Privacy Policy
Enviya
Moonsail Software LLC
Last updated: June 29, 2026
This Privacy Policy explains how Enviya ("the App", "we", "us") collects, uses, and protects your information. Enviya is an AI beauty-coaching app: you upload a look you want, scan your own features, and receive a personalized hair, makeup, and skin plan to work toward that look. Enviya is intended for adults (18+) only.
Short version. Enviya has no name-or-email login. To build your plan, a downscaled photo of your face and the photo of the look you upload are sent to our backend and to our AI provider for analysis, then discarded after that request. We keep only the derived text description of the look and your numeric progress scores. We never store your photos, and we never produce an image of you or of the look you uploaded.
1. No Traditional Account
Enviya does not require a name, email address, password, or social login. When you first open the App, our backend provisions an anonymous account identified only by a random account identifier generated for that install, plus a one-time secret stored on your device that authenticates requests for that account. This anonymous account exists so that your referral code, your subscription status, and your progress history persist between sessions. It is not tied to your real-world identity.
If you choose to enter an optional first name during onboarding, that name is stored only on your device (to personalize your profile screen) and is not sent to our servers.
2. Your Photos (Face Scan and Uploaded Look)
This is the most important section. Enviya works by analyzing two photos: a selfie of your own face, and a target look photo that you upload.
- On-device face detection. Before anything is sent anywhere, your device runs an on-device face detector (Google ML Kit) to confirm a real human face is present and well-framed. This on-device geometric analysis stays on your device and is never transmitted to us.
- What is sent to our backend. To read attributes that on-device geometry cannot see (such as your coloring, undertone, hair color and texture, current makeup, and the hair, makeup, brow, and styling attributes of the look you uploaded), a downscaled copy of your selfie and of the uploaded target photo is sent to our backend, which forwards them to our AI provider (Anthropic's Claude API) for attribute extraction and plan generation. See Section 7.
- We do not retain your photos. The images are used only to process that request and are not stored by our backend after the response is returned. We keep only the derived text output (see below). We never save your selfie or your uploaded photo to our database.
- What we do keep is text, not images. For an uploaded look, we cache the derived text attributes (for example, "long copper hair, soft-arched brows, warm soft-glam makeup"), keyed by a hash of the image bytes, on a time-limited basis, so that re-scanning the same look does not re-run a paid analysis. For each scan you complete, we store a small set of numeric progress scores and dimension labels (overall and per-dimension, such as skin, hair, makeup, brows, style) so the App can show your progress trend over time. None of this includes your photo.
- No image output, ever. Enviya never renders, generates, morphs, or outputs an image of you or of the look you uploaded. Your plan is text only.
Biometric notice. A facial image can be considered biometric information under some laws. Enviya sends a downscaled facial image to our backend and AI provider only transiently to generate your attributes and plan, does not retain the image after the request, and does not sell or share biometric information. By scanning your face you consent to this transient processing. You can stop at any time by not scanning; you can delete the data we do retain at any time (Section 13).
3. The Look You Upload Is a Third Party
The photo you upload as a target look may show another real person (for example, a celebrity, influencer, or someone else). By uploading it, you represent that you have the right to do so, and you authorize us to use it solely to extract style attributes for your own personalized plan. We do not attempt to identify, name, or reconstruct the person in the uploaded photo; our AI is instructed to describe only the look (hair, makeup, brows, apparent-age cues, styling), never the identity. The uploaded image is not retained after attribute extraction. Do not upload photos of minors. See also our Terms of Use.
4. Information Our Backend Stores
Tied to your anonymous account identifier, our backend stores a limited set of records needed to operate the App:
- Account record: the random account identifier, a one-way hash of your device secret, your referral code, the count of any earned referral credits, and the creation timestamp.
- Entitlement state: whether the account is free or paid, expiration timestamp, and the timestamp of the last subscription event, derived from RevenueCat / the app stores.
- Usage metering: a record per "fresh look" analyzed, used to enforce usage limits and a short cooldown. It contains a look key (a hash of derived attributes) and a timestamp, not your photo.
- Progress history: for each scan, an overall numeric score and per-dimension scores and labels, with a timestamp, used to draw your progress trend. Text and numbers only.
- Referral ledger: your referral code, and redemption rows recording which referred accounts completed a genuine scan (deduplicated per code and account) so referral credits can be granted to the referrer.
- Moderation log: if you use the in-app "Report this result" control, we log the report (the associated scan/plan reference and your free-form reason) so we can review AI-generated content, as required by app-store generative-AI policies.
- Time-limited shared caches: derived attribute text and derived score text, keyed by content hash and automatically expired after a period. These caches are keyed by image content, not by your account, and exist to avoid re-billing identical analyses.
- Server request and diagnostic logs: request identifiers, route paths, status, timing, and event/reason codes, and where relevant the associated account identifier. For abuse detection and rate-limiting we may also log a source IP address or a coarse network-derived signal.
5. Permissions
The App requests only the permissions necessary to function:
- Camera: required to capture your guided selfie for scanning.
- Photos / Photo Library: required to let you pick the target look image you want to upload.
6. Analytics and Crash Reporting
The App uses Google Firebase Analytics to collect app-usage events such as screen views and feature interactions (including product events like referral codes copied or shared), and Firebase Crashlytics to collect crash reports, performance diagnostics, device state, and technical error context. Firebase may also collect identifiers such as Firebase installation identifiers, device information, and IP address. This data is used to understand how the App is used and to improve reliability and performance. This collection is governed by Google's privacy policy.
7. AI Processing
Enviya uses Anthropic's Claude API (operating through our backend) to analyze your photos and to write your plan. Your downscaled selfie and uploaded look image, and the text attributes derived from them, are sent to Anthropic for processing. Under Anthropic's commercial terms, data submitted through the API is not used to train Anthropic's models; Anthropic may retain limited inputs and outputs for a limited period for safety and abuse monitoring under its own policies. We do not retain the images after the request. See Anthropic's privacy policy: anthropic.com/legal/privacy.
8. Subscriptions and In-App Purchases
Enviya offers an optional auto-renewing subscription. Purchases are processed by the Apple App Store (iOS) or Google Play (Android). We do not receive your full payment card details. The App also uses RevenueCat to manage and validate subscription status and to restore purchases across platforms. RevenueCat receives and processes subscription lifecycle events and an app user identifier; in Enviya, that identifier is the anonymous account identifier. Our backend receives RevenueCat webhook events, entitlement identifiers, and expiration timestamps needed to confirm whether your account has paid access.
9. Third-Party Services
Anthropic (Claude API): processes your photos and derived text to extract attributes and generate your plan. Privacy policy: anthropic.com/legal/privacy
Google Cloud Platform: hosts our backend (Cloud Run) and database. Privacy policy: cloud.google.com/terms/cloud-privacy-notice
Google Firebase Analytics & Crashlytics: collects usage, diagnostics, and crash data to help us improve the App. Privacy policy: policies.google.com/privacy
RevenueCat: manages subscription / entitlement state and receives subscription lifecycle events and app user identifiers used for purchase restoration and paid-access management. Privacy policy: revenuecat.com/privacy
Google Play Billing / Apple App Store: processes in-app purchases. Privacy policy: policies.google.com/privacy / apple.com/legal/privacy
10. How We Use Your Information
We use the information above only to: generate and display your attributes, score, and plan; show your progress over time; operate the referral program; enforce usage limits and prevent abuse; manage subscriptions and restore purchases; review reported AI content; and maintain, secure, and improve the App. We do not sell your personal information, and we do not use your facial data for advertising.
11. Data Security
We use reasonable technical and organizational measures to protect your information. Data is encrypted in transit (HTTPS/TLS) between the App and our backend and AI provider. Access to backend records is restricted to authorized service accounts, and account-scoped requests are authenticated with a per-account secret so that an account identifier alone cannot act on your data. Enviya is anonymous by design: we do not collect names, emails, or logins, which limits what could be exposed. No method of transmission or storage is completely secure, however, and we cannot guarantee absolute security.
12. International Data Transfers
We operate in the United States, and our backend and service providers (including Anthropic and Google Cloud) process data on servers located in the United States. If you use the App from outside the United States, your information will be transferred to and processed in the United States, where data-protection laws may differ from those in your country. By using the App, you consent to this transfer and processing.
13. Data Retention and Deletion
Your photos are not retained beyond the request that analyzes them. Derived attribute and score caches are time-limited and expire automatically. Account-linked records (your account, entitlement, progress history, referral ledger, and any moderation-log entries) are retained until you delete them or they are no longer needed to operate the App.
You can delete your account and its data at any time from inside the App: Profile → Delete my account. This purges your anonymous account, your progress history, and your referral-ledger entries from our backend, and clears local data on your device. For more detail, and for what to do if you no longer have the device, see Delete My Data.
Deleting your data does not remove records held by third-party providers under their own retention policies (such as app-store purchase history, RevenueCat records, or Firebase data), and does not remove the time-limited shared caches described above, which are keyed by image content rather than your account and expire on their own.
14. Children's Privacy
Enviya is intended for adults and is not directed to anyone under 18. We do not knowingly collect personal information from anyone under 18. If you believe a person under 18 has used the App or provided information through it, please contact us and we will take appropriate action. Do not upload photos of minors as a target look.
15. Your Rights
Because Enviya does not use a traditional account, we usually cannot verify identity through a user profile. We and our service providers may still hold pseudonymous records tied to an anonymous account identifier, a purchase token, or a provider-managed identifier. You can delete the account-linked data we hold using the in-app deletion described above. For data held by third-party services such as Firebase, the app stores, or RevenueCat, you may need to use those providers' own controls or your device settings.
If you are located in the European Economic Area, the United Kingdom, or a U.S. state with applicable privacy law (such as California), you may have additional rights to access, correct, delete, or restrict processing of your information, including rights regarding biometric information. Contact us at the address below to exercise those rights.
16. Changes to This Policy
We may update this policy from time to time. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of the App after any changes constitutes acceptance of the updated policy.
17. Contact
If you have questions about this Privacy Policy, please contact us at:
[email protected]