Privacy Policy

Welcome to Plumped. We are committed to protecting your privacy and handling your personal data with transparency and care. This Privacy Policy explains how Plumped (“we”, “our”, or “us”) collects, uses, shares, and safeguards your personal information when you use our mobile application, website, or any related services (collectively, the “Service”).

By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, please do not use our Service.

We collect information in the following ways to provide and continuously improve the Service.

Information You Provide Directly

• Account information: Name, email address, and password when you register.
• Skin profile: Skin type, concerns, sensitivities, and goals you enter to receive personalised recommendations.
• Skin photos: Images you voluntarily upload or capture using the in-app camera for analysis. Photos are processed to generate recommendations and stored securely.
• Product feedback: Ratings, reviews, or reaction logs you submit for skincare products.
• Communications: Messages or enquiries you send to our support team.

Information Collected Automatically

• Usage data: Features used, pages viewed, interactions with recommendations, and in-app events.
• Device information: Device type, operating system version, unique device identifiers, and app version.
• Log data: IP address, browser type, access timestamps, and error reports.
• Analytics data: Aggregated and anonymised behavioural data used to improve the Service.

Information from Third Parties

If you choose to sign in via a third-party provider (such as Apple or Google), we receive limited profile information (name and email) from that provider. We also receive aggregated conversion data from affiliate partners when you purchase products through our platform.

We use the information we collect to:

• Provide, operate, and maintain the Service, including generating personalised skincare recommendations.
• Analyse your skin profile and photos to surface relevant product comparisons and routines.
• Process transactions and manage your account.
• Send transactional emails (confirmations, password resets) and, with your consent, marketing communications and product updates.
• Improve and develop the Service through usage analysis, A/B testing, and research.
• Detect, prevent, and address technical issues, fraud, and abuse.
• Comply with legal obligations and enforce our Terms of Service.

We do not sell your personal data. We may share information in the following limited circumstances:

• Service providers: Trusted third-party vendors (cloud hosting, analytics, email delivery, customer support) who process data on our behalf under strict data processing agreements.
• Affiliate partners: When you purchase a product through an affiliate link, we share a transaction identifier with the relevant affiliate network to process commission. No personally identifiable information beyond what is strictly necessary for the transaction is shared.
• Legal requirements: We may disclose data when required by law, court order, or governmental authority, or to protect the rights, property, or safety of Plumped, our users, or others.
• Business transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity. We will notify you before any such transfer.
• With your consent: We may share information with third parties when you have given explicit consent to do so.

We retain your personal data for as long as your account is active or as needed to provide the Service. Specific retention periods:

• Account data and skin profiles are deleted within 30 days of account deletion.
• Skin photos are retained for up to 24 months from upload, unless you delete them earlier via app settings.
• Transaction and purchase history may be retained for up to 7 years to comply with financial regulations.
• Analytics data is anonymised within 14 months and retained indefinitely in aggregate form.
• Support communications are retained for up to 3 years from last contact.

You may request deletion of your account and associated data at any time by contacting us or using the in-app account deletion feature.

Under the General Data Protection Regulation (GDPR) and applicable data protection laws, you have the following rights:

To exercise any of these rights, contact us at contact@plumped.co.uk. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

Our website uses cookies and similar tracking technologies to enhance your experience, analyse usage, and support our affiliate partnerships.

Types of Cookies

• Strictly necessary: Required for the website to function (session management, security). Cannot be disabled.
• Analytics: Help us understand how visitors interact with the site. Processed using anonymised data.
• Preference: Remember your settings and personalisation choices across visits.
• Affiliate/marketing: Track clicks on affiliate links to attribute commissions accurately. Set by our affiliate networks, including Awin.

You can control cookie preferences through your browser settings. Disabling certain cookies may affect the functionality of the Service.

Plumped is not directed to individuals under the age of 16. We do not knowingly collect personal data from children under 16. If you are under 16, please do not use our Service or submit any personal information.

If we become aware that we have inadvertently collected personal data from a child under 16 without verified parental consent, we will delete that information promptly. If you believe we may have collected data from a child, please contact us at contact@plumped.co.uk.

We implement industry-standard security measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction:

• Encryption of data in transit using TLS 1.2 or higher.
• Encryption of sensitive data at rest (AES-256).
• Access controls and authentication requirements for internal systems.
• Regular security audits and vulnerability assessments.
• Staff training on data protection and security practices.

While we strive to protect your personal data, no method of transmission over the internet is 100% secure. In the event of a data breach affecting your rights, we will notify you and the relevant supervisory authority as required by law.

Your information may be transferred to and processed in countries outside of the European Economic Area (EEA). Where such transfers occur, we ensure appropriate safeguards are in place in accordance with GDPR requirements, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission.
• Adequacy decisions by the European Commission for certain countries.
• Binding Corporate Rules where applicable.

You may contact us for more information about the specific safeguards applied to your data transfers.

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the Service. When we make significant changes, we will:

• Update the "Last updated" date at the top of this page.
• Notify you via email or an in-app notification for material changes.
• Where required by law, seek your renewed consent.

Continued use of the Service after changes become effective constitutes acceptance of the updated policy.

If you have any questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, please contact us:

You also have the right to lodge a complaint with your national data protection authority if you believe your data protection rights have been violated.