This Privacy Policy explains how Moonlit ("Moonlit," "we," "us," or "the App"), operated by Codeful (the "Company"), collects, uses, stores, and protects your information when you use our iOS application and related services. By using Moonlit you agree to this policy.
If anything below is unclear, contact us at support@vibeland.app before continuing to use the app.
Moonlit is built around a single principle: your face stays with you. Selfies, scores, and routine notes are stored on your device and (if you enable iCloud) in your personal iCloud Private Database. We do not run a server that holds your photos, identifies you, or builds a profile on you for advertising.
1. What we collect
1.1 Information you provide
- Selfies — one photo per day, captured during the in-app capture window. Stored on your device and (optionally) in your personal iCloud Private Database. Never uploaded to Moonlit's servers.
- Profile fields — age range, skin type, primary concern axis, and (optional) hormonal-cycle anchor. Used to set baselines and tailor on-device recommendations.
- Routine entries — products you log via on-device OCR (Apple Vision) or manual input, including any notes or reactions you record. Stored on device.
- Subscription receipts — when you start a free trial or purchase a subscription, Apple sends us a transaction receipt and entitlement state.
1.2 Information collected automatically
- Device identifier — Moonlit uses Apple's App Group and iCloud Container identifiers to keep your data in sync between the iPhone app, the Apple Watch app, and the home-screen widget. These identifiers are scoped to your Apple ID.
- Anonymous diagnostics — if you opt in to "Help improve Moonlit," we receive aggregated, anonymized counts (e.g., "axis-detection failed 3 times"). No selfies or personal identifiers are included.
1.3 What we do not collect
- We do not collect your location.
- We do not access your contacts, microphone, or your camera roll beyond the photo you capture inside the app.
- We do not ship advertising SDKs (no Mixpanel, Segment, Amplitude, Facebook SDK, AppsFlyer, Branch, or similar) and do not perform cross-app or cross-site tracking.
- We do not read your HealthKit data unless you explicitly grant permission, and even then only the categories listed in Section 6.
- We do not use your selfies or routine data to train any AI model.
2. How we use your information
| Purpose | Data used |
|---|---|
| Run the app on your device | Profile, routine entries, on-device scores |
| Score 6 axes from a single selfie | The selfie you just captured (on-device for OpenCV-based axes; encrypted, ephemeral request for ML-based axes — see Section 5) |
| Compute change vs yesterday and 30-day trend | Your past on-device score history |
| Suggest one nightly action and one product | Your axis weakness and routine entries — fully on-device |
| Verify your subscription tier | Apple receipt, anonymous Apple ID-scoped subscriber identifier |
| Sync your data to your private iCloud | Encrypted SwiftData store and selfies in your personal iCloud Private Database |
| Reply to your support requests | Email and any details you choose to send |
We do not sell or rent your data. We do not use your photos or scores for advertising. We do not use your data to train AI models.
3. Where your data lives
- Selfies — encrypted on your device (iOS Data Protection) and, if you enable iCloud, stored in your personal iCloud Private Database. Apple cannot read these. Moonlit cannot read these.
- Scores, routine, and profile — stored locally in SwiftData on your device, mirrored to your iCloud Private Database when you enable iCloud sync.
- Subscription state — Apple's StoreKit infrastructure keeps subscription receipts under your Apple ID. We receive only the entitlement state.
- Notification schedule — local UNUserNotificationCenter requests, scheduled by the app on your device. They do not require any server.
4. Third parties
We deliberately use a small, audited set of third-party services. None of them are advertising or analytics networks.
| Service | Purpose | Data received |
|---|---|---|
| Apple iCloud | Optional sync of your data between your devices, scoped to your Apple ID | Encrypted SwiftData blobs and selfies — accessible only to you, under your Apple ID |
| Apple StoreKit / App Store (Apple Inc.) | All payments, free trial, and subscription state | Apple-issued transaction receipt; entitlement status |
| Apple HealthKit (optional, Section 6) | Reads menstrual-cycle anchors on your device, with your explicit permission | Stays on your device — never transmitted to Moonlit |
| Apple Vision (on-device, system framework) | Face cropping, ingredient-label OCR | Runs on your device — nothing leaves it |
| Hugging Face Inference Endpoints / OpenAI API (server-side ML, anonymized) | Score certain axes (acne, redness, oiliness, hydration, texture, pigmentation) when a model call is required for the current scan | An anonymized, ephemeral image request; no account identifier, name, email, location, or other photo. Providers are contractually bound not to retain or train on this data. |
We share only the minimum each service needs to do its job. Where required, we have signed Data Processing Agreements. We do not sell or rent data to third parties for any purpose.
5. Skin analysis & AI
Moonlit's nightly scoring uses a hybrid pipeline:
- On-device steps — Apple Vision face detection / cropping, OpenCV-based color and texture metrics, and on-device feature extraction. These never leave your phone.
- Server-assisted steps (when required) — for ML-based axes (e.g., refined acne or pigmentation scoring), an anonymized, encrypted image request is sent to a model endpoint. The request contains no account identifier and is not retained.
Important AI-related notes:
- The score is a self-comparison number (0 – 100, only against your own past). It is not a medical, dermatological, or clinical grading. It is not equivalent to any clinician's grading scale (Hayashi, GAGS, IGA, etc.).
- Moonlit is not a diagnostic, screening, or treatment device. It does not detect skin cancer, diagnose disease, or replace a dermatologist visit.
- Your selfies are never used for face recognition, identity verification, biometric matching, ARKit Face ID, or any biometric template.
- We do not retain server-side images, do not derive identifiers from them, and do not use them to train any AI model.
6. Apple HealthKit (optional)
Moonlit can optionally read the following HealthKit categories only after you grant explicit permission:
- Menstrual flow — to estimate your current cycle phase and adjust on-screen hints (luteal-phase acne risk, follicular-phase tolerance). Used on-device only.
- Cycle length — derived from menstrual entries, used for the same on-device adjustments.
HealthKit data does not leave your device. We do not transmit it to our servers, do not log it, and do not share it with any third party. You can revoke HealthKit permission at any time in iOS Settings → Health → Data Access & Devices → Moonlit.
7. Children & age
Moonlit is intended for adults. You must be at least 13 years old (16 in the European Economic Area) to use Moonlit. The app discusses adult skin concerns (hormonal acne, cycle phases, post-acne pigmentation) and is not designed for younger users. We do not knowingly collect data from children under the applicable age. If you believe a minor has used Moonlit, contact us and we will delete the associated data.
8. Your rights
Depending on where you live, you may have the right to:
- Access the data Moonlit holds about you. Because almost everything is on your device, the in-app Settings → My Data screen shows you exactly what exists.
- Delete all your Moonlit data. Settings → Delete all data is the single tap that wipes selfies, scores, routine entries, and the on-device store. iCloud copies are deleted via Apple's standard propagation.
- Port your data. The export feature gives you a JSON archive of your scores and routine entries.
- Withdraw consent for HealthKit, anonymous diagnostics, and any future optional integrations from in-app Settings at any time.
- Lodge a complaint with your local data-protection authority (in the EU/EEA, your DPA; in California, the AG; in Korea, the Personal Information Protection Commission).
9. Retention & deletion
- Selfies, scores, and routine entries persist on your device until you delete them. There is no automatic server-side retention period because we do not store these on a server.
- An optional auto-delete after 30 days setting will clear selfies older than 30 days (scores remain so trends still work).
- Apple StoreKit retains your subscription receipt under your Apple ID per Apple's policy.
- Anonymized server diagnostic logs (if you opt in) are retained for at most 30 days.
- Support emails are retained for 2 years for follow-up and dispute resolution.
10. Security
- iOS Data Protection encrypts your local files at rest.
- Network requests use TLS 1.3.
- iCloud transport and at-rest encryption is provided by Apple.
- We minimize the surface — no ad SDKs, no tracking SDKs, no analytics SDKs, no third-party crash-reporting SDKs.
- Server-side ML calls send anonymized, ephemeral image bytes and are not stored.
No system is perfectly secure. If you discover a vulnerability, please email support@vibeland.app and we will respond promptly.
11. International transfers
Apple's iCloud and StoreKit infrastructure may store your data in regions outside your country of residence, in accordance with Apple's policies. When we make ML inference calls, the request is processed by the model provider's regional endpoint (typically the US or EU). All such transfers rely on standard contractual clauses or equivalent safeguards.
12. Changes to this policy
We may update this policy from time to time. Material changes will be announced inside the app and dated at the top of this page. Continued use of Moonlit after a revision constitutes acceptance of the updated policy.
13. Contact
For privacy questions or data requests, contact support@vibeland.app.
Operator — Codeful (Republic of Korea)
App — Moonlit
Site — moonlit.vibeland.app