privacy. no bs.

last updated: may 2, 2026

tldr

ur photo → AI → gone from our server in the same request. zero pixels saved. if u sign in with google, ur scan results (text only), routine, favorites and check-ins sync to supabase so they follow u across devices. signed out? everything stays on this device. either way, photos only live on ur device or in ur own Google Drive (if u opted in) — never on tinkskin servers.

ur photo

wtf happens to it

u upload a selfie → it sits in our server's RAM just long enough to forward to the AI vision model.
the AI returns a result → ur image is yeeted from server memory in the same request. usually a few seconds, never beyond.
we don't log it, save it, back it up, or peek at it. no copy ever lands on disk.
opting into Drive backup? ur photo goes straight to ur own Google Drive. tinkskin never holds a copy.
optional close-ups (step 2 of the scan, "anything specific?") follow the exact same path as the main 3 angles — held in server RAM only long enough to forward to the AI, then dropped. backed up to ur own Drive only if u opted in. the short notes u type for each close-up are sent to the AI alongside the photo.

the brain

which AI reads ur face

primary: Google AI Studio (Gemma 4 31B + Gemma 4 26B). see google's privacy policy for that hop. free tier API submissions aren't used to train production Google models.
fallback: OpenRouter running Gemma 3 27B (kicks in only when google's quota is hit). see openrouter.ai/privacy.
models in rotation: Gemma 4 31B → Gemma 4 26B → Gemma 3 27B. the list rotates as better ones drop.

signing in

google login

signing in is optional. u can scan, get recs, and save stuff on-device without ever logging in. if u do sign in, here's the deal:

auth runs through Supabase with Google as the OAuth provider. we never see ur google password — only the OAuth tokens google hands back.
from ur google profile we receive email, name, avatar URL, and a stable user id. that's it. no contacts, no calendar, no gmail, no docs.
ur session token lives in localStorage under tinkskin-auth, scoped to this domain. signing out kills it.
we ask for the Drive scope (drive.file) at sign-in even if u don't enable Drive backup yet — that way enabling it later doesn't punt u back through OAuth. unused = unused; we never call Drive unless u opt in.
delete ur account? hit helldock@protonmail.com with the email u signed in with and we'll wipe every row keyed to ur user id. supabase cascade-deletes the rest.

drive backup

google drive (optional)

by default, progress photos live in IndexedDB on this device only. opting into Drive backup uploads them to ur own Google Drive — tinkskin's server is not in the upload path and never holds a copy.

scope: drive.file — the most restricted Drive scope google offers. it grants access only to files tinkskin itself created. we cannot read, list, or touch anything else in ur Drive. ur tax docs are safe.
folder layout we create in ur Drive:
- tinkskin Photos / Scans / Day 0 - 2026-05-02 (Initial) — per-scan day folders
- tinkskin Photos / Progress — opt-in progress photos
uploads go directly from ur browser to google's drive API. our server isn't a middleman.
we cache the folder ids (tinkskin-drive-folder-*) in localStorage so we don't re-query Drive every upload. delete those keys and we just re-create folders on next upload.
revoking access: myaccount.google.com/permissions → tinkskin → revoke. existing files in ur Drive stay where they are; u own them outright.

if u sign in

what we save on the server

signing in lets ur stuff sync across devices. here's the full list of what supabase stores, keyed to ur user id and protected by row-level security (other users physically cannot read ur rows):

profilesname + avatar pulled from ur google profile.
scansscan results (the JSON the AI returned + close-up notes). no photos. Drive file ids if u opted in.
favoritesproducts u saved.
routine_logsdaily AM/PM check-ins — date + done/not done, that's it.
user_routine_itemsur custom Routine — products u've added to AM/PM steps.
reactionsproducts that broke u out + severity 1–5 + ur notes.
diary_entriespost-scan check-ins (water/sleep/stress/sun/drinks/symptoms/wellness). see below.
progress_photosmetadata only — Drive file id, taken-at, angle. zero pixels in our db.

signed-out users don't hit any of this. everything stays on the device.

check-ins

the lifestyle modal

after each scan (and on the Routine "quick check-in" button) u get a tiny form: water / sleep / stress / sun / drinks / symptom chips. it's optional — "nah skip" is always on the table.

values write to tinkskin_diary in localStorage immediately and, if signed in, to diary_entries on supabase. they power the heatmaps + correlations on Overview.
we compute a 0–100 wellness_score client-side from those numbers and store it. nothing about ur entry leaves supabase — no third-party analytics, no AI provider, nothing.
this is not medical data in any clinical sense. it's a vibe check, not a health record.

ur device

local cache on this browser

the keys below cache ur stuff locally so the app works offline-first. if u're signed in, supabase is the source of truth and these mirror it; if u're signed out, this is the only copy.

tinkskin_analysisur most recent scan + recommendations. overwritten on each new scan.
tinkskin_historylast 20 scans so the History page works. JSON in localStorage.
tinkskin_favoritesproducts u saved.
tinkskin_routineLogdaily AM/PM routine check-ins powering the streak.
tinkskin_earnedBadgesgamification badges u've unlocked.
tinkskin_diary + tinkskin_reactionspost-scan check-in notes and patch test reactions.
tinkskin_patchQueue + tinkskin_reorderDataqueued patch tests and reorder reminders.
tinkskin_notifPrefsur in-app notification settings.
tinkskin_seen + tinkskin_statsRange + tinkskin_trendsRangeUI state — what u've already seen, default chart ranges, etc.
tinkskin_photos (IndexedDB)progress photos, only if u opted in. stays here unless u also enabled Drive backup, in which case copies live in ur own Drive too. tinkskin's server never touches the pixels.

the close-up notes u type during a scan land on ur scan record server-side (in scans.closeup_meta) so the report can echo them back later. the AI provider sees them once during analysis; nothing about them goes to amazon, google analytics, or any third party beyond the AI provider.

want it gone? one tap:

products

recommendations + amazon

recommendations are computed in ur browser by matching ur scan to our local product database. nothing about u gets shipped to amazon for this step.
amazon links are affiliate links — tinkskin earns a small cut on qualifying purchases at no extra cost to u. recommendations are picked on clinical evidence; affiliate doesn't move the rankings.

tracking

analytics + cookies

on production deployments, tinkskin uses Vercel Web Analytics for page views and basic perf metrics. no cookies, no cross-site tracking, anonymized by Vercel.
on local dev or self-hosted instances, no analytics scripts run at all (the script is hostname-gated).
we don't use Google Analytics, Segment, PostHog, Intercom, Hotjar, or any fingerprinting / behavioural tracker.
we don't set any cookies. ur session is held in localStorage, scoped to this domain.

Medical disclaimer

tinkskin provides cosmetic skin analysis only and is not a medical diagnosis tool. The analysis is generated by an AI vision model and may not accurately reflect your skin condition. Always consult a board-certified dermatologist for skin health concerns.

contact

questions?

hit me at helldock@protonmail.com.