
Privacy Policy

Last updated · May 25, 2026

evora ("evora", "we", "us") operates the evora skin-intelligence platform (the "Service"). This Privacy Policy describes what information we collect, how we use it, and the choices you have. By using the Service you agree to the practices described below.

1. Information we collect

1.1 Photos you upload

When you run a skin analysis you provide one or more facial photographs. These images are transmitted over TLS, processed in memory by our vision pipeline, and stored in an access-controlled object store encrypted at rest (AES-256).

1.2 Self-reported inputs

You may provide age, sex, ethnicity, climate, sleep, hydration, sun-exposure habits and product history. These inputs are used only to calibrate your analysis and protocol.

1.3 Account & billing data

If you create an account or make a purchase we collect your email address and a payment token from our PCI-compliant processor. We never receive or store full card numbers.

1.4 Technical data

We collect device type, browser, IP address (truncated after 30 days), and aggregated usage events to operate and secure the Service.

2. How we use your information

  • To generate your skin-intelligence assessment, biological-age estimate and evora protocol.
  • To deliver your results, receipts, and product updates you have opted into.
  • To detect fraud and abuse, and to keep the Service secure.
  • To comply with legal obligations and respond to lawful requests.

3. What we never do

  • We never use your photos to train, fine-tune, or evaluate our models.
  • We never sell, rent, or trade your personal data or imagery.
  • We never share your photos with third-party advertisers or data brokers.
  • We never publish your before/after imagery without explicit, written, revocable consent.

4. Retention

Photographs are retained for 30 days from upload and then permanently deleted from primary storage and backups within a further 30 days. Derived numerical features (vector scores, biological-age estimate) are retained against your account so you can track progress, and can be deleted on request.

5. Sub-processors

We use a small number of vetted sub-processors strictly to deliver the Service: cloud hosting (AWS, eu-west-1), error monitoring (Sentry), email delivery (Postmark), and payment processing (Stripe). All sub-processors are bound by Data Processing Agreements.

6. Your rights

If you are in the EEA, UK, California or another jurisdiction with comparable laws, you have the right to access, correct, port, restrict, or delete your personal data, and to withdraw consent at any time. To exercise any of these rights, email privacy@evora.ai. We respond within 30 days.

7. International transfers

Where data is transferred outside your region of residence we rely on Standard Contractual Clauses or equivalent safeguards approved by competent regulators.

8. Children

The Service is not directed to children under 16, and we do not knowingly collect data from them. If you believe a child has provided us with personal data, contact us and we will delete it.

9. Changes to this policy

We may update this policy from time to time. Material changes will be notified by email and posted here with a revised "Last updated" date.

10. Contact

evora · Data Protection Officer · privacy@evora.ai