This Privacy Policy explains how Appthos Studio OÜ, a private limited company incorporated in the Republic of Estonia (registry code 17466725), with its registered office at Paavli tn 5a/1, Põhja-Tallinna linnaosa, 10412 Tallinn, Harju maakond, Estonia ("Appthos Studio", "we", "us" or "our"), collects and uses personal data in connection with the Fragnatique mobile application (the "App"). Appthos Studio is the data controller for that personal data.
For any privacy question or to exercise your rights, contact us at contact@appthos.com. Our lead supervisory authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon).
This Policy applies to personal data we process through the App, regardless of the language in which you use it (the App is offered in 33 languages). It is designed around the EU General Data Protection Regulation (GDPR) and also addresses the UK GDPR and applicable United States state privacy laws for users in those regions. It does not apply to third-party services that have their own privacy policies (such as Apple, Google or your device operating system).
We have designed the App to minimise the personal data we hold about you:
The table below summarises the personal data we process, the purpose and legal basis, the service providers involved, where the data is processed, and how long it is kept. The sections that follow provide further detail.
| Data | Purpose & Legal Basis | Recipient / Processor | Location / Transfer | Retention |
|---|---|---|---|---|
| Scent profile, collection, preferences, generated formulations | Provide core App features (performance of contract) | Stored locally on your device | On device, not transmitted to us | Until you uninstall the App |
| Photographs you upload + related prompt text (Photo feature) | Generate style-based fragrance suggestions (explicit consent) | Third-party AI provider | USA (DPF / SCCs) | Not retained by us; transient processing only |
| Quiz / questionnaire answers | Tailor recommendations (performance of contract) | Processed in-App and by our providers | EU / USA as applicable | While your Account is active |
| Usage & analytics events (screens, interactions) | Understand and improve the App (consent) | Third-party analytics provider | USA (DPF / SCCs) | Up to 14 months |
| Crash & diagnostic data (device info, identifiers) | App stability and security (legitimate interest) | Third-party crash reporting provider | USA (DPF / SCCs) | Approx. 90 days |
| Anonymous user ID (no name or e-mail) | Maintain your session and Account (contract / legitimate interest) | Third-party authentication provider | USA (DPF / SCCs) | Until uninstall / Account deletion |
| Push-notification token | Send notifications you opt into (consent) | Third-party messaging provider | Global | Until refreshed or notifications disabled |
| Remote configuration data | Configure features remotely (legitimate interest) | Third-party configuration provider | USA | No persistent user data |
| Subscription status & purchase identifiers | Manage your Subscription (contract) | Third-party subscription management provider | USA (DPF / SCCs) | While Subscription active + legal retention |
| Payment / transaction data | Process your purchase (contract) | App Store – independent controller | USA / EU | Per Store policy |
| Approximate or precise location | Weather-aware suggestions (consent) | Third-party weather data provider | United Kingdom (adequacy) | Not retained; transient |
| Technical connection data (e.g. IP) when loading images | Deliver fragrance and note images (legitimate interest) | Third-party content delivery provider | Global CDN | Transient; no profile data sent |
We process your preferences, quiz answers and an anonymous user identifier to provide the App, maintain your session and deliver the recommendation features you request. The legal basis is the performance of our contract with you (the Terms of Use), and, for maintaining a stable and secure service, our legitimate interests.
If, and only if, you give your explicit consent and confirm you are at least 18, the photograph you submit is transmitted to a third-party AI service and processed transiently to infer general, non-identifying attributes, for the sole purpose of generating a fragrance suggestion. We do not perform facial recognition or identity verification, do not uniquely identify you, and do not infer your race or ethnic origin. The image is not retained by us; the AI provider processes it as our service provider in accordance with its applicable terms. You can decline this feature and still use the rest of the App, and you can withdraw your consent at any time.
With your consent, we use analytics tools to understand how the App is used (for example, which screens are viewed and how features perform) so that we can improve it. You can withdraw this consent at any time in the App settings or your device settings.
We process crash and diagnostic data to keep the App stable and secure, and remote-configuration data to manage features. The legal basis is our legitimate interest in providing a reliable and secure service. This does not involve your name or e-mail address.
To manage your Subscription we process your subscription status and purchase identifiers through a third-party subscription management provider. Payment itself is processed by the applicable Store (Apple App Store), which acts as an independent controller for the payment transaction under its own privacy policy. The legal basis for managing your Subscription is the performance of our contract with you.
If you opt in to push notifications, we process a notification token to deliver them. The legal basis is your consent, which you can withdraw at any time by disabling notifications in your device settings.
To generate recommendations and, where you consent, style-based suggestions from a photograph, we use automated processing (profiling). These features produce suggestions only; they do not produce legal effects concerning you or similarly significantly affect you, and we do not make decisions about you based solely on automated processing within the meaning of Article 22 GDPR. Where you interact with an AI system (such as the Chatbot) or receive AI-generated output, this is indicated within the App. You can object to profiling, withdraw any consent, and contact us for more information about the logic involved.
The App uses artificial-intelligence technologies, including third-party AI systems, to generate recommendations, conversational responses and fragrance-related outputs.
AI-generated outputs are probabilistic in nature and may be inaccurate, incomplete, inconsistent or unsuitable for a user's expectations. Similar inputs may produce different outputs over time. AI-generated outputs are intended for informational, educational and entertainment purposes only and should not be interpreted as objective assessments of any person's identity, personality, attractiveness, age, gender, preferences or other personal characteristics.
Certain features (such as Create Your Scent and the Chatbot) can use your device location to provide context-aware suggestions, for example weather-appropriate recommendations. Location is used only where you grant permission, is sent to a third-party weather data provider for transient processing, and is not stored by us for this purpose. You can grant or withdraw location access at any time through your device settings. Where the feature only needs your general area, we seek to use approximate rather than precise location.
We share personal data only with service providers (processors) that process it on our behalf and under contract, and with the Stores and payment providers as described above. Our principal providers are:
We do not sell your personal data.
Some of our providers process data outside the European Economic Area, principally in the United States. Where this happens, we rely on appropriate safeguards: the EU–US Data Privacy Framework where the provider is certified, and the European Commission's Standard Contractual Clauses (with supplementary measures where appropriate) otherwise. Transfers to the United Kingdom rely on the EU adequacy decision for the UK. You may request more information about these safeguards using the contact details below.
We keep personal data only for as long as necessary for the purposes described in this Policy, in line with the retention periods in the table in Section 4. On-device data remains until you uninstall the App. When you delete your Account, we delete the personal data associated with it, except for limited data we are required or permitted to retain by law (for example to comply with legal obligations or to defend legal claims) and data held in anonymised or aggregated form. Records held by the Stores or payment providers are governed by those providers.
Subject to applicable law, you have the right to: access your personal data; have it corrected; have it erased; restrict or object to its processing; data portability; and, where processing is based on consent, withdraw that consent at any time (without affecting processing carried out before withdrawal). To exercise any right, contact us at contact@appthos.com; we respond within the time limits required by law. You also have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) or with the supervisory authority in your country of residence.
The App is a general-audience service and is not directed to children under 13. We do not knowingly collect personal data from children under 13; if we become aware that we have, we will take reasonable steps to delete it. If you believe a child under 13 has provided us with personal data, please contact us at contact@appthos.com.
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, alteration or disclosure, taking into account the nature of the data and the risks involved. No system can be guaranteed to be completely secure, but we work to protect your data and to limit the data we hold by design.
The App does not use website cookies, but it uses software development kits (SDKs) and mobile identifiers that function similarly. These include an analytics and app-instance identifier, a push messaging token, an anonymous authentication identifier and a subscription management identifier. Non-essential identifiers, such as those used for analytics, are used only with your consent, which you can manage in the App or device settings.
If you are a resident of California or another US state with a comprehensive privacy law, you may have additional rights, including the right to know and access the personal information we collect, to delete it, to correct it, to opt out of any "sale" or "sharing" of personal information for cross-context behavioural advertising, and to limit the use of sensitive personal information. The categories of personal information we collect are described in Section 4. We do not sell your personal information for money, and we do not use it for cross-context behavioural advertising. We treat precise geolocation and photographs you submit as sensitive personal information and use them only for the purposes described in this Policy. We honour recognised opt-out preference signals (such as Global Privacy Control) where required, and we will not discriminate against you for exercising your rights. We do not knowingly sell or share the personal information of users under 16. To exercise these rights, contact us at contact@appthos.com.
We may update this Policy from time to time. We will make the updated version available in the App and, where the changes are material, provide reasonable notice. The "Effective date" above indicates when the current version took effect.
For any questions about this Policy or to exercise your rights, reach us at:
Appthos Studio OÜ
Registry code: 17466725
Paavli tn 5a/1, Põhja-Tallinna linnaosa
10412 Tallinn, Harju maakond, Estonia