Privacy policy
Effective date: May 25th 2026 · Last updated: May 25th 2026
Applicable law: Swiss nFADP (Federal Act on Data Protection, in force 1 September 2023) and EU GDPR (Regulation (EU) 2016/679)
This Privacy Policy explains how Twelve Seven Skincare AG ("Twelve Seven", "we", "us", or "our") collects, uses, shares, and protects the personal data of customers and visitors, with particular focus on individuals in Switzerland and the European Economic Area ("EEA"). It also explains, in full, how we handle the facial photographs and skin data you may choose to provide if you use our optional AI skin analysis feature, which is powered by our technology partner Haut.AI.
Our online store and website are hosted and operated on the Shopify platform. This means that Shopify Inc. and its affiliates are involved in the processing of some of your personal data. Section 4.1 below explains this in detail.
We have written this Policy in plain language. Legal cross-references (GDPR and nFADP articles) appear in brackets for transparency. If you have any questions, please contact us at ciao@twelveseven.com.
Table of Contents
| Section | Summary |
|---|---|
| 1. Controller and Contact Details | including EU Representative and Data Protection Contact |
| 2. Personal Data We Collect | account, order, payment, device, AI skin data |
| 3. Why We Use Your Data and Our Legal Basis | purposes and legal grounds |
| 4. Who We Share Your Data With | including Shopify (4.1) and targeted advertising (4.2) |
| 5. International Data Transfers | EEA, Switzerland, Canada, USA |
| 6. Your Rights | access, erasure, portability, objection, authorised agents |
| 7. Data Retention | retention periods by data category |
| 8. AI Skin Analysis Tool — Full Details | Haut.AI, consents, retention, deletion |
| 9. Cookies and Similar Technologies | types, consent, opt-out |
| 10. Automated Decision-Making | profiling and your rights |
| 11. Third-Party Websites and Links | external sites disclaimer |
| 12. Children | age limits and parental rights |
| 13. Security | technical and organisational measures |
| 14. Changes to This Policy | how we notify you |
| 15. Governing Law | Swiss law and GDPR |
| 16. Contact Us | how to reach us and response times |
1. Controller and Contact Details
The data controller responsible for your personal data is:
| Company | Twelve Seven Skincare AG |
|---|---|
| Address | Seestrasse 15, Zollikon, 8702, Switzerland |
| Commercial register | CHE-295.926.575 |
| Email | ciao@twelveseven.com |
| Website | www.twelveseven.com |
Twelve Seven Skincare is incorporated and established in Switzerland. Swiss law (the nFADP) is our primary data protection regime. Where we offer goods or services to customers in the EEA, the GDPR applies to that processing in addition to the nFADP.
1.1 EU Representative (Article 27 GDPR)
Because we are established in Switzerland (outside the EU) but offer products to individuals in the EEA, we have appointed an EU Representative under Article 27 GDPR:
| Name / Organisation | MK |
|---|---|
| Address | D-79801 Hohentengen |
| Email | mk@bs-mk.de |
1.2 Data Protection Contact
For any privacy-related questions, requests, or concerns, please email ciao@twelveseven.com with the subject line "Privacy". We aim to respond within five business days.
2. Personal Data We Collect
We collect the following categories of personal data, depending on how you interact with us:
2.1 Information You Provide Directly
- Account data: your name, email address, password (stored in hashed form), and date of birth where required.
- Order and shipping data: billing address, delivery address, telephone number, and purchase history.
- Payment data: payment method and last four digits of your card or account. Full payment details are processed directly and securely by our payment service providers via Shopify Payments. We do not store complete card numbers.
- Customer service data: the content of your communications with us, including emails, live chat, returns and complaints, and any photographs or skin information you choose to share when seeking advice.
- Marketing preferences: your consent status for newsletters, promotional emails, and SMS communications.
- Reviews and user-generated content: any name, photograph, or text you submit when reviewing our products.
2.2 Information Collected Automatically
- Device and browser data: IP address, device identifiers, browser type and version, operating system, and language settings.
- Usage and transaction data: pages visited, products viewed, items added to your cart or wishlist, purchase history, time spent on site, referring URLs, and click and scroll behaviour.
- Cookie and similar technology data: please see Section 9 for full details.
2.3 Information from Third Parties
- Shopify platform: as described in Section 4.1, Shopify may collect and share certain data about your interactions with our store and, in some circumstances, across the broader Shopify merchant network.
- Social login: if you choose to log in using Google, Apple, Facebook, or a similar service, we receive your name, email address, profile picture, and any other data you authorise that provider to share.
- Analytics and advertising networks: aggregated audience and campaign performance data.
- Fraud prevention services: risk scores and fraud signals to protect you and us.
2.4 Biometric and Skin Data — AI Skin Analysis Tool
If, and only if, you choose to use our optional AI skin analysis tool (described in full in Section 8), we will additionally collect:
- a facial photograph that you upload or capture through our website;
- skin parameters derived from that photograph by artificial intelligence, such as signs of UV damage, pigmentation, hydration levels, and fine lines; and
- a simulated image generated by the AI showing how your skin may appear in approximately ten years without adequate sun protection.
Under the GDPR, facial images processed to analyse unique characteristics may constitute biometric data and a "special category" of personal data (Article 9(1) GDPR). Under the nFADP, this is sensitive personal data (Article 5(c) nFADP). We process this data only with your explicit, separate consent.
You are never required to use the AI skin analysis tool. You can browse, shop, and use every other feature of our website without providing any photograph.
3. Why We Use Your Data and Our Legal Basis
We may only process your personal data when we have a valid legal basis. The table below sets out our main processing purposes and the corresponding legal basis under the GDPR and nFADP.
| Purpose | Data used | Legal basis |
|---|---|---|
| Fulfilling and managing your orders (processing payment, arranging delivery, handling returns) | Order data, payment data, contact details | Performance of a contract (Art. 6(1)(b) GDPR; Art. 31(2)(a) nFADP) |
| Creating and managing your customer account | Account data, order history | Performance of a contract (Art. 6(1)(b) GDPR; Art. 31(2)(a) nFADP) |
| Responding to customer service enquiries, complaints, and returns | Customer service data, order data | Performance of a contract / Legitimate interests (Art. 6(1)(b) and (f) GDPR) |
| Sending transactional communications (order confirmations, shipping updates) | Email, order data | Performance of a contract (Art. 6(1)(b) GDPR) |
| Sending marketing communications (newsletters, promotional emails, SMS) — where you have opted in | Email / phone, marketing preferences | Consent (Art. 6(1)(a) GDPR; Art. 31(1) nFADP) |
| Personalised product recommendations and marketing segmentation | Purchase history, browsing data | Legitimate interests (Art. 6(1)(f) GDPR) |
| Showing targeted advertising based on your activity on our store and, via Shopify, on other merchant sites | Browsing data, purchase history, device data | Consent (Art. 6(1)(a) GDPR) — you may opt out at any time; see Section 9 |
| Improving our website and services through analytics | Usage data, cookie data | Legitimate interests / Consent for non-essential cookies |
| Fraud detection and prevention | Order data, payment data, IP address, Shopify network signals | Legitimate interests (Art. 6(1)(f) GDPR) |
| Compliance with legal obligations (accounting, tax, consumer law) | Order data, invoices, correspondence | Legal obligation (Art. 6(1)(c) GDPR; Art. 31(2)(c) nFADP) |
| AI skin analysis tool: processing your photograph and generating skin metrics | Facial photograph, derived skin data | Explicit consent (Art. 9(2)(a) and Art. 6(1)(a) GDPR; Art. 6(7)(a) nFADP) |
| Establishing, exercising, or defending legal claims | Relevant correspondence and records | Legitimate interests (Art. 6(1)(f) GDPR) |
Where we rely on 'legitimate interests', we have carried out a balancing test and concluded that our interests do not override your rights and freedoms. You can request further information by contacting us.
Where we rely on 'consent', you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
4. Who We Share Your Data With
We share your personal data only with trusted partners, and only to the extent necessary. We require all third-party processors to enter into a data processing agreement providing appropriate guarantees in line with Article 28 GDPR and Article 9 nFADP.
| Category of Recipient | Purpose and examples |
|---|---|
| Shopify Inc. (e-commerce platform and host) | Hosting our online store, processing orders and payments, fraud prevention, and platform analytics. See Section 4.1 below for the full detail of Shopify's role. |
| Payment service providers | Secure payment processing (e.g. Stripe, Adyen, PayPal, Klarna) |
| Shipping and logistics partners | Order fulfilment and delivery (e.g. DHL, DPD, Swiss Post) |
| Email and marketing platforms | Sending order and marketing emails (e.g. Klaviyo, Mailchimp) |
| Analytics providers | Understanding website performance (e.g. Google Analytics) |
| Business and marketing partners | Showing you targeted advertising on our site and on third-party platforms, based on your activity. See Section 4.2. |
| Customer service tools | Managing support enquiries (e.g. Gorgias, Zendesk) |
| Review platforms | Collecting and displaying product reviews (e.g. Trustpilot, Yotpo) |
| Fraud prevention services | Detecting and preventing fraudulent transactions |
| AI skin analysis: Haut.AI OÜ (Tallinn, Estonia) | Processing your facial photograph and generating skin analysis results, solely when you have given explicit consent. See Section 8. |
| Professional advisers | Lawyers, accountants, and auditors acting under duties of confidentiality |
| Public authorities | Where required by applicable law, court order, or to protect our legal rights |
| Acquirer in a business transaction | In the event of a merger, acquisition, or sale of our business or assets, your data may be transferred as part of that transaction, subject to the same protections as described in this Policy |
We do not sell your personal data. We do not share your facial photograph or skin analysis results with anyone other than Haut.AI OÜ as described in Section 8.
4.1 Our Relationship with Shopify
Our store is built and hosted on the Shopify platform. This means Shopify Inc. (headquartered in Ottawa, Canada, with EU operations through Shopify International Limited, Dublin, Ireland) is involved in processing your personal data in two distinct ways:
- As our data processor: Shopify processes your data on our instructions to provide us with the store platform, payment infrastructure, order management, and related services. In this capacity, Shopify acts under our direction and is bound by a data processing agreement with us.
- As an independent data controller: Shopify also processes certain data for its own purposes, independently of our instructions. These purposes include:
  - operating and improving the Shopify platform across all merchants;
  - fraud detection, security, and abuse prevention using signals gathered from activity across the broader Shopify merchant network;
  - Shopify's own analytics, machine learning, and product development; and
  - personalised advertising features that Shopify may offer based on your interactions with our store and with other Shopify-powered stores.
When Shopify acts as an independent controller, Shopify is responsible for its own processing and for responding to your data rights requests relating to that processing. We cannot control or be responsible for how Shopify uses your data for these independent purposes.
Your rights with Shopify:
To learn more about how Shopify uses your personal data and to exercise your rights in relation to Shopify's own processing, please visit:
- Shopify Consumer Privacy Policy: https://www.shopify.com/legal/privacy
- Shopify Privacy Portal: https://privacy.shopify.com
4.2 Business and Marketing Partners — Targeted Advertising
With your consent (via our cookie banner), we share data with advertising and social media partners to show you relevant ads on our website and on third-party platforms such as Meta (Facebook/Instagram) and Google. This may include data about your browsing behaviour, products you have viewed or purchased, and — through Shopify's advertising features — aggregated behavioural data based on your interactions with other Shopify merchants.
You have the right to opt out of this targeted advertising at any time by:
- updating your preferences in our Cookie Settings (footer of the website);
- using the Shopify Privacy Portal at https://privacy.shopify.com to manage Shopify-specific cross-merchant advertising; or
- adjusting the privacy settings in your browser or device.
Each marketing and advertising partner processes your data in accordance with their own privacy policies. We recommend reviewing those policies for full details.
5. International Data Transfers
We are established in Switzerland and most processing takes place in Switzerland and the EEA. Some of our service providers, including Shopify and certain advertising and analytics platforms, are located in Canada or the United States.
- EEA → Switzerland: the European Commission has recognised Switzerland as providing an adequate level of data protection. No additional safeguards are required.
- Switzerland → EEA: the Swiss Federal Council recognises EEA countries as providing an adequate level of data protection.
- Shopify (Canada): Canada has been recognised by the European Commission as providing an adequate level of data protection for commercial organisations covered by PIPEDA.
- Transfers to other countries (including the USA): we ensure adequate protection through adequacy decisions, Standard Contractual Clauses ("SCCs") approved by the European Commission (with Swiss adaptations recognised by the FDPIC), and supplementary technical and organisational measures following a transfer impact assessment.
- AI skin analysis — Haut.AI OÜ (Estonia, EEA): your photograph and skin data remain within the EEA and are covered by the Swiss Federal Council's adequacy recognition.
You may request a copy of the relevant transfer safeguards by contacting us at ciao@twelveseven.com.
6. Your Rights
Subject to applicable law, you have the following rights in relation to your personal data:
- Right of access: to obtain confirmation that we are processing your data and to receive a copy of it.
- Right to rectification: to have inaccurate or incomplete data corrected.
- Right to erasure: to have your data deleted in certain circumstances.
- Right to restriction: to limit how we use your data while a complaint is being resolved.
- Right to data portability: to receive your data in a structured, machine-readable format and to request that we transmit it to another controller.
- Right to object: to object to processing based on legitimate interests, including profiling for direct marketing. We will stop that processing unless we can demonstrate compelling legitimate grounds.
- Right to opt out of targeted advertising: you may direct us not to share your information with advertising partners for the purpose of targeted advertising. See Section 4.2.
- Right to withdraw consent: at any time where processing is based on consent, including consent for the AI skin analysis tool and marketing communications. Withdrawal does not affect the lawfulness of prior processing.
- Right not to be subject to automated decisions: not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. See Section 10.
To exercise any of these rights, please contact us at ciao@twelveseven.com with the subject line "Data Rights Request". We will respond within one month (extendable by two further months for complex requests). We may ask you to verify your identity.
6.1 Authorised Agents
You may designate an authorised agent to submit a rights request on your behalf. We will require the agent to provide written proof of your authorisation, and we may ask you to confirm your identity directly with us before processing the request.
6.2 Rights Relating to Shopify's Processing
For data processed by Shopify acting as an independent controller (see Section 4.1), you should exercise your rights directly with Shopify via the Shopify Privacy Portal at https://privacy.shopify.com. We are not able to action rights requests that relate to Shopify's independent processing.
6.3 Right to Lodge a Complaint
If you believe our processing infringes data protection law, you have the right to lodge a complaint with the competent supervisory authority:
- In Switzerland: the Federal Data Protection and Information Commissioner (FDPIC) at www.edoeb.admin.ch.
- In the EEA: the supervisory authority of your country of residence, place of work, or place of the alleged infringement. A directory is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en.
We would always appreciate the opportunity to address your concerns first — please contact us before escalating to a supervisory authority.
7. Data Retention
We retain your personal data only for as long as is necessary for the purposes described in this Policy, or as required or permitted by applicable law.
| Category of data | Retention period |
|---|---|
| Account data | For the lifetime of your account, plus 24 months after your last login or purchase. |
| Order, invoice, and accounting records | 10 years from the end of the relevant business year (Article 958f Swiss Code of Obligations and applicable tax law). |
| Customer service correspondence | 3 years from the date of your last contact with us. |
| Marketing data (email, SMS consent) | Until you withdraw consent or object, plus a short suppression period to honour your opt-out. |
| AI skin analysis data (photograph, skin metrics, simulated image) | 12 months from the date you last used the tool, or until you request deletion — whichever is sooner. See Section 8. |
| Security and access logs | 12 months. |
| Cookie data | See Section 9 for individual cookie lifespans. |
How long Shopify retains data it processes as an independent controller is governed by Shopify's own retention policies, available at https://www.shopify.com/legal/privacy.
When the applicable retention period expires, we securely delete or anonymise your personal data.
8. AI Skin Analysis Tool — Full Details
We offer an optional AI-powered skin analysis tool. This section explains everything you need to know before deciding whether to use it.
8.1 What the Tool Does
The AI skin analysis tool allows you to take or upload a photograph of your face. Our technology partner, Haut.AI OÜ ("Haut.AI"), then uses artificial intelligence to:
- analyse visible characteristics of your skin, including signs of UV damage, pigmentation, fine lines, hydration, skin tone, and skin type;
- estimate your skin age based on the photograph; and
- generate a simulated image showing how your skin may appear in approximately ten years if you do not use adequate sun protection.
The tool is for informational and educational purposes only. It is not a medical device and does not provide a medical diagnosis.
8.2 About Haut.AI — Our Technology Partner
The AI skin analysis is provided by Haut.AI OÜ, incorporated in Estonia (EU), registry code 14494738, Telliskivi 60a/8, 10412 Tallinn, Estonia. Contact: privacy@haut.ai.
Haut.AI operates in two distinct capacities in relation to your data:
- As our data processor: when Haut.AI processes your photograph and generates skin analysis results on our behalf and on our instructions, they act as our processor and may not use your data for their own purposes.
- As an independent data controller (limited purposes): Haut.AI may also act as a separate, independent controller to improve and develop their AI technology using anonymised images. This requires a separate, additional consent from you, which we describe in Section 8.5.
8.3 The Tool Is Entirely Optional
You are never required to use the AI skin analysis tool. Refusing to use the tool has no effect on your account, your orders, your access to subscription pricing, or any other interaction with us.
8.4 Data We Collect Through the Tool
- Your facial photograph (uploaded or captured through your device camera).
- Derived skin metrics: skin tone, hydration, signs of UV damage, pigmentation, estimated skin age, and skin condition score.
- A simulated "10-year" image generated by the AI.
- Technical metadata: session identifier and timestamp.
The tool does not collect medical diagnoses. Haut.AI may derive an estimate of your perceived age and other characteristics (such as gender) as part of the skin analysis. These are analytical estimates for skincare purposes only.
8.5 Your Consents — What You Are Agreeing To
Before the tool is activated, you will be shown a dedicated consent screen with two separate consents:
- Consent 1 — Skin Analysis (required to use the tool): you consent to Twelve Seven and Haut.AI processing your facial photograph and deriving skin metrics and a simulated image as described in this section.
- Consent 2 — AI Improvement (optional, separate): Haut.AI may separately ask whether you are willing to allow your anonymised photographs to be used to improve and train their AI models. If you give this consent, Haut.AI will anonymise your photographs (a process that cannot be reversed) before using them for research and development. This is entirely independent of the skin analysis consent and of your interactions with Twelve Seven.
Neither consent is pre-ticked. You must actively confirm each consent. You may grant Consent 1 without granting Consent 2.
8.6 How Your Data Is Shared — and How It Is Not
Your photograph and derived data are transmitted securely (TLS encryption) to Haut.AI's servers in Estonia. Haut.AI:
- processes your data only to provide the skin analysis service on our behalf;
- may not use your personal photograph for AI training without your separate Consent 2;
- may not share your photograph or derived skin data with any other party; and
- is contractually bound to delete your personal data in accordance with the retention periods below.
We do not share your photograph, skin metrics, or simulated image with advertisers, social media platforms, data brokers, insurers, or any other party. Your image will not appear in our marketing materials without your further specific written consent.
8.7 Storage and Location
Your photograph, skin metrics, and simulated image are stored on infrastructure within the EEA. Transfers from Switzerland to Estonia (EU) are covered by the Swiss Federal Council's adequacy recognition.
If you are logged into a Twelve Seven account when you use the tool, your results will be saved so that you can track changes over time. If you use the tool as a guest, data is retained only for the duration of your browser session unless you specifically request that we save it.
8.8 Retention and Deletion
We retain your photograph, skin metrics, and simulated image for 12 months from the date you last used the tool, or until you request deletion — whichever is sooner.
You can delete your skin analysis data at any time:
- From your account settings using the "Delete my skin analysis data" option.
- By emailing ciao@twelveseven.com with the subject line "Delete Skin Analysis Data".
Deletion is permanent and irreversible. We will instruct Haut.AI to delete your personal data from their systems within 30 days.
If you previously granted Consent 2 (AI improvement) and your photographs have already been anonymised, withdrawing that consent cannot reverse the anonymisation or remove the anonymised images from the AI model, as they can no longer be connected to you. However, Haut.AI will cease any further personal data processing for this purpose.
8.9 Profiling
The skin analysis tool involves automated profiling (Article 4(4) GDPR; Article 5(f) nFADP). It does not produce any decision with legal or similarly significant effects on you. You retain all rights in Section 6 in relation to this processing, including the right to request human review by contacting us.
8.10 Children
The AI skin analysis tool is intended for adults aged 18 and over. We do not knowingly collect photographs or skin data from individuals under 18. If you believe a child has used the tool, please contact us immediately.
9. Cookies and Similar Technologies
We use cookies, pixels, and similar technologies to operate our website, remember your preferences, measure the performance of our marketing, and — with your consent — show you personalised advertising.
| Cookie type | Purpose and legal basis |
|---|---|
| Strictly necessary | Essential to operate the website (shopping basket, secure login, fraud prevention, Shopify platform functionality). No consent required. |
| Functional / preference | Remember your preferences such as language and currency. Set on the basis of legitimate interests or consent. |
| Analytics and performance | Help us understand how visitors use our site (e.g. Google Analytics). Placed on the basis of your consent. |
| Marketing and advertising | Deliver targeted advertising on our site and on third-party platforms, including Shopify-powered cross-merchant advertising, and measure campaign effectiveness. Placed on the basis of your consent. |
Non-essential cookies are placed only after you give consent through our cookie banner. You can withdraw or update your consent at any time using the "Cookie Settings" link in our website footer, or via the Shopify Privacy Portal at https://privacy.shopify.com for Shopify-specific preferences.
A full list of cookies, including names, providers, purposes, and lifespans, is available through our Cookie Settings panel.
10. Automated Decision-Making
We do not make decisions that produce legal or similarly significant effects about you based solely on automated processing (Article 22 GDPR; Article 21 nFADP).
We use limited automated profiling for the following purposes, none of which has legal or similarly significant effects on you:
- Personalised product recommendations based on your purchase and browsing history.
- Marketing segmentation to send you offers we think will be relevant.
- The AI skin analysis tool described in Section 8.
You may object to any of these activities at any time. See Section 6.
11. Third-Party Websites and Links
Our website may contain links to third-party websites, apps, or online platforms that are not operated or controlled by us. If you follow a link to any such site, you should review their privacy policy, security practices, and terms and conditions independently. We do not guarantee or take responsibility for the privacy or security of third-party sites, including the accuracy or completeness of any information found on them.
Our inclusion of a link does not imply any endorsement of the linked site, its content, or its operators, except where we have explicitly stated otherwise.
Information you share on public or semi-public venues (for example, via social media integrations on our website) may become visible to other users of those platforms and may be subject to those platforms' own terms and privacy policies.
12. Children
Our products and website are directed at adults. We do not knowingly collect personal data from children under the age of 16 (or the applicable age of digital consent in your country of residence, if higher). If you are a parent or guardian and believe your child has provided us with personal data without your consent, please contact us immediately at ciao@twelveseven.com and we will delete the relevant information.
The AI skin analysis tool requires users to be at least 18 years old. See Section 8.10. We do not knowingly sell or share the personal data of individuals under the age of 16.
13. Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, alteration, disclosure, or destruction. Our measures include:
- Encryption of data in transit (TLS/HTTPS) and at rest.
- Access controls on a need-to-know basis with role-based permissions.
- Secure and monitored cloud hosting within the EEA (via the Shopify platform).
- Regular security assessments.
- Data processing agreements and confidentiality obligations with all processors.
- Staff training on data protection.
- Heightened safeguards for the AI skin analysis tool given the sensitive nature of the data.
No method of electronic transmission or storage is completely secure, and we cannot guarantee absolute security. In the event of a personal data breach likely to result in a risk to your rights, we will notify the relevant supervisory authority within 72 hours where feasible (Article 33 GDPR; Article 24 nFADP) and inform affected individuals where required.
14. Changes to This Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top shows when it was last revised. For material changes — particularly any change affecting the AI skin analysis tool, the Shopify relationship, or the handling of sensitive data — we will provide prominent notice (for example, by email to registered account holders and/or a banner on our website) and, where required by law, obtain fresh consent.
15. Governing Law
This Privacy Policy is governed by Swiss law. The application of mandatory data protection rules of your country of residence — including the GDPR for EEA residents — is not affected.
16. Contact Us
If you have any questions, concerns, or requests relating to this Privacy Policy or our processing of your personal data:
| Company | Twelve Seven Skincare AG |
|---|---|
| Address | Seestrasse 15, Zollikon, 8702, Switzerland |
| Email | ciao@twelveseven.com |
| Subject line | Please use "Privacy" or "Data Rights Request" |
| Response time | 5 business days for general queries; 1 calendar month for data rights requests |
| Haut.AI queries | privacy@haut.ai — for queries about Haut.AI's own independent processing |
| Shopify queries | https://privacy.shopify.com — for queries about Shopify's own independent processing |
This Privacy Policy was prepared in compliance with EU Regulation (EU) 2016/679 (GDPR) and the Swiss Federal Act on Data Protection (nFADP, in force 1 September 2023). It should be reviewed by qualified data protection counsel before final publication.

