COVALENT LABS İLAÇ VE KOZMETİK ANONİM ŞİRKETİ

EPISTE APPLICATION PRIVACY POLICY

VERSION: 2.0

Effective Date: 14 / 01 / 2026

1. Data Controller

This Application Privacy Policy ("Policy") has been prepared to explain the procedures and principles regarding the processing of personal data obtained within the scope of the skin analysis application EPISTE ("Application"), developed and operated by Covalent Labs İlaç ve Kozmetik Anonim Şirketi ("Company"). The Company attaches the utmost importance to the protection and lawful processing of personal data in accordance with the EU General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) and other applicable legislation.

Contact:

  • E-mail: info@covalentlabs.com.tr
  • Website: https://www.covalentlabs.com.tr

2. Scope of the Policy

This Policy is valid for members who use the Application and for relevant persons who interact with the Company via the Application. The Application aims to provide skin analysis by allowing users to upload facial photographs, to identify and detect skin issues, and to offer personalized skin care recommendations to the user.

3. Personal Data Processed

Within the Application, depending on the usage scenario, the following categories of personal data may be processed:

  • Identity and Contact Data (first name, last name, e-mail address, telephone number, membership information)
  • Transaction Security Data (session information, log records, device information)
  • Customer Transaction Data (in-app usage information, request and complaint records)
  • Biometric Data (facial photograph)
  • Health Information (analysis results regarding skin condition)

Biometric data and health information constitute special categories of personal data within the meaning of Article 9 of the GDPR.

4. Biometric Data (Facial Photograph)

Facial images uploaded by users within the scope of the application are stored locally on the user’s device and are processed by us solely on a real-time basis for the purpose of providing the skin analysis service. In this context, facial data are used for the identification of skin condition, the generation of analysis results, and the provision of personalized skin-care recommendations.

Facial data are collected solely on the basis of the relevant user’s explicit consent and are not collected in any form without such explicit consent.

Facial data may be shared, on a real-time basis and from the user’s device, with service providers that deliver AI-based analysis services, strictly to the extent necessary for the technical provision of the skin analysis service and for the delivery of other in-app services within that scope.

5. Purposes of Processing Personal Data

Personal data are processed for the following purposes:

  • Provision of the skin analysis service
  • Provision of diagnostic and detection services based on analysis results
  • Creation of personalized skin care recommendations
  • Monitoring of skin development
  • Provision of information regarding analysis results
  • Execution of membership procedures
  • Tracking of requests and complaints
  • Execution of information security processes
  • Ensuring the secure and uninterrupted operation of the Application

The screens where personal data are processed contain specific privacy notices indicating which of these purposes apply to the respective processing activity.

6. Legal Bases for Processing Personal Data

Personal data are processed based on the legal bases set out in Articles 5 and 6 of the GDPR. As a rule, for special categories of personal data [biometric (facial photograph) and health data], the data subject's explicit consent pursuant to Article 9(2)(a) of the GDPR is required.

The screens where personal data are processed contain specific privacy notices indicating which of these legal bases apply to the respective processing activity.

7. Methods of Collection of Personal Data

Personal data are collected electronically and systematically through information provided directly by the user via the Application (membership information, photo uploads, etc.) and through records that are automatically generated during the use of the Application.

8. Transfer of Personal Data

Personal data may be transferred, in accordance with Articles 6 and 9 of the EU General Data Protection Regulation (GDPR) and limited to the purposes of processing, to authorized persons, competent public authorities and institutions, and to business partners such as cloud infrastructure and artificial intelligence service providers, as detailed below. Necessary administrative and technical security measures are fully implemented during such transfers.

8.1. Sharing of Facial Data with Third-Party Artificial Intelligence Services

Facial photographs uploaded by users within the scope of the application are processed via artificial intelligence–based analysis systems operating over the Gemini API infrastructure provided by Google LLC, solely for the technical provision of the skin analysis service.

In this context, facial photographs are transmitted to the Gemini API in real time exclusively for the purposes of performing the skin analysis, generating analysis results and presenting personalized skin care recommendations to the user.

Google LLC (Gemini API) acts as a data processor in this process and does not process facial data on its own behalf or for its own purposes, nor does it act as a controller with respect to such data.

8.1.1. Retention Period and Usage Restrictions

Under the paid service terms of the Gemini API:

  • Facial data and related images are not used for model training or development, nor for cross-application or cross-platform tracking of users.
  • Facial data is not stored permanently.
  • Such data may be retained for a limited period solely for the detection of misuse, ensuring system security, and complying with applicable legal or regulatory obligations.
  • This retention period shall be limited to a maximum of fifty-five (55) days from the date of processing, subject to the technical and legal requirements determined by Google; at the end of this period the data is deleted by Google. This period is limited solely to mandatory security and legal audit processes provided for in Google's relevant service terms (linked below).

8.1.2. Google LLC's Data Processing Activities with Respect to Facial Data

These activities are carried out in accordance with the Google Privacy Policy, the Gemini API Terms of Service and the Gemini API Usage Policies. The relevant policy texts are accessible via the links below:

9. Retention Periods and Destruction

The Company retains personal data for the periods required by applicable law or for the duration necessary for the purposes for which the data are processed.

Within the scope of the application, personal data processed include photographic data, which is stored on the user’s device and processed by us solely on an instantaneous basis, without being retained. Other personal data are stored for a maximum period of thirty (30) days following the termination of the membership relationship; upon the expiry of this period, such data are disposed of by deletion, destruction, or anonymization methods.

10. Data Security

The Company takes necessary administrative and technical measures to prevent unlawful processing of or unlawful access to personal data. Within this scope, measures such as access authorization, encryption, logging and the use of secure infrastructure are implemented.

11. Rights of the Data Subject

Data subjects have the rights provided under the GDPR, including but not limited to: the right to obtain confirmation as to whether their personal data are being processed and to access such data (Article 15), the right to request rectification of inaccurate personal data (Article 16), the right to request erasure of personal data (Article 17), the right to request restriction of processing (Article 18), the right to data portability (Article 20), the right to object to processing (Article 21), and the right not to be subject to a decision based solely on automated processing, including profiling (Article 22). In case of damage, data subjects also have the right to seek compensation in accordance with Article 82 of the GDPR and applicable national law.

Applications may be submitted via info@covalentlabs.com.tr or through the application channels listed on the Company's website, such as a registered electronic mail address (if available) or the postal address.

12. Policy Updates

This Policy may be updated due to changes in legislation and application processes. Updates will be announced via the Application and/or the Company's website.