1. Who we are
COSMEE® is a registered trademark of COSMEE WORLD LLC, a United States company operating from Austin, Texas. We compound personalized skincare formulas by hand for sensitive, reactive, and acne-prone skin. This policy covers data collected through diagnosis.cosmeeworld.com and our previous storefront at cosmeeworld.com.
You can reach us at info@cosmeeworld.com.
2. What we collect
We only collect what we need to do our job. Specifically:
- Skin quiz answers — the 7-step DermAI™ questionnaire (skin type, top concerns, severity, history, age range, biological sex, optional health conditions). Used to compound your formula.
- Photos you upload — optional, used only by our vision model to read clinical signals (redness, texture, etc.). See Section 4 for how we handle these.
- Contact details — your first name (manual entry), email (manual entry or Google sign-in), and any message you send through our contact form.
- Order details — billing/shipping address and payment processing data when you check out. We never see or store your full card number; that lives with the payment processor.
- Technical data — IP address, browser, device, timezone, and how you navigate the site, including anonymized session replays (see Section 7).
3. How we use it
- To compound and ship your custom routine.
- To improve DermAI™ — your quiz patterns help the model serve future users better. We don’t train on identifiable personal information.
- To send transactional emails (order confirmations, your results, follow-up tips) and respond to support requests.
- To prevent fraud and abuse, and to comply with applicable law.
- If you opted in: to send occasional skincare tips and offers. You can unsubscribe with one click in any email.
We do not sell your personal data. We do not share it with advertisers. We do not use it to build cross-site advertising profiles.
4. Photos you upload to DermAI™
The photo step in the skin quiz is optional. If you skip it, the quiz still produces a result based on your written answers — slightly less precise, but functional.
If you do upload a photo:
- It is transmitted over HTTPS and stored encrypted at rest in our database (Firebase Cloud Firestore, hosted by Google Cloud).
- It is used by our vision model to score clinical markers (redness, sensitivity signals, surface texture). The model does not perform facial recognition or identification.
- It is never shown publicly, sold, shared with advertisers, or used for marketing without your explicit written consent.
- You can request deletion at any time by emailing info@cosmeeworld.com. We respond within 7 business days.
5. How long we keep your data
- Active subscribers / clients: for as long as your subscription is active plus 24 months, so we can answer questions and reformulate if needed.
- Quiz responses without a purchase: 12 months.
- Photos: 12 months unless you explicitly opted in to longer retention for protocol calibration.
- Transactional emails sent: kept in Resend’s logs for up to 12 months for deliverability and dispute resolution.
You can ask us to delete your account and all associated data earlier — see Section 9.
6. Third parties we work with
We use the following services to operate. Each has its own privacy policy that governs the data they handle on our behalf:
- Shopify — payment processing and order management (today).
- Stripe — payment processing (rolling out; will replace Shopify Payments over time).
- Firebase / Google Cloud — database (Firestore) and authentication (Sign in with Google).
- Resend — transactional and marketing email delivery.
- Vercel — website hosting.
- Microsoft Clarity — anonymized session replay and heatmap analytics (helps us see where users get stuck on the quiz — see Section 7).
- Roboflow / our internal vision model infrastructure — computes the DermAI™ scan on uploaded photos.
7. Cookies, analytics, and session replay
We use the minimum tracking necessary:
- Strictly necessary cookies — for sign-in sessions, cart state, and security. These can’t be turned off.
- Microsoft Clarity — records anonymized session replays of how visitors interact with the site (where they click, scroll, drop off). Personally identifying form inputs are masked. We use this exclusively to improve the quiz funnel, not to profile individual users. You can opt out at clarity.microsoft.com/opt-out.
We do not use Meta Pixel, Google Ads tracking pixels, or any third-party retargeting tools at this time.
8. Where your data is stored
Our infrastructure runs in the United States. Some of our processors (Vercel CDN, Google Cloud, Resend) may replicate data across data centers globally for resilience and performance. If you are accessing the site from outside the US, you consent to this transfer.
9. Your rights
You can ask us to:
- Show you the data we hold about you.
- Correct any inaccurate data.
- Delete your account and all personal data.
- Export your quiz responses and order history in a machine-readable format.
- Stop sending you marketing emails (unsubscribe link on every marketing email; transactional emails like order confirmations are not affected).
California residents (CCPA), Virginia residents (VCDPA), and EU/UK residents (GDPR) have additional rights including the right to opt out of profiling and the sale of personal information. We do not sell personal information, but you can still email info@cosmeeworld.com with any rights request and we’ll respond within 30 days.
10. Children
COSMEE is intended for users 16 years and older. We do not knowingly collect personal information from anyone under 16. If you believe a minor has submitted data to us, please email us and we’ll delete it.
11. Security
We use TLS in transit, encryption at rest where supported by our processors, password hashing (bcrypt) for accounts not tied to Google sign-in, and the principle of least privilege for staff access. No system is perfect — if you discover a vulnerability, please report it to info@cosmeeworld.com and we’ll respond within 72 hours.
12. Changes to this policy
We’ll update this page when we change how we handle data. Material changes (new third parties, new categories of data, new uses) will be announced by email at least 30 days before they take effect, to the address associated with your account.
13. Contact
Questions, requests, or concerns about this policy:
COSMEE WORLD LLC
Austin, Texas, United States
info@cosmeeworld.com