Privacy policy
Your photos, your data.
Last updated:
We built Haircut Simulator with one principle: your selfie is yours. We do not sell it, we do not use it to train anything, and we share it only with the two AI providers we work with (fal and Anthropic) to generate the result you asked for. This page is the honest list of what we collect, why, with whom we share it, and for how long. If anything here is unclear, write us at bart@thomsin.dev.
Before we send your photo to fal or Anthropic for the first time, the app shows you a dedicated consent screen that names both providers and explains what each receives. You can revoke that consent from Profile → Settings at any time, after which the app will ask again before the next generation.
What we keep, at a glance
| What | Why | How long we keep it |
|---|---|---|
| Your selfie (the input) | To send to fal and Anthropic to render your style sheet or try-on. | Never written to disk on our servers. Held in memory only for the duration of one request, then gone from our side. Retention on fal and Anthropic is described below. |
| Your generated style sheet or try-on (the output) | To let your phone fetch the result back, including for background generations that finish while the app is closed. | Up to 14 days on our server, so your phone can pick it up via push or next launch. Deleted automatically once your phone confirms receipt, or by an every-3-hours cleanup pass once 14 days pass without pickup. |
| Email and name (via Apple Sign-In, optional) | To personalize your in-app greeting and to identify you in the third-party purchase-management service (RevenueCat) for support. | Stored on your device. A copy goes to the third-party purchase-management service (RevenueCat) so you can be reached if there is a purchase issue. Apple lets you share a hide-my-email relay or skip the name, and we never see your real Apple ID. |
| IP address (briefly) | To rate-limit the sign-in endpoint and prevent abuse. | About 10 minutes per request, then auto-deleted. |
Selfies and generated images
When you take or upload a selfie, the image stays on your device. When you tap to generate a style sheet or try-on, the app sends your photo through our backend to two AI providers we work with: fal (which renders the AI image of you with each hairstyle) and Anthropic (whose Claude API analyzes your photo so we can pick suitable cuts from our catalog). The result comes back to your phone. Full details under Third-party providers below.
Your selfie (the input). We never write your selfie to our database or to disk on our servers. It is forwarded in memory to fal and Anthropic to produce the result, then the request is gone from our side. fal and Anthropic each delete the image on their side within their own retention windows (described below).
The generated style sheet or try-on (the output). Because some generations finish in the background and your phone may pick them up later (via push notification or the next time you open the app), we hold the generated image on our server for up to 14 days while we wait for your phone to fetch it. As soon as your phone has the image, our server-side copy is removed. If 14 days pass without pickup, an automated daily cleanup deletes the generation along with any pending state for it.
We never sell or share your selfies with anyone other than fal and Anthropic, and we do not use them to train any machine learning model. Generated images live on your phone for as long as you keep them.
Face data
When you tap to generate a style sheet, we ask Anthropic (via the Claude API) to look at your selfie and produce a short JSON description of your hair and face: face shape, hair texture, hair type, density, hair color, and current length. We use this description for three things:
- Picking 8 hairstyles from our catalog that fit your features.
- Generating the AI image of each style via fal.
- Composing a short personalized note about the result.
The face-data description exists in memory on our backend only for the duration of one analysis request and is never written to disk or database. The selfie itself is sent to both fal and Anthropic, as described under Third-party providers below; both delete the image on their side within their respective retention windows.
We do not derive a face fingerprint, a biometric template, or any persistent face identifier from your photo. We do not build a profile from it, do not run analytics on it, and never share it with anyone other than the two AI providers named above.
If you want us to remove any record of your account from our side, email bart@thomsin.dev from your Apple Sign-In address. We will delete the credit-balance record within 14 days. See also our Terms of Use and Acceptable Use Policy.
Account and sign-in
We use Apple Sign-In for accounts. When you sign in, we ask Apple for three things:
- An anonymous identifier unique to you for this app only. This is not your Apple ID. We use it only as a temporary key while a generation is being processed, then it is gone with the rest of that data.
- Your email address. Apple offers a "Hide My Email" option that gives us a random relay address instead of your real email, so you can stay anonymous if you prefer. We store whatever Apple returns (your real address or the relay) on your device and pass it to the third-party purchase-management service (RevenueCat) so you can be reached if there is a purchase issue.
- Your name. Apple lets you edit it before sharing or skip it entirely. If you share it, we use it for the in-app greeting and to identify your account in the third-party purchase-management service (RevenueCat).
Apple returns email and name only the first time you sign in for this app. We do not collect either on our own proxy servers: they live on your device and on the third-party purchase-management service (RevenueCat).
Credits and purchases
Haircut Simulator sells consumable credits through the App Store. All payment processing, card numbers, billing addresses, and refunds are handled by Apple. We never see your financial details.
Your credit balance is tracked by a third-party purchase-management service, not by us.
IP addresses
To prevent abuse of the sign-in endpoint we count requests per IP address over short windows. Those counters auto-delete after about ten minutes. We do not use IP addresses for tracking, advertising, or analytics.
What we don't do
- We don't keep a history of which haircuts or colors you've tried.
- We don't use advertising networks, analytics SDKs, or crash-reporting services that transmit personal data.
- We don't embed tracking pixels or fingerprinting.
- We don't sell your data, and we don't share it with anyone other than the providers listed below, who receive only what they need to do their part of the work.
Third-party providers
To run the app we rely on a small number of providers. Each receives only the data needed for its part of the work and is contractually bound to provide the same or equal protection of your data as required by this policy. None of them receive your data for advertising, profile-building, or resale.
- fal (fal.ai): generates the AI image of you with each hairstyle. Receives your selfie. fal retains uploads for up to 48 hours under their API lifecycle, then deletes. fal does not use your image to train any model.
- Anthropic (anthropic.com): provides the Claude API. Analyzes your selfie to pick 8 catalog styles that suit your features, and again to compose a short style note. Anthropic does not use API data to train its models; standard Anthropic enterprise retention applies (up to 30 days max for trust & safety, then deletion).
- RevenueCat: confirms App Store purchase receipts and tracks your credit balance. Receives an anonymous identifier and the Apple receipt. Never receives your photo, face data, or in-app content.
- Apple: App Store distribution, Sign in with Apple, push notifications, and payment processing.
- Neon (Postgres): hosts our small database. Holds only your credit balance keyed by anonymous identifier. No photos, no face data.
- Vercel: hosts our backend. Processes the selfie in memory during one HTTP request; never writes it to disk.
Before we send your photo to fal or Anthropic for the first time, the app shows you a dedicated consent screen that names both providers and explains what each receives. You can revoke that consent at any time from Profile → Settings, and we will ask again before the next generation.
Your rights
Most app data is stored locally on your device, so you have full control over it: deleting the app removes all of it. The small amount of data we touch on our proxy servers (image bytes during processing, rate-limit counters) is anonymous and auto-deletes.
Deleting your account. You can delete your account at any time from Profile, Settings, Delete account inside the app. Tapping it shows a confirmation screen explaining what will be removed. On confirmation we:
- Revoke your Sign in with Apple link (the app stops appearing under iOS Settings, Apple Account, Sign in with Apple, Apps using Apple Account).
- Remove your name and email from our purchase-management service.
- Wipe all per-user rows on our servers: any cached generation results, your push token, and your Sign in with Apple refresh token.
- Clear the app's own local storage on this device: the app's local database, its preferences, its image caches, and its sign-in state. (Nothing outside the app is touched.)
What we keep after deletion. We retain the record of past purchases (transaction IDs, amounts, dates, currency) and the Apple-derived account identifier that links them together, plus any unused credit balance you had at deletion. We keep the purchase record so we can help with any refund question, verify charges if you contact us, and reconcile our books against Apple's payout statements. We keep the unused balance because Apple App Review Guideline 3.1.1 states that credits purchased via in-app purchase do not expire. If you sign in again later with the same Apple ID, any unused credits will be available again. You will not receive a second starter-credit grant.
If you would prefer email assistance, write to bart@thomsin.dev from your Apple Sign-In address and we will complete the deletion within 14 days.
If you are a resident of the European Economic Area, you have certain data protection rights under GDPR. You can exercise them (access, correction, deletion, portability) by deleting your account from inside the app, or by emailing us at bart@thomsin.dev.
Any email exchange you have with us at bart@thomsin.dev lives in our inbox. You can ask us to delete the exchange at any time via the same address.
Children
Haircut Simulator is not directed at children under 13. We do not knowingly collect data from anyone under 13. If you believe a child has used the app, contact us and we'll remove the record.
Changes to this policy
We may update this policy as the app evolves. The "Last updated" date at the top of this page reflects the current version. Material changes will be surfaced inside the app on next launch.
Contact
bart@thomsin.dev. Bart Thomsin, sole developer, Netherlands.