Privacy Policy

The data controller responsible for your personal data is:

• Provide AI-powered skin analysis and personalized skincare recommendations
• Generate aging simulations based on your facial photos
• Scan and analyze skincare product ingredients
• Track your skin health progress over time
• Monitor moles and skin features (Pro+ subscribers)
• Process payments and manage your subscription
• Send skincare tips and product updates (with your consent)
• Improve our AI models and service quality (using anonymized, aggregated data only)
• Comply with legal obligations and respond to lawful requests

We share your data with the following third-party processors, strictly for the purposes described:

Our third-party processors — Google, Replicate, RevenueCat, Supabase, Expo, and Vercel — are based in the United States. When your data is transferred outside the European Economic Area (EEA), these transfers are protected by:

• The EU-US Data Privacy Framework (for certified processors)
• Standard Contractual Clauses (SCCs) approved by the European Commission
• Additional technical and organizational safeguards including encryption in transit and at rest

As a data subject, you have the following rights under the General Data Protection Regulation:

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Online Privacy Protection Act (CalOPPA):

• Right to Know — You may request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of collection, the business purpose, and the categories of third parties with whom we share it
• Right to Delete — You may request deletion of your personal information. Use the "Delete My Account" feature in your Privacy Dashboard or contact us at privacy@glowai.app
• Right to Non-Discrimination — We will not discriminate against you for exercising any of your CCPA rights
• Right to Opt-Out of Sale — GlowAI does not sell your personal information to third parties. We share data with processors only as described in Section 4, strictly for providing our services
• Do Not Track — GlowAI honors Do Not Track (DNT) browser signals. When we detect a DNT signal, we disable optional analytics tracking

To exercise your California privacy rights, contact us at privacy@glowai.app with the subject line "CCPA Request". We will verify your identity and respond within 45 days.

When you first use GlowAI, you are asked to grant consent for specific data processing activities. You can manage these at any time:

• Grant or withdraw consent — Visit your Privacy Dashboard to toggle individual consents on or off
• Required consents — Skin Analysis consent is required for core functionality. Withdrawing it will disable skin analysis features
• Effect of withdrawal — Withdrawing consent stops future processing but does not affect the lawfulness of processing performed before withdrawal
• Audit trail — All consent decisions are logged with timestamps for regulatory compliance

We retain your data for the minimum period necessary:

• Account data — retained until you delete your account
• Progress photos — automatically deleted after 90 days
• Aging simulations — automatically deleted after 30 days
• Analysis results — retained until account deletion
• Mole check data — retained until account deletion
• Water intake data — retained until account deletion
• Goal tracking data — retained until account deletion
• Push notification tokens — retained until token is deactivated or account deletion
• Notification logs — retained for 90 days
• Payment records — retained as required by tax and financial regulations (typically 7 years)
• Consent records — retained for the duration of your account plus 3 years
• Data processing logs — retained for 3 years for regulatory compliance

When you delete your account, all data is permanently removed after a 30-day grace period, except where retention is required by law.

We implement appropriate technical and organizational measures to protect your data:

• Encryption at rest — all data stored in our database and file storage is encrypted
• Encryption in transit — all communications use HTTPS/TLS
• Row-Level Security (RLS) — database policies ensure users can only access their own data
• EXIF stripping — location and device metadata is removed from uploaded photos
• No PII in AI requests — facial photos sent to AI processors do not include your name, email, or other identifying information
• Secure authentication — passwords are hashed using bcrypt; sessions use short-lived JWTs with automatic refresh

GlowAI is not intended for use by children under the age of 13. We do not knowingly collect personal data from children under 13. Our registration process requires users to be at least 13 years old. If we become aware that we have collected data from a child under 13, we will delete that data promptly. If you believe a child under 13 has provided us with personal data, please contact us at privacy@glowai.app.

We may update this Privacy Policy from time to time. When we make material changes, we will:

• Update the version number and date at the top of this page
• Notify you via email or an in-app notification
• Request re-consent where required by law

We encourage you to review this policy periodically. Continued use of GlowAI after changes constitutes acceptance of the updated policy.

If you have questions about this Privacy Policy or wish to exercise your rights, please contact us:

• Email: privacy@glowai.app
• General inquiries: contact@glowai.app

If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.

Version 1.1.0 — Last updated: March 31, 2026