Legal
Privacy Policy
Last updated: April 2026
Dewcode is a community-driven skincare ranking platform built for India. This policy explains what personal information we collect, how we use it, and what control you have over it. We try to keep this readable — not buried in legalese.
1. What We Collect and Why
We only collect information that is necessary to run the platform.
| What we collect | Why |
|---|---|
| Email address | Account creation, login, and email verification. We do not send marketing emails unless you explicitly opt in. |
| Display name | Shown on your public reviews and profile. |
| Password | Never stored in plaintext. Handled entirely by Supabase Auth using bcrypt hashing. |
| Skin type, age range, skin concerns, budget range | Collected during onboarding to personalise rankings and filter recommendations for you. Never shared with brands. |
| City | Used to show you local Air Quality Index (AQI) data relevant to your skincare routine, and to calibrate climate-zone filters. |
| Product reviews and scores | Core of the ranking system. Your reviews are public — attached to your display name, not your email. |
| Wishlist and routine | Stored to persist your saved products and AM/PM skincare routine across sessions. |
| Helpful votes and review reports | Used to weight reviewer credibility in the ranking formula and to moderate low-quality content. |
| Affiliate link clicks | When you click a buy link, we log the product, retailer, and destination URL to measure which affiliate partners are useful. No personal identifiers are attached to this log. |
2. Cookies
We use one first-party cookie:
glowrank_auth — httpOnly, Lax, Secure (production)
Duration: 7 days | Purpose: marks your browser as authenticated so server-side route protection works
We do not use advertising cookies, third-party tracking pixels, or analytics cookies (e.g. Google Analytics). The only session tracking is the auth presence cookie above.
3. Third-Party Services
We rely on a small number of external services to run the platform:
Supabase
Handles authentication (email/password, email verification). Your credentials are stored in Supabase's managed infrastructure. Supabase is GDPR-compliant and SOC 2 Type II certified. See supabase.com/privacy.
WAQI (World Air Quality Index)
When you view AQI data, your city name is sent to the WAQI API to fetch current air quality readings. No other personal data is transmitted. See waqi.info/privacy.
Affiliate retailers (Nykaa, Amazon, etc.)
Buy links on product pages are affiliate links. Clicking one takes you to the retailer's site. What that retailer tracks is governed by their own privacy policy — we have no control over it. We only log the click event on our end (product, retailer, URL) without attaching your identity.
4. How We Use Your Data
- To operate your account and authenticate your sessions
- To personalise rankings by your skin type, climate zone, and budget
- To show relevant AQI data for your city
- To compute and publish community rankings — your scores feed the formula
- To detect and remove spam reviews via automated signals
- To measure affiliate partner performance (aggregated, not per-user)
We do not sell your data to brands, share your skin profile with advertisers, or use your information for anything outside of running this platform.
5. What Is Public vs. Private
| Public (visible to anyone) | Private (only you) |
|---|---|
| Display name Review text and scores Review helpful votes received | Email address Skin type, concerns, budget City Wishlist Routine |
6. Data Retention
Your account data is retained for as long as your account is active. If you delete your account, your personal data (email, skin profile, city) is removed. Your published reviews may be retained in anonymised or aggregated form to preserve the integrity of historical rankings — they will no longer be attributed to your name.
Affiliate click logs are retained for up to 12 months for reporting purposes, and contain no personal identifiers.
7. Your Rights
You can, at any time:
- Access or update your skin profile, display name, and city from your Settings page
- Delete your reviews from the My Reviews page
- Export or delete your account by emailing us at the address below — we will action it within 30 days
If you are located in a jurisdiction with specific data protection rights (including the EU/EEA under GDPR, or India under the DPDP Act 2023), those rights apply in addition to the above.
8. Security
Passwords are never stored in plaintext — authentication is managed by Supabase using industry-standard bcrypt hashing. Session cookies are httpOnly and Secure, preventing client-side JavaScript from reading them. All traffic between your browser, our frontend, and our API is encrypted over HTTPS.
No system is perfectly secure. If you discover a vulnerability, please email us responsibly before disclosing it publicly.
9. Changes to This Policy
If we make material changes, we will update the "Last updated" date at the top of this page. Continued use of Dewcode after changes are posted means you accept the updated policy. For significant changes we will make a reasonable effort to notify registered users via email.
10. Contact
Questions, data requests, or concerns — reach us at mvspavan001@gmail.com. We aim to respond within 5 business days.