Privacy Policy

Last updated: May 20, 2026

1. Introduction

CosmetCheck ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our cosmetic compliance checking service.

We comply with the General Data Protection Regulation (GDPR) for users in the European Union, the Lei Geral de Proteção de Dados (LGPD) for users in Brazil, and the Ley Federal de Protección de Datos Personales en Posesión de los Particulares (LFPDPPP) for users in Mexico.

2. Data We Collect

2.1 Product Information

We collect product information that you voluntarily submit for compliance checking, including:

  • Product names and descriptions
  • Ingredient lists
  • Target markets (e.g., Brazil, Mexico)

2.2 Account Information

When you create an account, we collect:

  • Email address
  • Name (optional)
  • Subscription tier and usage data

2.3 Technical Data

We automatically collect certain technical information, including IP addresses, browser type, and device information, for security and analytics purposes.

2.4 AI-Generated Content

When you use our AI Listing generation feature, the product information you provide (name, ingredients, benefits) is sent to our AI service provider (DeepSeek) for processing.

  • No Training: DeepSeek does NOT use your input data to train their AI models. Your product information is processed only for the purpose of generating your listing.
  • Processing Only: Data is sent to DeepSeek's API for inference only and is not retained for model training purposes by DeepSeek.
  • Output Ownership: AI outputs are generated by us based on your input. You retain full ownership of both your input and the generated content.
  • Commercial Use: AI-generated content may be used for your commercial purposes, but you remain responsible for its regulatory compliance.
  • Data Minimization: We send only the minimum product information necessary to generate compliant listings.

2.5 Payment Data

Payment information is processed by Stripe. We do not store complete credit card numbers. Stripe handles your payment data according to their privacy policy.

3. How We Use Your Data

We use your data to:

  • Provide cosmetic compliance checking services
  • Generate AI-powered listings in Portuguese and Spanish
  • Process payments and manage subscriptions
  • Improve our regulatory database and detection accuracy
  • Communicate service updates and regulatory changes
  • Prevent fraud and abuse

4. Lawful Basis for Processing

We process your personal data based on the following lawful bases, depending on your jurisdiction:

Processing Activity      | GDPR (EU)                            | LGPD (Brazil)                  | LFPDPPP (Mexico)
-------------------------|--------------------------------------|--------------------------------|-------------------------------
Account registration     | Consent (Art. 6(1)(a))               | Consent (Art. 11)              | Consent (Art. 8)
Compliance checking      | Legitimate Interest (Art. 6(1)(f))   | Legitimate Interest (Art. 10)  | Legitimate Interest (Art. 17)
AI Listing generation    | Consent (Art. 6(1)(a))               | Consent (Art. 11)              | Consent (Art. 8)
Payment processing       | Contract Performance (Art. 6(1)(b))  | Contract Performance (Art. 7)  | Contract Performance (Art. 17)
Analytics & security     | Legitimate Interest (Art. 6(1)(f))   | Legitimate Interest (Art. 10)  | Legitimate Interest (Art. 17)
Marketing communications | Consent (Art. 6(1)(a))               | Consent (Art. 11)              | Consent (Art. 8)

You have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.

5. Data Storage and Security

All data is transmitted using TLS encryption and stored in secure, SOC 2-compliant data centers. We use Supabase for database hosting with Row Level Security (RLS) enabled.

We do not sell your data to third parties. Product information is used solely for compliance checking purposes.

6. Your Rights

Under GDPR, LGPD, and LFPDPPP, you have the right to:

  • Access your personal data — Request a copy of all data we hold about you
  • Correct inaccurate data — Request correction of incorrect or incomplete data
  • Delete your data (right to erasure) — Request permanent deletion of your personal data
  • Export your data (data portability) — Download your data in JSON or CSV format
  • Withdraw consent at any time for processing based on consent
  • Object to data processing — Opt out of specific processing activities

How to Export Your Data: Navigate to Account Settings → Privacy → Export My Data. Your data export will be generated and emailed to your registered address within 72 hours. Alternatively, email privacy@cosmetcheck.com with subject "Data Export Request".

7. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes outlined in this policy. The specific retention periods are:

Data Category                   | Retention Period                   | Deletion Method
--------------------------------|------------------------------------|------------------------
Account data (email, name)      | Until account deletion + 30 days   | Automated deletion
Product compliance data         | Until account deletion + 90 days   | Automated deletion
AI-generated content            | Until account deletion (on-demand) | User-requested deletion
Payment & billing records       | 7 years (legal requirement)        | Secure archival
Analytics & logs                | 12 months                          | Automated rotation
Session & authentication tokens | 30 days of inactivity              | Automated expiration
Marketing consent records       | Until consent withdrawal           | User-requested deletion

Account Deletion: You can delete your account at any time via Account Settings → Privacy → Delete Account, or by emailing privacy@cosmetcheck.com. We will process deletion requests within 30 days.

After account deletion, certain data may be retained for legal compliance (e.g., tax records for 7 years under Brazilian law).

8. Contact Us

For privacy-related questions or to exercise your rights, please contact us at:

Email: privacy@cosmetcheck.com