Version 1.1 · June 10, 2026
This policy explains what data Baselit processes, on what legal basis, and what rights you have. Baselit is operated from Germany, so this policy follows the EU General Data Protection Regulation (GDPR / DSGVO) and German law. We keep it plain on purpose.
Marco Mori
Birkachstraße 3
88131 Lindau (Bodensee)
Germany
Email: hello@baselit.app · Phone: +49 171 2931804
A Data Protection Officer is not yet legally required at our current size (single operator, no large-scale processing of special-category data, Art. 37 GDPR). We review this as we grow.
When you open this site, our hosting provider automatically stores standard technical data your browser sends: browser type/version, operating system, referrer URL, hostname, time of the request, and IP address (shortened where technically possible).
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in a secure, stable website). Retention: max. 30 days, then automatic deletion. Provider: Vercel Inc., Covina, CA, USA, under an Art. 28 GDPR data processing agreement incl. EU Standard Contractual Clauses (see §5).
If you join the waitlist, we collect only your email address.
Purpose: to notify you about the app launch and relevant Baselit updates. Legal basis: Art. 6(1)(a) GDPR (your explicit, voluntary consent, given by entering your email and clicking the button; no pre-ticked boxes). Retention: until you withdraw, or at the latest 12 months after launch.
Withdrawal: you can withdraw consent any time with future effect, via email to hello@baselit.app (subject "unsubscribe") or the unsubscribe link in every email. Withdrawal does not affect the lawfulness of prior processing.
Processor: we use an email delivery provider for the waitlist, under an Art. 28 GDPR data processing agreement.
This landing page sets no tracking cookies and runs no web-analytics tool. We build no usage profiles. If we ever add privacy-friendly, cookie-free analytics, we will update this policy first.
This section describes processing inside the Baselit app. If you only visit this website, it does not apply to you.
You can take a photo of your skin for AI-based skin scoring. Core design decision: the original photo is never stored on our servers. The flow is:
photo (in memory) → normalise → AI analysis → score numbers (0–100) → photo discarded
The selfie is transmitted transiently to the AI provider for analysis and discarded immediately after the score is computed. It is never written to our database or storage, and we keep no face embeddings or feature vectors. We store only the numeric score, the five axis values, the timestamp and your history. These pure numbers are not biometric data under Art. 9 GDPR, as no person can be identified from them (cf. EDPB Guidelines 05/2022).
Photo timeline: if you use the optional photo timeline, those photos are stored only locally on your device. They are never uploaded to our servers. Deleting the app deletes them.
Third-country transfer: the photo is sent to a US vision API (Anthropic Claude Vision) for analysis. An Art. 28 data processing agreement incl. EU Standard Contractual Clauses is in place; your photo data is not used to train AI models (contractually fixed); no personal identifiers (name, account ID) are sent in the API call (data minimisation, Art. 5(1)(c) GDPR). Legal basis: Art. 6(1)(b) GDPR (performance of the core service).
The app includes an AI chat coach for skincare questions. When you send a message, the following is transmitted to generate the reply:
Recipient: the request is relayed through our backend to Anthropic PBC (USA), which runs the language model that generates the reply. An Art. 28 data processing agreement incl. EU Standard Contractual Clauses is in place, and Anthropic does not use API data to train its models (contractually fixed).
Storage: we do not store your chat content on our servers. Your chat history lives only locally on your device. Server-side we keep only a numeric usage counter (messages per day/month, no content) to enforce fair-use limits; error logs contain no conversation content.
Legal basis: Art. 6(1)(b) GDPR (performance of the service) for chat content and score context. For the voluntary health-related inputs (pregnancy/breastfeeding, sensitivity), which may constitute health data under Art. 9 GDPR: your explicit consent, Art. 9(2)(a) GDPR, given during onboarding. These inputs are optional; the coach works without them, and you can withdraw consent at any time by removing them from your profile or deleting your account.
| Provider | Purpose | Location | Transfer basis |
|---|---|---|---|
| Vercel Inc. | Hosting / CDN (landing) | USA | SCCs, DPA |
| Email provider | Waitlist delivery | EU/US | DPA / SCCs |
| Supabase Inc. (app) | Hosting, database, auth (backend) | USA (EU region: Frankfurt, Germany) | SCCs, DPA |
| Anthropic PBC (app) | AI image analysis and Skin Coach chat | USA | SCCs, DPA |
Some providers are based in the USA. Transfers rely on EU Standard Contractual Clauses (Commission Decision 2021/914) and/or the EU–US Data Privacy Framework where the provider is certified. We have run a Transfer Impact Assessment and apply data minimisation. Details on the safeguards are available on request.
| Data | Retention |
|---|---|
| Server logs | max. 30 days |
| Waitlist email | until withdrawal, max. 12 months after launch |
| Account data (from app) | until account deletion |
| Selfie raw data | not stored (discarded right after analysis) |
| Photo timeline (app) | local on your device only, never uploaded |
| Coach chat content (app) | not stored on our servers (history lives on your device) |
| Coach usage counter (app) | numeric count per day/month, no content |
| Score history (from app) | until account deletion |
| Sensitivity inputs (from app) | until withdrawal or account deletion |
You have the right to: access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20), objection to processing based on legitimate interests (Art. 21), and withdrawal of consent at any time with future effect (Art. 7(3)). To exercise any of these, contact hello@baselit.app. We usually respond within 30 days.
In-app deletion: you can delete your account and all server-side data directly in the app via "Delete my data and account" in the settings, without contacting us. This removes your account, score history and profile inputs.
You may complain to a data protection authority if you believe your data is processed unlawfully. The authority responsible for Baselit (operator based in Baden-Württemberg) is:
Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg (LfDI)
Postfach 10 29 32, 70025 Stuttgart, Germany
Phone: +49 711 615541-0 · poststelle@lfdi.bwl.de
baden-wuerttemberg.datenschutz.de
We make no decisions based solely on automated processing (incl. profiling) that produce legal effects concerning you (Art. 22 GDPR). The skin score is an informational orientation value, not a binding decision.
Baselit is not directed at anyone under 16. We do not knowingly collect personal data from minors under 16 and will delete such data promptly if discovered.
We may update this policy when our processing or the legal situation changes materially. The current version is always available on this page. For material changes, we notify registered users by email at least 30 days in advance.