Privacy policy
Last updated: April 7, 2026
This policy explains how Scentrals (“we”, “us”, “our”) collects, uses, and shares personal information when someone uses the Scentrals mobile application, the scentrals.com website, and any related services (together, the “Services”).
1. Who we are
Scentrals is operated from Norway. For privacy inquiries, write to hello@scentrals.com.
2. Information we collect
2.1 Information the user provides
- Account information: email address, display name, username, and optional profile details (such as bio and privacy preferences) provided during sign-up or while editing a profile.
- User-generated content: reviews, ratings, photos (including review images and submission images), scent submissions, brand submissions, shelf items, wishlists, wear-tracking entries, and comments or likes posted inside the app.
- Contact form submissions: name, email address, and message sent through the contact form on scentrals.com.
2.2 Information collected automatically
- Authentication data: session tokens and related identifiers needed to keep the user signed in. Sign-in may use email/password or Google OAuth; the authentication provider may supply a name and email address.
- AI-feature usage: when the user interacts with AI-powered features (such as scent research, scent recommendation chat, optional scent profile insights derived from aggregate collection statistics, or content suggestions), we log basic usage events (timestamp, feature used) to manage fair-use limits. The text of scent recommendation chat conversations is stored on our servers so history can load across devices and sessions; those chat rows and the usage logs are deleted when the account is deleted.
- Technical data: app version, operating system, and platform type (iOS, Android, or web). We do not currently use third-party analytics or crash-reporting SDKs; if that changes, this section will be updated.
- In-app subscriptions (iOS): when the user buys or manages a subscription in the iOS app, Apple processes payment and related account data under Apple’s privacy policy. We use RevenueCat, Inc. (United States) to validate purchases and keep subscription access in sync with our backend; RevenueCat receives pseudonymous identifiers (including the same internal user id we use in our database), purchase and renewal events, and technical data needed to confirm entitlements.
2.3 Information stored on the device
Certain preferences (such as language and theme) are stored locally on the device using encrypted storage. An authentication session is also kept on the device so the user does not have to sign in every time. A local cache of recently viewed data is maintained to improve performance. None of this leaves the device unless needed for authentication.
3. How we use information
We use personal information to:
- Provide, maintain, and improve the Services (accounts, content, search, recommendations).
- Authenticate users and keep accounts secure.
- Display user-generated content to other users according to privacy settings chosen by the author.
- Power AI-assisted features such as scent research, scent recommendation chat, optional personalized scent profile text (from aggregated stats, not raw messages), content translation, and image generation.
- Provide optional paid subscription features in the iOS app, including confirming eligibility after an App Store purchase.
- Respond to contact form messages and support requests.
- Detect and prevent abuse, fraud, and security incidents.
- Comply with applicable laws and legal obligations.
4. How we share information
We do not sell personal information. We share data only with the following categories of recipients, and only to the extent necessary:
| Recipient | Purpose |
|---|---|
| Supabase, Inc. (United States) | Cloud database, authentication, file storage, and serverless functions that power the backend of the Services. |
| OpenAI, Inc. (United States) | Processes prompts sent by our server-side functions to provide AI-powered scent research, content translation, and image generation. User account data is not sent to OpenAI; only the content of the specific request is transmitted. |
| Google (United States) | Provides Google OAuth sign-in and Google Fonts on the website. When a user chooses to sign in with Google, Google shares the user’s name and email address with us. |
| Netlify, Inc. (United States) | Hosts the scentrals.com marketing website and processes contact form submissions. |
| Apple Inc. (United States) | Processes in-app subscription payments and related transaction data when the user purchases through the App Store on iOS. |
| RevenueCat, Inc. (United States) | Subscription management and purchase validation for the iOS app; receives internal user identifiers and purchase lifecycle events as described in section 2.2. |
We may also disclose information if required by law, regulation, legal process, or governmental request, or to protect the rights, safety, or property of Scentrals, our users, or the public.
5. Third-party links and affiliate offers
The Services may display links to third-party retailers or commercial offers related to scents. When a user follows such a link, the third party’s own privacy policy applies. We may earn a commission from qualifying purchases through affiliate links; this does not change the price for the user and does not require sharing additional personal data with the retailer beyond what the user provides directly.
6. Data retention
We keep personal information only as long as it is needed for the purposes described in this policy or as required by law:
- Account and profile data: retained until the user deletes their account.
- User-generated content: retained until the user removes it or deletes their account, unless a copy is required for legal or safety reasons.
- AI usage logs: deleted when the account is deleted.
- Contact form messages: kept for as long as necessary to handle the inquiry, then deleted.
7. Account deletion
Users can delete their account from the account settings screen in the app. Deletion removes the profile, associated content, and AI usage records. Some residual data (such as anonymized aggregated statistics) may remain where it is no longer linked to an identifiable person.
8. Security
We use reasonable technical and organizational measures to protect personal information, including encrypted storage for sensitive on-device data, secure HTTPS connections, and row-level security policies on the database. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
9. International data transfers
The Services are operated from Norway, but our infrastructure providers (Supabase, OpenAI, Google, Netlify) process data in the United States. When personal data is transferred outside the European Economic Area (EEA), we rely on recognized safeguards such as the EU–U.S. Data Privacy Framework or Standard Contractual Clauses as adopted by the European Commission.
10. Rights under GDPR and other laws
Users in the EEA, United Kingdom, and other jurisdictions with applicable data protection laws have the right to:
- Access the personal data we hold about them.
- Rectify inaccurate or incomplete data.
- Erase personal data (“right to be forgotten”).
- Restrict processing in certain circumstances.
- Receive their personal data in a structured, machine-readable format (data portability).
- Object to processing based on legitimate interests.
- Withdraw consent at any time, where processing is based on consent.
To exercise any of these rights, contact hello@scentrals.com. We will respond within 30 days. We may need to verify identity before processing a request.
Users also have the right to lodge a complaint with their local data protection authority. In Norway, this is Datatilsynet (datatilsynet.no).
11. Legal basis for processing (EEA users)
We process personal data on the following legal bases:
- Performance of a contract: providing account features, content hosting, and other core functionality that the user signed up for.
- Legitimate interests: improving the Services, preventing fraud, and ensuring security, where those interests are not overridden by the user’s rights.
- Consent: where the user has given specific consent (for example, optional AI-powered features). Consent can be withdrawn at any time.
- Legal obligation: where we are required by law to retain or disclose data.
12. Children
The Services are not directed at children under 13 (or the higher minimum age required by local law, such as 16 in some EEA countries). We do not knowingly collect personal information from children. If we learn that we have collected data from a child without appropriate consent, we will delete it promptly.
13. Cookies and similar technologies
The scentrals.com website does not use tracking cookies or third-party analytics scripts. A language preference may be stored in the browser’s local storage to remember the chosen language between visits. The contact form is processed by Netlify, which may set a minimal technical cookie; see Netlify’s privacy policy for details.
14. Changes to this policy
We may update this policy from time to time. When we do, we will update the “last updated” date at the top and, where appropriate, notify users inside the app. Continued use of the Services after changes constitutes acceptance of the updated policy, unless applicable law requires explicit consent.
15. Contact
Questions or concerns about this privacy policy or our data practices:
hello@scentrals.com