Privacy Policy
Ralli is built by GoodSisters — a small team that genuinely cares about your skin and your privacy. We collect only what we need to make the app work, we never sell your data, and we try to be straight with you about everything we do.
What we collect
When you create an account and use Ralli, we collect:
- Account information — your name, email address, and profile photo if you choose to add one.
- Skin profile — skin type and concerns you select during onboarding. This is used to personalise your experience.
- Product interactions — products you scan, add to your routine, love, or flag as breaking you out.
- Posts and ratings — anything you share to the feed or rate, including ingredients you paste or photograph.
- Messages — direct messages you send to other users.
- Usage data — how you interact with the app (which features you use, how often) to help us improve it.
- Device information — basic technical data like browser type, device type, and operating system, used to troubleshoot bugs and improve compatibility.
- Waitlist email — if you sign up to our pre-launch waitlist, we store the email address you provide along with the date and time you joined.
What we don't collect
- We do not collect payment information — we have no in-app purchases.
- We do not track your precise location (GPS, geolocation API, or background location).
- We do not access your camera roll beyond the specific photo you choose to share.
- We do not read your contacts.
- We do not use third-party advertising trackers, ad networks, or behavioral retargeting tools.
- We do not use third-party analytics platforms like Mixpanel, Heap, Amplitude, or Segment.
- We do not sell, rent, or trade your personal data to anyone — ever.
How we use your data
- To run and improve the Ralli app.
- To show you personalised content — your feed, product scores, and recommendations — based on your skin profile and activity.
- To let other users follow you, see your public posts, and message you.
- To calculate community ratings on products.
- To identify you as an admin, if applicable, and provide access to admin tools.
- To send you notifications about activity on your posts (likes, comments, new followers).
- To respond to your support requests and communicate with you about Ralli.
- To detect, prevent, and address fraud, abuse, security risks, and violations of our Terms of Service.
Cookies & tracking technologies
Ralli uses cookies and similar technologies only for essential app functions:
- Authentication cookies — set by Firebase Auth to keep you logged in.
- Session cookies — temporary cookies that remember your preferences during a single visit.
- Local storage — small bits of data stored in your browser to remember things like which insight category you saw last, so you don't see the same one twice in a row.
We do not use advertising cookies, tracking pixels, or third-party analytics cookies. You can disable cookies in your browser settings, but parts of Ralli (including signing in) will not work without them.
Who we share your data with
We use the following third-party services to run the app. These are "sub-processors" in privacy terminology — they handle data on our behalf, under contract, and only for the purposes described:
- Firebase (Google) — database, authentication, file storage, and hosting. Your account data, posts, lists, and messages are stored on Google Cloud servers.
- Vercel — hosts the Ralli website (theralliapp.com and app.theralliapp.com). Vercel processes basic request logs to deliver the site and protect against abuse.
- Anthropic — when you photograph a product or ingredient label, the image is sent to Anthropic's Claude API for analysis. Per Anthropic's API policy, the image and text are not stored by Anthropic beyond the request and are not used to train their models.
- Open Beauty Facts — a public ingredient database we query to look up product information. We send only a product barcode or name; we do not send any of your personal data.
- Amazon Associates — product "Shop" links may include our affiliate tracking tag. When you tap a link, you are taken to Amazon's website and Amazon's own privacy policy applies. We do not share any of your personal data with Amazon; only the affiliate tag is included in the URL.
We do not sell your personal data to advertisers or any third parties.
Where your data is stored
Your data is stored on Google Cloud servers operated by Firebase, primarily located in the United States. By using Ralli, you understand that your personal data may be transferred to, processed in, and stored in the United States, which may have different data protection laws than your country.
If you are in the European Economic Area, United Kingdom, or Switzerland, you should know that data transfers to the United States are made under appropriate safeguards (currently the EU-US Data Privacy Framework and standard contractual clauses where applicable).
AI processing
Ralli uses Anthropic's Claude AI to read ingredient labels from photos and help analyse product data. When you use this feature:
- The image you submit is sent to Anthropic's API for processing.
- Anthropic does not store the image or the response beyond the API request, and does not use your input to train their models.
- The extracted text is then stored in Ralli's database against the product, so other users querying the same product can see the same ingredient list.
- Ingredient text shown to you may have been processed by AI and may contain errors. We always recommend verifying the physical product label, especially for known allergens.
Your public profile
Your display name, profile photo, and any posts you make to the feed are visible to other Ralli users by default. You can set your product lists (Routine, Loved, Want to Try) to private in your profile settings at any time. Direct messages are visible only to you and the recipient.
Data retention & deletion
We keep your data for as long as your account is active. You can delete your account at any time in Profile → Settings → Delete account. When you delete your account:
- Your profile, posts, comments, messages, lists, and uploaded photos are removed from the app within 30 days.
- Some content — such as anonymized aggregate product ratings, anonymized usage statistics, and content required to be retained for legal or fraud-prevention reasons — may persist in aggregated or anonymized form.
- Backup copies of deleted data are purged from our backups within 90 days of deletion.
- If you contributed product corrections or community ratings that have become part of Ralli's product database, those contributions remain attached to the product (but no longer linked to your identity).
If you only want to leave the waitlist without joining Ralli, email us at theralliapp@gmail.com with the subject line "Remove from waitlist" and we'll delete your entry within 7 days.
Children's privacy
Ralli is not directed to children under 13. We do not knowingly collect personal information from anyone under 13. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at theralliapp@gmail.com and we will delete it.
If you are between 13 and the age of majority in your jurisdiction (typically 18), you may only use Ralli with the involvement and consent of a parent or legal guardian. See our Terms of Service for more on age requirements.
California residents — your privacy rights (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) give you specific rights regarding your personal information.
You have the right to:
- Know what personal information we collect, use, disclose, and share, and the categories of sources and third parties.
- Access a copy of the specific personal information we have collected about you.
- Delete personal information we have collected about you (subject to certain exceptions).
- Correct inaccurate personal information.
- Opt out of sale or sharing of your personal information. Ralli does not sell or share your personal information for cross-context behavioral advertising.
- Limit the use of sensitive personal information — Ralli only uses sensitive information (such as your skin concerns) to provide the service, not for other purposes.
- Non-discrimination — we will not discriminate against you for exercising any of these rights.
To exercise any of these rights, email theralliapp@gmail.com with the subject line "California Privacy Request". We will respond within 45 days. We may need to verify your identity by asking you to confirm information already on file.
EU, UK & Swiss residents — your rights (GDPR)
If you are in the European Economic Area, United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) and equivalent laws give you specific rights regarding your personal data:
- Right of access — request a copy of your personal data.
- Right to rectification — correct inaccurate or incomplete data.
- Right to erasure ("right to be forgotten") — request deletion of your data.
- Right to restrict processing — limit how we use your data in certain situations.
- Right to data portability — receive your data in a portable format.
- Right to object — object to certain uses of your data.
- Right to withdraw consent — where we process data based on your consent, you can withdraw it at any time.
- Right to lodge a complaint with your local data protection authority.
Our legal bases for processing your personal data under GDPR are: (a) your consent when you sign up and create an account; (b) contractual necessity to provide the service you requested; and (c) legitimate interest for operational purposes like fraud prevention and security.
To exercise any of these rights, email theralliapp@gmail.com with the subject line "GDPR Request". We will respond within 30 days.
Your rights (everyone)
Regardless of where you live, you can:
- Access, update, or correct your personal data directly in the app under Profile → Settings.
- Delete your account at any time under Profile → Settings → Delete account.
- Toggle your product lists between public and private.
- Block other users to prevent them from messaging or following you.
- Request a copy of your data or ask us a privacy question by emailing theralliapp@gmail.com.
Security
We take reasonable measures to protect your data:
- All connections between your device and Ralli use HTTPS encryption.
- Passwords are never stored in plain text — Firebase Auth handles authentication using industry-standard hashing.
- Access to user data within our team is limited to founders and is logged.
- We use Google Cloud's infrastructure security, including encryption at rest for stored data.
No system is 100% secure, however. If we become aware of a security incident that affects your personal information, we will notify you and the relevant authorities as required by applicable law.
Changes to this policy
We may update this policy from time to time. We'll update the date at the top when we do. For significant changes — for example, changes that expand the categories of data we collect or how we use it — we will notify you in the app or by email before the changes take effect.
Your continued use of Ralli after a policy update means you accept the updated policy. If you do not agree, you can delete your account at any time.
Contact us
We genuinely read every privacy email. To contact us about anything in this policy — to exercise a right, ask a question, or report a concern:
- Email: theralliapp@gmail.com
- Mailing address: GoodSisters, San Francisco, California, USA (full address available upon request)
We respond to all privacy inquiries within 30 days, or sooner where required by law.
Questions about this policy? Email us at theralliapp@gmail.com — we actually read it.