Vella Studio

Privacy Policy

Last updated: 11 May 2026 · Effective immediately

This Privacy Policy explains how Vella Studio ("the App", "we", "us", or "our") collects, uses, shares, and protects your personal information. We've written this in plain language because your privacy matters and you deserve to understand what happens with your data.

Quick Navigation

1. The short version
2. Who runs Vella Studio
3. Data we collect
4. How we use AI (and which providers)
5. How we use your data
6. Third parties we share data with
7. Advertising measurement & App Tracking Transparency
8. Where data is stored and for how long
9. Your rights and choices
10. International data transfers
11. Region-specific rights (Australia, EU, UK, US, Brazil)
12. Children's privacy
13. Security
14. Changes to this policy
15. Contact us

1. The short version

If you read nothing else, read this:

Vella Studio is an AI-powered makeup and color analysis app. To work, it sends photos you choose to upload to third-party AI services for processing.
The AI providers we share photos with are Google (image generation), OpenAI (analysis), and Replicate (cloud infrastructure). We name them explicitly because you deserve to know.
We don't store your photos on our servers. Photos stay on your device. They are sent to AI providers only when you actively use a feature, and discarded after processing.
We don't sell your photos or train AI on them. Ever.
You can revoke AI permissions any time in Settings → Privacy & AI.
You can delete all your data by deleting the app or contacting us.
Analytics and (when permitted) ads measurement: We use product analytics to improve the App. With your consent, we may share limited measurement data with TikTok’s Business SDK so we can understand marketing performance across apps — not to show third‑party advertisements inside Vella Studio. See Sections 6 and 7.

The full details are below.

2. Who runs Vella Studio

Owner and Data Controller

LSA Management (Services) Australia Pty Ltd
24B Andrew Street
Mount Waverley, VIC 3149
Australia

Privacy contact: info@mobisec.lk

LSA Management (Services) Australia Pty Ltd is the legal entity responsible for Vella Studio and is the "data controller" under applicable privacy laws including the Australian Privacy Act 1988, the EU General Data Protection Regulation (GDPR), the UK GDPR, and the various US state privacy laws (CCPA, VCDPA, CPA, CTDPA, UCPA).

3. Data we collect

3.1 Photos and images you upload

When you use Vella Studio's AI features, you choose photos to upload from your device — typically selfies, makeup photos, or inspiration images. These are the most sensitive data we handle.

Selfies (no makeup): Used for color season analysis and as the base image for AI-generated makeup looks.
Makeup photos: Used by Roast Mode to provide AI feedback on your makeup application.
Inspiration images: Used by the "Recreate Any Look" feature to match a reference look to your features.

We treat photos as biometric-adjacent data and apply additional safeguards even where the law does not strictly require it.

3.2 Profile and preference data

You may provide the following information during onboarding or in Settings:

Skin type, age range, makeup style preferences, climate, daily routine pace, makeup budget
Selected color season (after AI analysis) and selected makeup looks
Settings preferences (e.g., notifications, AI consent state)

This data is stored locally on your device and is not transmitted to our servers.

3.3 Subscription and purchase data

When you start a free trial or subscribe, Apple's App Store handles the transaction. We receive:

Anonymous purchase identifiers and receipt validation tokens (via RevenueCat)
Subscription status (active / trial / expired / cancelled)
Product information (which subscription tier you bought)

We do not receive your name, email, payment card, or billing address from Apple. Your payment information stays with Apple.

3.4 Device, usage, and diagnostic data

To make the app work and improve it, we collect:

Device model, operating system version, app version
Anonymous device identifier (UUID, regenerated if you reinstall)
App opens, feature usage, session duration
Crash reports and error logs (no personally identifiable information)
Approximate (coarse) location, derived from IP address — used primarily to localize responses; advertising partners may receive IP-derived region signals for measurement as described in Sections 6–7
On Apple devices, advertising / device identifiers for measurement (for example IDFA) only if you allow tracking under App Tracking Transparency

3.5 Generated content

AI features produce outputs such as: color season analyses, makeup descriptions, after-images of your face with AI-applied makeup, and roast-mode feedback. These outputs are linked to your input photos and stored locally on your device. They are not transmitted to our servers.

3.6 Push notifications token

If you enable notifications, Firebase Cloud Messaging issues an anonymous device token so we can send you reminders, feature announcements, or important updates. You can disable notifications at any time in your iOS Settings.

3.7 Data we do not collect (and what we don’t use it for)

We do not require or collect your name, email, phone number, or address (unless you contact us by email).
We do not collect contact lists, social graph, or messages.
We do not display banners, interstitials, or other third‑party advertisements inside the App.
We do not access Apple's Identifier for Advertisers (IDFA) on iOS unless you approve App Tracking Transparency — and you can change that choice anytime in Apple Settings → Privacy & Security → Tracking.
Aside from anonymized analytics and TikTok measurement you consent to via ATT (see Sections 6 and 7), we don’t observe your browsing or activity in other unrelated apps.
We do not collect precise GPS location.

4. How we use AI (and which providers)

Apple App Store Guideline 5.1.2(i) Disclosure

Vella Studio shares photos you upload with the third-party AI providers listed in this section to perform AI analysis and generate transformed images. Before any photo is sent to these providers, we ask for your explicit consent within the app. You can review or revoke this consent at any time in Settings → Privacy & AI.

Vella Studio's core features rely on artificial intelligence. We are transparent about exactly which AI providers we use, what data is shared, and why.

4.1 Google (Gemini and image generation models)

Provider: Google LLC, accessed via Google Cloud's AI services and the "Nano Banana Pro" image generation model (Gemini 3 Pro Image)

What we share: The selfies, inspiration photos, and makeup photos you choose to upload. We also share text prompts describing the desired transformation (e.g., "apply soft glam makeup").

Purpose: Generate AI-transformed images of your face with makeup applied; recreate inspiration looks on your features; perform visual analysis of skin tone, eye color, and hair color for color season classification.

How long Google retains data: Per Google's Generative AI APIs Terms of Service, prompts and images submitted via paid API endpoints are not used to train Google's models and are retained only briefly for abuse-detection purposes (typically up to 30 days), then deleted.

Google's Privacy Policy: https://policies.google.com/privacy

Google Cloud's data processing terms: https://cloud.google.com/terms/cloud-privacy-notice

4.2 OpenAI

Provider: OpenAI, L.L.C. (using GPT-5 model family via the OpenAI API)

What we share: Photos you upload (selfies, makeup photos), plus text describing what we want the model to assess.

Purpose: Analyze your photo to assess makeup application; provide feedback through Roast Mode; generate personalized makeup recommendations and shade suggestions; perform certain steps of color season analysis.

How long OpenAI retains data: Per OpenAI's API Data Usage Policy, data submitted via the API is not used to train OpenAI's models. OpenAI retains API inputs and outputs for up to 30 days for abuse and misuse monitoring, then deletes them. Approved Zero Data Retention may apply to certain endpoints.

OpenAI's Privacy Policy: https://openai.com/policies/privacy-policy/

OpenAI's API Data Usage Policy: https://openai.com/policies/api-data-usage-policies/

4.3 Replicate

Provider: Replicate, Inc.

What we share: Photos in transit to AI models hosted on Replicate's infrastructure (specifically Google's Nano Banana Pro and similar models).

Purpose: Replicate is the cloud infrastructure that runs the AI models we use. It does not analyze your data itself; it routes photos to the model and returns the model's output to us.

How long Replicate retains data: Per Replicate's privacy practices, prediction inputs and outputs are retained for up to 1 hour by default to support debugging and reliability, after which they are deleted. We do not opt into longer retention.

Replicate's Privacy Policy: https://replicate.com/privacy

4.4 What we explicitly don't do with your photos

We don't sell your photos. Not to AI providers, not to advertisers, not to anyone.
We don't use your photos to train AI models. We use commercial API tiers that contractually exclude training use.
We don't store your photos on our servers. Photos pass through our backend only briefly while being relayed to the AI provider, and are not persisted.
We don't share your photos with anyone except the AI providers listed above. Not advertisers, not data brokers, not analytics providers.
We don't use facial recognition for identification. The AI does not match your face to any identity database. It only analyzes visual properties (skin tone, undertones, features) for makeup purposes.

4.5 Your control over AI processing

Before the first time the App sends a photo to any AI provider, we show you a consent screen explaining what will happen. You must tap "I agree, continue" for any AI processing to occur. If you decline, no photos will be sent to AI providers, but you will not be able to use the AI features.

You can revoke this consent at any time by going to Settings → Privacy & AI → Revoke AI permissions. After revocation, no further photos will be sent to AI providers until you grant consent again.

4.6 Automated decision-making

Vella Studio's AI features make automated decisions (e.g., classifying you as a "Soft Autumn" color season, recommending specific makeup shades). These decisions are not legally significant — they are aesthetic recommendations, not credit, employment, insurance, or housing decisions. You can disregard any AI output, request a different result, or stop using the app at any time.

5. How we use your data

We use the data described above only for the following purposes:

Provide the App's features: Generate AI Glow Ups, perform color analysis, run Roast Mode, save your preferences.
Manage your subscription: Validate purchases, restore purchases, deliver paid features to subscribers.
Improve the App: Analyze aggregate, anonymized usage patterns to identify bugs and prioritize features.
Send you essential communications: Push notifications about features you opted into, transactional messages about your subscription, reminders.
Comply with legal obligations: Respond to lawful requests from authorities, defend our legal rights, prevent fraud or abuse.
Measure advertising effectiveness: When permitted (including after you approve App Tracking Transparency on supported devices), we send app events — such as opens, completions, subscriptions, or purchases — to TikTok's Business SDK to attribute installs and optimize marketing. This does not show ads inside the App.

We do not use your data for behavioral profiling for marketing unrelated to attributing campaigns you’ve seen nor for any purpose unrelated to providing or improving the App.

6. Third parties we share data with

Beyond the AI providers listed in Section 4, we share limited data with the following service providers as necessary to operate the App:

6.1 Apple Inc. (App Store Connect)

What: Subscription transactions, in-app purchases, app analytics, crash diagnostics (only if you opted into sharing analytics with developers in iOS Settings).

Privacy Policy: https://www.apple.com/legal/privacy/

6.2 RevenueCat, Inc.

What: Subscription state management, receipt validation, anonymous user identifiers tied to your subscription.

Privacy Policy: https://www.revenuecat.com/privacy/

6.3 Google (Firebase Cloud Messaging)

What: Firebase Cloud Messaging (FCM) delivers push notification tokens/messages between our backend and Apple’s push gateway. Notifications are transactional (e.g. reminders, product updates).

Privacy Policy: https://firebase.google.com/support/privacy

6.4 Bugsnag (SmartBear monitoring tools)

What: Crash and error telemetry (logs, stack traces, device/OS/app version identifiers) — not your facial photos.

Privacy Policy: Bugsnag / SmartBear Privacy Policy

6.5 Amplitude Inc.

What: Anonymous product analytics — feature usage, funnel events, session lengths. Photos are not sent to Amplitude.

Privacy Policy: https://amplitude.com/privacy

6.6 TikTok Technology Limited (TikTok Business / Events SDK)

What: When TikTok measurement is initialized, the TikTok Business SDK collects in-app events — for example installs, sessions, completions, subscriptions, purchases, and custom milestones — plus device/IP-related metadata TikTok assigns for attribution. Events can include hashed or pseudonymous identifiers your device shares with TikTok servers (for example domains such as analytics.tiktok.com and business-api.tiktok.com used for measurements).

Important: This integration is not TikTok account login or the consumer TikTok “For You” app. If you authorize tracking on Apple devices, TikTok may also receive the Identifier for Advertisers (IDFA) for cross-app attribution in line with Apple’s rules.

If you deny tracking, the SDK still operates in reduced measurement modes compliant with Apple's policies; TikTok defines how probabilistic attribution works in its documentation.

Purpose: Measure installs and ROI from marketing campaigns, attribute conversions from ads you may have interacted with externally, improve media spend efficiency.

Privacy Policy: Refer to TikTok’s commercial product privacy materials for TikTok For Business (TikTok for Business Privacy Policy — exact URL paths may vary; see the Terms & Policies section on TikTok for Business).

6.7 Sales, brokers, and in-app advertisements

We don’t rent your identifiable profile to brokers. The App remains free of invasive third‑party banners. Partner SDKs described above—including TikTok measurement—receive only the categories of telemetry each policy section lists.

7. Advertising measurement & App Tracking Transparency (iOS)

7.1 App Tracking Transparency (ATT)

Apple requires apps to obtain permission before accessing the Identifier for Advertisers (IDFA) for cross-app measurement. After you finish color analysis in onboarding we may present an educational pre-prompt explaining why opt‑in matters, followed by Apple's system ATT dialog if tracking is still not determined.

If you tap “Allow” on Apple’s prompt: TikTok measurement may use the IDFA (and comparable signals) alongside other event data described in §6.6.
If you tap “Ask App Not to Track” or bypass the measurement prompt (“Not now”): We do not call the system ATT request at that moment, and TikTok relies on aggregated or limited attribution paths without IDFA.
To change IDFA permission later: Open iOS Settings → Privacy & Security → Tracking → toggle tracking for “Vella Studio”.

7.2 Relationship to Apple's privacy manifests

Vella Studio’s App Store binaries declare TikTok domains that participate in Apple's privacy manifest requirements (analytics.tiktok.com, business-api.tiktok.com) alongside our App Privacy Questionnaire disclosures in App Store Connect.

8. Where data is stored and for how long

8.1 On-device storage (your phone)

Most of your data — photos, generated images, color analysis results, makeup preferences, subscription cache — is stored locally on your iOS device. We do not maintain a copy of this data on our servers. If you delete the App, this data is permanently deleted with it.

8.2 Backend processing (transient)

When you use an AI feature, your photo passes through our backend infrastructure (hosted on Google Cloud) on its way to the AI provider. The photo is held in memory only as long as needed to forward the request and is not written to persistent storage.

8.3 AI provider retention

See Section 4 for each provider's specific retention period. In summary: Replicate (~1 hour), OpenAI (up to 30 days), Google (up to 30 days). After these periods, the data is deleted by the provider.

8.4 Analytics, attribution, and crash data

Anonymous analytics (Amplitude), error telemetry (Bugsnag), TikTok measurement events when enabled, plus campaign receipts are retained per each vendor’s schedules (typically 14–24 months for analytics backends unless deprecated earlier). TikTok aggregates or deletes attribution data pursuant to TikTok retention policies disclosed in TikTok Business documentation.

8.5 Subscription records

Subscription transaction records are retained as required by tax and accounting law (typically 7 years in Australia).

9. Your rights and choices

Depending on where you live, you have rights under the Australian Privacy Act, EU/UK GDPR, CCPA, and other privacy laws. Globally, we offer the following choices to all users:

9.1 Within the App

Revoke AI consent: Settings → Privacy & AI → Revoke AI permissions
View what AI providers do: Settings → Privacy & AI → How AI is used
Delete generated content: Delete individual entries from your "My Looks" gallery (where available), or delete the entire app to remove all locally stored data
Disable notifications: Settings → Notifications
Disable anonymous product analytics: Settings → Privacy & AI → Anonymous analytics (toggle off)
iOS measurement / ATT: After onboarding, revisit iOS Settings → Privacy & Security → Tracking to disallow cross-app attribution for “Vella Studio”.

9.2 By contacting us

You can email info@mobisec.lk to:

Request access to any personal data we hold about you
Request correction of inaccurate data
Request deletion of your data (right to erasure)
Request portability — a machine-readable copy of your data
Object to processing on legitimate-interest grounds
Withdraw consent previously given
Lodge a complaint with us before going to a regulator

We respond within 30 days for most requests. We may need to verify your identity before responding (typically by asking you to send a request from the email tied to your subscription, if applicable).

10. International data transfers

Vella Studio is operated from Australia, but our service providers—including AI partners and US-based measurement platforms such as TikTok for Business—may process data internationally, primarily in the United States. When you use AI features, your photos are transferred internationally to AI providers as described in Section 4.

For users in the EU, UK, and other jurisdictions with cross-border data restrictions, transfers are protected by:

Standard Contractual Clauses (SCCs) approved by the European Commission, where applicable
UK International Data Transfer Agreement (IDTA) for transfers from the UK
EU-US Data Privacy Framework certifications held by our US-based providers, where applicable
Your explicit consent, where you have opted into AI processing knowing the providers are US-based

For users in Australia, transfers comply with Australian Privacy Principle 8 (cross-border disclosure) — we take reasonable steps to ensure overseas recipients handle your data consistent with the Australian Privacy Principles.

11. Region-specific rights

11.1 Australia (Privacy Act 1988 & APPs)

If you are in Australia, you have rights under the Privacy Act 1988 (Cth) and the Australian Privacy Principles. You can:

Access and correct your personal information
Make a complaint to us, then to the Office of the Australian Information Commissioner (OAIC) if unresolved
Opt out of receiving direct marketing communications

11.2 European Union (GDPR)

If you are in the EU, you have rights under the General Data Protection Regulation (GDPR), including:

The right to access, rectification, erasure, restriction of processing, and data portability
The right to object to processing based on legitimate interests
The right to withdraw consent at any time
The right to lodge a complaint with your national supervisory authority

Our legal bases for processing include: (a) your consent (including AI uploads and TikTok/ad measurement whenever valid consent frameworks apply); (b) performance of a contract (to deliver the subscribed App); (c) our legitimate interests (product improvement, attribution reporting at an aggregate level).

11.3 United Kingdom (UK GDPR)

UK residents have substantially the same rights as EU residents under the UK GDPR. You may also lodge a complaint with the UK Information Commissioner's Office (ICO).

11.4 California (CCPA / CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act:

Right to know: Request what personal information we've collected about you in the past 12 months
Right to delete: Request deletion of your personal information
Right to correct: Request correction of inaccurate personal information
Right to opt out of sale or sharing: We don't sell covered information for money. If you authorize App Tracking, certain device identifiers may be disclosed to TikTok for cross-context advertising measurement; you may opt out by withholding tracking authorization in iOS Settings or within Apple’s ATT dialog, limiting tracking as explained in Sections 6 and 7.
Right to limit use of sensitive personal information: The photos you upload may be considered sensitive personal information. We use them only to provide the AI features you requested.
Right to non-discrimination: We will not deny services or charge differently because you exercised these rights.

Categories of personal information collected in the past 12 months (examples): Identifiers (UUID, advertiser IDs when permitted); commercial/subscription identifiers (via RevenueCat); internet or electronic network activity (in-app telemetry, TikTok Events & Amplitude funnel events without photos); coarse geolocation (IP-derived locality); biometric-adjacent photos when you voluntarily run AI workflows; inferred preferences derived from uploads.

We do not knowingly collect personal information from California consumers under 16 without opt-in consent.

11.5 Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA)

Residents of these states have rights similar to California consumers:

Right to access, correct, delete, and obtain a portable copy of personal data
Right to opt out of “sale”, profiling, or targeted ads where applicable — we don’t monetize catalogs. If TikTok attribution constitutes processing under local law once you authorize tracking, you may withdraw permission using Apple Tracking controls referenced in Sections 7 and vendor policies.
Right to opt out of profiling that produces legally significant effects — Vella Studio's AI does not perform such profiling
Right to appeal a denial of a privacy request — appeal decisions are made within 45–60 days depending on your state

11.6 Brazil (LGPD)

Brazilian residents have rights under the Lei Geral de Proteção de Dados Pessoais (LGPD), including access, correction, deletion, anonymization, portability, and the right to withdraw consent at any time. International transfers from Brazil are governed by LGPD-compliant mechanisms including standard contractual clauses and your explicit consent.

11.7 Other jurisdictions

If you are in a jurisdiction not specifically listed, you may still have privacy rights under your local law. Please contact us at info@mobisec.lk to exercise them and we will respond consistent with applicable law.

12. Children's privacy

Vella Studio is intended for users aged 17 and older. The App is rated 17+ on the Apple App Store. We do not knowingly collect personal information from children under 13 (or 16 in the EU/UK, or other ages where applicable law sets a higher threshold).

If you are a parent or guardian and believe your child under the relevant age has provided us personal information, please contact us at info@mobisec.lk and we will promptly delete that information.

13. Security

We protect your data using industry-standard security measures, including:

Encryption in transit: All communications between the App, our backend, and AI providers use TLS 1.2 or higher
On-device storage: Most of your data never leaves your device
Restricted server access: Backend infrastructure is access-controlled and audited
No persistent server-side photo storage: Photos are not written to disk on our servers
Vetted AI partners: We use only commercial-tier APIs with contractual data protection commitments

No system is perfectly secure. If we ever experience a data breach affecting your personal information, we will notify you and applicable regulators as required by law (typically within 72 hours under GDPR).

14. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will:

Update the "Last updated" date at the top of this page
Notify you within the App (e.g., a one-time banner or modal on app open)
Where required by law, ask for your renewed consent

If you continue using the App after a change takes effect, you accept the updated policy.

15. Contact us

For any privacy questions, requests, or complaints, please contact:

LSA Management (Services) Australia Pty Ltd
Attn: Privacy Officer
24B Andrew Street
Mount Waverley, VIC 3149
Australia

Email: info@mobisec.lk

We aim to respond within 30 days. If you are not satisfied with our response, you may lodge a complaint with your local data protection authority.