PRANA Beauty & Wellness ("PRANA", "we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains what personal information we collect, why we collect it, how we use it, and your rights in relation to it. It applies to all visitors to www.pranabeauty.com and customers who purchase our products.

By using our Website or purchasing our products, you agree to the practices described in this Privacy Policy. If you do not agree, please do not use our Website or services.

1. Who We Are

PRANA Beauty & Wellness is a direct-to-consumer Ayurvedic skincare brand headquartered in New York, USA. We operate the website at www.pranabeauty.com and sell our products through our website and authorised third-party marketplaces. For privacy enquiries, contact us at admin@pranawellness.shop.

2. Information We Collect

Information you give us directly

We collect the following information directly from you:

• Name and email address — account creation, checkout, email sign-up
• Shipping address — for order delivery
• Payment information — processed by Shopify, we do not store card data
• Phone number — optional for SMS shipping updates
• Skin type and concerns — dosha quiz, skin profile (optional)
• Facial image — AI Skin Scanner, real-time only, never stored
• Product reviews and feedback — post-purchase (optional)
• Communications with us — email and contact form submissions

Information collected automatically

When you visit our Website, we automatically collect:

• IP address and approximate geographic location
• Browser type, operating system, device type
• Pages visited, time spent, links clicked, referring URL
• Cookie identifiers and session data
• Purchase history and browsing behaviour

Information from third parties

We receive information from:

• Shopify — order and payment processing
• Amazon — if you purchase through Amazon
• Klaviyo — email engagement data
• Meta (Facebook/Instagram) — ad interactions
• Google — search and ad interactions

3. How We Use Your Information

We use your information for the following purposes:

• Processing and fulfilling orders
• Sending order and shipping confirmations
• Customer service and responding to enquiries
• Managing your account and loyalty programme
• Delivering personalised ritual recommendations
• AI Skin Scanner — real-time skin analysis
• Sending marketing emails (with consent)
• Improving our products and Website
• Fraud prevention and security
• Compliance with legal obligations

We do not use your information for automated decision-making that produces legal or similarly significant effects, except where you have explicitly requested personalised recommendations.

4. AI Skin Scanner — Biometric Data

When you use the AI Skin Scanner, a single image frame from your camera or an uploaded photo is converted to a base64 string in your browser and transmitted directly to Anthropic's Claude Vision API over an encrypted HTTPS connection. The API returns skin marker scores (a text result) which is used to display your ritual recommendation. The image data is then permanently discarded.

Consent requirement

You must provide explicit written consent before the Scanner will process your image. This consent satisfies:

• Illinois BIPA (740 ILCS 14) — written release requirement
• California CCPA/CPRA — sensitive personal information consent
• Federal COPPA — age verification (18+ required)

What is retained

The only data retained from a Scanner session is: (a) the text result (your dosha classification and skin marker labels), held in browser session memory only; and (b) if you voluntarily provide your email address, that email address and your dosha result are stored in Klaviyo with your consent. No image or biometric data is retained under any circumstances.

5. Cookies & Tracking Technologies

We use cookies and similar tracking technologies to operate the Website, remember your preferences, analyse traffic, and deliver relevant advertising.

You can control cookie preferences through your browser settings or through the cookie preference centre on our Website. Note that opting out of certain cookies may affect Website functionality.

6. How We Share Your Information

We do not sell, rent, or trade your personal information to third parties for their own marketing purposes. We share your information only in the following limited circumstances:

• Service providers who help us operate our business
• Legal requirements — if required by law, court order, or governmental authority
• Business transfers — in the event of a merger, acquisition, or sale of assets
• Protection of rights — where necessary to protect the rights, property, or safety of PRANA, our customers, or the public
• With your consent — for any other purpose with your explicit consent

7. Third-Party Service Providers

We use the following third-party service providers:

• Shopify — e-commerce platform, payment processing, order management
• Anthropic (Claude API) — AI Skin Scanner image analysis
• Klaviyo — email marketing and transactional email delivery
• Google Analytics — website traffic analysis
• Meta (Facebook) — advertising performance measurement
• Amazon — marketplace sales
• UPS / USPS / DHL — order fulfilment and shipping

All third-party service providers are contractually required to process your data only for the purposes we specify, to maintain appropriate security standards, and to comply with applicable privacy law.

8. Data Retention

We retain your data for the following periods:

• Facial image (AI Scanner) — zero retention, discarded immediately
• Order and transaction records — 7 years from order date
• Customer account data — duration of account + 2 years after last activity
• Email address (marketing) — until unsubscribe or deletion request
• BIPA consent records — 3 years from consent date
• Website analytics data — 26 months (Google Analytics default)
• Customer service communications — 3 years from last contact

When data is no longer needed, we securely delete or anonymise it. You may request earlier deletion of your personal data by contacting us.

9. Security

We implement industry-standard security measures including:

• HTTPS/TLS encryption for all data transmitted
• Payment card data processed by Shopify Payments — we never store full card numbers
• Access controls limiting which team members can access customer data
• Shopify's PCI DSS-compliant infrastructure

No method of internet transmission or electronic storage is 100% secure. While we use commercially reasonable measures, we cannot guarantee absolute security.

10. Your Privacy Rights

All PRANA customers have the following baseline rights:

To exercise any of these rights, contact us at admin@pranawellness.shop with your name, email address, and the specific right you wish to exercise. We will respond within 1–3 business days and fulfil verified requests within the applicable legal timeframe.

11. California Residents — CCPA / CPRA

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) gives you specific rights regarding your personal information.

Categories of personal information collected in the last 12 months

• Identifiers (name, email, IP address, account ID)
• Commercial information (purchase history, products considered)
• Internet and electronic activity (browsing behaviour on our Website)
• Sensitive personal information (facial image data — transient, never stored)
• Inferences drawn to create a profile (dosha type, skin type, product preferences)

Your California rights

• Right to know — request disclosure of categories and specific pieces of personal information collected
• Right to delete — request deletion of personal information, subject to exceptions
• Right to correct — request correction of inaccurate personal information
• Right to opt out of sale/sharing — PRANA does not sell personal information
• Right to limit use of sensitive personal information — zero-retention architecture satisfies this by default
• Right to non-discrimination — we will not discriminate against you for exercising any CCPA right

To submit a California privacy rights request: email admin@pranawellness.shop with subject line "California Privacy Rights Request". We will respond within 45 days (with one 45-day extension available if required).

12. Illinois Residents — BIPA

If you are an Illinois resident and use our AI Skin Scanner, the Illinois Biometric Information Privacy Act (BIPA, 740 ILCS 14) gives you specific rights.

Our BIPA compliance commitments:

• We obtain your explicit written consent before processing any facial image
• We maintain a publicly available written policy establishing our retention and destruction schedule
• We do not sell, lease, trade, or profit from your biometric data
• We do not disclose biometric data to any third party without consent, except as required by law
• Your facial image is destroyed immediately upon completion of each scan — zero retention
• Data in transit is protected by HTTPS/TLS encryption

For BIPA-specific enquiries, contact admin@pranawellness.shop with subject line "BIPA Privacy Request".

13. Children's Privacy — COPPA

Our Website and AI Skin Scanner are not directed at children under the age of 13. We do not knowingly collect personal information from anyone under 13. Users of the AI Skin Scanner must confirm they are 18 or older before the feature will operate.

If we learn that we have inadvertently collected personal information from a child under 13, we will delete it immediately. If you believe a child under 13 has provided us with personal information, please contact us at admin@pranawellness.shop with subject line "COPPA Notice" and we will respond within 1–3 business days.

14. Email & Marketing Communications

We send two types of email:

• Transactional emails — order confirmations, shipping notifications, ritual guides requested by you
• Marketing emails — new products, ritual guidance, seasonal recommendations, promotional offers (with consent)

Every marketing email includes a clear unsubscribe link. You can also unsubscribe by emailing admin@pranawellness.shop. We comply with the CAN-SPAM Act.

We do not share or sell your email address to any third party for their own marketing purposes.

15. Links to Third-Party Websites

Our Website may contain links to third-party websites including social media platforms, media publications, and partner retailers. These links are provided for your convenience. PRANA has no control over the content or privacy practices of third-party sites and is not responsible for their privacy policies. We encourage you to review the privacy policy of any third-party site you visit.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the effective date at the top of this page and, where appropriate, notify you by email or by a prominent notice on our Website.

Your continued use of our Website or services after the effective date of any revised Privacy Policy constitutes your acceptance of the changes. We encourage you to review this Policy periodically.

17. Contact Us & Rights Requests

When submitting a rights request, please include your full name, the email address associated with your account, and a clear description of your request. We will verify your identity before processing any access, deletion, or correction request.