Your face, your data.

Privacy notice — European Union & EEA (GDPR)

This notice is issued by Refrakt ("we", "us", "our") in accordance with the General Data Protection Regulation (GDPR). It applies to individuals in the EU and European Economic Area (EEA).

1. Data controller

Refrakt UG (haftungsbeschränkt), Berlin, Germany, is the data controller for all personal data processed through this service. You can reach us at lirikkazh@gmail.com.

2. Personal data we collect

• Identity & contact data — name, email address, country.
• Biometric data (special category) — 3D facial scans, derived facial landmark coordinates, AI-generated facial previews. Processed under Art. 9(2)(a) GDPR on the basis of your explicit consent.
• Usage data — pages visited, features used, anonymised IP address, device and browser.
• Communication data — anything you share when contacting us or requesting early access.

3. Legal basis for processing

• Explicit consent (Art. 6(1)(a), Art. 9(2)(a)) — biometric and health-adjacent data.
• Contract performance (Art. 6(1)(b)) — to deliver the simulation service you requested.
• Legitimate interest (Art. 6(1)(f)) — security logging and fraud prevention.

4. Retention

Biometric scan data is deleted within 90 days of your last interaction with Refrakt, unless you request earlier deletion. Account data is retained for 24 months following last login, then automatically purged.

5. Your rights under GDPR

• Access — request a copy of all data we hold about you.
• Erasure ("right to be forgotten") — delete your data at any time.
• Rectification — correct inaccurate data.
• Portability — receive your data in a machine-readable format.
• Restriction — pause processing of your data.
• Objection — opt out of legitimate-interest processing.
• Withdraw consent — at any time, without affecting prior lawful processing.

To exercise any right, email lirikkazh@gmail.com. We respond within 30 days. If unsatisfied, you may lodge a complaint with your national supervisory authority — e.g. the Berliner Beauftragte für Datenschutz und Informationsfreiheit for users in Germany.

6. International transfers

Your data is processed on servers in the EU (Frankfurt). Any transfer outside the EEA is governed by Standard Contractual Clauses (Art. 46(2)(c) GDPR).

7. Cookies

Strictly necessary cookies are always on. Analytics and marketing cookies are off by default and only set with your explicit consent via our cookie banner.

8. Changes

Material changes will be posted here with an updated date. Where required by law, we will seek renewed consent.

Privacy notice — Turkey (KVKK)

Bu aydınlatma metni, 6698 sayılı Kişisel Verilerin Korunması Kanunu (KVKK) kapsamında Türkiye'deki kullanıcılara yönelik olarak Refrakt tarafından hazırlanmıştır.

This notice is issued by Refrakt in accordance with Turkish Law No. 6698 on the Protection of Personal Data (KVKK), for individuals located in Turkey.

1. Data controller / Veri Sorumlusu

Refrakt UG (haftungsbeschränkt), Berlin, Germany, is the data controller (veri sorumlusu) under KVKK. Contact: lirikkazh@gmail.com.

2. Personal data we collect

• Identity & contact data — name, email, country.
• Biometric & health data (sensitive / özel nitelikli) — 3D facial scans, derived facial measurements, AI-generated facial previews. Classified as sensitive personal data under KVKK Art. 6 and processed only with your explicit written consent.
• Usage data — pages visited, features used, anonymised IP, device and browser.
• Communication data — anything shared when contacting us or requesting early access.

3. Legal basis for processing

• Explicit consent (KVKK Art. 5/1, Art. 6/2) — required for biometric and sensitive personal data.
• Contract necessity (KVKK Art. 5/2-c) — to deliver the simulation service you requested.
• Legitimate interest (KVKK Art. 5/2-f) — security logging and fraud prevention.

4. Retention

Biometric scan data is deleted within 90 days of your last interaction, unless you request earlier deletion. Account data is retained for 24 months after last login.

5. Your rights under KVKK Art. 11

• Learn whether your personal data has been processed.
• Request information about the purpose and scope of processing.
• Know which third parties your data has been transferred to.
• Request rectification of incomplete or inaccurate data.
• Request erasure or destruction of your data.
• Object to outcomes detrimental to you arising from automated processing.
• Request compensation for damages arising from unlawful processing.

Send requests to lirikkazh@gmail.com. We respond within 30 days. You may also apply to the Kişisel Verileri Koruma Kurumu (KVKK Kurumu) if your request is not resolved.

6. Cross-border transfer / Yurt dışı aktarım

Your data is stored on EU-based servers. Cross-border transfers are carried out in accordance with KVKK Art. 9, subject to your explicit consent and appropriate contractual safeguards.

7. Cookies

Strictly necessary cookies are always on. Analytics and marketing cookies are off by default and require your explicit consent.

8. Changes

Material changes will be posted here with an updated date.

Privacy notice — Singapore (PDPA)

This notice is issued by Refrakt ("we", "us", "our") in accordance with the Personal Data Protection Act 2012 (PDPA) of Singapore. It explains how we collect, use, disclose, and protect personal data for individuals in Singapore.

1. Personal data we collect

• Identity & contact data — name, email, phone, country.
• Biometric & health-adjacent data — 3D facial scans, derived facial measurements, AI-generated previews of post-procedure outcomes.
• Usage data — pages visited, features used, device and browser information.
• Communication data — anything you share when you contact us, request early access, or complete a form.

2. Purposes of collection, use and disclosure

We collect, use and disclose your personal data only for purposes you would reasonably consider appropriate:

• To provide and improve the Refrakt service, including generating your facial simulations.
• To match you with your chosen clinician, where you explicitly direct us to.
• To communicate with you about your account, scan windows, and product updates you've opted into.
• To comply with legal obligations and respond to lawful requests from authorities.
• To detect, prevent and address fraud, abuse and security incidents.

3. Consent

We obtain your consent before collecting biometric data such as your 3D facial scan. Where the PDPA permits, we may rely on deemed consent or relevant exceptions (e.g. legitimate interest, business improvement) — and we will be transparent with you about this in each case.

You may withdraw consent at any time by emailing lirikkazh@gmail.com. We will action your request within a reasonable period and explain any consequences of withdrawal (for example, certain features may become unavailable).

4. Access and correction

You have the right to request access to the personal data we hold about you, and to ask us to correct it if inaccurate. We will respond within 30 days, or notify you if more time is required. A reasonable fee may apply for access requests, in line with the PDPA's permitted recovery of costs.

5. Data accuracy, protection and retention

We take reasonable steps to ensure personal data is accurate and complete, and we apply administrative, physical and technical safeguards to protect it. See our security page for technical details.

We retain personal data only for as long as needed for the purposes set out above, or as required by law. Facial scans and derived biometric data are deleted within 90 days of your last interaction with Refrakt, unless you ask us to retain them longer for continuity of care.

6. Transfers outside Singapore

To deliver the service, your personal data may be transferred to and processed in jurisdictions outside Singapore (including the European Union, where our processing infrastructure is hosted). We ensure any such transfers are subject to a standard of protection that is comparable to the PDPA, via contractual safeguards and binding processor obligations.

7. Cookies and analytics

We use a small number of strictly necessary cookies to make this site work. Analytics and marketing cookies are off by default and only enabled with your explicit consent via our cookie banner. You can change your preferences anytime from the footer.

8. Data Protection Officer

Our Data Protection Officer can be reached at lirikkazh@gmail.com for any privacy-related queries, access or correction requests, complaints, or to withdraw consent.

9. Complaints

If you are not satisfied with our handling of your personal data, you may raise a complaint with the Personal Data Protection Commission (PDPC) of Singapore at www.pdpc.gov.sg.

10. Changes to this notice

We will post any material changes to this notice on this page and update the "Last updated" date. Where required, we will obtain renewed consent.

Privacy notice — US, Canada & Latin America

This notice applies to users located in the United States, Canada, and Latin America. It explains the categories of data we collect, why, the rights you have, and how to exercise them.

1. Information we collect

• Identifiers — name, email, phone, country, IP address.
• Biometric information — 3D facial scans, derived facial landmark coordinates, AI-generated facial previews.
• Commercial information — products and services you request, including early access.
• Internet activity — pages visited, features used, time on site, device/browser data.
• Sensitive personal information — biometric data is treated as sensitive under the CCPA/CPRA and equivalent state laws.

2. Why we collect it

• To deliver the Refrakt service — including generating your facial simulations.
• To match you with a clinician of your choosing, when you direct us to.
• To communicate about your account and scan windows.
• For aggregated product analytics (only if you've consented to analytics cookies).
• To comply with legal obligations, prevent fraud, and protect Refrakt and our users.

We do not sell your personal information, and we do not share it for cross-context behavioral advertising.

3. Your rights — California (CCPA / CPRA)

If you are a California resident, you have the right to:

• Know what personal information we collect, use, disclose, and (where applicable) sell or share.
• Access a copy of your personal information.
• Delete personal information we have collected from you.
• Correct inaccurate personal information.
• Opt out of the sale or sharing of personal information (we don't do either, but you may still send the request).
• Limit the use of sensitive personal information (including biometric data).
• Non-discrimination — we will not deny service, charge different prices, or provide a different quality of service because you exercised these rights.

To exercise these rights, email lirikkazh@gmail.com with the subject line "Privacy request — California." We will verify your identity and respond within 45 days.

4. Your rights — Canada (PIPEDA)

If you are in Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) applies. We respect the ten fair information principles, including:

• Consent — meaningful, informed consent before we collect or use your personal information.
• Limiting collection — we collect only what's necessary for the purposes we've explained.
• Accuracy — you can ask us to update or correct your information.
• Safeguards — appropriate technical and administrative protections.
• Access — you may request a copy of your personal information.

Complaints may be referred to the Office of the Privacy Commissioner of Canada at www.priv.gc.ca. If you're in Québec, additional rights apply under Law 25, including the right to data portability and the right to be informed of automated decision-making.

5. Your rights — Latin America

If you are in Latin America, your local data protection law applies in addition to the protections we offer globally. Notably:

• Brazil (LGPD) — you have rights to confirmation, access, correction, anonymization, portability, deletion, information about data sharing, and withdrawal of consent. Our Data Protection Officer can be reached at lirikkazh@gmail.com. Complaints may be raised with the ANPD.
• Mexico (LFPDPPP) — you have ARCO rights: Access, Rectification, Cancellation, and Opposition. Requests may be made to the email above.
• Argentina, Chile, Colombia, Uruguay, Peru and others — your local data protection authority's framework applies. We will respond to verified requests in line with applicable timelines.

6. Biometric data — special handling

Your 3D facial scan and derived measurements are biometric data. We treat this category with extra care:

• We collect biometric data only with your explicit, separate consent.
• We never sell, license, lease or otherwise disclose biometric data to third parties for their own purposes.
• We retain biometric data for a maximum of 90 days after your last interaction with Refrakt, unless you ask us to retain it longer for continuity of care, or longer retention is required by law.
• If you are in Illinois, Texas, or Washington, additional state biometric laws (BIPA, CUBI, Washington Biometric Identifiers Act) apply and we comply with them.

7. How we share your data

• Clinicians — only with people you explicitly choose to share with.
• Service providers — vetted processors (cloud hosting, email delivery) under binding contracts.
• Legal requests — when required by valid legal process, narrowly tailored.

8. International transfers

Refrakt's infrastructure is hosted primarily in the European Union. By using Refrakt, you understand and agree that your data may be transferred to and processed there. We rely on appropriate safeguards (including Standard Contractual Clauses) for such transfers.

9. Cookies

We use strictly necessary cookies to make this site work. Analytics and marketing cookies are off by default and only enabled with your consent. You can change your preferences anytime from the footer.

10. Contact us

For privacy questions, requests, or complaints: lirikkazh@gmail.com. We aim to respond within 10 business days and resolve verified requests within the timelines required by your local law.

11. Changes to this notice

If we make material changes, we'll post them here and update the "Last updated" date above. Where local law requires it, we'll seek your renewed consent.