Last updated: March 2026

Controller (and Service Provider/Business)

Drylabs GmbH

Straße der Jugend 18

14974 Ludwigsfelde, Germany

Mailing: Straße der Jugend 18, 14974 Ludwigsfelde, Germany

Email: info@dry-labs.com

Phone: +49 (0)30 310 13 860

DPO/Privacy Contact: info@dry-labs.com

1) What We Collect

Data Categories We Collect:

  • Account & Identity: name, email, password (cryptographically hashed), country/region, age affirmation (18+)
  • Facial Photographs & Biometric Data: photos you upload for analysis and the biometric analysis results derived from them (estimated age, facial features, skin metrics, symmetry scores). Under GDPR Art. 9, facial images used for identification may constitute special category data. Under the Illinois Biometric Information Privacy Act (BIPA), they may constitute biometric identifiers.
  • Biographical & Lifestyle Data (optional): if you choose to complete your bio profile, we may collect lifestyle factors (smoking, alcohol, exercise, sleep, diet, stress), medical history (skin conditions, cosmetic procedures, medications, chronic conditions), substance-use history, and demographic data (ethnicity, occupation type, climate). This data is entirely optional and can be deleted at any time.
  • Billing: payment token/last-4, billing zip/postcode, transaction IDs (processed by our PCI-certified processor), carrier info if using mobile billing
  • Usage & Device: IP, device/OS/browser, language, app/version, referral source, session data, crash logs
  • Referral Data: if you participate in our referral program, we store your referral code and the email addresses of people you invite (with your consent)
  • Cookies/Similar Tech: session cookies, auth, analytics, A/B testing, fraud prevention, advertising (where applicable and permitted)

2) Facial Image Processing and AI Analysis

When you use our facial analysis service, we process your photographs to provide AI-powered biological age estimation, beauty analysis, and skin health assessments. Here is exactly how we handle your images:

Image Storage and Security

  • Secure Storage: Images are stored on our servers with cryptographically randomized filenames that cannot be guessed or enumerated. There is no public URL to any uploaded image.
  • Authenticated Access Only: Images are served exclusively through an authenticated endpoint that verifies you are the owner. No one else -- including other users, search engines, or third parties -- can access your images.
  • Encrypted Transfer: All image data is transmitted using TLS encryption (HTTPS) with modern cipher suites.
  • Retention: Images are retained for the duration of your account to enable your analysis history and trend tracking. When you delete an individual analysis or your entire account, the corresponding image files are permanently erased from our servers (see Section 11).

AI Analysis Services

To provide accurate analysis, we use a combination of proprietary and industry-leading AI models -- including cloud-based vision services, large multimodal models, open-source on-device models, and specialized neural networks -- all operating under Data Processing Agreements (DPAs). Our analysis pipeline may employ multiple models simultaneously to cross-validate results. Key safeguards:

  • All AI service providers are contractually prohibited from retaining your images after processing is complete.
  • No AI provider uses your data to train or improve general-purpose models.
  • Where possible, facial landmark detection is performed locally in your browser -- no image data leaves your device for that step.

Special Categories of Data (GDPR Art. 9)

Facial photographs used for analysis may constitute biometric data under GDPR Article 9 and similar laws (e.g., Illinois BIPA, Texas CUBI). We process this data based on:

  • Explicit Consent (Art. 9(2)(a)): You provide explicit, informed consent before your first upload via a dedicated consent dialog. You may withdraw consent at any time by deleting your data.
  • Purpose Limitation: Your facial images are used solely for providing you with biological age, beauty, and skin health analysis. They are never used for marketing, advertising, AI model training, facial recognition of third parties, or any other purpose.
  • No Sale or Sharing: We never sell, license, or share your facial images with any third party beyond the analysis processors listed above, and only for the purpose of generating your personal results.

3) Biographical and Lifestyle Data

We offer an optional biographical questionnaire to provide you with a personalized anti-aging plan. This data may include health-related information and is treated with additional care:

  • Entirely Optional: You can skip the questionnaire at any time and use the full service without providing any biographical data.
  • Purpose: Used exclusively to generate personalized anti-aging recommendations based on peer-reviewed scientific literature.
  • Health Data (GDPR Art. 9): Some biographical data (medical history, chronic conditions, medications) may constitute health data under GDPR. We process it based on your explicit consent when completing the questionnaire.
  • Immediate Deletion: You can delete your biographical profile at any time from your account settings. Deletion is immediate and permanent.
  • No Sharing: Biographical data is never shared with third parties, advertisers, or data brokers.

4) Why We Use Data (Purposes & Lawful Bases)

Where GDPR applies, we rely on Art. 6(1)(b) (contract), (c) (legal duty), (f) (legitimate interests), and (a) (consent) as appropriate. For special category data (facial images, health data), we rely on Art. 9(2)(a) (explicit consent).

Data Processing Purposes:

  • Provide facial analysis & personalized recommendations (explicit consent for biometric/health data; contract necessity for the service)
  • Account management & authentication (contract necessity)
  • Billing & fraud prevention (contract, legitimate interests; legal obligations)
  • Customer support & communications (contract, legitimate interests)
  • Service improvement/analytics (legitimate interests; consent where required). We may analyze aggregated, anonymized statistics -- never individual images.
  • Marketing (consent where required; legitimate interests otherwise; CAN-SPAM/TCPA compliance)
  • Legal compliance & enforcement (legal obligations, legitimate interests)

5) "Do Not Sell or Share" (U.S. State Laws)

We do not sell your personal data -- including facial images -- for money or any other consideration. We do not share facial images or biometric data with ad networks, data brokers, or any third party for targeted advertising.

How to Opt Out (CA/CO/CT/VA/UT residents):

  • Use the site's "Do Not Sell/Share My Personal Information" link or cookie banner settings
  • Or email info@dry-labs.com (subject: "Do Not Sell/Share")

California residents can also limit use of sensitive personal information via the same mechanisms.

6) Your Rights

EU/EEA/UK/CH Rights (GDPR / UK GDPR / DSGVO):

  • Access (Art. 15): Request all personal data we have about you, including all facial images and analysis results
  • Rectification (Art. 16): Correct inaccurate personal data
  • Erasure (Art. 17): Delete all your personal data -- including all facial images, analysis results, and biographical data -- without undue delay. See Section 11.
  • Restriction (Art. 18): Limit processing of your data
  • Portability (Art. 20): Export your data in machine-readable JSON format via your profile page
  • Objection (Art. 21): Object to processing for marketing purposes
  • Withdrawal of Consent (Art. 7(3)): Withdraw consent for biometric data processing at any time by deleting your account and data

U.S. (CA/CO/CT/VA/UT) Rights:

  • Access: Know what personal information we collect and use
  • Correction: Correct inaccurate personal information
  • Deletion: Delete all personal information including facial images
  • Portability: Receive your data in portable JSON format
  • Opt-out: Opt out of targeted ads/sale (facial images are never sold or shared for advertising)
  • Limit sensitive PI: Limit use of sensitive personal information (CA)

Illinois BIPA Rights:

If you are an Illinois resident, you have the right to: (a) be informed that biometric data is being collected; (b) know the purpose and duration of collection; (c) provide written consent before collection; and (d) have your biometric data permanently destroyed when the purpose has been satisfied or within 3 years of your last interaction with us, whichever comes first.

Request via info@dry-labs.com or use the self-service tools in your profile (Export Data, Delete Account). We respond within statutory timelines.

7) Children

Face Age is for 18+ only. We do not knowingly collect data from children under 13 (COPPA) or under 16 (GDPR). If you believe a child used the service, contact us immediately and we will delete all associated data including any uploaded images.

8) Cookies & Tracking

We use required cookies (security, auth) and optional cookies (analytics, performance, ads). Manage via the cookie banner/consent manager and your browser settings. We honor applicable EU ePrivacy/GDPR consent standards for non-essential cookies.

Cookie Types:

  • Required Cookies: Security, authentication, session management, CSRF protection
  • Optional Cookies: Analytics, performance optimization, advertising (where consent is given)

9) Data Sharing (Categories of Recipients)

We Share Data With:

  • AI Analysis Providers: Certified, GDPR-compliant AI services used solely to generate your analysis results, operating under Data Processing Agreements. These providers do not retain your images after processing.
  • Cloud Infrastructure Provider: Our hosting environment for secure data storage and application delivery
  • Payment Processor: PCI-DSS certified processor for secure payment handling
  • Analytics: Anonymized usage data only -- never facial images or biometric data
  • Legal/Compliance: To comply with law, protect rights, or enforce terms
  • Corporate Events: Merger, acquisition, or asset sale (with notice as required)

We require all processors to sign Data Processing Agreements (DPAs). Facial images are never shared for advertising, marketing, or AI training.

10) International Transfers

We transfer data to the U.S. and other countries with appropriate safeguards (EU Standard Contractual Clauses / UK IDTA, Swiss addendum, and supplementary measures). Our AI analysis providers maintain industry-standard transfer mechanisms. Details available on request.

11) Your Right to Immediate & Complete Deletion

You have full authority over your data. We provide one-click, immediate, irreversible deletion of all your personal data -- no waiting period, no hidden copies, no trace.

What "Delete Account and Data" Removes:

  • All facial images -- permanently erased from our servers (both original files and thumbnails)
  • All analysis results -- every scan, score, and metric permanently deleted from the database
  • Your biographical/lifestyle profile -- all health and lifestyle data permanently deleted
  • Your account -- email, username, password hash, preferences, and all settings permanently deleted
  • Payment records -- transaction history permanently deleted (except where retention is required by tax/financial law)
  • Referral data -- all invitation records permanently deleted
  • Active subscriptions -- automatically cancelled with your payment provider

How to Delete:

  • Go to your Profile page and click "Delete account and data"
  • Confirm with your password
  • All data is permanently and irreversibly erased immediately

You can also delete individual analyses (including the associated image file) from your dashboard at any time.

Alternatively, email info@dry-labs.com to request deletion. We will process your request within 72 hours.

12) Security

We employ administrative, technical, and physical safeguards designed to protect your personal data, including your facial images:

Security Measures:

  • Encryption in Transit: All data transmitted via TLS 1.2/1.3 with modern cipher suites
  • Image Access Control: Uploaded images are stored with randomized filenames and served exclusively through an authenticated endpoint that verifies ownership. There is no public URL, directory listing, or direct file access.
  • Password Security: Passwords are cryptographically hashed with per-user salts. We never store plaintext passwords.
  • Payment Data Encryption: Sensitive payment data is encrypted at rest using industry-standard symmetric encryption
  • Access Controls: Least-privilege access to production systems with SSH key authentication
  • Security Headers: HSTS, X-Frame-Options DENY, X-Content-Type-Options nosniff, strict Referrer-Policy
  • Path Traversal Protection: All file access is validated against directory traversal attacks

No method of transmission or storage is 100% secure. If you discover a vulnerability, please contact us immediately at info@dry-labs.com.

13) Data Retention

We retain different types of data for specific periods. You can delete all data immediately at any time (see Section 11).

Retention Periods:

  • Facial Images: Retained while your account is active. Permanently deleted when you delete an individual analysis or your account.
  • Analysis Results: Retained for the duration of your account. Permanently deleted on account deletion.
  • Biographical/Lifestyle Data: Retained while your account is active. Permanently deleted on account deletion or when you remove your bio profile.
  • Account Information: Retained for the duration of your account. Permanently deleted on account deletion.
  • Payment/Billing Data: Retained for 7 years after the transaction as required by tax and financial regulations, then deleted.
  • Technical/Server Logs: Retained for 30 days for security purposes, then automatically purged.
  • Deletion Audit Logs: When you delete your account, we retain only an anonymized timestamp and hashed identifier for 12 months to demonstrate regulatory compliance. This log cannot be linked back to you.

14) Communications

Communication Types:

  • Transactional: account, security, billing, data deletion confirmations
  • Marketing: with consent where required; opt-out anytime (unsubscribe link; STOP for SMS to [SMS_SHORTCODE])
  • E-SIGN: by using the service you consent to electronic communications

15) Exercising Rights / Complaints

Submit requests to info@dry-labs.com or use the self-service tools in your profile. EU/EEA/UK users may also complain to their supervisory authority (e.g., CNIL, ICO, BfDI). We will not discriminate against you for exercising privacy rights.

16) Changes

We'll post updates here and, when material, notify you (email/in-product). Continued use after the effective date means you accept the changes. For changes affecting biometric data processing, we will seek renewed explicit consent where required by law.

Contact for Privacy Matters

For questions about data protection and privacy, please contact us:

Drylabs GmbH

Straße der Jugend 18

14974 Ludwigsfelde, Germany

Email: info@dry-labs.com

Phone: +49 (0)30 310 13 860