Luxwave ("Company," "we," "us," or "our") operates OmniTintAI ("App"). This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our App.
By using OmniTintAI, you consent to the practices described in this Privacy Policy. If you do not agree, please do not use the App.
1. Information We Collect
We collect the following categories of information:
a) Device Information
- Anonymous Device Identifier: A randomly generated UUID created on first app launch. Not linked to your real name or identity. Used to manage usage limits, credit balances, and preferences.
- Device Model, OS, and App Version: Collected for diagnostic and compatibility purposes.
- We do NOT collect your phone number, IMEI, or hardware serial number.
b) Account Information (Optional)
- Email address and password (handled by Google Firebase Authentication)
- Display name (if provided)
- We do NOT have access to your plaintext password — Firebase handles all authentication securely.
c) Photos & Camera Data
- 3D AR Try-On: Live camera feed processed entirely on your device. Camera frames are NOT transmitted to any server.
- 2D AI Try-On: Your selected photo is transmitted to our backend, which proxies it to a third-party AI processing service for image generation. Not permanently stored after processing.
- Hair Scanner: Your photo is transmitted to our AI backend for cosmetic analysis. Results cached locally for 30 minutes, then automatically deleted.
- Saved Face Photo (Premium): Stored ONLY on your device. Never uploaded to our servers for storage. Transmitted to our AI processing service only when you initiate a try-on. You can delete it anytime in Settings.
- Photo Exports: Generated images saved to your photo library at your request. We do not retain copies.
- Stylist Card Exports: Generated locally on your device and shared via native sharing. We do not store or transmit these cards.
d) Biometric Information
IMPORTANT — PLEASE READ CAREFULLY
- Face Landmark Detection: Our AR feature detects 478 facial landmark points to overlay virtual hair colors. Processing occurs entirely on your device using Google's MediaPipe framework.
- Face Attribute Analysis: When you use the Hair Scanner, our AI analyzes facial attributes including face shape, skin undertone, and hair characteristics.
This facial geometry data constitutes "biometric information" under certain state laws, including the Illinois Biometric Information Privacy Act (BIPA). See Section 5 for our complete biometric data disclosure.
e) Usage & Preference Data
- Feature usage (which features you use and how often)
- Hair color preferences, saved favorites, and style selections
- Try-on history (trend IDs and timestamps)
- Search queries within the App
- Session duration and interaction patterns
- Recommendation feedback
- Hair progress journal entries (if you use this feature)
- Shopping bag contents and product interactions
f) Purchase & Credit Data
- Credit balances (daily free remaining + purchased credits)
- Purchase amounts (1 or 15 credits)
- Premium subscription status
- Feature usage counts against limits
- We do NOT collect or store payment card information — all payments are processed by Google Play.
g) Training Data (Opt-In Only)
With your EXPLICIT CONSENT (a separate, affirmative toggle in Settings that is OFF by default), we may collect the following categories of training data to improve our AI systems:
- Photo and hair segmentation mask pairs from the hair mixer feature
- Frame images captured during 3D AR try-on sessions (selected automatically for image quality from your share/save clips — these may include your face)
- Before/after image pairs from 2D AI try-on generations (your input photo plus the generated result — these may include your face)
- Associated non-identifying metadata (timestamps, trend IDs, shade codes, anonymized device hash)
Training data handling:
- Entirely optional — requires a separate affirmative opt-in toggle in Settings
- You can revoke consent at any time in Settings — collection halts immediately
- A rolling local buffer (approximately 300 hair mixer samples + 500 combined AR frames / 2D generation deltas) temporarily holds samples on your device before each secure upload, at which point the local copies are cleared. These are device-side buffer limits only — there is no fixed lifetime cap on the total number of samples you may contribute over time.
- EXIF metadata is stripped before storage
- Uploaded data is keyed to an anonymized device hash only — NOT to your real name, email, or other personal identifier
- Stored in encrypted third-party object storage for the sole purpose of AI model improvement
h) Advertising Data (Free Users Only)
- Device advertising identifier
- Ad interaction data (impressions, clicks)
- General location data (for ad targeting)
- Premium users see NO ads and NO advertising data is collected.
2. Permissions We Request
- Camera: Required for 3D AR try-on, hair scanner, and photo capture.
- Photo Library: To select photos for AI try-on and to save generated images.
- Internet: Required for all AI processing, credit management, trend data, and product information.
- Notifications: Optional, for hair journey reminders and feature updates.
- Vibration: For haptic feedback on interactions.
You can manage these permissions at any time through your device's Settings.
3. How We Use Your Information
- a) Provide Services: Process your photos for AR overlay and AI try-on generation, analyze your hair and face attributes, deliver personalized style recommendations.
- b) Manage Usage & Credits: Track daily free usage limits, maintain purchased credit balances, enforce fair use policies.
- c) Personalize Experience: Remember your preferences, saved favorites, and taste profile.
- d) Display Advertisements: Show contextual ads to free-tier users via Google AdMob. Premium users see no ads.
- e) Analytics & Improvement: Understand how features are used to improve the App experience. Analytics data is aggregated and anonymized.
- f) AI Model Training (Opt-In Only): If you consent, we use anonymized photos, segmentation masks, AR frame captures, and 2D before/after pairs to improve our hair segmentation, color-rendering, and style-generation AI models. All training data is EXIF-stripped and stripped of personal identifiers before use. Consent can be revoked in Settings at any time.
- g) Communicate: Send optional notifications about your hair journey progress and feature updates.
- h) Security & Fraud Prevention: Detect and prevent abuse, enforce usage limits, and maintain service integrity.
- i) Service Monitoring: Automated health checks to ensure availability and performance. No user-identifiable information is collected by these checks.
- j) AI Recommendations: Use your scan results (undertone, level, hair condition) to generate personalized shade suggestions. Recommendations are NOT endorsements by product manufacturers or Amazon.
4. How We Share Your Information
a) AI Processing Provider
- What we share: Your photo (when you use 2D AI try-on or Hair Scanner)
- Purpose: AI image generation and cosmetic hair analysis
- Retention: Photos are processed and not permanently stored by the provider
- Note: Photos are transmitted via HTTPS only when you initiate a generation or scan
b) Authentication & Analytics Provider
- What we share: Email/password (if account created), app usage events, user properties
- Purpose: Authentication, analytics
c) Advertising Provider (Google AdMob — Free Users ONLY)
- What we share: Device advertising ID, ad interaction data
- Purpose: Displaying advertisements to free-tier users
- Premium users: NO data shared with any advertising provider
d) Amazon.com, Inc.
- What we share: Product search queries (no personal information)
- Purpose: Product search and affiliate commerce
- Disclosure: OmniTintAI is a participant in the Amazon Services LLC Associates Program. We may earn commissions on qualifying purchases. This does not affect the price you pay.
e) Cloud Infrastructure & Storage Providers
- What we share: All data transmitted to our backend passes through our infrastructure providers' networks. If you opt in to training-data sharing, anonymized training images are stored in third-party encrypted object storage.
- Purpose: Backend hosting, request processing, and (for opt-in users only) training-data storage for AI model improvement
- Security: All data is encrypted in transit (HTTPS/TLS) and at rest. Stored training data is keyed by anonymized device hash only.
WE DO NOT:
- Sell your personal information to any third party
- Share your photos with advertisers
- Provide your biometric data to any third party (except as necessary to deliver the third-party AI processing services you initiate, such as 2D AI Try-On or Hair Scanner)
- Allow third parties to use your data for their own marketing purposes
5. Biometric Data Disclosure
This section is provided in compliance with the Illinois Biometric Information Privacy Act (740 ILCS 14/1 et seq.) and similar state biometric privacy laws.
a) What Biometric Data We Collect
OmniTintAI processes facial geometry data — specifically, the spatial coordinates of 478 facial landmark points — to overlay virtual hair colors and styles onto your face in real-time (3D AR) and to analyze your facial attributes (Hair Scanner).
b) Purpose
Biometric data is collected and used SOLELY for:
- Rendering accurate 3D AR hair color overlays on your face
- Analyzing face shape, skin undertone, and hair attributes for personalized recommendations
- Generating 2D AI try-on images (photo sent to a third-party AI service for processing)
c) On-Device Processing
For 3D AR try-on: All facial landmark detection and processing occurs ENTIRELY ON YOUR DEVICE. No biometric data is transmitted to any server for this feature.
d) Consent
Before using any camera-based feature for the first time, you will be presented with a biometric consent dialog. You must affirmatively consent before any facial geometry data is processed. You may decline, in which case camera-based features will not be available.
e) Retention & Destruction
- 3D AR face landmarks: Processed in real-time, never stored. Discarded immediately when you close the AR view.
- Hair Scanner analysis results: Cached locally for 30 minutes, then automatically deleted.
- 2D AI try-on photos: Transmitted to our AI processing provider for generation, then discarded. Generated result images stored in device temporary cache, cleared on cache clear.
- Training data (opt-in): Held in a rolling local buffer (approximately 300 hair mixer samples + 500 combined AR/generation deltas) that clears on each successful upload. If uploaded, stored in anonymized form — keyed by device hash only — in third-party encrypted object storage. There is no fixed lifetime cap on samples you may contribute. You may delete all local training data at any time by disabling the toggle in App Settings or clearing App data.
f) No Sale or Disclosure
We do NOT sell, lease, trade, or otherwise profit from your biometric data. We disclose biometric data only as necessary to provide services you affirmatively initiate — specifically: (1) transmitting your photo to third-party AI processing services when you use 2D AI Try-On or Hair Scanner; and (2) if and only if you opt in to training-data sharing, uploading anonymized, EXIF-stripped images to third-party encrypted object storage for AI model improvement. Training data is keyed by anonymized device hash, is never linked to your real identity, and is never used to identify you.
g) Revocation
You may revoke your biometric data consent at any time by:
- Discontinuing use of camera-based features
- Clearing App data in your device settings
- Uninstalling the App
Upon revocation, all locally stored biometric-related data is destroyed.
h) Security
- On-device processing (3D AR data never leaves your device)
- HTTPS/TLS encryption for all data in transit
- Enterprise-grade cloud infrastructure security for backend processing
- No permanent server-side storage of raw biometric data
6. Data Retention
| Data Type | Retention Period |
|---|
| Device identifier | Until you uninstall the App or clear App data |
| Account credentials | Until you delete your account |
| Face analysis cache | 30 minutes (auto-deleted) |
| AR face landmarks | Not stored — real-time only |
| Try-on usage (daily) | 48 hours (server-side, auto-expires) |
| Purchased credits | Permanent (until used) |
| Favorites & preferences | Until you clear App data |
| Telemetry events | Until synced to our servers, then up to 24 months |
| Training data (local) | Rolling buffer (~300 hair mixer + ~500 AR/generation deltas); cleared on each successful upload, on toggle-off, or on uninstall |
| Training data (uploaded) | Retained indefinitely in anonymized form (device-hash keyed) for AI model improvement |
| Generated try-on images | Device cache only — cleared on cache clear |
| Saved face photo | On-device only — until you delete it, clear App data, or uninstall |
| Stylist card exports | Device cache only — not stored on our servers |
| Service health data | 2 minutes (auto-expires, no user data) |
| Diagnostic logs | Until you clear via Settings |
7. Your Rights — California Residents (CCPA/CPRA)
- a) Right to Know: Request disclosure of what personal information we have collected about you, the sources, purpose, and third parties.
- b) Right to Delete: Request deletion of your personal information. Delete local data by clearing App data in device settings. For server-side data, contact us below.
- c) Right to Opt Out of Sale: We do NOT sell your personal information. There is nothing to opt out of.
- d) Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
- e) Right to Correct: You may request correction of inaccurate personal information.
- f) Right to Limit Use of Sensitive Personal Information: You may limit our use of sensitive personal information (including biometric data) to purposes necessary to provide the service.
To exercise any of these rights, contact us at: privacy@luxwavelabs.com
We will respond to verifiable consumer requests within 45 days.
8. Children's Privacy (COPPA)
OmniTintAI is intended for users aged 13 and older. We do NOT knowingly collect personal information from children under 13.
If you are a parent or guardian and believe your child under 13 has provided personal information to us, please contact us immediately at privacy@luxwavelabs.com. We will promptly delete any such information.
9. Data Security
- All data in transit is encrypted using HTTPS/TLS
- Backend services run on enterprise-grade cloud infrastructure
- API keys and secrets are stored securely as server-side environment secrets — never in client code
- Biometric data (3D AR) is processed on-device and never transmitted
- Photos sent for AI processing are transmitted over encrypted connections
- Device identifiers are anonymous UUIDs — not linked to your identity
- Local data is stored in your device's secure storage
No method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.
10. Advertising
a) Free Users
Free-tier users see advertisements powered by Google AdMob: banner ads, interstitial ads (with cooldown periods), and optional rewarded video ads. AdMob may use your device's advertising identifier and general location to serve relevant ads. You can limit ad tracking through your device's privacy settings.
b) Premium Users
Premium subscribers see ZERO advertisements. No ad-related data is collected from premium users. AdMob is completely disabled for premium accounts.
c) Ad Preferences
Manage ad preferences through Google's Ad Settings, your device's privacy/advertising settings, or by upgrading to Premium.
11. Amazon Affiliate Disclosure
OmniTintAI is a participant in the Amazon Services LLC Associates Program. When you view or purchase products through links in OmniTintAI:
- We may earn a commission on qualifying purchases
- This does NOT affect the price you pay
- Product availability and pricing are determined by Amazon and its sellers
- We do not control Amazon's checkout, payment, or fulfillment processes
12. Data Deletion
- a) Local Data: Go to your device Settings → Apps → OmniTintAI → Clear Data. This removes all preferences, favorites, cached photos, training data, and usage history from your device.
- b) Account Data: Delete your account through the App's Settings screen.
- c) Server-Side Data: Contact us at privacy@luxwavelabs.com. We will process deletion requests within 30 days.
- d) Residual Data: Anonymized, aggregated analytics data that cannot be linked to you may be retained even after deletion.
13. Do Not Track
OmniTintAI does not currently respond to "Do Not Track" browser signals as there is no industry standard for mobile applications. You can control data collection through the permissions and settings described in this policy.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by updating the "Last Updated" date at the top of this policy and displaying a notice within the App. Your continued use of OmniTintAI after changes take effect constitutes acceptance of the revised Privacy Policy.
15. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:
LuxWave Labs, LLC
Privacy Inquiries: privacy@luxwavelabs.com
Legal Inquiries: legal@luxwavelabs.com
Bug Reports & Support: support@luxwavelabs.com
For CCPA requests, include "CCPA Request" in your subject line. For biometric data inquiries, include "Biometric Data Inquiry" in your subject line.