Privacy Policy
Last updated: January 2026
Sima Labs (“Sima Labs”, “we”) respects your privacy. This Privacy Policy explains how your personal data is collected, processed, stored, transferred and protected when you use the SİMA service at simalabs.app. It is written to reflect the EU General Data Protection Regulation (GDPR) and, for California residents, the CCPA/CPRA (see Section 11).
1. Data controller
The data controller is Sima Labs. For privacy requests, contact support@simalabs.app. Our postal address is listed on the Contact page. Where required, our EU representative and/or Data Protection Officer details will be added here before launch.
2. Personal data we process
Identity & contact data: your mobile phone number (SMS authentication). Special-category data (biometric): the face photos you upload and the facial measurements and analysis results derived from them — a special category of personal data under GDPR Art. 9 and sensitive personal information under the CPRA. Security data: sign-in, session and consent records, timestamps and technical logs. Subscription/billing data: subscription status and invoice records (we do not store your payment-card details — see Section 6). Usage analytics: which screens you view and where you are in the flow — anonymous and cookieless by default, not linked to your identity.
Your facial measurements are computed in your browser; the raw photo is processed only for analysis and image generation (see Section 6).
3. Purposes of processing
We process your data to create your account and authenticate you via SMS, run the facial analysis, prepare a personal aesthetic assessment and surgery-free improvement suggestions, generate potential-look images, manage your subscription, keep the service secure and meet legal obligations.
4. Legal bases
Your phone number is processed on the basis of contract performance (GDPR Art. 6(1)(b)) and legitimate interests (Art. 6(1)(f)). Your face photos and derived measurements are special-category data processed only on the basis of your explicit consent (Art. 9(2)(a)). Without consent the analysis cannot be provided; you may withdraw consent at any time.
5. Retention
Your face photos and derived biometric measurements are kept only for as long as the analysis requires and are permanently deleted without undue delay when you withdraw consent or delete your account. Billing records are retained for the periods required by applicable tax law. At the end of the applicable period, data is deleted, destroyed or anonymized. You can request deletion of all your data from your account at any time.
6. Sharing and international transfers
To provide the service, your data is shared — only as necessary and with appropriate safeguards — with the processors below. Some are located outside your country; such transfers rely on an appropriate transfer mechanism (e.g. Standard Contractual Clauses) and/or your explicit consent:
- Supabase — database, encrypted file storage and authentication: account, phone number, face photos, questionnaire and analysis records.
- Vercel — application hosting and technical logs.
- Anthropic (Claude) — your front face photo and measurements are processed to generate the report text and detect beard status (USA).
- Google (Gemini) — your face photo is processed as input to generate potential-look images (USA).
- PostHog — anonymous product-usage analytics, hosted on EU servers.
- Paddle — payment and billing. As merchant of record, Paddle processes your card details; Sima Labs never sees or stores them.
- SMS provider — delivery of a verification code to your phone via our authentication provider (Supabase).
7. Data security
Data is transmitted over encrypted (TLS) connections; photos are held in private storage with row-level access control, so each user can access only their own data. We apply administrative and technical safeguards against unauthorized access.
8. Cookies
We use only strictly necessary cookies (session tokens and language preference). Usage analytics runs cookieless and anonymous by default. Only if you tick the optional analytics/communications consent are your usage events linked to your account, which stores a persistent identifier in your browser. We use no marketing cookies.
9. Your rights (GDPR)
You have the rights of access, rectification, erasure, restriction, objection and data portability, the right to withdraw consent at any time, and the right not to be subject to a solely automated decision producing legal or similarly significant effects. You may lodge a complaint with your local supervisory authority.
10. Automated processing
The analysis produces informational aesthetic scores and suggestions. It has no legal or similarly significant effect on you and is not a medical or diagnostic decision.
11. California (CCPA/CPRA)
California residents have the right to know, delete and correct their personal information and to limit the use and disclosure of sensitive personal information. We do not sell or share your personal information for cross-context behavioral advertising. To exercise these rights, contact support@simalabs.app.
12. Contact
Send privacy requests to support@simalabs.app. We respond within the period required by applicable law.