Privacy Policy

1. Introduction

Lonik ("the App," "we," "us," or "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, share, and protect your information when you use our mobile application, and describes your rights under the Saudi Arabian Personal Data Protection Law ("PDPL").

By using the App, you consent to the data collection and processing practices described in this Policy. If you do not agree with any term of this Policy, please do not use the App.

2. Data Controller Identity

The data controller responsible for processing your data is a sole proprietorship registered in the Kingdom of Saudi Arabia:

Name: Smart Lonik (سمارت لونك) — Sole Proprietorship

Commercial Registration No.: 7054462135

City: Jubail, Eastern Province, Kingdom of Saudi Arabia

Privacy Contact Email: support@lonik.app

3. Definitions

• Personal Data: Any data relating to you that can be used to identify you, such as your name, photos, and account details.
• Sensitive Data: Biometric data (such as face photos), health data (such as height, weight, age), and any data classified as sensitive under Saudi law.
• Processing: Any operation performed on personal data, including collection, storage, analysis, and sharing.
• PDPL: The Personal Data Protection Law of the Kingdom of Saudi Arabia.

4. Data We Collect

4.1 Account Data

• An anonymous user ID auto-generated upon first launch.
• The email address linked to your Google account when you sign in.
• The full name associated with your Google account.
• The display name you choose manually.

4.2 Biometric Data (Sensitive)

• Selfie photos you take for personal color analysis.
• Photos you take while using the "Color Mirror" feature.
• Color attributes extracted from your photo analysis: skin tone, undertone (warm, cool, neutral), hair color, and seasonal color category.

4.3 Health and Body Data (Sensitive, Optional)

• Age.
• Height.
• Weight.

This data is used exclusively to personalize style recommendations and is never required to use the App.

4.4 User-Generated Content

• Photos of your wardrobe items and the AI-extracted metadata (type, color, fabric, category, brand).
• Photos uploaded to your inspiration board and their analysis.
• Your answers to the Style Discovery quiz.
• The resulting style profile.

4.5 Chat Conversations

• Full text of messages you send and receive from the AI assistant.
• Images you upload within the chat.
• Text extracted from your voice messages (voice-to-text conversion happens locally on your device; only the resulting text is transmitted).

4.6 Operational Data

• Date and time of creation of each record in your account.
• App version in use.
• Crash and technical error reports (collected via Sentry — see Section 7.7).

5. Purposes of Data Collection

We process your data exclusively for the following purposes:

1. Service Delivery: Generating your personal color analysis, style recommendations, and AI assistant interactions.
2. Personalization: Linking your content (wardrobe, inspiration, quiz answers) to your account for use across sessions.
3. Service Improvement: Understanding feature usage to improve the App (without disclosing your identity).
4. Communication: Responding to your inquiries and notifying you of material policy updates.
5. Legal Compliance: Responding to lawful requests from competent authorities.

6. Legal Basis for Processing

We rely on the following bases under the Saudi PDPL:

• Explicit Consent: Provided by you when creating your account and accepting this Policy.
• Contractual Necessity: Because collecting certain data is required to provide the requested service.
• Legitimate Interest: In improving service quality and security.

For sensitive data (biometric and health), we rely primarily on your explicit consent, which you provide before enabling these features.

7. Third Parties That May Receive Your Data

We use technical service providers to operate the App. The complete list follows:

7.1 Database and Cloud Storage

Provider: Supabase Inc.

Location: United States of America

Actual storage servers located in: ap-south-1 (Mumbai, India)

What they receive: All your stored data (account, wardrobe, inspiration, chats, style profile).

Their privacy policy: https://supabase.com/privacy

7.2 AI Conversation and Analysis Service

We use two AI providers: a primary provider that processes your requests, and a fallback provider used automatically if the primary is unavailable.

Primary Provider: OpenAI, L.L.C.

Location: United States of America

Note: Your data is processed via the OpenAI API and is not used to train their models.

Their privacy policy: https://openai.com/policies/privacy-policy

Fallback Provider: Google LLC — Gemini API

Location: Google's global infrastructure

Their privacy policy: https://policies.google.com/privacy

What both providers receive on each interaction:

• Your message text plus the last 30 messages of conversation context.
• Your display name, age, height, and weight (if provided).
• Your seasonal color category and palette.
• Images of clothing items and inspiration when analysis is requested.

7.3 Sign-In

Provider: Google Sign-In (OAuth)

What they receive: Authentication requests only; they return your email, name, and Google ID to us.

7.4 Voice-to-Text Conversion

Provider: Google Speech Recognition (Android)

What they receive: Your voice recordings may be transmitted to Google servers during conversion, depending on your Android version. This is activated only when you use the microphone button.

7.5 On-Device Processing (No Data Leaves the Device)

We use the Google ML Kit library for face detection during initial color analysis. This processing occurs entirely within your device, and no images are sent to any external server during this specific feature.

7.6 App Distribution

Provider: Google Play Services

What they receive: Operational information per Google's own policy (device ID, IP address, etc.).

7.7 Crash and Error Reporting

Provider: Sentry (Functional Software, Inc.)

Location: European Union servers (Germany)

What they receive: Crash reports only — device type and operating system, app version, technical error trace (stack trace), and a limited technical event log. We disable transmission of your personal data by default: no IP address, no email, no images, and no chat content.

Their privacy policy: https://sentry.io/privacy/

8. Cross-Border Data Transfer

Please be advised that your data will be transferred to and processed outside the Kingdom of Saudi Arabia, specifically:

• India: Via Supabase servers.
• United States: Via OpenAI and Google services.
• European Union (Germany): Via Sentry.

We make these transfers based on:

1. Your explicit consent, provided when you accept this Policy.
2. The necessity of the transfer to perform the service you requested.
3. Contractual safeguards with service providers that require an adequate level of protection.

If you do not wish your data to be transferred outside Saudi Arabia, please do not use the App.

9. Data Retention Period

We retain your personal data for as long as your account remains active, because account continuity requires preserving your color profile, wardrobe records, and chat history.

Upon your request to delete the account, we delete all your data within a maximum of 30 days, except for data we are legally required to retain for a specified period (if any).

Backups: Your data may remain in backups for a period not exceeding 90 days after deletion, after which it is automatically purged.

10. Your Rights Under the PDPL

The Saudi PDPL grants you the following rights, which you may exercise by contacting us at the email in Section 2:

1. Right to Be Informed: To know whether we process your data and the basis for it.
2. Right of Access: To obtain a copy of your data stored with us.
3. Right to Correction: To request correction of inaccurate or incomplete data.
4. Right to Erasure (Deletion): To request full deletion of your data.
5. Right to Data Portability: To obtain a copy in a machine-readable format for transfer to another provider.
6. Right to Withdraw Consent: To withdraw your consent to processing at any time. Withdrawal does not affect processing that occurred before withdrawal.
7. Right to File a Complaint: To file a complaint with the Saudi Data and Artificial Intelligence Authority ("SDAIA") if you believe our processing violates the PDPL: https://sdaia.gov.sa

We will respond to your requests within 30 days of receipt.

11. Children's Privacy

The App is intended for users who are 18 years of age or older.

If you are between 13 and 17 years old, you may use the App only with the explicit consent of a parent or legal guardian, who assumes responsibility for supervising your use and reviewing this Policy.

We do not permit use of the App by anyone under the age of 13. If we become aware that we are processing data from a user under 13, we will delete it immediately.

12. Data Security

We implement reasonable technical and organizational measures to protect your data, including:

• Encryption in transit via HTTPS.
• Encryption at rest on Supabase servers.
• Access controls within the database via Row-Level Security policies.
• Authentication via trusted identity providers.

However, no electronic system can be guaranteed to be fully secure. We are not liable for breaches resulting from causes outside our reasonable control.

13. Device Permissions Requested

You may revoke any of these permissions at any time from your device settings, noting that some features will not function without their permissions.

14. Cookies and Tracking Technologies

The App does not use cookies in the browser sense, but it does use local on-device storage to save your preferences. We do not use any advertising or commercial tracking tools. We use Sentry solely for crash and technical error diagnostics to improve app stability (see Section 7.7).

15. Changes to This Policy

We may update this Policy from time to time. When we make material changes, we will notify you within the App before the change takes effect. Your continued use of the App after the update constitutes acceptance of the updated version.

16. Contact Us

For any inquiry or request related to this Policy or your data, you may contact us at:

Email: support@lonik.app

We will respond within a period not exceeding 30 days.

17. Governing Law

This Policy is governed by and construed in accordance with the laws of the Kingdom of Saudi Arabia, specifically the Personal Data Protection Law issued under Royal Decree No. (M/19) of 1443H and its executive regulations.

Any dispute arising out of or relating to this Policy is subject to the exclusive jurisdiction of the competent courts of the Kingdom of Saudi Arabia.