Privacy Policy
ScalpSense AI Platform
Key Privacy Facts at a glance
- Data Controller: Sanviau Luxe Essentials Private Limited, India
- Health Data Processed: Yes (Scalp/Hair Images, Biometric)
- Third-Party AI Processors: Yes (Multiple AI Vision Engines)
- Data Storage: Securely saved on Company servers
- Retention Period: 12 months active, then anonymized or deleted
- User Rights: Access, Correction, Deletion, Portability, Objection
- Minors (Under 18): Not permitted to use the Platform
- International Transfers: Yes, with appropriate legal safeguards
- Data Protection Officer: Vijay Busani — vijay@sanviau.com
1. Introduction and Scope
Sanviau Luxe Essentials Private Limited (“Company”, “We”, “Us”, “Our”), incorporated under the Companies Act, 2013 in India, with its registered office at Blooms, Mokila, Hyderabad, Telangana, India, is committed to protecting the privacy and personal data of all users of its Scalp & Hair AI Analysis Platform (“Platform”).
This Privacy Policy explains how We collect, use, store, share, transfer, and protect your personal data, including sensitive health data and biometric information, when you access or use the Platform. It applies globally to all users regardless of their country of residence and is designed to comply with:
- Information Technology Act, 2000 and IT (SPDI) Rules, 2011 — India
- Digital Personal Data Protection Act, 2023 (DPDP Act) — India
- General Data Protection Regulation (GDPR) 2016/679 — European Union & UK
- UK GDPR and Data Protection Act 2018 — United Kingdom
- California Consumer Privacy Act (CCPA) / CPRA — United States (California)
- Personal Data Protection Act (PDPA) — Singapore
- Personal Data Protection Act B.E. 2562 (PDPA) — Thailand
- Lei Geral de Proteção de Dados (LGPD) — Brazil
- Personal Information Protection and Electronic Documents Act (PIPEDA) — Canada
- Privacy Act 1988 — Australia
- All other applicable data protection laws in jurisdictions where the Platform is accessed.
By using the Platform, you acknowledge that you have read, understood, and consent to the practices described in this Privacy Policy. If you do not agree, you must not use the Platform.
2. Data Controller and Data Protection Officer
2.1 Data Controller
The data controller responsible for your personal data is:
Sanviau Luxe Essentials Private Limited
Villa No 10, Blooms, Mokila, Hyderabad, Telangana, India
Email: privacy@sanviau.com
Grievance Office (India): legal@sanviau.com
2.2 Data Protection Officer (DPO)
For GDPR and equivalent purposes, our Data Protection Officer can be contacted at:
Vijay Busani
Email: legal@sanviau.com
EU/UK users may also contact their local supervisory authority (see Section 14 for jurisdiction-specific rights and contacts).
3. Categories of Personal Data Collected
3.1 Data You Provide Directly
We collect the following categories of data that you voluntarily submit:
- Identity Data: Full name, date of birth, age, gender.
- Contact Data: Email address, phone number (if provided).
- Health & Biometric Data: Photographs of your scalp and hair uploaded for analysis. This constitutes sensitive personal data and special category data under applicable law.
- Lifestyle Questionnaire Data: Diet, nutrition habits, stress levels, sleep patterns, exercise frequency, hair care routines, and medical history as voluntarily disclosed.
- Payment Data: Payment method details processed by third-party payment processors. We do not store full card numbers.
- Account Data: Username, password (hashed), account preferences.
3.2 Data Collected Automatically
- Device & Technical Data: IP address, device type, operating system, browser type and version, time zone.
- Usage Data: Pages visited, features used, time spent on the Platform, clicks, and navigation patterns.
- Cookies & Tracking: See Section 11 (Cookies Policy).
3.3 Data from Third Parties
If you use third-party login (e.g., Google, Apple), We receive limited profile information from those providers in accordance with their privacy policies and your consent settings.
3.4 Special Categories of Data / Sensitive Data Notice
The photographs you upload and the health information you provide constitute: (a) Sensitive Personal Data or Information (SPDI) under Indian IT Rules 2011; (b) Special Category Data under GDPR/UK GDPR (health data, potentially biometric data); (c) Sensitive Personal Information under CCPA; and equivalent classifications under all applicable laws. We process this data only with your explicit, informed, freely given consent, which you provide by using the Platform and accepting this Privacy Policy.
4. How We Use Your Personal Data
We process your personal data only for the following specified, explicit, and legitimate purposes:
5. Legal Basis for Processing
We rely on the following legal bases for processing your personal data depending on your region:
| Jurisdiction / Law | Legal Basis | Key Rights Granted & Contact |
|---|---|---|
| GDPR / UK GDPR (EU/UK) | Art. 6 & 9 GDPR (Explicit consent (Art. 9(2)(a)) for health data; contract performance; legitimate interests) | Your national Data Protection Authority (DPA) |
| DPDP Act 2023 (India) | Sections 4, 6, 7 DPDP Act (Consent of Data Principal; legitimate uses) | Data Protection Board of India |
| CCPA/CPRA (California, US) | CCPA §1798.100 et seq. (Disclosure + opt-out rights; sensitive data consent) | California AG / CPPA |
| PDPA (Singapore) | PDPA 2012 (Consent; legitimate interests) | PDPC Singapore |
| LGPD (Brazil) | Art. 7 & 11 LGPD (Consent; legitimate interests; health protection) | ANPD Brazil |
| PIPEDA (Canada) | PIPEDA Schedule 1 (Knowledge and consent) | Office of the Privacy Commissioner (OPC) Canada |
| Privacy Act (Australia) | APP 3, 6 (Consent and permitted health situations) | OAIC Australia |
6. Data Storage and Security
6.1 Where We Store Your Data
Your personal data, including uploaded images and Reports, is stored securely on the Company's servers located on cloud infrastructure (AWS Asia Pacific region). The Company uses industry-standard cloud architecture and security practices.
6.2 Security Measures
We implement the following technical and organisational measures to protect your data:
- Encryption of data in transit (TLS 1.2 or higher) and at rest (AES-256).
- Role-based access controls limiting staff access to personal data.
- Regular security assessments and penetration testing.
- Anonymisation and pseudonymisation of data used for AI model training.
- Secure deletion protocols for data beyond retention periods.
- Multi-factor authentication for administrative access.
6.3 Data Retention
We retain your personal data as follows:
- Account data and Reports: Retained for 12 months from the date of generation or the last active use of your account, whichever is later.
- Uploaded images: Retained for 12 months to enable progress tracking, then permanently deleted or irreversibly anonymised unless you request earlier deletion.
- Payment records: Retained for 7 years as required by financial and tax regulations.
- Anonymised data: May be retained indefinitely for research and model training improvement.
6.4 Data Breach
In the event of a personal data breach that poses a risk to your rights and freedoms, We will notify affected users and applicable supervisory authorities within the timeframes required by applicable law (72 hours under GDPR; as prescribed under India's DPDP Act and CERT-In guidelines).
7. How We Share Your Personal Data
We do not sell your personal data. We share your data only in the following limited circumstances:
7.1 Third-Party AI Processor Disclosure
The Platform uses multiple third-party AI service providers to perform image analysis and generate Reports. Your uploaded images and associated data are transmitted to these providers for processing. All third-party AI providers are engaged under data processing agreements that require them to: (a) process data only on our instructions; (b) implement appropriate security measures; (c) not use your data for their own purposes; and (d) comply with applicable data protection laws. A current list of third-party AI processors is available on request at privacy@sanviau.com.
7.2 Clinical Reviewers
Where Clinical Review is included or selected, your AI Report and submitted images (in anonymised or pseudonymised form where possible) are shared with licensed trichologists or dermatologists engaged by the Company. These professionals are bound by confidentiality obligations and medical ethics requirements.
7.3 Payment Processors
Payment data is processed by third-party payment processors. We share only the minimum necessary data for payment processing. We do not store full payment card details.
7.4 Legal and Regulatory Disclosure
We may disclose your data to law enforcement, regulatory bodies, or courts where required by applicable law, a valid legal order, or to protect the Company's legal rights, safety of users, or the public.
7.5 Business Transfers
In the event of a merger, acquisition, reorganisation, or sale of assets, your data may be transferred to the successor entity, subject to the same privacy protections described in this Policy. We will notify you of any such transfer.
7.6 No Sale of Data
We do not sell, rent, or trade your personal data to any third party for their own marketing or commercial purposes. This applies to all users globally, including California residents under the CCPA/CPRA.
8. International Data Transfers
As the Platform operates globally and uses third-party AI providers and cloud infrastructure, your data may be transferred to and processed in countries outside your country of residence.
We ensure all international transfers are protected by appropriate safeguards, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission for transfers from the EU/UK.
- Binding Corporate Rules (BCRs) where applicable.
- Adequacy decisions issued by relevant authorities.
- Data Processing Agreements incorporating GDPR-equivalent protections for all transfers.
- Compliance with India's DPDP Act cross-border transfer provisions.
You may request details of the specific safeguards applicable to your data transfer by contacting privacy@sanviau.com.
9. Your Privacy Rights
Depending on your country of residence, you may have the following rights regarding your personal data. These rights can be exercised by contacting privacy@sanviau.com:
We will respond to all valid rights requests within 30 days (or within the timeframe required by applicable law). We may need to verify your identity before processing your request.
10. Children's Privacy
The Platform is strictly prohibited for use by individuals under 18 years of age. We do not knowingly collect, process, or store personal data of individuals under 18.
The Platform does not comply with COPPA (Children's Online Privacy Protection Act) because it is designed exclusively for adults. If We discover that data from a person under 18 has been collected, We will delete it immediately and terminate the associated account. If you are a parent or guardian and believe your child has submitted data, contact privacy@sanviau.com immediately.
12. Special Provisions for Health and Biometric Data
YOUR HEALTH DATA — EXPLICIT CONSENT
The photographs of your scalp and hair, and any health information you provide, constitute health and potentially biometric data, which is subject to the highest level of protection under applicable law. We process this data solely to provide the Service you have requested, based on your explicit, freely given, specific, and informed consent. You may withdraw this consent at any time by deleting your account or contacting privacy@sanviau.com, which will result in deletion of your images and Reports.
With respect to your health and biometric data, We specifically confirm:
- We do not use your identified health data for advertising, marketing profiling, or sale to third parties.
- We do not use your images to train AI models in an identifiable form without your separate explicit consent.
- Clinical reviewers access your data only to the minimum extent necessary to provide the clinical review service.
- You may request deletion of your images and health data at any time, independently of closing your account.
13. Marketing Communications
With your prior consent, We may send you marketing communications about new features, promotions, and health and wellness content related to the Platform.
You may opt out of marketing communications at any time by:
- Clicking the 'unsubscribe' link in any marketing email.
- Adjusting your communication preferences in your account settings.
- Contacting privacy@sanviau.com.
Opting out of marketing will not affect service-related communications necessary for your use of the Platform.
14. Jurisdiction-Specific Rights and Contacts
14.1 European Union and United Kingdom (GDPR / UK GDPR)
EU and UK users have the rights described in Section 9. You may lodge a complaint with your national supervisory authority. UK users may contact the Information Commissioner's Office (ICO) at ico.org.uk.
14.2 India (IT Act 2000, SPDI Rules 2011, DPDP Act 2023)
Indian users may contact our Grievance Officer at legal@sanviau.com. Complaints may also be addressed to the Data Protection Board of India once operational. Acknowledgment will be provided within 24 hours and resolution within 30 days of any grievance.
14.3 California, United States (CCPA / CPRA)
California residents have the right to know, access, delete, correct, and opt-out of sharing personal information. We do not sell personal information. To exercise your rights, contact privacy@sanviau.com. We will not discriminate against you for exercising your CCPA/CPRA rights.
14.4 Brazil (LGPD)
Brazilian users have the rights described in Article 18 of the LGPD, including access, correction, anonymisation, portability, and deletion. Contact privacy@sanviau.com. Complaints may be referred to the Autoridade Nacional de Proteção de Dados (ANPD).
14.5 Canada (PIPEDA)
Canadian users have the right to access and correct personal information We hold. Contact privacy@sanviau.com. Unresolved concerns may be escalated to the Office of the Privacy Commissioner of Canada (OPC).
14.6 Australia (Privacy Act 1988)
Australian users may access and correct personal information. Complaints can be lodged with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
14.7 Singapore (PDPA)
Singapore users may withdraw consent and request access or correction of personal data. Contact privacy@sanviau.com. Complaints may be referred to the Personal Data Protection Commission (PDPC) at pdpc.gov.sg.
15. Changes to This Privacy Policy
We reserve the right to update or modify this Privacy Policy at any time. We will notify you of material changes by posting an updated version on the Platform with a revised effective date and, where required by law, by email or in-app notification.
Your continued use of the Platform after the effective date of any modification constitutes your acceptance of the revised Privacy Policy. We encourage you to review this Policy periodically.
16. How to Contact Us
For any privacy-related queries, requests, complaints, or to exercise your rights, please contact:
Address: 3rd Floor, Shop no. 323, Raichandani Business Bay, Gandipet Main Rd, Opp. Rajapushpa Regalia, Kokapet, Narsingi, Hyderabad, Telangana 500075
Email: privacy@sanviau.com
Grievance Officer (India): Vijay — legal@sanviau.com
Data Protection Officer (GDPR): Vijay Busani — vijay@sanviau.com
Response Time: Acknowledgment within 72 hours; full response within 30 days (or as required by applicable law).
YOUR CONSENT
BY USING THIS PLATFORM, YOU CONFIRM THAT YOU HAVE READ AND UNDERSTOOD THIS PRIVACY POLICY AND THAT YOU PROVIDE YOUR FREE, SPECIFIC, INFORMED, AND UNAMBIGUOUS CONSENT TO THE COLLECTION, PROCESSING, STORAGE, AND TRANSFER OF YOUR PERSONAL DATA, INCLUDING HEALTH AND BIOMETRIC DATA, AS DESCRIBED IN THIS POLICY. YOU HAVE THE RIGHT TO WITHDRAW YOUR CONSENT AT ANY TIME BY CONTACTING privacy@sanviau.com.