Privacy Policy

How we protect your data

Your trust is essential. This policy clearly explains what we collect, why, and your full rights over it.

Last updated: April 27, 2026

1. Who We Are

Nyuki AI Technologies ("Nyuki AI", "we", "our", or "us") operates an AI-powered parapharmacy platform that bridges skin diagnostics with local pharmacy inventory across Cameroon. Our services include a mobile application for clients, a tablet interface for pharmacy staff, and a web dashboard for pharmacy owners and managers.

This Privacy Policy explains how we collect, use, share, and protect your personal data when you use any of our services. By using Nyuki AI, you agree to the practices described in this policy.

Registered address: Douala, Cameroon · Contact: privacy@nyukiai.com

2. Information We Collect

Account Information

  • Name, email address, and phone number provided during registration
  • Gender and date of birth (used to personalise diagnostic results)
  • Preferred language (English or French)
  • Profile photo (optional)

Skin & Health Data

  • Facial and skin photographs taken or uploaded during the diagnostic session
  • AI-generated skin analysis results: skin type, hydration score, oiliness score, texture score, acne count, pore analysis, wrinkle score, and skin age estimation
  • Skin concerns you report (e.g. acne, hyperpigmentation, sensitivity)
  • Your personalised skincare routine recommendations
  • Diagnostic history over time

Commerce & Loyalty Data

  • Order history and product purchases
  • Nyuki Club loyalty points balance and transaction history
  • Cart items and saved preferences
  • QR Pass sessions (60-second expiry tokens)

Device & Usage Data

  • Device type, operating system, and app version
  • IP address and general location (city/country level)
  • Session activity logs for security and troubleshooting
  • Push notification preferences

Pharmacy Staff Data

If you are a pharmacy employee using the Nyuki AI staff interface, we additionally collect your role, shift activity, and a secure passcode used for point-of-sale authentication.

3. How We Use Your Information

  • Deliver your AI skin diagnostic and generate personalised product recommendations
  • Display your diagnostic history and track skin progress over time
  • Process orders and manage your loyalty points
  • Send transactional emails (order confirmation, password reset, skincare follow-ups)
  • Send push notifications with your consent (new diagnostics, loyalty milestones, pharmacy updates)
  • Enable pharmacy staff to view your AI report during in-store visits (with your QR Pass consent)
  • Improve and train our AI models in aggregate, anonymised form — never using your identifiable images
  • Comply with applicable law and respond to lawful requests from authorities

We do not use your skin images or health data for advertising, profiling for third-party marketing, or sale to any commercial party.

4. AI Processing & Third-Party Services

Nyuki AI uses best-in-class AI providers to deliver our diagnostic service. When you submit a skin scan, your image may be processed by:

OpenRouter / Anthropic (Vision AI)

Your skin image is sent to OpenRouter (which routes requests to large language models including Anthropic Claude) for visual skin analysis. These providers process your image solely to return the analysis result. Images are not retained by the AI provider after processing.

AILabTools (Clinical Skin Metrics)

We use AILabTools to extract clinical-grade skin metrics (acne count, pore score, wrinkle score, skin age). This provider receives your image, processes it, and returns numerical metrics. Images are not stored by AILabTools.

Contabo Object Storage (S3)

Your processed images and documents are stored in an encrypted Contabo S3-compatible bucket located in the European Union (EU2 region). Access is controlled and restricted to authorised Nyuki AI systems only.

Expo (Push Notifications)

If you opt in to push notifications on the mobile app, your Expo push token is stored and used solely to deliver notifications from Nyuki AI to your device. No personal content is shared with Expo beyond the device token.

IONOS (Email)

Transactional emails (welcome, password reset, skincare follow-ups) are sent via IONOS SMTP. Email addresses are used only for delivery purposes.

Important: Nyuki AI does not sell your personal data, skin images, or health information to any third party. AI providers listed above act as data processors and are bound by data processing agreements that prohibit retention or secondary use of your data.

5. Data Sharing & Disclosure

We share your information only in the following limited circumstances:

  • With the pharmacy you visit — the pharmacy staff can view your AI diagnostic report during an in-store session only when you present your QR Pass. Your full account data is never visible to pharmacy staff.
  • With service providers listed in Section 4 who process data on our behalf under strict contractual obligations
  • When required by Cameroonian law, court order, or to protect the rights and safety of users
  • In the event of a merger or acquisition, your data may be transferred — you will be notified in advance

We never share your data with advertisers, data brokers, or for profiling purposes.

6. Data Retention

  • Active account data is retained for as long as your account is active
  • Skin diagnostic images and results: retained during account lifetime and deleted within 30 days of account deletion
  • QR Pass session tokens: automatically purged 1 hour after expiry
  • Deleted accounts: your account data is permanently purged 90 days after deletion (GDPR-aligned purge cycle)
  • Loyalty points history: retained for 7 years for financial record-keeping compliance
  • Login activity logs: retained for 12 months for security auditing

You may request early deletion of your account and all associated data at any time by contacting privacy@nyukiai.com.

7. Your Rights

You have the following rights regarding your personal data:

  • Right to access — request a copy of all data we hold about you
  • Right to rectification — correct inaccurate or incomplete data
  • Right to erasure — request deletion of your account and all personal data
  • Right to data portability — receive your diagnostic history and account data in a machine-readable format
  • Right to withdraw consent — withdraw consent to push notifications or marketing emails at any time
  • Right to restrict processing — request that we limit how we use your data while a complaint is under review
  • Right to object — object to processing based on legitimate interest

To exercise any of these rights, contact us at privacy@nyukiai.com. We will respond within 30 days.

8. Security

  • All data is transmitted over HTTPS with TLS encryption
  • Skin images are stored in encrypted cloud storage with restricted access controls
  • Passwords are hashed using bcrypt — they are never stored in plain text
  • Refresh tokens use a selector + verifier pattern: the verifier is bcrypt-hashed so a database breach cannot produce valid tokens
  • QR Pass tokens expire after 60 seconds and are invalidated on use
  • Security events are logged and monitored via Sentry error tracking

While we implement industry-standard safeguards, no system is completely secure. We will notify you promptly if a breach affecting your personal data occurs.

9. Children's Privacy

Nyuki AI is not directed at or intended for use by individuals under the age of 13. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has provided us with personal data, please contact us and we will promptly delete that information.

Users aged 13–17 may use the service with verifiable parental consent.

10. International Data Transfers

Nyuki AI is headquartered in Cameroon. Your data may be processed by our AI providers in the United States and the European Union. When data is transferred internationally, we ensure it is protected by appropriate safeguards, including:

  • Data Processing Agreements (DPAs) with all third-party processors
  • Storage on EU-based servers (Contabo EU2 region) where possible
  • AI providers who comply with applicable data protection standards

11. Policy Updates

We may update this Privacy Policy from time to time to reflect changes in our services, technology, or applicable law. When we make material changes, we will notify you via email or a prominent in-app notice at least 14 days before the change takes effect.

The current version of this policy is always available at nyukiai.com/privacy. Continued use of our services after the effective date constitutes acceptance of the updated policy.

12. Contact Us

If you have questions, concerns, or requests relating to this Privacy Policy or your personal data, please reach out:

Nyuki AI Technologies

Douala, Cameroon

Email: privacy@nyukiai.com

We aim to respond to all privacy requests within 30 business days.