Privacy Notice
Gollava is operated by Philos Lab Ltd, a private company registered in England & Wales. This notice explains, in plain English, what personal data we collect when you use Gollava, why we collect it, how long we keep it, and the rights you have under UK GDPR.
1. Who we are
The data controller is Philos Lab Ltd. You can reach us at [email protected] for any privacy-related question.
ICO registration: application in progress before first live campaign — number to be published here on confirmation.
2. What we collect
We only collect what we need. Here's the full list:
Account & profile
- Email — your account identifier.
- Passkey credential — a public key bound to your device (Face ID / Touch ID / Windows Hello). We never see, store, or transmit a password or biometric template.
- First name — for personalising the app.
- Age range (e.g. 18–24, 25–34) — to match you to suitable campaigns and to age-gate restricted categories.
- Skin type & postcode prefix — used to recommend products and to estimate regional demand. We never store the full postcode.
Sample & campaign data
- Claim records — which campaigns you opted into, which products were dispensed, the device + slot + timestamp.
- Survey responses — answers to in-flow questions before the sample drops, and to Day 7 / 30 / 60 follow-up check-ins.
- Post-sample feedback — your honest take after living with the sample, including whether you bought the full size.
Behavioural & security signals
- Behaviour events — taps, scrolls, and timing data within the app and at the kiosk. Used to improve UX and to detect automated abuse.
- Device fingerprint signals — canvas/WebGL/audio/font hashes, browser metadata. Hashed before storage; never used outside of fraud detection.
- IP intelligence — IP address hashed at ingestion, used for VPN/proxy/abuse detection and rate limiting. Never stored in raw form.
- Behavioural biometrics — touch-trajectory variance and human-vs-bot score. Aggregated, never replayable.
- Sybil-graph edges — similarity scores between accounts to surface link-farms and synthetic identities. Edge data only, no PII.
- Face liveness records (Phase 2+, opt-in only) — anti-spoof signal for high-risk accounts. Face embeddings are hashed and auto-deleted after 30 days. Raw face images are never retained.
Communications & consent
- Consent records — versioned record of the privacy/terms you accepted and when, including IP hash and user-agent at the time, so we can demonstrate compliance under UK GDPR Article 7.
- Newsletter / drop alerts — only if you actively subscribed via the landing page or signed up to an account. Unsubscribe link in every email.
- Adverse-event reports — if you report a reaction to a sample, we keep the report for safety follow-up and to notify the brand and (where statutorily required) MHRA.
3. Legal basis
For each category of processing we rely on one of the UK GDPR Article 6 bases:
- Contract (Art. 6(1)(b)) — running your account and fulfilling the sample claim you requested.
- Consent (Art. 6(1)(a)) — newsletter, profiling for recommendations, face liveness opt-in. Always opt-in, always withdrawable.
- Legitimate interests (Art. 6(1)(f)) — fraud prevention, security, abuse detection, product analytics. Balanced against your rights; you can object.
- Legal obligation (Art. 6(1)(c)) — cosmetic-safety reporting to MHRA, records for tax and accounting.
Special-category data (health-adjacent skin information, biometric liveness) is processed only with your explicit consent under Article 9(2)(a).
4. Where data is stored
- Database, file storage, authentication: Supabase in AWS eu-west-2 (London).
- Web hosting: Vercel, EU-preferred regions.
- Email delivery: Supabase Auth SMTP for sign-in magic links and Resend / equivalent for newsletter.
- Error monitoring: Sentry (EU), with IP scrubbing and body redaction.
All personal data is stored in the UK. Some operational metadata may transit through EU or US processors under the UK Addendum to standard contractual clauses.
5. Who we share data with
We share personal data only when one of these applies:
- Brands — we share aggregate, anonymised insights about their campaigns only. We never share your individual identifying details, your email, or your responses to other brands. Cross-brand category benchmarks are only ever published in fully de-identified, k-anonymised form.
- Sub-processors — Supabase, Vercel, Sentry, our email provider. All bound by data-processing agreements.
- MHRA — if you report an adverse reaction, the safety report we are legally required to file may include the data points you provided about the reaction. Your identity is included only where statutorily required.
- Legal authorities — only when required by valid court order or statutory request, and only to the minimum extent legally required.
We never sell your data. We never share it for third-party advertising.
6. How long we keep data
| Data | Retention |
|---|---|
| Account + profile | While account is active; deleted within 30 days of account closure (except where law requires longer) |
| Claims + survey responses | While account is active + 90 days after closure |
| Behaviour events | 24 months rolling |
| Fraud signals + device fingerprints | 12 months rolling, longer for high-confidence abuse cases |
| Consent records + audit logs | 3 years (UK GDPR demonstrability) |
| Adverse event reports | 10 years (UK Cosmetics Regulation) |
| Newsletter subscribers | Until you unsubscribe; then suppression-list entry only (email hash) to honour your choice |
| De-identified aggregates | Indefinitely once anonymised beyond reversibility |
7. Your rights
Under UK GDPR, you can:
- Access — request a copy of the personal data we hold about you.
- Rectify — ask us to correct anything inaccurate.
- Erase — “right to be forgotten”. We delete or anonymise within 30 days, except where law requires longer (e.g. adverse-event reports).
- Restrict — pause processing while a dispute is resolved.
- Portability — receive your data in JSON.
- Object — to processing based on legitimate interests, including profiling.
- Withdraw consent — at any time, with no effect on past lawful processing.
- Complain to the ICO — ico.org.uk.
Email [email protected] with your request. We respond within 30 days, extendable to 90 days for complex requests (with notification).
8. Children
Gollava is intended for users aged 18 and over. We do not knowingly collect data from anyone under 18. If we learn we've done so, we delete it. If you believe a child has used the service, email us immediately.
9. Cookies & local storage
We use strictly-necessary cookies and local storage for session management (passkey session, anti-CSRF) and for scan-flow state (your QR token, transient — clears on sign-out). We don't use third-party advertising, marketing, or analytics cookies on this app.
10. Profiling & automated decisions
We use profiling to recommend products and to score the risk of abuse. None of these automated decisions has a legal or similarly significant effect on you. During Shadow Mode (Phases 0–1) abuse scores are logged only — they never block a sample. Once Active Gating begins (Phase 2+), a high-risk score can deny a sample claim; you can request a human review by emailing [email protected].
11. Security
We encrypt data in transit (TLS 1.2+) and at rest (AES-256). Authentication uses passkeys (WebAuthn) — we never see or store a password. Database access is gated by row-level security so one user cannot read another's data, and every privileged action is recorded in an immutable audit log.
We notify affected users of any personal-data breach within 72 hours of becoming aware, alongside the steps we've taken to contain it.
12. Changes to this notice
Material changes are notified by in-app banner at least 14 days before they take effect and by email to anyone with an active account. We keep a version history so you can see exactly what changed and when. Continued use after the effective date constitutes acceptance.
13. Contact
Privacy: [email protected]
General: [email protected]
Postal: Philos Lab Ltd, registered office — full address available on Companies House.