Privacy Web Addendum
This Web Addendum supplements the Reverse Ageineer Privacy Policy (the “Main Policy”) and describes data processing practices specific to the web-based skin quiz funnel hosted at quiz.reverseageineer.com. The Main Policy applies in full to all data processing by the Service. This Web Addendum addresses only those practices that are unique to, or differ in implementation from, the mobile application.
In the event of a conflict between this Web Addendum and the Main Policy, the Main Policy shall prevail.
1. Scope
This Web Addendum applies to data processing that occurs while you interact with the web-based quiz funnel at quiz.reverseageineer.com. The funnel permits prospective users to complete a multi-question skin assessment and an optional camera-based or upload-based facial image analysis without first creating an account. Following completion of the assessment, you may elect to create an account in order to retain your results and access ongoing features through the Reverse Ageineer mobile application.
2. Categories of Data Processed on the Web Funnel
2.1 IP Address (Security and Abuse Prevention)
The Service processes the IP address of each request reaching the quiz funnel for two purposes only:
(a) Bot Detection. Cloudflare Turnstile performs an invisible challenge to verify that requests originate from genuine browsers rather than automated scripts. This challenge requires Cloudflare to receive your IP address.
(b) Rate Limiting. The Service enforces per-IP rate limits to prevent abuse of the unauthenticated funnel:
- A maximum of five (5) face-scan requests per IP address per twenty-four (24) hour period;
- A maximum of five (5) Haut.AI subject-creation requests per IP address per twenty-four (24) hour period; and
- A maximum of five hundred (500) result-polling requests per IP address per twenty-four (24) hour period.
For rate-limiting purposes, the Service maintains a database table named anon_quiz_events recording (i) the IP address, (ii) the event type, and (iii) the timestamp of each rate-limited action. Records in this table are automatically deleted after seven (7) days by a scheduled cleanup job and are not associated with any user identity, account, or persistent identifier.
The IP address is not used for advertising, profiling, geolocation, behavioral targeting, or analytics of any kind.
2.2 Aggregate Page Interaction Metrics (Cookieless)
The Service uses Vercel Web Analytics to collect aggregate page-view counts and quiz-funnel progression statistics. This implementation:
(a) sets no cookies of any kind;
(b) does not employ device or browser fingerprinting techniques;
(c) reports only aggregate, anonymized metrics (e.g., “300 sessions reached step 12”) and does not produce individual-user records or identifiers; and
(d) is governed by Vercel’s Privacy Policy.
You may verify the absence of analytics cookies by inspecting the Cookies storage of quiz.reverseageineer.com in your browser’s developer tools.
2.3 Error Telemetry (Failure-Conditional, Redacted)
The Service uses Sentry to capture client-side JavaScript errors and, when an error occurs, a redacted replay of the page state in the sixty (60) seconds preceding the error. This telemetry is configured as follows:
(a) Sessions in which no error occurs are not recorded. Replay capture is conditioned on a thrown error.
(b) All visible text content is masked before transmission to Sentry. Each text node on the page is replaced with non-identifying placeholder characters prior to transmission.
(c) All form inputs are masked. Quiz answers, uploaded image data, and any other input value are not transmitted in replay payloads.
(d) Retention. Sentry retains error events and replays in accordance with the Service’s plan-level retention configuration (currently thirty (30) days).
(e) Sentry processing is governed by Sentry’s Privacy Policy.
2.4 Anonymous Quiz Session Records
To permit prospective users to complete the skin assessment without creating an account in advance — and to allow the results to be retained if and only if the user subsequently registers — the Service maintains short-lived anonymous quiz session records on its servers. The data flow is as follows:
(a) Anonymous Session Identifier. Upon beginning the quiz, your browser generates a random session identifier (a Universally Unique Identifier, or UUID) and persists it in localStorage solely to permit the quiz to resume across page reloads within the same browser. The session identifier is not transmitted to any third party other than as required to persist the session record described in paragraph (b) and is not otherwise correlated with any persistent identifier on the Service’s side.
(b) Session-Keyed Storage. Quiz responses (e.g., self-reported skin type, primary concerns), the analysis results returned by Haut.AI, and the corresponding Haut.AI subject UUID are persisted on the Service’s database (Supabase) keyed by the anonymous session UUID. No user-identifying data — including email, name, IP address, or device fingerprint — is associated with this record while the session remains anonymous. The IP rate-limit records described in Section 2.1 are maintained in a separate table and are not joined with anonymous session records.
(c) Retention of Anonymous Session Records. Anonymous session records are retained for fourteen (14) days following session creation and are automatically deleted thereafter by a scheduled cleanup job, unless an account is created within that window pursuant to paragraph (d).
(d) Account Linking on Registration. If you create an account within fourteen (14) days of completing the quiz, the anonymous session record will be migrated to your account upon registration: the data will be associated with your authenticated user identity and stored in the Service’s principal data tables governed by the Main Policy, and the standalone anonymous session record will be deleted. From the point of account creation forward, the Main Policy governs all data processing in respect of that data.
(e) No Email or Marketing Use. While a session remains anonymous, no marketing or transactional email is sent. The Service does not collect an email address from anonymous quiz visitors.
2.5 Facial Image Data
If you elect to use the camera-based or upload-based scan, your facial image is processed as follows:
(a) Your browser uploads the image directly to Haut.AI’s content delivery network via a single-use signed URL. The image does not transit the Service’s edge functions.
(b) Haut.AI processes the image and returns analysis results (numerical metrics, mask URLs, and a restored aligned face image URL) to the Service’s edge functions, which forward the results to your browser.
(c) The Service may persist the analysis results — but not the original facial image — to its own storage systems, keyed by the anonymous session UUID described in Section 2.4(a), for the retention period specified in Section 2.4(c). The original facial image continues to be hosted by Haut.AI under Haut.AI’s Privacy Policy.
(d) For each anonymous quiz session, the Service generates a single-use, randomly-generated identifier (a Haut.AI subject UUID) and supplies it to Haut.AI as the “subject ID” required by Haut.AI’s interface. This identifier is not associated with any user account, email address, device fingerprint, or other identifying data on the Service’s side while the session remains anonymous.
(e) If you create an account within the retention period described in Section 2.4(c), the analysis results — and, where applicable, the restored aligned face image and any associated mask images — will be migrated to your account record and stored in accordance with the Main Policy.
3. Retention Periods
| Category | Retention |
|---|---|
| anon_quiz_events (IP rate-limit records) | Seven (7) days, automatically deleted |
| Anonymous quiz session records (quiz responses + analysis results, see Section 2.4) | Fourteen (14) days, automatically deleted, unless migrated to an account on registration |
| Sentry error events and redacted replays | Thirty (30) days (Sentry plan default) |
| Vercel Analytics aggregate metrics | Twelve (12) months rolling (Vercel plan default) |
| Quiz responses (browser memory) | Until session termination (tab close, navigation away) |
| Anonymous session UUID (browser localStorage) | Until you clear your browser’s site data, or fourteen (14) days, whichever occurs first |
| Facial image (Haut.AI servers) | Per Haut.AI’s Privacy Policy |
4. Third-Party Service Providers
The Service engages the following third-party processors for the operation of the web funnel:
| Provider | Function | Privacy Policy |
|---|---|---|
| Cloudflare, Inc. | Bot detection (Turnstile) | Cloudflare |
| Vercel, Inc. | Web hosting, cookieless analytics | Vercel |
| Functional Software, Inc. (Sentry) | Error telemetry, redacted replay | Sentry |
| Supabase, Inc. | Database, edge function hosting | Supabase |
| Haut.AI OÜ | Facial image analysis | Haut.AI |
Each of the foregoing providers acts as a data processor under a written data processing agreement with the Service. None operates as an independent data controller in respect of the data described in this Web Addendum.
The Service does not engage any advertising network, marketing pixel, retargeting service, or third-party tracking technology in connection with the web funnel. The Service does not sell or otherwise share data with third parties for advertising purposes.
5. Cookies and Similar Technologies
The web funnel sets no cookies of any kind. The Service relies on:
(a) cookieless server-side analytics (Vercel Web Analytics), which derives aggregate metrics from anonymized request signals;
(b) per-request invisible bot challenges (Cloudflare Turnstile), which do not require persistent client-side state; and
(c) a single anonymous session UUID stored in localStorage for the limited purpose described in Section 2.4(a) (quiz resume across page reloads).
You may verify the use of localStorage and the absence of cookies, third-party storage, and tracking technologies through your browser’s developer tools.
6. Your Rights
Where applicable, the rights described in the Main Policy (including, where applicable, rights of access, correction, deletion, portability, restriction, and objection under the EU General Data Protection Regulation, the United Kingdom General Data Protection Regulation, the California Consumer Privacy Act as amended, and the Brazilian Lei Geral de Proteção de Dados) apply to data processed in connection with the web funnel.
6.1 Anonymous Quiz Visitors
If you have completed the quiz but have not created an account, you may exercise the following rights in respect of the anonymous session record described in Section 2.4:
Right to Access. Furnish your anonymous session UUID, available in your browser’s localStorage for quiz.reverseageineer.com under the key rev_quiz_session_id, to app@reverseageineer.com. The Service will provide a copy of the data associated with that session within thirty (30) days.
Right to Deletion. Furnish your anonymous session UUID to app@reverseageineer.com with a request for deletion. The Service will delete the corresponding session record within thirty (30) days. Anonymous session records are also automatically deleted after fourteen (14) days as described in Section 2.4(c).
Limitations. The Service is unable to identify, retrieve, modify, or delete a specific anonymous session record without the corresponding session UUID, because no user-identifying data is associated with the record. If you have lost access to the browser session containing the UUID, the record will be automatically deleted upon expiration of the retention period.
The seven-day IP rate-limit records described in Section 2.1 are not associated with any user identity and cannot be retrieved or selectively deleted on request. They are automatically deleted upon expiration of the retention period.
6.2 Authenticated Users
If you have created an account, the rights and procedures set forth in the Main Policy apply to all data associated with your account, including (where applicable) any data linked from a prior anonymous quiz session under the flow described in Section 2.4(d). To exercise any right or to make a privacy-related request as an authenticated user, follow the procedures specified in the Main Policy or use the in-application account-deletion functionality.
6.3 General Contact
To exercise any right or to make a privacy-related request, contact app@reverseageineer.com.
7. Children’s Privacy
The web funnel is not directed to, and the Service does not knowingly collect data from, individuals under the age of thirteen (13). If you believe that the Service has inadvertently collected data from a child under thirteen (13), please contact app@reverseageineer.com, and the Service will promptly delete such data.
8. Changes to This Web Addendum
The Service may revise this Web Addendum from time to time. Material changes will be communicated by revising the Effective Date appearing at the top of this document and posting the revised version at this URL. As the Service does not maintain an email address for anonymous quiz visitors, no individual notification will be provided in the absence of an account.
9. Contact
For questions, concerns, or privacy-related requests:
- Email: app@reverseageineer.com
- Main Privacy Policy: reverseageineer.com/pages/app-privacy-policy
- Account Deletion: reverseageineer.com/pages/delete-account