Privacy Policy

Last updated: April 11, 2026

Novalinya places fundamental importance on protecting your privacy. This policy describes how we collect, use and protect your personal data, in compliance with the General Data Protection Regulation (GDPR) and applicable data protection laws.

1. Data controller

The data controller is Novalinya, reachable at hello@novalinya.com.

2. Data collected

When you use the service, we collect the following categories of data:

Category	Data	Purpose
Identity	First name, gender, age range	Report personalization
Contact	Email address	Report delivery and communication
Biometric data*	Scalp photos (front + top)	AI hair assessment analysis
Health data	Family history, loss duration, concerned area, hair routine	Personalizing recommendations
Payment	Data processed by Stripe (not stored by us)	Premium payment processing
Technical	IP address, browser type, timestamp	Security and anonymous statistics

*Scalp photos are used solely for analysis purposes and are never used for biometric identification.

3. Legal basis for processing

Explicit consent (art. 6-1-a and 9-2-a GDPR) for photos and health information, collected via the mandatory checkbox before form submission;
Contract performance (art. 6-1-b) for report delivery and payment management;
Legitimate interest (art. 6-1-f) for site security and service improvement (anonymized statistics).

4. Data retention

Scalp photos: automatically deleted after report generation (maximum 24h technical retention);
Generated report and form responses: retained for 12 months, then anonymized;
Email and Premium billing data: retained 10 years for accounting obligations;
Technical logs: maximum 6 months.

5. Data recipients

Your data is intended exclusively for Novalinya and its subprocessors strictly necessary for service delivery:

Amazon Web Services (AWS) — infrastructure hosting (Paris, France);
Supabase — database (Frankfurt, Germany);
OpenAI — AI analysis processing (via API, data is not used for training);
Stripe — payment processing;
Resend — transactional email delivery.

Some subprocessors are located outside the European Union (OpenAI, Stripe). Transfers are governed by the European Commission's Standard Contractual Clauses (SCC).

6. Your rights

In accordance with GDPR, you have the following rights:

Right of access to your personal data;
Right to rectification in case of inaccuracy;
Right to erasure ("right to be forgotten");
Right to restriction of processing;
Right to data portability;
Right to object to processing;
Right to withdraw consent at any time.

To exercise these rights, contact us by email at hello@novalinya.com. We will respond within a maximum of one month.

You also have the right to lodge a complaint with a supervisory authority such as the CNIL in France: www.cnil.fr

7. Security

Novalinya implements all appropriate technical and organizational measures to protect your data: HTTPS/TLS encryption, EU hosting, restricted access, access logging, encrypted backups, automatic photo deletion after analysis.

8. Cookies

Cookie usage is detailed in our Cookie Policy.

9. Changes

This policy may be modified at any time. The version in force is the one published on this page. In case of substantial modification, you will be informed by email.