COVALENT LABS İLAÇ VE KOZMETİK ANONİM ŞİRKETİ

EPISTE APPLICATION PRIVACY POLICY

VERSION: 2.0 Effective Date: 14 / 01 / 2026

1. Data Controller

This Application Privacy Policy ("Policy") has been prepared to explain the procedures and principles regarding the processing of personal data obtained within the scope of the skin analysis application EPISTE ("Application"), developed and operated by Covalent Labs İlaç ve Kozmetik Anonim Şirketi ("Company"). The Company attaches the utmost importance to the protection and lawful processing of personal data in accordance with the EU General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) and other applicable legislation.

Contact:

  • E-mail: info@covalentlabs.com.tr
  • Website: https://www.covalentlabs.com.tr

2. Scope of the Policy

This Policy is valid for members who use the Application and for relevant persons who interact with the Company via the Application. The Application aims to provide skin analysis by allowing users to upload facial photographs, to identify and detect skin issues, and to offer personalized skin care recommendations to the user.

3. Personal Data Processed

Within the Application, depending on the usage scenario, the following categories of personal data may be processed:

  • Identity and Contact Data (first name, last name, e-mail address, telephone number, membership information)
  • Transaction Security Data (session information, log records, device information)
  • Customer Transaction Data (in-app usage information, request and complaint records)
  • Biometric Data (facial photograph)
  • Health Information (analysis results regarding skin condition)

Biometric data and health information constitute special categories of personal data within the meaning of Article 9 of the GDPR.

4. Biometric Data (Facial Photograph)

Facial images uploaded by users within the scope of the application are stored locally on the user’s device and are processed by us solely on a real-time basis for the purpose of providing the skin analysis service. In this context, facial data are used for the identification of skin condition, the generation of analysis results, and the provision of personalized skin-care recommendations.

Facial data are collected solely on the basis of the relevant user’s explicit consent and are not collected in any form without such explicit consent.

Facial data may be shared, on a real-time basis and from the user’s device, with service providers that deliver AI-based analysis services, strictly to the extent necessary for the technical provision of the skin analysis service and for the delivery of other in-app services within that scope.

5. Purposes of Processing Personal Data

Personal data are processed for the following purposes:

  • Provision of the skin analysis service
  • Provision of diagnostic and detection services based on analysis results
  • Creation of personalized skin care recommendations
  • Monitoring of skin development
  • Provision of information regarding analysis results
  • Execution of membership procedures
  • Tracking of requests and complaints
  • Execution of information security processes
  • Ensuring the secure and uninterrupted operation of the Application

The screens where personal data are processed contain specific privacy notices indicating which of these purposes apply to the respective processing activity.

6. Legal Bases for Processing Personal Data

Personal data are processed based on the legal bases set out in Articles 5 and 6 of the GDPR. As a rule, for special categories of personal data [biometric (facial photograph) and health data], the data subject's explicit consent pursuant to Article 9(2)(a) of the GDPR is required.

The screens where personal data are processed contain specific privacy notices indicating which of these legal bases apply to the respective processing activity.

7. Methods of Collection of Personal Data

Personal data are collected electronically and systematically through information provided directly by the user via the Application (membership information, photo uploads, etc.) and through records that are automatically generated during the use of the Application.

8. Transfer of Personal Data

Personal data may be transferred, in accordance with Articles 6 and 9 of the EU General Data Protection Regulation (GDPR) and limited to the purposes of processing, to authorized persons, to competent public authorities and institutions, and to business partners such as cloud infrastructure and artificial intelligence service providers, as detailed below. The necessary administrative and technical security measures are fully implemented during these transfers.

8.1. Sharing of Facial Data with Third-Party Artificial Intelligence Services

Facial photographs uploaded by users within the scope of the application are processed through artificial intelligence-based analysis systems running on the Gemini API infrastructure provided by Google LLC, solely for the technical provision of the skin analysis service.

In this context, facial photographs are transmitted to the Gemini API in real time exclusively for the purposes of performing the skin analysis, generating the analysis results, and presenting personalized skin care recommendations to the user.

Google LLC (Gemini API) acts as a data processor in this process and does not process facial data on its own behalf or for its own purposes, nor does it act as a data controller with respect to such data.

8.1.1. Retention Period and Restrictions on Use

Under the paid terms of service of the Gemini API:

  • Facial data and associated images are not used for model training or development, nor for cross-application or cross-platform tracking of users.
  • Facial data are not stored permanently.
  • Such data may be retained for a limited period solely for abuse detection, ensuring system security, and compliance with applicable legal or regulatory obligations.
  • This retention period is limited to a maximum of fifty-five (55) days from the date of processing, subject to the technical and legal requirements determined by Google; at the end of this period, the data are deleted by Google. This period is limited solely to the mandatory security audit and legal processes provided for in the relevant Google terms of service (linked below).

8.1.2. Data Processing Activities of Google LLC Concerning Facial Data

These activities are carried out in accordance with the Google Privacy Policy, the Gemini API Terms of Service, and the Gemini API Usage Policies. The relevant policy texts can be accessed via the links below:

9. Retention Periods and Destruction

The Company retains personal data for the periods required by applicable law or for the duration necessary for the purposes for which the data are processed.

The personal data processed within the scope of the Application include photographic data, which are stored on the user’s device and processed by us solely on an instantaneous basis, without being retained. Other personal data are stored for a maximum period of thirty (30) days following the termination of the membership relationship; upon the expiry of this period, such data are disposed of by deletion, destruction, or anonymization methods.

10. Data Security

The Company takes necessary administrative and technical measures to prevent unlawful processing of or unlawful access to personal data. Within this scope, measures such as access authorization, encryption, logging and the use of secure infrastructure are implemented.

11. Rights of the Data Subject

Data subjects have the rights provided under the GDPR, including but not limited to: the right to obtain confirmation as to whether their personal data are being processed and to access such data (Article 15), the right to request rectification of inaccurate personal data (Article 16), the right to request erasure of personal data (Article 17), the right to request restriction of processing (Article 18), the right to data portability (Article 20), the right to object to processing (Article 21), and the right not to be subject to a decision based solely on automated processing, including profiling (Article 22). In case of damage, data subjects also have the right to seek compensation in accordance with Article 82 of the GDPR and applicable national law.

Applications may be submitted via info@covalentlabs.com.tr or through the application channels listed on the Company's website, such as a registered electronic mail address (if available) or the postal address.

12. Policy Updates

This Policy may be updated due to changes in legislation and application processes. Updates will be announced via the Application and/or the Company's website.