Trust and Security

Your data is yours.

We built Aamey privacy-first from the ground up. Here is exactly how we protect your biometric data, payments, and personal information.

🧬 Biometric data (BIPA-compliant)

  • ✓ Face geometry is processed on-device where possible.
  • ✓ Zero Data Retention (ZDR): biometric features are used to render results and are not stored by default.
  • ✓ Explicit consent is required before any biometric data is stored.
  • ✓ 24-hour deletion SLA on request: the data is wiped from all systems.
  • ✓ Consent can be revoked at any time in Settings.
💳 Payment security (PCI DSS SAQ-A)

  • ✓ All payment card data is handled exclusively by Stripe.
  • ✓ Aamey falls under PCI DSS SAQ-A: card data never reaches our servers, so we never see or store raw card numbers.
  • ✓ Stripe is a PCI DSS Level 1 certified service provider.
  • ✓ Refunds and disputes are handled through Stripe's dashboard.
🛡️ Privacy (PIPEDA + Quebec Law 25)

  • ✓ Personal data is processed under Canadian federal privacy law (PIPEDA).
  • ✓ Quebec Law 25 compliant: privacy impact assessments completed.
  • ✓ Data residency: personal data is stored in Canada by default.
  • ✓ No data is sold or licensed to third parties.
  • ✓ Right to access, correct, and erase your data at any time.
🔐 Infrastructure security

  • ✓ All data is encrypted in transit (TLS 1.3) and at rest (AES-256).
  • ✓ Private, self-hosted infrastructure rather than shared cloud tenancy.
  • ✓ Automated vulnerability scanning and dependency audits.
  • ✓ Access controls: role-based, least-privilege, and audit-logged.

Sub-processors

Aamey uses the following sub-processors to deliver the service. Every third-party sub-processor is bound by a data processing agreement (DPA). MinIO, Redis and PostgreSQL are listed for transparency: they are open-source components that Aamey runs on its own infrastructure in Canada, not third-party services, so no external operator receives the data they hold.

Sub-processor   Purpose                                           Location
Anthropic       AI language model (beauty chat, recommendations)  USA
Stripe          Payment processing and merchant of record         USA
MinIO           Object storage (images, media, exports)           Canada (self-hosted)
Redis           Session caching and real-time features            Canada (self-hosted)
PostgreSQL      Primary application database                      Canada (self-hosted)
Resend          Transactional email delivery                      USA

Certifications and compliance status

PCI DSS SAQ-A is a self-assessment questionnaire, and BIPA, PIPEDA and Quebec Law 25 are statutes rather than certification schemes; the status column records Aamey's compliance position for each. SOC 2 Type II and ISO 27001 are third-party audited standards and are listed as pending until the audits complete.

Standard         Status    Notes
PCI DSS SAQ-A    Active    Payment card data is handled by Stripe only.
BIPA             Active    Illinois Biometric Information Privacy Act.
PIPEDA           Active    Canadian federal privacy law.
Quebec Law 25    Active    Quebec provincial privacy law.
SOC 2 Type II    Pending   Audit in progress; estimated 2026.
ISO 27001        Pending   Information security management standard.

Security questions?

Contact our privacy and security team at [email protected]

Looking to report a vulnerability? View our responsible disclosure policy

Joorus Inc. · 250 Consumers Road, Suite 719, Toronto, ON M2J 4V6 · GST 712534965RT0001