
Privacy Policy

Effective May 4, 2026

VIRTÚ (“we,” “us,” or “our”) operates the website bevirtu.com and the VIRTÚ facial analysis service (the “Service”). This Privacy Policy explains what information we collect, how we use it, and the choices you have. This Service is not directed to children under 18; please do not use it if you are under 18.

1. Information we collect

We collect the following categories of information:

  • Account information. First name, last name, email address, and a password-less sign-in token. You provide this when you start an analysis.
  • Photos and questionnaire responses. Photos of your face that you upload, and answers you provide about your skin, lifestyle, and goals. This information is the basis of your analysis.
  • Payment information. Card details and billing address are submitted directly to our payment processor (Stripe). We do not store full card numbers; we only retain the last four digits, card brand, and Stripe payment identifiers.
  • Usage and device data. IP address, user-agent, referring URL, page views, ad campaign identifiers (UTM parameters, fbclid), and cookie identifiers (e.g. _fbp, _fbc). We use this for security, fraud prevention, and ad attribution.
  • Communications. Emails you send us and any support messages or replies.

2. How we use your information

We use the information we collect to:

  • Generate and deliver your personalized facial analysis report and protocol.
  • Process your payment and send order confirmations and receipts.
  • Send transactional emails such as sign-in links, report-ready notifications, and refund confirmations.
  • Improve the accuracy and quality of our analysis (in aggregate, non-identifying form).
  • Detect and prevent fraud, abuse, and security incidents.
  • Measure the performance of our advertising and optimize ad delivery (see §4).
  • Comply with legal obligations.

3. How your photos are handled

Your photos are sensitive. We treat them with the following safeguards:

  • Photos are stored in private cloud storage (Supabase) that is not publicly accessible.
  • Photos are accessed only by our backend systems, the licensed aesthetician reviewing your analysis, and you (via signed, time-limited URLs after authentication).
  • Photos are sent to a foundation-model provider (Anthropic) solely to assist the aesthetician in generating measurements, and are not used by that provider to train models.
  • You may request deletion of your photos at any time by emailing hello@bevirtu.com. We will delete them within 30 days unless retention is required by law.
  • We do not sell your photos. We do not publish them. We do not share them with advertisers.

4. Advertising and analytics

We use the Meta (Facebook) Pixel and Conversions API to measure advertising performance. When you visit our site, we send Meta pseudonymous information about your visit, including IP address, user-agent, and ad-click identifiers, plus a hashed (SHA-256) version of your email if you provide it. We use this information solely to measure and optimize our ads.

We may add additional analytics tools (e.g. PostHog) over time. Any additional providers will be added to this Policy.

5. Service providers we share data with

We share information with the following providers strictly to operate the Service:

  • Stripe — payment processing
  • Supabase — database and file storage
  • Resend — transactional email delivery
  • Anthropic — language and vision model used by our aestheticians
  • Meta (Facebook / Instagram) — advertising attribution and conversion measurement
  • Vercel — application hosting and observability

Each of these providers is bound by its own data-protection terms and processes your information only on our instructions. We do not sell your personal information.

6. Cookies

We use a small number of first- and third-party cookies for authentication, security, and ad attribution (notably _fbp and _fbc from Meta). You can disable cookies in your browser settings, though some site features may not work without them.

7. Your rights

Depending on where you live, you may have the right to access, correct, delete, or export the personal information we hold about you, and to object to or restrict certain processing. California residents have additional rights under the CCPA, including the right to know what we collect and to request deletion. EU/UK residents have rights under GDPR.

To exercise any of these rights, email hello@bevirtu.com from the address associated with your account. We will respond within 30 days.

8. Data retention

We retain your account information and analysis report for as long as your account is active. Photos are retained for 12 months after your most recent analysis unless you request earlier deletion. Payment records are retained for 7 years to comply with tax and accounting rules. We delete or anonymize information sooner where we no longer have a lawful basis to retain it.

9. Security

We use industry-standard safeguards including TLS encryption in transit, at-rest encryption on stored photos and database tables, role-based access controls, and audit logging. No system is perfectly secure; if we detect a breach affecting your data we will notify you and the relevant authorities as required by law.

10. International transfers

We are based in the United States. If you access the Service from outside the U.S., your information will be transferred to and processed in the U.S. and other countries where our service providers operate.

11. Changes to this policy

We may update this Privacy Policy from time to time. We will post the updated Policy at this URL and update the “Effective” date at the top. For material changes we will also notify you by email.

12. Contact

For privacy questions, email hello@bevirtu.com.
