Legal

Privacy Policy

Last updated: May 28, 2026

Effective Date: May 28, 2026

Welcome to CrownShift ("we," "our," or "us"). This Privacy Policy explains how we collect, use, disclose, and protect your information when you use the CrownShift iOS application (the "App") and our website at crownshift.app (the "Site"). Together, the App and the Site are referred to as our "Services." By using our Services, you agree to the practices described in this policy.

CrownShift is operated by CrownShift.AI, located in California, United States. We are the "business" responsible for the personal information described in this policy. If you have any questions or concerns, please contact us at crownshiftappsupport@gmail.com.

1. Information We Collect

Face Data

CrownShift does not perform facial recognition, biometric identification, or facial feature mapping. The app does not use Apple's ARKit face tracking, the Vision framework's face analysis APIs, TrueDepth / Face ID data, or any other system that extracts biometric templates, face geometry, or facial landmarks.

The only "face data" the app handles is the user-uploaded photograph itself — a standard image file that happens to contain the user's face. This photograph is handled as follows:

  • What is collected: A single selfie (or, for the Hair Analysis feature, a front-facing and optional side-profile photo) that you choose to upload from your camera or photo library. No biometric templates, face signatures, face geometry, or other derived measurements are extracted or stored.
  • Purpose: The photograph is used for one purpose only — to generate the AI hairstyle preview or hair analysis that you requested. It is not used for advertising, profiling, user identification, analytics, cross-user matching, or any other purpose.
  • How it is processed: EXIF metadata (such as GPS coordinates and device information) is stripped from the image. The photograph is then transmitted over HTTPS/TLS to our Firebase Cloud Function, which forwards it to Google's Gemini AI API along with a text prompt describing the requested style. Gemini returns a generated preview image, which is sent back to your device.
  • Third parties: The photograph is transmitted only to Google LLC (via Firebase Cloud Functions and the Gemini AI API) solely to fulfill your request. No other third parties receive the photograph. Per the Gemini API Terms of Service, data submitted to the paid tier of the Gemini API is not used by Google to train its models.
  • Storage & retention: Your uploaded photograph is not permanently stored on our servers or in any database. It exists transiently in memory on our Cloud Function only for the duration of the API call (typically 30–60 seconds) and is discarded immediately after the AI result is returned to you. The generated output image is stored locally on your device and optionally synced to your own account in Firestore; it is deleted when you delete it from the app, and all associated account data is removed within 30 days of account deletion.
  • No AI training: Your photographs are never used to train, fine-tune, or improve AI models — ours or any third party's.
  • Consent: Before the first use of any AI feature that processes your photo, the app presents an explicit consent screen that you must accept.
  • No sharing with other users: Your photographs and generated results are never shared with or visible to other CrownShift users.

Account Information

When you create a CrownShift account, we collect your email address. Your password is set through Firebase Authentication (provided by Google LLC) and is never transmitted to or stored by us — Firebase handles all credential storage and verification on Google's infrastructure. You may also sign in using Sign in with Apple or Google Sign-In, in which case we receive your name (if you choose to share it) and email address from the respective provider. We do not collect your name unless you choose to provide it in your profile or share it through a social sign-in provider.

During onboarding we also ask how you heard about CrownShift (for example, TikTok, Instagram, the App Store, or a referral from a friend). Your answer is stored in your account and used only to understand how users discover the app. This field is optional — if you do not answer, nothing is recorded.

Photos You Upload

To generate hairstyle previews, you upload photos of yourself (selfies). To run the hair analysis feature, you may upload front-facing and side-profile photos.

  • Uploaded photos are transmitted securely over HTTPS to our cloud servers.
  • Before processing, metadata (EXIF data such as GPS location, device info) is stripped from all images.
  • Photos are passed to the Google Gemini AI API solely to generate your requested preview or analysis.
  • We do not use your photos to train AI models.
  • Uploaded photos are not permanently retained on our servers after processing is complete.

Third-Party AI Processing

CrownShift uses Google's Gemini AI (provided by Google LLC) to generate hairstyle previews and hair analysis results. When you use these features:

  • Data sent: Your uploaded photo(s) are transmitted to Google's Gemini AI API through our secure cloud servers. For hairstyle generation, your selfie (and a reference style photo, if provided) is sent. For hair analysis, your front-facing and optional side-profile photos are sent along with your selected hair type.
  • Purpose: Photos are sent solely to generate your requested hairstyle preview or analysis. They are not used for any other purpose.
  • No training: Your photos are not used to train or improve AI models.
  • No retention: Photos are discarded from our servers and Google's servers immediately after your result is generated and returned to you.
  • Your consent: Before your first use of any AI-powered feature, CrownShift asks for your explicit permission to send your photos for processing. You may choose not to use these features.

Google's handling of data transmitted to the Gemini API is governed by Google's Privacy Policy and their Gemini API Terms of Service.

Saved Looks and Collections

If you choose to save a hairstyle preview, the generated image and associated metadata (style name, date created) are stored locally on your device using Apple's SwiftData framework. Saved look data may also be synced to your account in Firestore (our cloud database) to enable access across sessions.

Hair Type and Preferences

Hair type inputs provided during the Hair Analysis feature are used solely to generate your style profile during that session and are not retained after the analysis is complete.

In-App Purchase Information

CrownShift uses a credits system for AI-powered features. Purchases are processed entirely by Apple's App Store. We do not collect or store your payment card information. We receive confirmation from Apple that a purchase was made, along with your Apple-assigned purchase record. All billing disputes are handled through Apple.

Usage Data and Analytics

We use Google Analytics (provided by Google LLC) and Firebase (also provided by Google LLC, including Firebase Crashlytics where applicable) to understand how our Services are used and to diagnose technical issues. The data collected includes, for example, pages or screens viewed, features used, approximate location inferred from IP address (city/region level), device and browser type, session duration, and error or crash logs.

We have not enabled Google Signals or any of Google's advertising features on our analytics property, so this data is not used to build advertising profiles about you across other sites or apps. Google's handling of analytics data is governed by Google's Privacy Policy.

Cookies and Similar Technologies

Our Site uses cookies and similar technologies to support analytics and basic functionality. Specifically:

  • Google Analytics cookies (such as _ga and _ga_<property-id>): used to distinguish unique visitors and measure usage. These cookies typically expire within 2 years.
  • Session and preference cookies: set by your browser to remember basic display preferences. These do not identify you personally.

You can control or block cookies through your browser settings. Blocking cookies may affect the functionality of the Site but will not affect your ability to use the App.

The App does not use browser cookies, but Firebase SDKs running inside the App may store device-level identifiers (such as a Firebase Installation ID) on your device to support authentication, analytics, and crash reporting.

2. How We Use Your Information

  • Provide and operate the App: To authenticate your account, process AI previews and analyses, and store your saved looks.
  • Credits and purchases: To track your credit balance and unlock features you have paid for.
  • Improve the App: To diagnose technical issues and understand how features are used.
  • Communicate with you: To respond to support requests or send important service-related notifications.
  • Security: To detect fraud, abuse, and other illegal activity.
  • Understand how users discover us: The onboarding survey response ("how did you hear about CrownShift?") is used in aggregate to measure which channels are driving app downloads. It is not used for advertising or shared with third parties.

3. How We Share Your Information

We do not sell your personal information. We share your information only in the following limited circumstances:

Service Providers

  • Google LLC (Firebase, Gemini, Google Analytics & Google Sign-In): Firebase Authentication, Firestore database, and Cloud Functions run on Google's infrastructure. Your photos are transmitted to Google's Gemini API solely to generate AI outputs. Google Analytics collects usage data about our Services as described in the "Usage Data and Analytics" and "Cookies and Similar Technologies" sections above. If you use Google Sign-In, your authentication is handled by Google. Google's use of this data is governed by Google's Privacy Policy.
  • Apple Inc.: In-app purchases, App Store delivery, and Sign in with Apple are processed by Apple under Apple's Privacy Policy. When you use Sign in with Apple, Apple shares your name and email address (or a private relay email) with us to create your account.
  • RevenueCat, Inc.: We use RevenueCat to manage in-app purchases and credit fulfillment. RevenueCat receives anonymized purchase transaction data from Apple to verify and process your credit purchases. RevenueCat does not receive your photos or personal content. RevenueCat's use of this data is governed by RevenueCat's Privacy Policy.

Legal Requirements

We may disclose your information if required to do so by law or in response to valid requests from public authorities (e.g., a court order or government agency).

Business Transfers

If CrownShift is involved in a merger, acquisition, or asset sale, your information may be transferred as a business asset. We will notify you before your data is transferred and becomes subject to a different privacy policy.

4. Data Retention

  • Account data (email, profile info, saved looks, credits balance) is retained as long as your account is active.
  • Uploaded photos / face data are not permanently retained on our servers. They are discarded immediately after your AI preview or analysis is generated and returned to the App — see the "Face Data" subsection above for details.
  • Generated preview images are stored locally on your device and optionally in your account's cloud storage until you delete them.
  • When you delete your account (via Settings → Delete Account in the App), all associated account data is permanently removed from our servers within 30 days.

5. Your Rights and Choices

Access and Correction

You can view and update your profile information (name, email) within the App under Settings.

Account Deletion

You may permanently delete your account and all associated data at any time through the App: Profile → Delete Account. You may also submit a deletion request by emailing crownshiftappsupport@gmail.com.

Opt-Out of Analytics

If you wish to opt out of anonymized usage analytics, please contact us at crownshiftappsupport@gmail.com.

California Residents (CCPA / CPRA)

If you live in California, the California Consumer Privacy Act ("CCPA"), as amended by the California Privacy Rights Act ("CPRA"), gives you specific rights regarding your personal information. This section explains, in plain language, what we collect, who we share it with, how long we keep it, and how you can exercise your rights.

Categories of personal information we collect. In the past twelve (12) months, we have collected the following categories of personal information, as defined by the CCPA:

  • Identifiers (Category A): Email address, Firebase account ID, device identifier, and IP address — from you and from your device.
  • Customer records (Category B): Account credentials, any name or contact information you choose to provide, and your onboarding survey response indicating how you heard about CrownShift — from you.
  • Internet or other electronic network activity (Category F): App screens viewed, features used, session counts, and crash and diagnostic logs — from your device and through analytics tools such as Google Analytics and Firebase.
  • Geolocation (Category G): Approximate location inferred from your IP address (city or region level only). We do not collect precise GPS location.
  • Visual information (Category H): Photos you upload or capture for hairstyle generation or hair analysis, and the AI-generated preview images that result.
  • Inferences (Category K): Hairstyle suggestions and product recommendations generated from your inputs.
  • Commercial information (Category D): A record from Apple and RevenueCat confirming that a credits purchase occurred, plus your remaining credits balance. We do not receive your payment-card details.

We do not knowingly collect the following CCPA categories: protected-class characteristics (Category C), biometric identifiers used for identification (Category E), professional or employment information (Category I), education records (Category J), or content of any private communications.

Sensitive personal information. CPRA defines a sub-set called "sensitive personal information" (SPI). The only data we collect that could fall under SPI is the photograph of your face that you upload for hairstyle generation or hair analysis. We use these photos solely to generate the AI preview or analysis you requested, as described in the "Face Data" section above. We do not use them to uniquely identify you, do not run facial-recognition matching, do not retain them after processing, do not sell or share them, and do not use them for any purpose other than the service you asked for. Hair type and styling preferences you provide are not sensitive personal information under CPRA, and per the "Hair Type and Preferences" section above, they are not retained after your analysis session ends.

Because we only use SPI for the service you requested, the law does not require us to offer a separate "Limit the Use of My Sensitive Personal Information" link. You may still ask us to limit our use at any time using the contact methods below, and we will honor your request.

Categories disclosed to third parties for a business purpose. Over the past twelve (12) months we have disclosed:

  • Identifiers and internet-activity data to Google LLC (Firebase, Google Analytics) and Apple Inc. for authentication, hosting, analytics, crash reporting, and app delivery.
  • Your uploaded photo(s) to Google LLC (via the Gemini API) solely to generate your requested preview or analysis. Photos are transient — see the "Face Data" section.
  • Anonymized purchase transaction data to RevenueCat, Inc. to verify and fulfill in-app credit purchases.

Each of these service providers is bound by contract to use the information only for the services they perform for us.

Sale or sharing of personal information. CPRA defines "sale" broadly (any exchange of personal information for valuable consideration) and "sharing" specifically as disclosing personal information to a third party for cross-context behavioral advertising.

We do not sell your personal information, and we do not share it for cross-context behavioral advertising. We use Google Analytics to measure how the App and website are used, but we have not enabled Google Signals or any of Google's advertising features on our analytics property, so analytics data is not used to build advertising profiles about you across other sites or apps. If our practices ever change, we will update this policy and provide a "Do Not Sell or Share My Personal Information" opt-out mechanism before any such sharing begins.

We do not knowingly sell or share the personal information of consumers under 16 years of age.

Your CCPA/CPRA rights. As a California resident, you have the right to:

  • Know what personal information we have collected about you, the categories of sources, the business purposes for collecting it, and the categories of third parties to whom we disclosed it.
  • Delete personal information we have collected from you, subject to certain legal exceptions (for example, to complete a transaction, detect security incidents, or comply with a legal obligation).
  • Correct inaccurate personal information we maintain about you.
  • Opt out of the sale or sharing of your personal information.
  • Limit our use of your sensitive personal information (not actively required for us, because we only use SPI for the service you requested).
  • Non-discrimination. We will not deny you service, charge you a different price, or provide a lower quality of service because you exercised any of your CCPA rights.

How to submit a verifiable consumer request. You can exercise any of the rights above by:

  • Emailing us at crownshiftappsupport@gmail.com with the subject line "California Privacy Request", or
  • Deleting your account directly in the App under Profile → Delete Account (for deletion requests).

To verify your identity, we will ask you to confirm information we already have on file (such as the email address associated with your account). We will not ask for more information than is reasonably necessary to verify your request. If we cannot verify your identity, we may decline the request and will tell you why. We will respond to verifiable consumer requests within 45 days; if we need more time (up to an additional 45 days), we will tell you the reason and the extension.

Authorized agents. You may designate an authorized agent to submit a request on your behalf. The agent must provide us with written, signed permission from you (or a valid power of attorney under California Probate Code §§ 4000–4465) and verification of the agent's own identity. We may also contact you directly to confirm that you have authorized the request.

Retention. We keep personal information only for as long as needed for the purposes described in this policy:

  • Account information (identifiers, customer records, credits balance) — for the life of your account; permanently removed within 30 days of account deletion, except where we must retain it to comply with law, resolve disputes, or enforce our agreements.
  • Onboarding survey response (how you heard about CrownShift) — for the life of your account; removed within 30 days of account deletion.
  • Uploaded photos — not retained on our servers. Held transiently in memory during AI processing (typically 30–60 seconds) and discarded immediately after your result is returned.
  • Generated preview images and saved looks — stored locally on your device and, if you save them, in your account's Firestore record until you delete the individual look or your account.
  • Hair-type and analysis inputs — used only for the current session and not retained afterward.
  • Analytics and app-usage data — retained in Google Analytics for up to the period set in our GA4 property (currently the GA4 default of 14 months), then automatically purged.
  • Crash and diagnostic logs — up to 90 days.
  • Support communications — up to 24 months after the issue is resolved.

Where a specific period is not listed, we determine retention based on (a) the nature and sensitivity of the data, (b) the purposes for which it is processed, (c) the potential risk of harm from unauthorized use, and (d) any applicable legal obligations.

"Shine the Light" (California Civil Code § 1798.83). California residents who have an established business relationship with us may request once per year a list of third parties to which we have disclosed personal information for those third parties' own direct marketing purposes. We do not currently disclose personal information for third-party direct marketing.

Canadian Residents (PIPEDA)

If you are a Canadian resident, you have rights under the Personal Information Protection and Electronic Documents Act (PIPEDA), including the right to access your personal information and request corrections. You may also withdraw consent to certain uses of your personal information, subject to legal or contractual restrictions. To exercise these rights, contact us at crownshiftappsupport@gmail.com.

EU/EEA Residents (GDPR)

If you are located in the EU or EEA, you have rights under the General Data Protection Regulation (GDPR), including the right to access, rectify, erase, restrict, or port your personal data. You also have the right to object to processing and to lodge a complaint with your local data protection authority. Our legal basis for processing your data is performance of a contract (providing the App's services) and, where applicable, your consent or legitimate interests. Contact us at crownshiftappsupport@gmail.com to exercise these rights.

6. Data Security

We implement appropriate technical and organizational safeguards to protect your information, including:

  • HTTPS/TLS encryption for all data in transit.
  • Firebase Security Rules restricting database access to authenticated users' own data.
  • Image metadata stripping before AI processing.
  • Authentication tokens with limited scope and expiry.

No method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we take your privacy seriously and continuously work to improve our protections.

7. Children's Privacy

CrownShift is not directed to children under the age of 17. We do not knowingly collect personal information from children under this age. If you believe a child has provided us with personal information, please contact us at crownshiftappsupport@gmail.com and we will delete the information promptly.

8. Third-Party Links and Services

The App may contain links to third-party services (e.g., the Apple App Store). This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third parties you interact with.

9. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by posting the new policy on this page and updating the "Last Updated" date. Your continued use of the App after changes take effect constitutes your acceptance of the revised policy.

10. Contact Us

If you have any questions about this Privacy Policy or our privacy practices, please contact us:

© 2026 CrownShift. All rights reserved.