lookslablookslab

Legal

Privacy Policy

Last updated: 15 May 2026

This page explains, in plain English, what LooksLab does with your photos and personal data. If anything here is unclear or seems out of step with how the product actually behaves, please write to us at privacy@lookslab.app and we will fix it.

Where each step runs

Landmark detection runs inside your browser using Google’s MediaPipe Tasks Vision model. The model files are downloaded to your device once and then run locally on each scan. Your photo is not sent to our scoring endpoint.

Scoring runs on our server (a Supabase Edge Function). The scoring request contains only the landmark coordinates and your selected gender, never the photo itself. The composite scores and per-metric breakdown are computed from those coordinates.

Photo storage

Photos are uploaded to a private Supabase Storage bucket as part of the scan flow, so you can revisit your scan and we can render the annotated front and side views. This happens for both anonymous and signed-in sessions. Anonymous users are issued a session-bound Supabase identity so their scans are scoped to that identity. Signed-in users get scans scoped to their Google account. In both cases, row-level security ensures only your session or account can read your photos.

You can delete any scan at any time from the My Scans page, and deletion removes the underlying storage objects, not just a reference to them. We do not train any model on your photos.

What we collect

If you sign in with Google we receive your email address and a Google account identifier, which we use to create your LooksLab account. We do not request any other Google scopes. We do not read your Gmail, Drive, or calendar.

For scans you save, we store the numeric measurements, the composite scores, the timestamps, and the photos themselves. For paid accounts we store payment metadata returned by Stripe, including the last four digits of the card and the date of purchase. We do not store full card numbers; payment information is handled by Stripe under their own security model.

Analytics and error tracking

We use PostHog for product analytics. PostHog records anonymized interaction events such as which buttons were clicked and which steps of the scan flow were completed. Where a user is signed in, events are associated with that user’s account so we can understand product use over time.

We use Sentry for error tracking. When the app throws an exception, Sentry records a stack trace and the page where it happened so we can fix the bug. Where possible, error reports are stripped of personally identifying information before they leave your browser.

Cookies and local storage

We use a small number of first-party cookies and similar local storage entries. The most important ones are the Supabase auth session, which keeps you signed in across page loads, and the PostHog session identifier, which links events from the same visit. We do not use third-party advertising cookies and we do not sell your data.

Deleting your data

Each scan you save can be deleted individually from the My Scans page. Deleting a scan removes the stored photos, measurements, and score record from our database. There is no soft delete or grace period.

If you want to delete your account entirely, write to privacy@lookslab.app from the email address tied to the account and we will remove the account, all stored scans, and any associated profile data within seven days.

Third parties we rely on

LooksLab depends on a small number of vendors. Supabase provides authentication, database, and photo storage. Stripe processes payments and stores card information under PCI compliance. PostHog hosts product analytics. Sentry hosts error tracking. Google provides the OAuth identity layer when you sign in with a Google account. Each vendor processes only the data necessary for its function and is bound by its own published privacy terms.

Children

LooksLab is not directed at children under the age of 16 and we do not knowingly collect data from anyone under 16. If you are a parent or guardian and you believe your child has used LooksLab and uploaded a photo, write to privacy@lookslab.app and we will remove the account and any associated data.

Changes to this policy

If we update this policy in a way that materially changes how we handle data, we will note the change at the top of this page and, for substantial changes, notify signed-in users by email. The most recent version is always the one published here, with the updated date at the top.

Contact

Questions, complaints, and data requests all go to the same address: privacy@lookslab.app. A human reads it.