Privacy Policy
Contour (the “App”) and www.contourplan.com (the “Site”) are operated by Vivid Walks Ltd, trading as Contour (“we”, “us”, “our”).
This policy explains what personal data we collect when you use our app and website, how we use it, who we share it with, and the rights you have over it. We are committed to handling your data lawfully and transparently under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Who we are
Vivid Walks Ltd is the data controller responsible for your personal data.
- Company: Vivid Walks Ltd (trading as Contour)
- Company number: 15500028
- Contact for privacy matters: lasheen@vividwalks.com
If you have any questions about this policy or how we use your data, please contact us at the email above.
2. What this policy covers
This policy applies to:
- The Contour mobile app (face yoga and gua sha sessions, progress tracking, personalised plans)
- Our website and onboarding funnel, including the quiz
- Interactions that begin on social media (for example when you comment a keyword on TikTok or Instagram and we reply by direct message)
It does not cover third-party services we link to or the social platforms themselves (TikTok, Instagram, Apple), which have their own privacy policies.
3. The personal data we collect
3.1 Information you give us
- Account details: your name and (optionally) your email address. We create your account automatically when you start using the app — there is no password to set, and you can use the app without giving us an email.
- Onboarding quiz responses: your selected face areas, goals, training duration preferences, skin type and skin concerns, and your emotional or motivation check-in answers.
- Promo or creator codes you enter (for example CONT01), which tell us which creator or campaign referred you.
- Communications: messages you send us by email, or through messaging tools such as ManyChat when you start a conversation from a social post.
3.2 Face scan / camera
Our onboarding includes an optional face scan step that uses your device camera to help you position your face. Any image captured is handled only on your device — it is never uploaded to or stored on our servers, and we do not extract, measure or analyse facial geometry or any other biometric data from it. Because no facial image or facial geometry ever leaves your device, we do not hold biometric data about you.
Camera access is controlled by your device permissions. You can skip this step entirely, and you can revoke camera access at any time in your device settings.
3.3 Subscription and payment data
We sell subscriptions (free-trial-led monthly, three-month and six-month plans). Payments are handled by our payment partners, not by us directly:
- In-app purchases (iOS): processed by Apple through the App Store and managed through RevenueCat. Apple handles your card details; we receive subscription status, transaction identifiers and entitlement information, not your full card number.
- In-app purchases (Android): processed by Google through the Google Play Store and managed through RevenueCat. Google handles your card details; we receive subscription status, transaction identifiers and entitlement information, not your full card number.
We keep records of your subscription status, plan, renewal dates and the promo code applied, partly to meet our legal accounting and tax obligations.
3.4 Usage and device data
When you use the app or site we automatically collect:
- Device type, operating system and app version
- In-app activity such as sessions started and completed, streaks and feature use
- App diagnostics and crash data
- General location inferred from your IP address (country or region, not precise location)
3.5 Tracking, attribution and advertising data
- App Tracking Transparency (ATT): on iOS we ask your permission before tracking you across other companies' apps and websites. If you decline, we do not carry out that cross-app tracking.
- Attribution and analytics tools (for example AppsFlyer, where enabled) help us understand which campaigns and creators drive installs and subscriptions, and how features perform. These may use device or advertising identifiers, subject to your ATT choice.
4. How we use your data and our legal bases
Under UK GDPR we must have a lawful basis for each use of your data. The main ones are:
| What we do | Why | Lawful basis |
|---|---|---|
| Create and run your account, deliver sessions and plans | To provide the service you signed up for | Performance of a contract |
| Personalise your plan from your quiz answers | To give you a relevant programme | Contract, and explicit consent for any health-related answers |
| Process payments and manage subscriptions | To take payment and give you access | Contract; legal obligation for financial records |
| Analyse usage and improve the product | To run and improve our service | Legitimate interests |
| Attribute installs and subscriptions to campaigns and creators | To run our business and pay creators fairly | Legitimate interests, and consent where tracking identifiers are used |
| Send you marketing | To tell you about features and offers | Consent |
| Prevent fraud and keep the service secure | To protect you and us | Legitimate interests; legal obligation |
Where we rely on legitimate interests, we have weighed our interests against your rights and you can object at any time (see section 9).
5. Special category data (health, wellbeing and biometric)
Some information you give us may be special category data under UK GDPR — for example your skin concerns and any wellbeing or emotional check-in answers. (We do not process facial biometric data — see section 3.2.)
We only process this kind of data where you have given us your explicit consent, which you provide during onboarding and can withdraw at any time by contacting us. Withdrawing consent does not affect processing we carried out before you withdrew it, and may mean we can no longer provide a personalised plan.
6. Who we share your data with
We do not sell your personal data. We share it only with service providers who help us run Contour, and only as far as needed. These include:
- Supabase — secure database, authentication and media storage (hosted in the EU)
- Apple, Google and RevenueCat — in-app purchases and subscription management
- ManyChat — messaging when you start a conversation from a social post
- AppsFlyer and analytics providers — attribution and product analytics (where enabled)
- Professional advisers (accountants, lawyers) and authorities where we are legally required to disclose
Each provider is bound by contract to protect your data and use it only on our instructions, except where they act as a controller in their own right (such as Apple and Google for payment processing).
7. International transfers
Our primary database (Supabase) is hosted in the EU (West). Some providers, such as RevenueCat, ManyChat and AppsFlyer, may process data in the United States or elsewhere outside the UK.
Where data leaves the UK, we rely on appropriate safeguards such as the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or transfers to countries with UK adequacy status. You can ask us for more detail on the safeguards in place.
8. How long we keep your data
We keep your personal data only as long as we need it:
- Account and profile data: while your account is active, and for a short period after you close it.
- Subscription and payment records: for at least 6 years to meet UK tax and accounting requirements.
- Face scan images: not retained by us — any camera image is processed on your device and is never stored on our servers.
- Analytics and tracking data: typically 12 months, then deleted or anonymised.
When we no longer need your data we delete it securely or anonymise it so it can no longer identify you.
9. Your rights
Under UK GDPR you have the right to:
- Access the personal data we hold about you
- Correct data that is wrong or incomplete
- Erase your data (“right to be forgotten”)
- Restrict how we use your data
- Object to processing based on legitimate interests, and to direct marketing
- Portability — receive certain data in a portable format
- Withdraw consent at any time, where we rely on consent
To exercise any of these, contact us at lasheen@vividwalks.com. We will respond within one month. There is normally no charge.
If you are unhappy with how we handle your data you can complain to the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Helpline: 0303 123 1113
We would appreciate the chance to resolve your concern first.
10. Marketing
We will only send you marketing emails or messages where you have agreed, or where permitted by law for products similar to ones you already use. You can opt out at any time using the unsubscribe link in any message or by contacting us. Opting out of marketing does not stop essential service messages such as receipts and account notices.
11. Children
Contour is intended for adults and is not directed at children. We do not knowingly collect data from anyone under 18. If you believe a child has provided us with personal data, please contact us and we will delete it.
12. How we keep your data secure
We use technical and organisational measures to protect your data, including encryption in transit, access controls, and row-level security on our database. No system is completely secure, but we take reasonable steps to protect your information and to notify you and the ICO of any serious breach where required.
13. Changes to this policy
We may update this policy from time to time. We will post the updated version here with a new “Last updated” date, and where changes are significant we will tell you in the app or by email.
14. Contact us
Vivid Walks Ltd (trading as Contour)
Email: lasheen@vividwalks.com