Data Privacy & Protection Policy

Last Updated 26th August, 2025

For Everyone Building the Future of Skincare

Oyster Skin Privacy Notice

Oyster Technologies Ltd ("Oyster Skin", "we", "us", or "our") is committed to protecting your privacy and ensuring the responsible use of your personal data. This Privacy Notice explains how we collect, use, disclose, and safeguard your information when you use our products, services, websites, and mobile applications.

We comply with the Nigeria Data Protection Act (NDPA 2023) and are in review for the General Data Protection Regulation (GDPR), the Rwanda Data Protection and Privacy Law Nº 058/2021, and other relevant data protection frameworks.

If you have questions, please contact our Data Protection Officer (DPO):

data@oysterskin.com

1. PERSONAL DATA WE COLLECT

We collect and process the following categories of personal data:

1.1 General & Account Information

  • Full name, email address, phone number.
  • Age range, gender, and location (if provided).
  • Account login credentials and subscription status.

1.2 Biometric & Skin Data

  • Images of your face and/or skin, captured through our AI-powered skin scan.
  • Derived attributes, such as:
    • Skin type (oily, dry, combination)
    • Skin tone and color
    • Skin concerns (acne, pigmentation, wrinkles, fine lines, dryness, uneven texture)
    • Perceived age and facial features
  • Dermatologist or esthetician consultation notes (if provided).

1.3 Lifestyle & Routine Data

  • Skincare goals and preferences.
  • Diet and lifestyle logs (water intake, sleep patterns, supplements, etc., if shared).
  • Routine adherence data (tracking consistency with recommendations).

1.4 E-Commerce & Transaction Data

  • Products browsed, recommended, added to cart, or purchased.
  • Payment confirmations and billing details (processed via secure third parties like Stripe & Paystack).
  • Delivery information for order fulfillment.

1.5 Engagement & Community Data

  • Reviews, comments, and ratings submitted on products.
  • Shared skincare routines, before/after images, and community contributions (if you choose to publish).
  • Gamification data (points, badges, milestones).

1.6 Technical & Usage Data

  • Device information.
  • Log data, session identifiers, crash reports, and app usage statistics.
  • Cookies and similar technologies (see our Cookie Policy).

3. DATA SHARING & DISCLOSURE

We do not sell personal data. We may share your data with:

  • Vendors & Fulfillment Partners: dermatologists, skincare brands, and logistics providers to fulfill your orders or provide expert consultations.
  • Technology Providers: secure hosting (AWS), payment processors (Stripe, Paystack), customer support platforms, and analytics providers.
  • Regulatory Authorities: if required by law, regulation, or legal proceedings.
  • Corporate Transactions: in the event of a merger, acquisition, or restructuring.

All third-party processors must comply with Oyster's Data Policy and enter into binding data protection agreements.

4. CROSS-BORDER DATA TRANSFERS

  • Data may be processed outside Rwanda, including in the EU and US.
  • Transfers are safeguarded using Standard Contractual Clauses (SCCs), GDPR equivalence, and Rwanda-approved mechanisms.
  • We only work with cloud providers and vendors who meet global security standards (ISO 27001, SOC 2, GDPR compliance).

5. DATA RETENTION

  • Skin scan images: Retained for up to 24 months, unless you request deletion earlier or consent to longer retention.
  • Account & transaction data: Retained while you have an active account or as required by law (e.g., accounting/tax purposes).
  • Anonymized data: Retained indefinitely for research, AI training, and statistical analysis.

6. YOUR RIGHTS

You have the following rights under Rwanda Law Nº 058/2021 and GDPR:

  • Right to access: Request a copy of your personal data.
  • Right to correction: Rectify inaccurate or incomplete data.
  • Right to erasure: Request deletion of personal data ("right to be forgotten").
  • Right to restriction: Limit how we process your data.
  • Right to portability: Receive your data in a structured, machine-readable format.
  • Right to object: Opt out of certain processing activities, including marketing.
  • Right to withdraw consent: Withdraw consent at any time (without affecting past lawful processing).
  • Right to human review: Request human oversight of AI-driven recommendations.

Requests can be sent to data@oysterskin.ai. We will respond within statutory timelines.

7. SECURITY MEASURES

We implement comprehensive security measures to protect your personal data, including:

  • End-to-end encryption for data in transit and at rest
  • Regular security audits and penetration testing
  • Multi-factor authentication and access controls
  • Employee training on data protection and security protocols
  • Incident response procedures for data breaches

8. CHILDREN'S DATA

Our services are not directed to children under 16. If we become aware that data has been collected from a child without parental consent, we will delete it immediately.

9. UPDATES TO THIS NOTICE

We may update this Privacy Notice periodically to reflect legal, technical, or business changes. Updates will be posted on our website, and in cases of material changes, we will notify users directly.

10. CONTACT DETAILS

Oyster Technologies Ltd

data@oysterskin.com; legal@oysterskin.com