the UK and EEA. Where we use third-party service providers that may process data outside these regions (e.g. Cloudflare's edge network), we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the ICO or the European Commission.
11. Security
We implement industry-standard security measures including:
- TLS 1.2+ encryption for all data in transit
- AES-256 encryption for all data at rest
- Role-based access controls and least-privilege principles
- Regular security audits and penetration testing
- Incident response procedures meeting ICO notification requirements
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and notify you without undue delay.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email (if you have an account) and by posting a notice in the app. Continued use of SKŌR after the effective date constitutes acceptance of the updated policy.
13. Contact Us
For any privacy-related queries, data access requests, or complaints, please contact:
LIOT Ltd — Data Privacy
Email: hello@joinskor.com
Subject line: "Privacy Enquiry" or "Data Subject Request"
We aim to respond to all requests within 14 days and will always respond within the statutory 30-day period.