Privacy Policy

Last updated: June 16, 2026

1. Data Controller

Halil Ertekin (trading as 2Run)
[Belgian address — to confirm]
BTW BE 1038.480.317 — KBO 1038.480.317
Email: halil@ertekin.me

For privacy questions or data subject requests: halil@ertekin.me

2. What Data We Collect

Personal data you provide
  • Account information: email address, name, password (hashed)
  • Profile data: preferred language, skin concerns, preferences

Data collected automatically
  • Usage data: pages visited, features used, timestamps
  • Device data: device type, operating system, app version
  • Technical data: IP address (for security/fraud prevention)

Special category data (GDPR Art. 9)
  • Face images — uploaded for AI skin analysis. This is biometric data processed with your explicit consent. Images are retained for 30 days, then permanently deleted.

Payment data
  • We do not store card numbers — handled by Stripe, Apple App Store, Google Play (PCI-DSS certified).

3. How We Use Your Data

| Purpose | Legal basis (GDPR) | Data |
|---|---|---|
| Provide AI skin analysis | Contract (Art. 6(1)(b)) + explicit consent (Art. 9) for face images | Account, face images |
| Personalized skincare recommendations | Contract + consent | Analysis results, preferences |
| Account management | Contract | Email, name |
| Send transactional emails | Contract | Email |
| Marketing emails | Consent (Art. 6(1)(a)) — opt-in, unsubscribe anytime | Email |
| Prevent fraud and abuse | Legitimate interest (Art. 6(1)(f)) | IP, usage data |
| Improve our service | Legitimate interest | Aggregated/anonymized usage |

4. AI Providers and International Transfers

Your face images are processed by AI providers for skin analysis. Transfers outside the EEA (notably USA) are protected by:

  • Standard Contractual Clauses (SCC) — Commission Decision 2021/914
  • Transfer Impact Assessment (TIA) — available on request
  • Supplementary measures (Schrems II compliance)

AI providers (see Subprocessors):
  • OpenAI (USA) — vision analysis — SCC + DPA
  • Anthropic (USA) — vision analysis — SCC + DPA
  • Groq (USA) — AI inference
  • OpenRouter (USA) — AI routing

Training opt-out: Your data is not used to train AI models. Provider agreements confirm zero retention for training.

5. Data Retention

| Data category | Retention | Basis |
|---|---|---|
| Face images | 30 days, then permanently deleted | Data minimization |
| Analysis results | Until account deletion + 30 days | Contract |
| Account data | Until deletion request + 30-day grace | GDPR Art. 17 |
| Invoices/financial | 7 years | Belgian tax law (Art. 29 WIB) |
| Access logs | 12 months | Security |
| Marketing consent | Duration of consent + 3 years | Proof of consent |

6. Your Rights (GDPR)

| Right | Article | How |
|---|---|---|
| Access | Art. 15 | "Export my data" in account settings |
| Rectification | Art. 16 | Edit profile or email support |
| Erasure | Art. 17 | "Delete account" in settings — 30-day grace, then permanent |
| Restriction | Art. 18 | Email halil@ertekin.me |
| Portability | Art. 20 | JSON/CSV export via account settings |
| Object | Art. 21 | Email halil@ertekin.me or opt-out in settings |
| Withdraw consent | Art. 7(3) | As easy as giving consent — settings |
| Automated decisions | Art. 22 | AI results are informational, not medical advice — human review available on request |

Response time: Within 30 days. No fee, except for manifestly unfounded requests.

7. Cookies

We use CookieYes consent management. See categories in the cookie banner. Strictly necessary cookies are exempt; analytics/marketing cookies require opt-in.

8. Security

  • AES-256 encryption at rest, TLS 1.2+ in transit
  • Passwords hashed with bcrypt
  • Server: Hetzner (Germany, EU residency)
  • Secret management: encrypted vault + macOS Keychain
  • Regular security audits

9. Children

Service is not directed at children under 16 (Belgium). We do not knowingly process their data.

10. Changes

We may update this policy. Material changes are notified 30 days in advance via email.

11. Contact & Complaints

Data Controller: Halil Ertekin (2Run) — halil@ertekin.me

Right to lodge a complaint with the Belgian DPA:
  • Gebruikersondersteuning.be (Belgian Data Protection Authority)
  • Address: Drukpersstraat 35, 1000 Brussels

12. Related

  • Terms of Use
  • Subprocessors
  • Refund Policy