vf:2604.0001v3 · [cs.SE] · § B privacy
vastflow.kz
appendix b — privacy · last updated 16 may 2026

Privacy.

This Privacy Policy describes what data the mobile applications published by VAST FLOW ("we", "our", "us") collect, how that data is processed, and the third-party services with which it is shared. It applies to every application we publish on the Apple App Store and Google Play, including applications that capture photographs of your face, skin, hair, scalp, body, product labels, or documents, and applications that perform on-device or server-side analysis of that imagery. We do not name individual applications in this policy because the same rules apply to all of them; where a particular feature is only present in some applications, that is noted in the relevant section.

B.1 Summary

For readers in a hurry:

  • We do not collect your name, email, phone number, or address.
  • We identify your device using a randomly generated anonymous identifier (a UUID). This identifier cannot be linked back to you personally.
  • Some of our applications send images you capture (face, skin, hair, scalp, body area, product labels, documents) to third-party AI services to generate the analysis result or virtual try-on preview you requested. The providers are OpenAI, accessed through the API gateway OpenRouter, used for textual analyses; and Perfect Corp (operator of the YouCam platform), used for AI-driven visual try-on and image-feature detection (for example, virtual hair, beard, makeup, eyewear, nail, or accessory try-on, and hair-type, scalp, skin, or body-attribute detection). No image is transmitted until you explicitly tap a consent button on an in-app screen that names the providers and lists what is sent.
  • None of these providers uses your data to train AI models. Images are not stored on our servers in persistent form and are not retained by the providers beyond the limited windows described in §B.5.
  • We do not track you across other applications or websites. We do not use the Apple Advertising Identifier (IDFA). We do not sell data. We do not share data with data brokers or advertising networks.

The remainder of this document explains each of these points in the detail required by Apple App Store Review Guidelines 5.1.1 and 5.1.2 and by the privacy laws of the European Union (GDPR), the United Kingdom, California (CCPA/CPRA), and Kazakhstan.

B.2 Information we collect

Our applications collect the following categories of data. Whether a given category is collected depends on which application you are using and which features you choose to use.

B.2.1 Device information

When you first launch an application, a random universally unique identifier (UUID) is generated on your device and stored in local app storage. This UUID is sent with every request to our servers so that we can attach your subscription status, free-tier quota, and analysis history to your device without knowing who you are. We also record the platform (iOS or Android), the application version, and the operating-system major version. We do not collect your IMEI, MAC address, Apple Advertising Identifier (IDFA), or Google Advertising ID.

B.2.2 Images you capture

When you choose to use a feature that requires a photograph — for example, a skin analysis, a hair or scalp scan, a body-area scan, an ingredient-label scan, a document scan, or any equivalent imaging feature — the application accesses your camera or photo library only after you have granted the corresponding iOS or Android permission. The captured image is then either (a) processed entirely on your device using on-device computer vision (see §B.4), or (b) transmitted to our backend and forwarded to a third-party AI service for analysis (see §B.5), depending on the feature. No image is uploaded in the background or without an explicit user action.

B.2.3 Profile data you provide

Several of our applications include a short quiz or onboarding form in which you provide information such as skin type, hair type, scalp condition, age range, goals, dietary preferences, or analogous attributes. This data is supplied voluntarily by you, is stored locally on your device, and is included in analysis requests so that the result is personalised. You can edit or delete this profile at any time from within the application.

B.2.4 Analysis history

Results returned to you by the application (textual analyses, recommendations, scores) are stored locally on your device so you can review them later. Unless explicitly stated by a particular feature, results are not stored on our servers in a form linked to you. Deleting the application erases this local history.

B.2.5 Usage data and diagnostics

Where an application includes analytics, anonymous usage statistics (which screens were viewed, how long sessions lasted, how often features were used) and crash and error reports are collected through Firebase Analytics and Firebase Crashlytics, operated by Google LLC. These reports contain technical context (stack trace, device model, OS version, anonymous installation ID) but never contain images, photographs, or the contents of analysis results. Applications that do not include analytics do not transmit this data at all.

B.2.6 Subscription and purchase data

If you purchase a subscription or one-time unlock, the purchase is processed by Apple (App Store) or Google (Play Store) using their own payment systems. We do not see your credit-card number, billing address, or App Store / Google account email. We receive only the validated receipt and entitlement status, which we manage through RevenueCat, Inc. (revenuecat.com), a third-party subscription-management platform. RevenueCat stores your anonymous device UUID together with the entitlement status; it does not receive images, profile data, or analysis results.

B.3 How we use the data we collect

We use the data described in §B.2 only for the purposes listed here:

  • To deliver the feature you requested at the moment you requested it (for example: to generate a skincare analysis when you submit a selfie, or to extract ingredient names when you scan a product label).
  • To save your subscription status and free-tier quota so you do not have to log in.
  • To save your profile and analysis history locally on your device so you can review past results.
  • To diagnose crashes and operational errors using aggregated, anonymised reports.
  • To monitor aggregate usage so we can decide which features to improve.
  • To prevent abuse — for example, automated scripts attempting to exhaust free-tier quota or extract data from third-party AI providers via our endpoints.
  • To comply with applicable law where we are obliged to retain or disclose information.

We do not use your data for advertising, retargeting, ad measurement, audience building, lookalike modelling, profiling for marketing, or any form of cross-application tracking. We do not sell or rent your data. We do not hand your data to data brokers.

B.4 On-device processing

Some features are designed to run entirely on your device and never transmit your image. The most common example is optical character recognition (OCR) used to read text from a product label or document: the camera frame is processed by an on-device OCR engine (such as Apple's Vision framework on iOS, Google ML Kit on Android, or an equivalent library), the extracted text is returned, and the original image is discarded from memory. The image itself is not uploaded. If a downstream feature subsequently sends the extracted text to a third-party AI service for further analysis (for example, to evaluate the ingredient list), that step is covered by §B.5 and is gated by the consent flow described there.

B.5 Third-party AI processing

This is the single most important section of this policy and is written to satisfy Apple App Store Review Guidelines 5.1.1(i) and 5.1.2(i) in full.

B.5.1 The providers

Our applications use the following third-party AI processors. Which providers a given application uses depends on the features that application offers; many applications use only one of them.

(a) OpenAI, via OpenRouter. To produce AI-generated textual outputs — skin assessments, hair- or scalp-condition assessments, ingredient evaluations, compatibility checks, document or label interpretations, and analogous analyses — our applications send selected user data to OpenAI, LLC, the operator of the GPT family of large language and vision models (openai.com). Requests are routed through OpenRouter, Inc., an API gateway (openrouter.ai) that selects and forwards the request to the appropriate OpenAI model on our behalf. Both companies are based in the United States and operate as our processors under their published API and privacy terms.

(b) Perfect Corp (YouCam). To produce AI-driven visual outputs — virtual try-on previews and image-feature detection — our applications send selected user data to Perfect Mobile Corp. and its affiliates (collectively "Perfect Corp"), the operator of the YouCam suite of computer-vision and augmented-reality APIs (perfectcorp.com, yce.perfectcorp.com). Depending on the application and the feature you use, Perfect Corp may be used for: virtual hairstyle, hair-color, beard, eyebrow, makeup, eyewear, jewellery, headwear, nail, or accessory try-on; rendering of edited preview imagery composed of the original photograph with the virtual element applied; and detection of attributes such as hair type, hair length, hair frizziness, scalp condition, skin condition, body shape, or facial attributes. Perfect Corp operates as our processor under its published API terms and privacy policy.

B.5.2 What data is sent

The exact payload depends on which feature you are using, but is always limited to what the feature requires and never includes data you did not knowingly provide. The categories are:

  • Images you captured — the selfie, scalp photograph, body-area photograph, ingredient-label photograph, document photograph, or other photograph you took in order to use the feature. Images are sent only for features that explicitly require visual analysis.
  • Profile data you provided — for example, skin type, hair type, age range, declared concerns, goals — used to personalise the analysis.
  • Extracted text — for features that performed on-device OCR (see §B.4), the extracted text (for example, an ingredient list or a document body) is sent so the AI can analyse it.
  • The textual prompt our application constructs to instruct the model on what to produce.

We do not send your device UUID, your email, your phone number, your IP address, your location, your contacts, your photo-library inventory, or any data you did not knowingly provide.

B.5.3 Consent before any transmission

Before any image or personal datum is transmitted to a third-party AI service for the first time in a given application, the application displays an in-app consent screen that (i) names the third-party AI providers used by that application (one or more of OpenAI, OpenRouter, and Perfect Corp), (ii) lists what will be sent, (iii) states that no data will be used to train AI models, and (iv) requires you to tap an affirmative "Continue" action. No transmission occurs until you tap that action. You may revoke this consent at any time from the application's settings; revoking consent disables features that require third-party AI processing but does not affect the rest of the application.

B.5.4 How the providers handle your data

  • All transmissions are made over encrypted HTTPS (TLS 1.2 or higher).
  • OpenRouter is a stateless API gateway and, per its privacy policy (openrouter.ai/privacy), does not use customer inputs to train AI models and does not retain prompt or image content beyond the duration required to route the request.
  • OpenAI, per its API data-usage policy (openai.com/policies/api-data-usage-policies), does not use API inputs or outputs to train its models. API inputs may be retained for up to thirty (30) days solely for abuse, safety, and security monitoring, after which they are permanently deleted. We use the OpenAI API under this default no-training policy.
  • Perfect Corp, per its API terms and privacy policy (perfectcorp.com/business/privacy), processes the imagery we submit only to compute the requested visual try-on or detection result. Perfect Corp does not use our API inputs to train its AI models without our written consent, which we have not given. Input imagery is processed for the duration required to generate the result and is held by Perfect Corp only for the limited period necessary to deliver the result and conduct routine abuse and security monitoring, after which it is deleted in accordance with Perfect Corp's published retention practices. Generated preview imagery is made available to us through short-lived signed URLs (typically valid for two hours).
  • None of these providers receives your name, email, device UUID, IP-based location, contacts, or any other identifier we hold about you. They cannot link the content of a request to you personally.
  • We have reviewed the published privacy policies and API data-usage terms of all three providers and consider them to provide protections substantively equivalent to those described in this policy, as required by Apple App Store Review Guideline 5.1.1.

B.5.5 Our own handling

On our servers, requests are forwarded to the relevant AI provider in real time. The original photograph you submitted exists in our process memory for the few seconds required to forward the request and return the response, after which it is discarded; it is not written to a database, not written to a file system, and not backed up. Where a feature relies on Perfect Corp and the provider returns the result via a short-lived signed URL, we may briefly stage the generated preview imagery (the rendered try-on or detection output, not your original photograph) in our own object storage so that the preview remains accessible to you after the provider's URL expires; such preview imagery is associated only with your anonymous device UUID, is deleted automatically after a retention window not exceeding ninety (90) days, and can be deleted earlier by deleting the result from within the application or by using the "Delete My Data" control where the application provides one. Operational logs used for service monitoring are retained for up to ninety (90) days and contain no image content and no prompt content.

B.6 Biometric and image data — guideline 5.1.1(i)

Where our applications capture images of a person — most commonly the face during a skin analysis, but also the scalp, hands, or other body areas — Apple App Store Review Guideline 5.1.1(i) imposes specific disclosure requirements. We address each of the required points below.

B.6.1 Whether image data is retained

The original photograph you submit is not retained on our servers. It is held in transient request memory only for the few seconds required to forward the request to the third-party AI service and return the response; it is never written to a database, never written to a file system, and never backed up. Where a feature produces generated preview imagery (for example, a virtual try-on rendering returned by Perfect Corp), we may briefly stage that generated preview in our own object storage so that it remains accessible to you after the provider's short-lived URL expires, as described in §B.5.5. Such preview imagery is associated only with your anonymous device UUID, is deleted automatically after a retention window not exceeding ninety (90) days, and may be deleted earlier by deleting the result from within the application or by using the "Delete My Data" control where the application provides one. On your device, the original photograph and any results you have viewed are stored in the application's private sandbox so you can review your own history and can be deleted at any time from within the application.

B.6.2 Purpose of processing

The sole purpose of image processing is to generate the analysis result, virtual try-on preview, or attribute-detection result that you requested at that moment. Images are not used for identification, for biometric authentication, for advertising, for analytics, for model training, or for any other purpose.

To produce a virtual try-on preview (for example, to place a virtual hairstyle, hair colour, beard, makeup look, pair of eyewear, or other virtual element on your photograph), our processor Perfect Corp must locate the relevant facial or body landmarks in your image — for example, the outline of the hairline, the position of the lips, or the orientation of the head — so that the virtual element is rendered in the correct position. The landmark coordinates derived in this process are used only to render the preview you requested and are not used to recognise you, to match you against any database, to identify you across sessions or applications, or to construct a biometric identifier of you. We do not create, store, export, or share facial-recognition templates, face embeddings, hair-geometry templates, voice prints, gait data, or any other persistent biometric identifier derived from your image. Landmark data exists only for the duration required to render the result and is not retained as a stand-alone artefact.

B.6.3 Duration of storage and why

On our servers: the original photograph is not stored, as described in §B.6.1; generated preview imagery may be briefly staged in our object storage for up to ninety (90) days so that you can re-view it after the provider's signed URL expires, then auto-deleted. On your device: stored locally inside the application sandbox until you delete the result, uninstall the application, or — where the application provides a "Delete My Data" control — use that control. At our third-party AI providers: at OpenAI, up to thirty days for abuse and safety monitoring, after which the data is permanently deleted, per the OpenAI API data-usage policy; at Perfect Corp, only for the limited period required to compute and deliver the result and to conduct routine abuse and security monitoring, after which the data is deleted in accordance with Perfect Corp's published retention practices. Generated preview imagery returned by Perfect Corp is delivered via short-lived signed URLs (typically two hours).

B.6.4 Third parties with which image data is shared

Image data is shared only with the third-party AI providers required by the feature you are using. Those providers are: OpenRouter (the API gateway), OpenAI (the AI model provider that performs textual analysis), and Perfect Corp (the AI provider that performs visual try-on and image-feature detection). Which of these receives your image depends on the feature: a textual skin or hair assessment goes only to OpenAI via OpenRouter; a virtual try-on or visual detection goes only to Perfect Corp; in some applications a single user action may invoke both. No other third party receives image data. We do not share image data with advertisers, analytics providers, data brokers, social networks, or any other category of recipient.

B.6.5 Reasons for sharing image data with those third parties

Image data is shared with these providers for the single purpose of producing the analysis result, virtual try-on preview, or attribute-detection result you requested. The third-party AI vision and try-on models are, at present, the only practical means of generating the kind of outputs our applications offer, and the result cannot be produced without sending the image to the model. We do not share image data for any other purpose.

B.6.6 Third-party retention practices

Restated for clarity: OpenRouter is a stateless gateway and does not retain image content; OpenAI may retain image inputs for up to thirty days solely for abuse and safety monitoring and does not use them to train models, after which the data is permanently deleted; Perfect Corp retains image inputs only for the limited period required to compute and deliver the result and to conduct routine abuse and security monitoring, does not use our API inputs to train its AI models without our written consent, and deletes the data thereafter in accordance with its published retention practices. All three providers are bound by their published privacy policies and by their API data-usage terms, which extend protections substantively equivalent to those in this policy.

B.7 Data sharing — closed list

We share your data only with the parties listed below, only for the purposes listed, and only in the categories listed.

  • OpenAI, LLC (openai.com) — to perform AI analysis. Receives: image data, profile data, extracted text, prompt. Does not receive: device UUID, contact details, location, advertising identifier.
  • OpenRouter, Inc. (openrouter.ai) — to route API requests to OpenAI on our behalf. Receives the same content as OpenAI; acts as a stateless transport.
  • Perfect Mobile Corp. and affiliates (Perfect Corp / YouCam) (perfectcorp.com) — to perform AI-driven virtual try-on (hair, beard, makeup, eyewear, jewellery, headwear, nail, or accessory try-on) and image-feature detection (such as hair type, hair length, hair frizziness, scalp, skin, body-shape, or facial-attribute detection). Receives: image data and, where required by the specific feature, accompanying profile data, extracted text, or prompt. Does not receive: device UUID, contact details, location, or advertising identifier.
  • RevenueCat, Inc. (revenuecat.com) — to manage subscription state. Receives: device UUID, platform, anonymised purchase events. Does not receive: images, profile data, or analysis results.
  • Google LLC (Firebase Analytics & Crashlytics) — to record anonymised usage statistics and crash reports. Receives: anonymous installation ID, screen names, event names, crash stack traces, device model, OS version. Does not receive: images, profile data, analysis results, prompts, or your device UUID.
  • Apple Inc. and Google LLC in their capacity as the operators of the App Store and Google Play — for purchase processing. We do not receive your full payment information from them.
  • Hetzner Online GmbH — our infrastructure provider.
  • Law-enforcement and regulatory authorities — only where we are compelled to disclose by a binding legal order, and only to the extent that order requires.

We do not share your data with: advertisers, advertising networks, data brokers, marketing-data exchanges, social-graph providers, retargeting platforms, or any party whose purpose is to combine our data with data from other applications or websites.

B.8 Tracking — guideline 5.1.2(i) and App Tracking Transparency

Apple defines "tracking" as the linking of data collected about you in our application with third-party data for advertising purposes, or the sharing of data with a data broker. Under that definition, our applications do not track you. Specifically, as of the date of this policy:

  • We do not collect or read the Apple Advertising Identifier (IDFA) or the Google Advertising ID.
  • We do not embed any advertising-network SDK (no Meta Audience Network, no AdMob, no AppLovin, no IronSource, no Unity Ads, no Mintegral, no comparable SDK).
  • We do not embed any attribution SDK that links our data with third-party data sets (no AppsFlyer, no Adjust, no Branch, no Singular, no Kochava).
  • We do not sell, license, or transfer data to data brokers.
  • We do not combine the data we hold about you in one of our applications with data held about you in any other application, on any website, or by any third party.

Because we do not track, our applications do not present the App Tracking Transparency permission prompt on iOS. If the App Privacy labels for a specific application in App Store Connect appear to indicate tracking, that is an error in the label rather than in the application's behaviour, and we will correct the label.

B.9 Data retention

Retention windows by category of data:

  • Original photographs you submit: not retained on our servers; held in transient memory only during the active request. On your device: until you delete the result or uninstall the application.
  • Generated preview imagery returned by AI providers (try-on renderings, detection outputs): may be briefly staged in our object storage for up to ninety (90) days so that the preview remains accessible after the provider's short-lived URL expires, then auto-deleted; deletable earlier from within the application.
  • Profile data you provide: stored locally on your device only; not stored on our servers in a form linked to you. Deletable from within the application.
  • Analysis results: stored locally on your device only.
  • Device UUID and subscription state: retained for as long as the application is installed and for ninety days after the last activity, after which the record is deleted.
  • Request logs (no image, no prompt content): retained for ninety days, after which they are deleted.
  • Crash and analytics records (Firebase): retained per Google's defaults — generally up to fourteen months for analytics and ninety days for crash reports — and not linked to your device UUID.
  • At OpenAI: API inputs and outputs may be retained for up to thirty days solely for abuse monitoring, after which they are permanently deleted, per OpenAI's API data-usage policy.
  • At OpenRouter: not retained beyond the duration of the request.
  • At Perfect Corp: retained only for the limited period required to compute and deliver the result and to conduct routine abuse and security monitoring, after which the data is deleted in accordance with Perfect Corp's published retention practices. Generated preview imagery is delivered via short-lived signed URLs (typically two hours).

B.10 Security

  • All network traffic between our applications and our servers, and between our servers and third-party processors, is encrypted in transit using TLS 1.2 or higher.
  • Authentication relies on short-lived bearer tokens whose validity windows are kept to the minimum necessary for the user experience.
  • Sensitive material stored on your device (authentication tokens, locally cached credentials) is held in the platform's secure storage — iOS Keychain on Apple devices, Android Keystore on Android devices.
  • Our backend runs in a managed cloud environment with role-based administrative access and audit logging.
  • No system can be made entirely secure against every conceivable attack. If we discover a breach affecting your data we will notify you and the relevant authorities as required by applicable law.

B.11 Your rights

Regardless of where you are located, you have the right to:

  • Access the data we hold about you. Most of this data is already visible to you inside the application; for anything that is not, write to the contact address in §B.15.
  • Correct inaccurate data — you can edit your profile from within the application.
  • Delete your data. Where an application includes a "Delete My Data" control in its settings, using it erases all data associated with your device from our servers. You can also request deletion at any time by writing to the contact address in §B.15 and we will action the request within thirty days. Uninstalling the application erases all locally stored data on your device.
  • Withdraw consent to third-party AI processing at any time. The application will continue to function in features that do not require AI processing.
  • Lodge a complaint with a data-protection authority. In the European Union and the United Kingdom, this is your national supervisory authority; in California, it is the California Privacy Protection Agency; in Kazakhstan, it is the Ministry of Digital Development, Innovation and Aerospace Industry.

Residents of the European Economic Area, the United Kingdom, and Switzerland additionally have the rights granted by the General Data Protection Regulation and its UK equivalent (data portability, restriction of processing, objection to processing). Residents of California additionally have the rights granted by the CCPA/CPRA (the right to know, the right to delete, the right to opt out of sale — which is not applicable here, since we do not sell — and the right to non-discrimination).

B.12 International data transfers

Our backend is hosted in the European Union. Our third-party AI providers (OpenAI, OpenRouter, Perfect Corp) and certain platform providers (Google Firebase, RevenueCat) process data outside the European Economic Area, including in the United States and in other jurisdictions in which they or their data-centre subprocessors operate. Where data is transferred outside the European Economic Area or the United Kingdom, the transfer relies on appropriate transfer mechanisms, including the European Commission's Standard Contractual Clauses, an applicable adequacy decision, or the EU-U.S. Data Privacy Framework where the recipient is certified.

B.13 Children's privacy

Our applications are not directed to children under the age of thirteen, and we do not knowingly collect personal information from children under thirteen. Several of our applications are rated 17+ in the App Store because they discuss adult skincare, haircare, or wellness topics. If you believe a child under thirteen has provided us with personal information, write to the address in §B.15 and we will delete it promptly.

B.14 Changes to this policy

We may update this Privacy Policy from time to time, in particular when we add new features, when we change a third-party processor, or when applicable law changes. Material changes will be announced inside the affected applications and on this page, and the "last updated" date in the header will be revised. Your continued use of our applications after the announcement constitutes acceptance of the updated policy; if you do not accept it, you may stop using the application and delete your data as described in §B.11.

B.15 Contact

Questions about this Privacy Policy, requests to exercise your rights, and notices of suspected breaches should be addressed to: