CraftMySkin Privacy Policy
Last Updated: 05 December 2025
Introduction
At CraftMySkin, we are committed to protecting your privacy, and we take great care with your personal information. This policy will help you understand how we use and protect your data. If you have any questions, feel free to contact us at info@craftmyskin.com. This should be read together with our Terms of Service, which together apply to your use of the CraftMySkin website, the CraftMySkin application, user platform as well as any other services offered by CraftMySkin.
By accessing or using the CraftMySkin website, mobile application and associated services, you agree to the practices and policies outlined in this privacy policy and you hereby consent to the collection, use, and sharing of your information as described in this privacy policy. If you do not agree with this privacy policy, you cannot use the services. If you use the services on behalf of someone else (such as your child) or an entity (such as your employer), you represent that you are authorized by such individual or entity to accept this privacy policy on such individual’s or entity’s behalf.
1. Overview
CraftMySkin (“we”, “our”, “us”) is a technology-driven company providing personalized skin and hair routines through digital platforms. This Privacy Policy (“Privacy Policy”) covers our practices with respect to personally identifiable information (“Personal Information”) that we gather when you use our Services (“Services”).
We created this Privacy Policy (“Privacy Policy”) to give you confidence as you use our website, applications, and services and to demonstrate our commitment to the protection of privacy.
2. Information We Collect
We receive Personal Information directly from you when you voluntarily provide us with such Personal Information, including the following:
- Personal identification information.
- Skin and hair profile data.
- Transaction details.
- Technical usage data.
- Demographic data (such as your country, gender, or your date of birth).
We may also collect additional information, which may be Personal Information, as otherwise described to you at the point of collection or pursuant to your consent. You may still access and use some of the Services if you choose not to provide us with any Personal Information, but some features of the Services that require your Personal Information may not be accessible to you.
2.1 Optional Photo and Face Data
Users may optionally submit photos, including images of their facial skin, to support cosmetic routine personalisation within the app. Such images are stored solely to generate personalised beauty routine and product recommendations based on visible cosmetic characteristics such as skin tone and texture. Face data is not used for identification, authentication, or any purpose beyond cosmetic personalisation. Optional photos are not shared with third parties, are not used for advertising, and are deleted from our processing systems upon submission of an account deletion request. Retained data is stored securely on encrypted servers in accordance with Section 4 of this policy.
3. Purpose of Data Collection
We may use information that is not Personal Information to better understand who uses CraftMySkin and how we can deliver a better experience, as well as what type of educational information is important to our users.
We use information, including Personal Information, to provide the Services, to help improve the Services, and to develop new services. Specifically, such use may include:
- Generating personalized routines;
- Recommending brands based on user profile;
- Customizing or tailoring your experience of the Services, which may include sending customized messages or showing you sponsored results;
- Sending emails and other communications that display content that we think will interest you and according to your preferences;
- Improving platform performance;
- Customer support and communication;
- Fulfilling our legally required obligations, such as preventing, detecting and investigating security incidents and potentially illegal or prohibited activities;
- Protecting against or deterring fraudulent, illegal, or harmful actions; and
- Enforcing our Terms of Service and other agreements.
4. Storage and Security of Information
The security of your Personal Information is important to us. We endeavor to follow generally accepted industry standards to protect the Personal Information submitted to us, both during transmission and in storage. For data storage, we resort to the services of the hosting organizations. We take your privacy seriously and, therefore, encrypt your personal data – where necessary – before sending it to the hosting organizations for the purposes of its storage. Please note that we cooperate only with those hosting organizations that have passed our security and reliability checks.
In particular, we resort to the service providers that have adopted technical and organizational measures to protect your personal data against unauthorized/unlawful processing and accidental loss, destruction, or other damage.
5. Data Retention
We retain Personal Information about you for as long as you have an open account with us or as otherwise necessary to provide you with Services. In some cases, we retain Personal Information for longer, if doing so is necessary to comply with our legal obligations, prevent fraud, enforce the Agreement, or as otherwise permitted or required by applicable law, rule, or regulation. Afterwards, we retain some information in a depersonalized or aggregated form, but not in a way that would identify you personally.
6. Information Provided on Behalf of Minors and Others
As noted in the Terms of Service, the Services are not intended for use by children, and children under the age of 16 should not use our service. CraftMySkin does not knowingly collect any information from minors, nor are the Services directed to or intended for use by children. If you are under 16, please do not attempt to register for the Services or send any Personal Information about yourself to us.
If you are a parent or legal guardian of a minor, you may, in compliance with the Agreement, use the Services on behalf of such minor. Any information that you provide us while using the Services on behalf of your minor child will be treated as Personal Information as otherwise provided herein.
If you use the Services on behalf of another person, regardless of age, you agree that CraftMySkin may contact you for any communication made in connection with providing the Services or any legally required communications. You further agree to forward or share any such communication with any person on behalf of whom you are using the Services.
7. Legal Basis
CraftMySkin processes personal data in accordance with applicable data protection laws, including the Kenya Data Protection Act, 2019, the EU General Data Protection Regulation (GDPR), and other relevant international privacy regulations. We rely on the following lawful bases when processing personal data:
7.1. Consent
We process personal data where users have freely given, specific, informed, and unambiguous consent. This includes, but is not limited to:
- Completion of skin and hair assessments or questionnaires
- Generation of personalized skin and hair routines
- Optional sponsorship or promotional communications
Users may withdraw consent at any time through account settings or by contacting us. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.
7.2. Contractual Necessity
We process personal data where it is necessary to perform a contract or to take steps at the request of the user prior to entering into a contract. This includes:
- Creating and managing user accounts
- Delivering personalized skin and hair routine recommendations
- Providing customer support and service communications
Without this information, CraftMySkin may be unable to provide its core services.
7.3. Legitimate Interests
We may process personal data where it is necessary for our legitimate business interests, provided those interests do not override the rights and freedoms of users. Legitimate interests include:
- Improving platform performance, functionality, and user experience
- Conducting analytics, research, and service optimization
- Ensuring platform security, fraud prevention, and abuse detection
- Maintaining internal operational records
Where legitimate interest is relied upon, we conduct assessments to ensure processing is proportionate and minimally intrusive.
7.4. Legal Obligation
We process personal data where required to comply with legal and regulatory obligations, including:
- Financial, accounting, and tax compliance
- Responding to lawful requests from regulatory bodies, courts, or public authorities
- Compliance with consumer protection, data protection, and e-commerce laws
7.5. Vital Interests (Limited Circumstances)
In rare cases, we may process personal data to protect the vital interests of a user or another individual where no other lawful basis is available.
8. Sharing of Information
We will not rent or sell your personal data to third parties, but we may share your information obtained via tools like cookies, log files, and device identifiers with third-party organizations that provide automatic data processing technologies for the Website and applications. We do not control or influence these third parties’ tracking technologies or how they may be used.
Please note that while we partner solely with third parties who have assured us they apply the necessary technical and organizational measures to protect your data, we cannot guarantee the absolute security of any information transmitted from the Website directly to such third parties. We are not responsible for any accidental loss or unauthorized access to your data through the fault of third parties.
The Website and application may contain links to third-party sites/services. You may also visit the Website by following a link from a third-party site. We are not responsible for the privacy practices of these third-party sites or services linked, including for the information or content contained within them (unless we are the providers of those sites and/or services).
We may disclose your personal information if it is needed for objective reasons, due to the public interest, or in other unforeseen circumstances:
- as required by law;
- when we believe, in good faith, that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request;
- if we are involved in a merger, acquisition, or sale of all or a portion of our assets, you will be notified via email and/or a prominent notice on our Website of any change in ownership or your personal information usage, as well as any choices you may have regarding your personal information.
9. User Rights
Applicable data protection laws give you the following rights regarding your personal information:
- The Right to Know (also referred to as the Right to Access). You have the right to obtain a confirmation as to whether or not personal data concerning you is being processed. Additionally, you can request a copy of the personal data we hold about you and additional details on how such data is processed.
- The Right to Data Portability. You are entitled to request your personal information in a portable, structured, and machine-readable format that makes it easier to reuse such information, transfer it directly to another service, or move it wherever you want.
- The Right to Correct Inaccuracies (also referred to as the Right to Rectification). Where you cannot update your data by yourself through your account (if available) or the App settings, you can ask us to correct, change, complete, or rectify your data.
- The Right to Data Deletion (also referred to as the Right to Erasure or the Right to Be Forgotten). You have the right to request the deletion of all or some pieces of your personal data that we process. In this regard, you should bear in mind that applicable data protection laws may provide exceptions to the Right to Data Deletion, which means that under certain circumstances we may need to keep some pieces of your data to comply with legal obligations, detect fraud, exercise or defend legal claims, or for other legal reasons. Therefore, upon receiving your verified request, we’ll delete your personal data and direct our service providers to do the same unless a legal exception applies.
- The Right to Object to Processing of Personal Data. When your personal information is processed automatically with the involvement of third-party service providers, you may object to such processing in some circumstances. Additionally, when your personal information is processed for direct marketing purposes, you may ask to cease processing your data for these direct marketing purposes. In order to exercise your right to object, please submit the corresponding request.
To exercise any of the rights described above, you can contact us at support@craftmyskin.com. Please bear in mind that we ensure the above-mentioned rights only with respect to the information that we physically access and store. We also would like to draw your attention to the fact that, in order to process your request, we first have to identify you as a user of the CraftMySkin Services.
10. International Data Transfers
We work in the cross-border area and provide our Services to users around the world.
Third-party organizations that provide automatic data processing technologies for the Services or our third-party partners may transfer the automatically processed information across borders and from your country or jurisdiction to other countries or jurisdictions around the world.
If you are located in the European Union or other regions with laws governing data processing that may differ from the country law, please note that we may transfer information, including personal information, to a country and jurisdiction that may not have the same data protection laws as in your home jurisdiction. We try to make sure that the recipient of any personal data provides proper protection of the personal data received, in accordance with the current legislation on the protection of such information.
By using the CraftMySkin Services, you agree that we may transfer your personal data to any third country, a territory, or one or more specified sectors within that third country, or to the international organization where data protection and confidentiality regulations may not provide the same level of protection of personal data as those in your country.
11. Changes to The Privacy Policy
The effective date of this Privacy Policy is set forth at the top of this page. We will notify you of any material change by posting a notice on this page. Your continued use of the Services after the effective date constitutes your acceptance of the amended Privacy Policy. We encourage you to periodically review this page for the latest information on our privacy practices. Any amended Privacy Policy supersedes all previous versions. If you do not agree to future changes to this privacy policy, you must stop using the services after the effective date of such changes.
12. Contact
If you have any comments, concerns, or questions about this Privacy Policy, please contact us at support@craftmyskin.com or at:
CraftMySkin Pharma Limited,
NextGen Office Building Suites, Mombasa Road,
Nairobi, Kenya
+254 722 426 132
info@craftmyskin.com
