Privacy Policy
Last Updated: November 16, 2025
Thank you for using HEMECO ("HEMECO," "we," "us," or "our"). We built HEMECO to let you virtually try on makeup, hairstyles, and clothing. This Privacy Policy explains what personal data we collect, how we use and share it, how long we keep it, and what rights you have.
HEMECO Inc. is a Canadian corporation based in Montreal, Quebec. We designed this Policy with global privacy laws in mind, including (where applicable):
- EU / UK General Data Protection Regulation (GDPR)
- California Consumer Privacy Act (CCPA/CPRA)
- Illinois Biometric Information Privacy Act (BIPA)
- Brazil's LGPD
- Canada's PIPEDA and Quebec's Law 25
- Other similar global privacy and biometric laws
By using the HEMECO website or any service that links to this Policy (together, the "Services"), you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please do not use the Services. If you have questions, you can contact us at contact@hemeco.app.
1. Scope
This Privacy Policy applies to:
- The HEMECO website and web applications; and
- Any marketing, help, or support pages that link to this Policy.
This Policy does not apply to third‑party services we do not control (for example: social media platforms, sponsored links, or other websites you navigate to from our site). Those services have their own privacy practices.
2. Privacy at a Glance: Key Points
Legal documents can be long, so here is a quick overview of what matters most—especially for your photos and biometric‑related information.
What data do you collect?
Account info (if you create one), device and usage data, and the specific photos/videos you choose to use with HEMECO.
Do you collect biometric data?
Yes, when you use virtual try‑on features. Our technology analyzes face and body geometry to place virtual makeup, hair, and clothing. This can be considered biometric or "biometric‑like" data under some laws.
How do you use my biometrics?
Only to provide the virtual try‑on effects you request (makeup, hair, clothing). We do not use this data to identify you or anyone else, and we do not use it for authentication or facial recognition.
Do you sell my data?
No. We do not sell, lease, or trade your personal data or biometric data for money. We also do not share your personal data for cross‑context behavioral advertising without the required opt‑in where laws require it (e.g., under CCPA/CPRA).
How long do you keep my photos?
For virtual try‑on, we keep photos and videos only as long as needed to generate your result and briefly support re‑edits (typically up to 24 hours, and never more than 48 hours in normal operations), unless you choose features that require longer storage (like a cloud gallery).
Do you use my photos to train AI?
Yes. We use your photos and try‑on data to train and improve our AI models that power virtual try‑on features. This helps us make the experience better for everyone. We will not use your identifiable content for external marketing or share it with third parties for their own AI training unless you separately opt in.
The rest of this Policy provides full details.
3. Information We Collect
We collect only the data we need to operate, secure, and improve HEMECO. The main categories are:
3.1 User Content (Photos / Videos) for Virtual Try‑On
When you use our virtual try‑on features, you may:
- Capture images or videos using your device camera; or
- Upload images or videos from your device.
We only receive the specific photos or videos you choose to use in HEMECO. We do not scan or access your entire device storage in the background. Your images may contain:
- Your face, body, and hairstyle
- Your clothing and body shape/silhouette
- Embedded metadata (EXIF data such as time, device model, or location). Where possible, we ignore or strip out metadata. We do not use EXIF GPS tags for geolocation.
3.2 Account & Profile Data
If you create an account, we may collect:
- Name or display name
- Username/handle
- Email address
- Password or authentication token (stored securely; never in plain text)
- Profile photo or avatar (optional)
- Country or region (if you provide it)
You may also optionally add profile details (such as a short bio or pronouns) where supported.
3.3 Communications, Support & Promotions
If you contact us or interact with us outside core try‑on features:
- Support & feedback: name, email, message content, and relevant technical context (device, OS, browser version).
- Surveys, beta programs, contests, or promotions: contact info and any responses or feedback you choose to provide.
Participation in surveys, betas, and promotions is optional. We will explain what data we collect and why at the time.
3.4 Information Collected Automatically
When you use the Services, we automatically collect certain information through cookies and analytics tools (e.g., Google Analytics).
a. Device & Browser Information
- Device model and manufacturer
- Operating system and version
- Language and region settings
- Browser type and version
b. Usage & Interaction Data
- Features used (makeup, hair, clothing try‑on, etc.)
- Filters and effects applied (aggregated statistics)
- Pages viewed, buttons clicked, session duration
- Navigation flows
We use this to understand which features are popular, what is confusing, and how to improve performance.
c. Identifiers
- Device identifiers (e.g., IDFV on iOS, Android ID)
- Advertising identifiers (e.g., IDFA on iOS, GAID on Android) where permitted and subject to consent requirements
- Internal app instance IDs generated by our SDKs
You can reset or limit advertising identifiers in your device's privacy settings (iOS: Settings → Privacy & Security → Tracking; Android: Settings → Privacy → Ads).
d. Logs & Diagnostics
- IP address (sometimes truncated or pseudonymized)
- Error reports and performance metrics (load times, error codes)
- Basic network information (country, approximate region, ISP)
We use this to fix bugs, secure the site, and analyze performance.
e. Approximate Location
We do not collect precise GPS location by default. We may infer approximate country or region from your IP address or browser locale in order to:
- Localize content (language, legal screens, pricing);
- Comply with regional privacy and consumer laws;
- Measure global usage patterns.
3.5 Data From Third Parties
a. Social / Single‑Sign‑On (SSO)
If you sign in using a third‑party account (e.g., Sign in with Apple, Google, or other providers), we may receive:
- Your name (where provided)
- Email address
- An authentication token or identifier
We do not receive your third‑party password. Please check the third party's settings to control what they share with us.
b. Analytics & Attribution Partners
We may work with analytics or attribution providers to understand:
- How users discovered HEMECO (e.g., which campaign or channel)
- Which visits lead to signups or certain feature usage
These partners may use cookies and identifiers, subject to platform rules and consent requirements.
We do not buy personal data from data brokers.
3.6 Sensitive & Biometric‑Related Data
Our virtual try‑on features involve analyzing face, hair, and body images to overlay digital makeup, hairstyles, and clothing. This analysis can involve:
- Facial geometry (landmark coordinates for eyes, nose, lips, jawline, etc.)
- Head and hair contours (for hairstyle simulation)
- Body and silhouette geometry (for clothing overlays and pose estimation)
- Temporary mathematical vectors or measurements (angles, distances, proportions)
Under laws like BIPA and other biometric laws, such measurements can be treated as biometric identifiers or biometric information. We treat them as biometric or biometric‑like data, even where not strictly required, to be conservative.
We do not use this data to identify you as a specific person (no facial recognition against a database), and we do not use it for authentication or identity verification.
We do not intentionally collect:
- Government ID numbers
- Financial account numbers
- Detailed health or medical records
- Sensitive demographic attributes (e.g., religion, sexual orientation), unless you voluntarily include such info in content or communications
4. How We Use Your Information
We use personal data for the following purposes:
4.1 Provide and Maintain the Services
- Process your photos / videos to apply AI try‑on effects
- Allow you to create and maintain an account
- Save edits, favorites, or cloud gallery content (if you choose those features)
- Provide customer support and respond to your requests
4.2 Improve and Develop the Services
- Understand how features are used and where users get stuck
- Fix bugs and errors
- Test new features and user flows (including A/B tests)
- Train and improve our AI models using your photos, try‑on sessions, and usage data to enhance accuracy, speed, and user experience for all users
- Develop new virtual try‑on features and effects
By using HEMECO, you agree that we may use your content and data to improve our AI models. We will not share your identifiable content with third parties for their own AI training or use your content for external marketing purposes without your separate explicit consent.
4.3 Personalize Your Experience
Where allowed by law and your settings, we may:
- Remember your preferred looks, filters, or styles
- Suggest similar filters, looks, or style packs based on past actions
4.4 Communicate With You
- Respond to support requests or feedback
- Send service‑related notices (e.g., changes to this Policy or our Terms, security alerts, important updates)
These communications are not primarily promotional.
4.5 Marketing and Promotions (Optional)
With your consent where required, we may:
- Send email newsletters or messages about new features, promotions, or offers
- Show reminders (e.g., a trial ending soon)
You can opt out of marketing at any time.
4.6 Analytics, Attribution & Advertising
We use analytics and attribution to:
- Understand where users come from (e.g., which campaigns lead to signups)
- Measure engagement, retention, and feature adoption
If we ever introduce personalized advertising or cross‑site tracking, we will:
- Update this Policy; and
- Request any required opt‑in consent before enabling such tracking
4.7 Safety, Security & Abuse Prevention
- Detect and prevent fraud, spam, and abuse
- Protect users and HEMECO from security threats
- Enforce our Terms and Acceptable Use rules
4.8 Legal Compliance & Rights Protection
- Comply with tax, accounting, and regulatory requirements
- Respond to lawful requests from authorities (subject to careful review)
- Establish, exercise, or defend legal claims
We will not use your personal data for materially new purposes that are not compatible with those listed here without updating this Policy and, where required, obtaining your consent.
5. Legal Bases for Processing (GDPR, LGPD, etc.)
Where laws like GDPR or LGPD apply, we rely on one or more of the following legal bases:
- Contractual necessity – to provide the Services you request (e.g., processing your images for virtual try‑on, creating your account).
- Consent – especially for camera/photo access, biometric processing in certain jurisdictions, marketing communications, and personalized ads/tracking where required.
- Legitimate interests – such as improving the service, preventing fraud, and securing our systems, balanced against your rights and freedoms.
- Legal obligation – where we must process data to comply with law (e.g., financial record‑keeping, responding to valid legal requests).
For the same data, multiple bases may apply depending on the context.
6. Biometric & Face/Body Geometry Data
Because HEMECO provides virtual makeup, hairstyle, and clothing try‑on, our technology processes data that can qualify as biometric information under laws like BIPA and similar statutes.
6.1 What We Collect for Virtual Try‑On
When you use try‑on features, our algorithms may:
- Detect your face, hairline, and key facial landmarks
- Detect head orientation and approximate hair area
- Detect body outline or pose for clothing overlays
- Compute temporary vectors or measurements needed to position virtual try‑on elements
We treat facial geometry, hair/head geometry, and body/silhouette geometry as biometric or biometric‑like data.
6.2 Purpose of Biometric Processing
We use this biometric‑related information solely to:
- Apply virtual makeup, hairstyles, and clothing effects
- Adjust virtual try‑on effects to your movements in real time
- Improve realism and alignment of the effect
We do not:
- Use biometric data to identify or verify your identity;
- Run facial recognition against a database of people;
- Use biometric data for automated decisions with legal or similarly significant effects.
6.3 Consent (Including BIPA & Similar Laws)
In jurisdictions with biometric laws (e.g., Illinois BIPA, Texas, Washington, and others), those laws often require clear notice and written consent before collecting biometric identifiers. We comply by:
- Presenting notices explaining what biometric‑related data we collect, how we use it, and how long we keep it;
- Asking you to affirmatively agree (for example, clicking "I Agree" or enabling the feature) before you first use biometric‑enabled try‑on features in those jurisdictions; and
- Making this Privacy Policy publicly available, including our retention and destruction schedule (see Section 9).
If you do not consent to biometric processing, please do not use virtual try‑on features that involve your face or body images.
For minors where allowed: The Services are not intended for children under 13. For users 13–17 (or under the age of majority in your jurisdiction), a parent or legal guardian must review this Policy and our Terms and provide consent on the minor's behalf where required. In BIPA‑covered jurisdictions, the parent/guardian's consent is intended to serve as the required "written release" for biometric processing.
6.4 Storage & Retention of Biometric‑Related Data
Our goal is to minimize storage of biometric‑related data. In many cases, detection and processing occur in your browser or on your device. Where our servers are used, biometric‑related data is typically processed in volatile memory only for the duration of computation and is not stored as a separate record.
For typical try‑on sessions:
- Photos/videos used for try‑on are stored on our servers only for as long as needed to generate results and briefly support re‑edits, generally up to 24 hours, and never more than 48 hours in normal operations.
- Biometric‑related data derived from those images is destroyed along with the source image and is not kept separately.
If you explicitly opt in to features that require longer storage (for example, saving a persistent AI avatar or personalized model):
- We will explain what is stored and for how long;
- We will keep it no longer than 3 years after your last interaction with that feature, unless law requires a shorter period or allows a longer one; and
- We will delete it sooner if you revoke consent or delete your account, subject to technical and legal constraints (see Section 9).
6.5 Sharing of Biometric Data
We do not sell biometric information and do not share it with third parties for their independent marketing or advertising.
Biometric‑related processing may be performed by:
- Our cloud infrastructure providers (if we use them to process images); and
- Vendors providing AI processing components.
These providers act as data processors on our behalf and are contractually required to:
- Use biometric‑related data only to provide services to HEMECO;
- Protect it with strong security measures; and
- Delete it according to our instructions.
We may also disclose biometric data if required by law or court order, as allowed by applicable biometric laws, and subject to strict review.
7. How We Share Personal Data
We do not sell your personal data for money. We share data only as described below:
7.1 Service Providers (Processors)
We use trusted third‑party service providers to help us operate the Services, such as:
- Cloud hosting and computing providers
- Analytics and error‑reporting tools
- Customer support tools
- Email delivery services
- AI processing vendors
They may access personal data only to provide their services to us and must protect it and follow our instructions.
7.2 Within Our Corporate Group
If HEMECO has subsidiaries or affiliates, we may share data internally as needed to provide and support the Services, subject to this Policy.
7.3 Business Transfers
If HEMECO is involved in a merger, acquisition, financing, or sale of all or part of its assets, your information may be transferred as part of the transaction, subject to this Privacy Policy or a successor policy offering at least equivalent protections.
7.4 Legal & Safety
We may disclose data when we reasonably believe it is necessary to:
- Comply with applicable law, regulation, or legal process;
- Respond to lawful requests from public authorities;
- Protect the rights, safety, or property of HEMECO, our users, or others;
- Detect, prevent, or address fraud, abuse, or security issues.
7.5 Your Sharing
When you choose to share content (for example, exporting an edited photo to a social platform or sending it to a friend), we transmit it as you direct. Once content leaves HEMECO, it is governed by the recipient's or platform's own terms and privacy policies.
7.6 Aggregated or De‑Identified Data
We may share aggregated statistics or de‑identified data (for example, "X% of users used hairstyle try‑on this month") that does not reasonably identify you. This is not considered personal data.
8. International Data Transfers
HEMECO is based in Canada, and we may process data in Canada, the United States, and other countries where we or our service providers operate. These countries may have privacy laws that differ from those in your jurisdiction.
For users in the EEA, UK, Switzerland, Brazil, and similar regions: When we transfer personal data to countries that do not have an "adequacy" decision, we use appropriate safeguards, such as:
- Standard Contractual Clauses (SCCs) with service providers; and
- Additional technical and organizational measures (encryption, access controls, minimization).
For users in Quebec, when personal information is transferred outside Quebec (for example, to servers in the U.S.), we conduct a Privacy Impact Assessment as required by Law 25 to ensure the data receives adequate protection. We also maintain a person in charge of the protection of personal information as required by Quebec law.
By using the Services, you understand that your data may be transferred to countries outside your own. Where required by law, we will rely on your explicit consent or other valid mechanisms.
9. Data Retention & Deletion
We keep personal data only for as long as necessary for the purposes described in this Policy or as required by law.
9.1 Typical Retention Periods
User Photos & Videos (for Try‑On)
Stored on servers only as long as needed to generate results and briefly support re‑edits (generally up to 24 hours, no more than 48 hours in normal operations). Deleted from active systems after that period unless you choose features that require longer storage (e.g., cloud gallery).
Biometric‑Related Data (Face/Body Geometry)
Processed ephemerally (in browser or in volatile memory) and destroyed along with the source image. If stored as part of an optional, explicitly consented feature (e.g., a persistent AI avatar or model), retained no longer than 3 years after your last interaction with that feature, or until you withdraw consent or delete your account, whichever is earlier, subject to legal obligations.
Account Data (email, profile info, settings)
Kept while your account is active. If you delete your account or it remains inactive for a long period (e.g., 2 years), we schedule deletion or anonymization, retaining only what we must for legal, security, or accounting reasons.
Analytics & Logs
Raw logs and device‑level data are kept for a limited period (typically a few months). Aggregated statistics (which no longer identify you) may be kept longer.
Support Communications
Typically kept for up to 2 years to help us understand recurring issues and improve support.
Transaction & Billing Records
Retained as required by tax and accounting laws (often 5–7 years, depending on jurisdiction).
9.2 Deletion Requests
If you request deletion of your data (see Section 10), we will delete or anonymize your personal data from active systems, subject to:
- Legal obligations (e.g., records we must keep);
- Security or fraud‑prevention needs; and
- Technical constraints (e.g., backups).
Backups are retained for disaster recovery only. If your data appears in backups, it will be overwritten during normal backup rotation and will not be used for any other purpose.
10. Your Rights & Choices
Your privacy rights depend on your location, but we aim to give all users strong controls over their data.
10.1 Common Rights (Available to Many Users)
Subject to applicable law, you may have the right to:
- Access – ask whether we process your personal data and request a copy.
- Rectify – correct inaccurate or incomplete information.
- Delete – request deletion of your personal data ("right to be forgotten").
- Portability – receive certain data in a machine‑readable format and transmit it to another controller.
- Restrict – request that we temporarily restrict processing under certain circumstances.
- Object – object to certain processing (e.g., marketing or some legitimate interest‑based processing).
- Withdraw consent – withdraw your consent where processing is based on consent (for example, marketing or biometric‑related features in some jurisdictions).
If you withdraw consent or request deletion, some features may no longer work (for example, we cannot maintain a cloud gallery without storing your images).
10.2 Region‑Specific Highlights
EEA / UK (GDPR)
You have rights to access, rectification, erasure, restriction, portability, and objection (including to direct marketing). You may also lodge a complaint with your local Data Protection Authority.
California (CCPA/CPRA)
You may have rights to:
- Know the categories and specific pieces of personal information we collect about you;
- Access, correct, or delete your personal information;
- Opt out of "sale" or "sharing" of personal information;
- Limit the use and disclosure of sensitive personal information; and
- Be free from discrimination for exercising your rights.
As of the "Last Updated" date above:
- HEMECO does not sell personal information as defined by CCPA.
- We do not share personal information for cross‑context behavioral advertising without any required opt‑in.
- Our use of biometric‑related data is limited to what is necessary to provide the Services, except where you separately opt in to optional features like AI training.
Illinois (BIPA) and Similar Biometric Laws
You have rights regarding biometric information, including the right to be informed of collection, the purpose of use, and the retention schedule, and to give or withhold consent. See Section 6 and Section 9 for our biometric practices and retention schedule.
Brazil (LGPD)
You may have rights to confirmation of processing, access, correction of incomplete or outdated data, anonymization, blocking or deletion of unnecessary or non‑compliant data, data portability, and revocation of consent.
Canada (PIPEDA & Quebec Law 25)
You may have rights to access your personal data, challenge its accuracy, and complain to regulators. Quebec Law 25 provides additional protections, including impact assessments for certain transfers and heightened obligations around consent and data minimization.
Other U.S. States (e.g., Colorado, Virginia, Connecticut, Utah, etc.)
Emerging state privacy laws grant similar rights (access, correction, deletion, data portability, opt‑out of certain processing). We aim to honor these rights in line with applicable law.
10.3 Exercising Your Rights
You can:
- Use account settings, where available (e.g., delete account, manage notifications).
- Contact us at contact@hemeco.app with your request.
We may need to verify your identity (for example, via your account login or email verification) before fulfilling your request. We will respond within the timeframe required by law (generally 30–45 days, with extensions for complex requests where allowed).
You can also:
- Opt out of marketing emails at any time using the "unsubscribe" link.
- Control browser permissions (camera, microphone, location, notifications) in your browser settings.
- Manage cookies and tracking preferences in your browser settings.
11. Children's Privacy
HEMECO is not intended for children under 13 (or under the minimum age required in your country, if higher). We do not knowingly collect personal data from children under this age.
If you are 13–17 (or under the age of majority in your jurisdiction), you may use HEMECO only with the consent and supervision of a parent or legal guardian, who is responsible for your use and for providing any required consents (including biometric consent in applicable jurisdictions).
For BIPA‑covered minors in Illinois, we require the parent or guardian to provide the written consent for biometric processing described in this Policy.
If we learn that we have collected personal data from a child under the minimum age without verifiable parental consent, we will delete it. If you believe a child has used the Services without proper consent, please contact us at contact@hemeco.app.
12. Security
We take the security of your data seriously and use a combination of technical and organizational measures, including:
- Encryption in transit (HTTPS/TLS) between your device and our servers;
- Encryption at rest for stored content where appropriate;
- Access controls and least‑privilege principles for our staff and systems;
- Secure development practices and periodic security reviews;
- Use of reputable cloud providers with strong security programs;
- Incident response and breach‑notification procedures.
No system is 100% secure. You can help by:
- Using a strong, unique password;
- Keeping your device and browser up to date;
- Letting us know immediately if you suspect unauthorized access to your account.
If we become aware of a data breach affecting your personal data and posing a high risk to your rights and freedoms, we will notify you and any relevant authorities as required by law.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect:
- Changes in our Services or business;
- Changes in applicable laws and regulations; or
- Changes in technology or industry practices.
When we make material changes, we will:
- Update the "Last Updated" date at the top; and
- Provide additional notice where appropriate (for example, on the website or via email).
Your continued use of the Services after an update means you accept the revised Policy. If you do not agree with changes, you should stop using HEMECO and may request deletion of your data.
14. Contact & Complaints
Data Controller
HEMECO Inc.
3069 rue Cherrier
Île-Bizard, QC H9C 1C8
Canada
Privacy & Data Protection Contact
Email: contact@hemeco.app
If required by law, we will designate local representatives for the EU/UK/Brazil and update their contact details in this section. Until then, users in those regions may contact us at the email above.
If you believe we have not handled your data in accordance with applicable law, you have the right to lodge a complaint with your local data protection or privacy authority (for example, CNIL in France, ICO in the UK, ANPD in Brazil, OPC in Canada). We encourage you to contact us first so we can try to resolve your concerns.