Privacy

Privacy Policy

Effective July 15, 2026 · Last updated May 28, 2026

In short

Amorie helps you build a skincare routine that suits your skin. To do that we store the answers you give us, the routines we generate, and the feedback you share. We never sell your data, and you can delete your account — and everything tied to it — at any moment from inside the app.

Who we are

Amorie is built and operated by NovaSky Studio Ltd. ("NovaSky Studio", "we", "us"). We are the data controller for everything described in this policy.

Privacy questions go to privacy@amorieapp.com.

What we collect

We keep this list deliberately short. We only store what we need to give you a useful routine.

Account

Your email address, name, and authentication tokens. Managed through AWS Cognito.

Your skin profile

The answers you give in the skincare quiz: skin type, concerns, sensitivities, current routine, lifestyle context. You can review and change every answer.

Routines & recommendations

The morning and evening routines Amorie builds for you, the ingredients we suggest, and the reasoning behind each choice.

Feedback you share

Which products you've tried, how your skin reacted, and any notes you add. This is what lets your routine evolve with your skin.

Usage signals

How you move through the app — screens you open, taps, time spent — through Mixpanel. We use this to understand which features help and which need work.

Consent receipts

A record of which version of this policy you agreed to and when. Required by GDPR Article 7.

Why we use it

  • To build your routine. Your quiz answers and reactions feed the AI that designs your morning and evening rituals.
  • To keep your account safe. Email verification, password resets, and security alerts.
  • To improve the app. Aggregated usage signals tell us which steps users find clearest.
  • To send you the few transactional emails you'd expect. Welcome, account verification, password reset, weekly routine summary if you opt in.

Our legal basis under GDPR Article 6 is performance of the agreement with you (Art. 6(1)(b)) for the parts you need to use the app, and your explicit consent (Art. 6(1)(a)) for analytics and marketing communications. You can withdraw consent at any time.

Automated decisions

Amorie generates your routine using a multi-model AI synthesis (Google Gemini, OpenAI GPT-4o, xAI Grok) followed by a safety pass. Every recommendation comes with the reasoning we used to produce it, and you can override, ignore, or change any step. You always have the right to ask a human to review a decision — write to privacy@amorieapp.com.

Who we share data with

Infrastructure

Amazon Web Services (Frankfurt, eu-central-1) hosts the API, the database, and the email infrastructure. AWS is our data processor under a Data Processing Addendum.

AI providers

We send the prompt for your routine — the structured form of your quiz answers, without your name or email — to Google (Gemini), OpenAI (GPT-4o), and xAI (Grok). Each provider returns a recommendation; the final routine is the consensus among them. These providers process the request to generate the answer and do not train on it under the API agreements in force at the time of writing.

Analytics

Mixpanel receives anonymous-by-default usage events. Your email is used as a distinct identifier so we can recognise the same person across sessions; it can be wiped on request.

That's the full list.

We don't sell your data, share it with advertisers, or use it for any purpose not listed in this policy.

How long we keep it

  • Draft quiz sessions — 24 hours, then auto-deleted by DynamoDB TTL.
  • Completed routines, reactions, account data — for as long as your account is active.
  • Consent receipts — kept as long as required by GDPR Article 7 (typically the duration of the relationship plus the statute of limitations).
  • After account deletion — a single audit row with a one-way hash of your user id, proving the deletion happened. Nothing tying it to you remains.

Your rights

Under GDPR you have the right to:

  • Access the personal data we hold about you.
  • Correct anything that's wrong.
  • Delete your account and the data tied to it — from inside the app (Profile → Delete account) or by writing to us.
  • Restrict or object to specific processing.
  • Export your data in a machine-readable format.
  • Withdraw consent for analytics or communications at any time.

You also have the right to lodge a complaint with your local data protection authority. We hope you'd come to us first — privacy@amorieapp.com — but it's your right either way.

Children

Amorie is for people aged 16 and over. We don't knowingly collect data from anyone younger. If we learn that we have, we will delete it.

Security

Data in transit is encrypted with TLS. Data at rest in DynamoDB is encrypted with AWS-managed keys. Secrets live in AWS Secrets Manager with audit logging. Access to production systems is OIDC-only — no static credentials anywhere.

Changes to this policy

When we change anything that affects you, we will update the "last updated" date above, and ask for your consent again before the change takes effect.

Contact

NovaSky Studio Ltd.
privacy@amorieapp.com

← Back to Amorie