Privacy Policy

theformulator.ai — operated by Aurentis Science LLP

Last updated: 9 May 2026Effective date: 9 May 2026

1. Who We Are

theformulator.ai is a cosmetic formulation intelligence platform operated by Aurentis Science LLP (“we”, “us”, “our”). We provide AI-assisted formulation analysis, ingredient intelligence, and regulatory guidance to cosmetic industry professionals.

Data Controller / Data Fiduciary:
Aurentis Science LLP
Email: support@theformulator.ai

For the purposes of the EU General Data Protection Regulation (“GDPR”), Aurentis Science LLP is the data controller. For the purposes of India's Digital Personal Data Protection Act, 2023 (“DPDPA”), Aurentis Science LLP is the data fiduciary.

2. What Personal Data We Collect

We collect only the personal data necessary to provide our service.

Account data (provided by you at registration):

  • Full name
  • Email address
  • Password (stored only as a bcrypt hash — we cannot read your password)
  • Company or brand name
  • Job title or professional role
  • Company website or LinkedIn URL (optional)
  • How you heard about us (optional)

Formulation data (provided by you during platform use):

  • Product briefs you submit (product type, target markets, ingredient preferences, technical constraints)
  • Formulation outputs generated from your briefs
  • Ingredient lists submitted via text, OCR, or PDF upload
  • Refinement instructions for formulation variants
  • Feedback you provide on formulation quality

Automatically collected data:

  • IP address (used for regional pricing display and security)
  • Browser type and version
  • Pages visited and features used within the platform
  • Timestamps of account activity

Data we do NOT collect:

  • Payment card numbers or bank account details (processed entirely by our payment providers)
  • Biometric data
  • Government-issued identification numbers
  • Health or genetic data

3. How and Why We Process Your Data

We process personal data for the following purposes:

To provide our service: Creating your account, generating formulation reports from your briefs, delivering reports, managing your credit balance, and enabling formulation variant refinement. Under GDPR, the legal basis is performance of a contract. Under DPDPA, the basis is consent provided at registration.

To communicate with you: Sending transactional emails including welcome messages, password resets, and formulation delivery. Under GDPR, the legal basis is performance of a contract.

To display regional pricing: Using IP-based country detection to show prices in your local currency. Under GDPR, the legal basis is legitimate interest.

To protect the platform: Preventing fraud, abuse, and unauthorized access through rate limiting and security monitoring. Under GDPR, the legal basis is legitimate interest. Under DPDPA, this constitutes a legitimate use for security purposes.

To improve the platform: Analyzing aggregated, anonymized usage patterns to improve features and formulation quality. Under GDPR, the legal basis is legitimate interest.

To process payments: Sharing your name and email with our payment providers to process subscriptions and credit purchases. Under GDPR, the legal basis is performance of a contract.

To comply with law: Retaining account and transaction records as required by applicable tax and accounting regulations. Under GDPR, the legal basis is legal obligation.

We do NOT use your data for advertising, behavioral profiling, or sale to third parties. We do not engage in targeted advertising or tracking across websites.

4. How We Use AI to Process Your Data

Our platform uses artificial intelligence to analyze your formulation briefs and generate reports. When you submit a brief or upload ingredient data, portions of that data are sent to AI model providers for processing. All AI processing of user data occurs within the United States.

DeepInfra, Inc. (United States) — processes ingredient selection and analysis tasks. Your brief data and ingredient names are sent to their US-hosted inference API.

Anthropic, PBC (United States) — processes formulation generation, OCR from product label images, and PDF data extraction. Your brief data, uploaded images, and PDF content are sent to their API.

What is sent to AI providers:

  • Product type, target markets, ingredient names and concentrations from your briefs
  • Images of product labels (if you use the OCR deformulation feature)
  • PDF content from supplier technical data sheets you upload

What is NOT sent to AI providers:

  • Your email address, password, or account credentials
  • Your company name or personal name
  • Payment information

By using the platform, you acknowledge that formulation brief data is processed by these third-party AI systems within the United States.

5. Who We Share Data With

We share personal data only with service providers who process it on our behalf to deliver the service. We do NOT sell, rent, or trade your personal data.

Infrastructure and hosting:

  • Google Cloud Platform (Google LLC, United States) — hosts our application servers and database. All platform data is encrypted at rest and in transit.
  • Vercel Inc. (United States) — hosts our frontend application. Processes IP address and standard web request data through their global CDN.
  • Cloudflare, Inc. (United States) — provides security, DDoS protection, and DNS services. Processes IP addresses and request headers.

AI processing:

  • DeepInfra, Inc. (United States) — processes ingredient selection tasks from your briefs.
  • Anthropic, PBC (United States) — processes formulation generation, OCR, and PDF extraction from your submissions.

Communications:

  • Resend, Inc. (United States) — delivers transactional emails. Receives your email address and name.

Payments:

  • Razorpay Software Private Limited (India) — processes payments for customers in India. Receives your name, email, and transaction amount.
  • Dodo Payments (as applicable) — processes payments for international customers. Receives your name, email, and transaction amount.

We may also disclose data if required by law, regulation, court order, or to protect the safety and rights of our users, our company, or the public.

6. International Data Transfers

Our servers are located in the United States (Google Cloud Platform). If you access the platform from outside the United States, your data is transferred to and processed in the United States.

For EEA/UK users: These transfers are conducted in accordance with GDPR Chapter V. Our primary service providers (Google Cloud, Anthropic, DeepInfra, Vercel, Cloudflare, Resend) maintain appropriate transfer mechanisms including Standard Contractual Clauses where required.

For Indian users: As of the date of this policy, the Government of India has not restricted data transfers to any specific country under DPDPA Section 16(1). Should any such restriction be issued, we will comply accordingly.

7. Data Retention

We retain your data only as long as necessary for the purposes described in this policy.

Account data: Retained until you request deletion of your account, plus 90 days for backup recovery.

Formulation briefs and outputs: Retained until you delete your account or delete specific formulations within the platform.

Credit and payment transaction records: Retained for 7 years from the transaction date as required by applicable tax and accounting regulations.

Server access logs: Retained for 90 days, then automatically deleted.

When data is deleted, it is removed from active databases. Backup copies are purged within 90 days of deletion from active systems.

8. Data Security

We implement appropriate technical and organizational measures to protect your personal data:

  • All data in transit is encrypted via TLS (HTTPS)
  • All data at rest is encrypted on Google Cloud Platform
  • Passwords are stored using bcrypt hashing
  • API secrets and credentials are stored in Google Cloud Secret Manager
  • Rate limiting is applied to authentication and API endpoints
  • Input sanitization is applied to all user inputs processed by AI systems
  • Tenant isolation ensures users cannot access other users' data
  • JWT-based authentication with short-lived access tokens and longer-lived refresh tokens

No system is completely secure. In the event of a personal data breach, we will notify affected users and the relevant authorities promptly as required by applicable law, including the Data Protection Board of India and/or the relevant EU supervisory authority.

9. Your Rights

If you are in the EEA or United Kingdom (GDPR)

You have the right to: access your personal data and receive a copy; rectify inaccurate or incomplete data; erase your data; restrict processing in certain circumstances; receive your data in a portable, machine-readable format; object to processing based on legitimate interest; withdraw consent at any time; and lodge a complaint with your local data protection supervisory authority.

A list of EU supervisory authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en.

If you are in India (DPDPA)

As a Data Principal, you have the right to: access information about the personal data being processed and a summary of processing activities; request correction and erasure of inaccurate or unnecessary personal data; receive grievance redressal within 30 days; nominate another individual to exercise your rights on your behalf in the event of death or incapacity; and withdraw consent at any time, with the understanding that withdrawal does not affect the lawfulness of prior processing.

If you are not satisfied with our response, you may file a complaint with the Data Protection Board of India.

How to exercise your rights

Email support@theformulator.ai with your request. We will verify your identity using the email address associated with your account and respond within 30 days.

10. Cookies

theformulator.ai uses only essential cookies required for the platform to function:

Authentication cookies keep you logged in to the platform. These are strictly necessary for the service to work and do not track you across websites.

Cloudflare may set a security cookie to distinguish human visitors from automated traffic. This is strictly necessary and does not track you across websites.

We do NOT use advertising cookies, analytics tracking cookies, social media cookies, or any third-party tracking technologies.

11. Children

theformulator.ai is a business-to-business platform designed for cosmetic industry professionals. We do not knowingly collect data from individuals under 18 years of age. If we become aware that we have collected data from a minor, we will delete it promptly and notify the relevant authority if required.

12. Changes to This Policy

We may update this privacy policy from time to time. If we make material changes, we will notify registered users by email and update the “Last updated” date at the top of this policy. We encourage you to review this policy periodically.

13. Contact

For any questions, concerns, or requests related to this privacy policy or your personal data:

Email: support@theformulator.ai
Entity: Aurentis Science LLP

This privacy policy is provided in English. Where required under DPDPA, it will be made available in scheduled languages of the Indian Constitution upon request.