Privacy Policy
GLOW — AI Skincare Analysis
Last Updated: March 29, 2026
This Privacy Policy explains how Peyton (“we,” “us,” or “our”) collects, uses, stores, and protects your personal information when you use the GLOW mobile application and related services (collectively, the “App”). Please read this Privacy Policy carefully before using the App.
By creating an account or using the App, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, please do not use the App.
1. Information We Collect
When you use the App, we may collect the following categories of information:
1.1 Information You Provide
- Account Information: Name, email address, and authentication credentials when you create an account (via email or Apple Sign-In).
- Skin Profile Data: Your responses to onboarding questions including age range, gender, skin type, skin concerns, sensitivities, budget preference, and experience level with skincare.
- Product Scan Data: Information about products you scan, including barcode data and ingredient lists.
- AI Chat Data: Messages and questions you submit through the AI skincare chat feature.
- Support Communications: Information you provide when contacting us for customer support.
1.2 Face Data (Photos)
GLOW allows you to take selfies using your device camera for AI-powered skin analysis.
- Purpose: Face photos are used solely to analyze visible skin conditions (such as acne, texture, dark spots, redness, enlarged pores, and other cosmetic concerns) and to generate a skin health score and personalized skincare recommendations.
- Face Geometry Data: During the scanning process, the App uses on-device face mesh technology (MediaPipe) to detect 468 facial landmarks. This face geometry data is used solely to guide the scanning process (ensuring proper face positioning, lighting, and stability) and is processed entirely on your device. Face geometry landmark data is never transmitted to our servers.
- Photo Transmission: Your face photo is transmitted to our AI analysis service provider to generate your skin analysis results. The photo is processed and then deleted from our analysis servers promptly after analysis is complete.
- On-Device Storage: Your face photos and scan results are stored on your device and in your encrypted user account so you can view your history and track progress over time.
- No Biometric Identification: We do not use face photos or face geometry data to identify you or any other person. We do not create facial recognition templates, faceprints, or any biometric identifiers used for identification purposes. Our analysis is limited to visible skin conditions.
- No Sale or Sharing: We do not sell, rent, trade, or share your face photos or face geometry data with any third parties for their own purposes. We do not use your face photos for advertising or marketing purposes.
- Deletion: Your face photos and associated analysis data are deleted when you delete your account. You may also delete individual scan results at any time within the App.
1.3 Information Collected Automatically
- Device Information: Device type, operating system, app version, unique device identifiers, and general device settings.
- Usage Data: Features you interact with, frequency and duration of use, screens visited, actions taken within the App, and crash or error logs.
- IP Address: Collected automatically when you use the App. We may derive approximate location (city/state level) from your IP address for the purpose of weather-aware skincare tips. We do not collect precise geolocation data.
1.4 Subscription and Transaction Data
- Payment Information: Subscription purchases are processed through Apple's App Store (or Google Play Store). We do not directly collect or store your credit card or payment information. Transaction data such as subscription status, plan type, and expiration dates are managed through our subscription management partner, RevenueCat.
2. Biometric Data Notice
IMPORTANT — PLEASE READ CAREFULLY
Certain jurisdictions, including the State of Illinois under the Biometric Information Privacy Act (740 ILCS 14/1, et seq.) (“BIPA”), regulate the collection and use of biometric data, which may include scans of face geometry.
During the skin scanning process, the App uses on-device face mesh technology to detect facial landmarks for the sole purpose of guiding the scan (face positioning, stability, and quality validation). This facial geometry data:
- Is processed entirely on your device and is never transmitted to, collected by, or stored on our servers
- Is used only for the duration of the active scanning session
- Is automatically discarded from device memory when the scanning session ends
- Is not used to identify you or any other individual
- Is not sold, leased, traded, or otherwise disclosed to any third party
Your face photo (a standard photograph, not a geometric scan) is transmitted to our AI service provider solely for skin condition analysis. This photo is processed and deleted from our analysis servers promptly after analysis is complete.
Biometric Data Retention and Destruction Policy:
- Face geometry data (facial landmarks): Retained in device memory only during the active scanning session. Automatically destroyed upon session completion. Never stored persistently on-device or on any server. Maximum retention: duration of a single scanning session (typically under 30 seconds).
- Face photos sent for analysis: Transmitted to our AI service provider, processed, and deleted from analysis servers within 24 hours of analysis completion.
- We will permanently destroy all biometric data when the initial purpose for collecting or obtaining such data has been satisfied, or within 3 years of the individual's last interaction with the App, whichever comes first.
Publicly Available Retention Schedule (as required by applicable biometric privacy laws): This Section 2 constitutes our publicly available biometric data retention policy and guidelines. We will permanently destroy all biometric identifiers and biometric information when the initial purpose for collecting such data has been satisfied, or within 3 years of the individual's last interaction with the App, whichever comes first. Face geometry data is destroyed within seconds (upon scanning session completion). Face photos sent for AI analysis are destroyed within 24 hours. Stored scan result photos are destroyed upon account deletion or manual deletion by the user.
Consent: By using the skin scanning feature for the first time, you provide your informed, written consent to the processing described in this section, including: (a) the specific purpose for which your face photo and face geometry data will be collected (skin condition analysis and scan guidance, respectively); and (b) the length of time for which such data will be collected, stored, and used (as specified in the retention schedule above). You may withdraw your consent at any time by discontinuing use of the scanning feature, and you may request deletion of all stored face photos by deleting your account or contacting us.
If you have questions about our biometric data practices, please contact us at the email address listed in Section 13.
3. How We Use Your Information
We use the information we collect for the following purposes:
- To Provide the App's Core Features: Performing AI skin analysis, generating skin scores, building personalized skincare routines, analyzing product ingredients against your skin profile, and providing AI chat assistance.
- To Improve and Maintain the App: Monitoring App performance, diagnosing technical issues, analyzing usage patterns to improve features, and fixing bugs.
- To Manage Your Account: Creating and maintaining your account, authenticating your identity, and managing your subscription.
- To Communicate With You: Sending transactional notifications related to your account, subscription status, and App updates. If you opt in, sending push notifications with personalized skincare tips.
- To Ensure Security: Detecting and preventing fraud, abuse, and unauthorized access to the App.
- To Comply With Legal Obligations: Responding to legal requests and complying with applicable laws and regulations.
We do not use your personal information for third-party advertising or marketing purposes. We do not sell your personal information. We do not use your face photos, skin analysis data, or any personal information to train, fine-tune, or improve any artificial intelligence or machine learning models. Your data is used solely to provide you with the App's services.
4. How We Share Your Information
We do not sell, rent, or trade your personal information to third parties. We may share your information only in the following limited circumstances:
4.1 Service Providers
We use trusted third-party service providers who process data on our behalf to deliver the App's functionality. These providers are contractually obligated to use your information only as necessary to provide services to us and to protect your information. Our current service providers include:
- Convex — Backend database and serverless infrastructure
- Clerk — User authentication and account management
- RevenueCat — Subscription management and billing analytics
- Google (Gemini AI) — AI-powered skin analysis and product ingredient analysis (photos are processed and not retained)
- Anthropic (Claude AI) — AI-powered routine generation and chat assistance (no photos are shared; only text-based skin profile data)
- PostHog — Privacy-focused product analytics
- Apple / Google — App Store and Play Store for subscription billing
4.2 Legal Requirements
We may disclose your information if required to do so by law, regulation, legal process, or governmental request, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others, investigate fraud, or respond to a law enforcement request.
4.3 Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you via email or prominent notice within the App of any change in ownership or use of your personal information.
5. Data Retention
We retain your personal information only for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.
- Account Data: Retained for the duration of your active account. Deleted within 30 days of account deletion.
- Face Photos and Scan Results: Stored in your account for progress tracking purposes. Deleted upon account deletion or when you manually delete individual scans.
- AI Analysis Data: Processed in real time and deleted from analysis servers promptly after results are returned. Results are stored in your account.
- Usage Analytics: Retained in anonymized and aggregated form. Individual-level analytics data is retained for up to 12 months.
- Subscription Data: Transaction records may be retained for up to 3 years for accounting and legal compliance purposes.
6. Data Security
We implement industry-standard technical and organizational measures to protect your personal information from unauthorized access, alteration, disclosure, or destruction. These measures include encryption of data in transit (TLS/SSL) and at rest, secure authentication protocols, and access controls limiting data access to authorized systems.
However, no method of electronic storage or transmission over the internet is 100% secure. While we strive to protect your personal information, we cannot guarantee its absolute security. In the event of a data breach affecting your personal information, we will notify affected users without unreasonable delay and in accordance with applicable state and federal laws, including providing notification within 72 hours where required by law.
7. Your Rights and Choices
Depending on your jurisdiction, you may have the following rights regarding your personal information:
7.1 All Users
- Access and Portability: You can access your skin profile, scan history, and routine data within the App at any time.
- Correction: You can update your skin profile information and account details within the App.
- Deletion: You can delete your account and all associated data through the App's Settings screen. Account deletion is permanent and cannot be undone. Upon account deletion, we will delete or anonymize all personal information associated with your account within 30 days.
- Push Notifications: You can opt out of push notifications through your device settings at any time.
- Withdraw Consent: You may withdraw consent for face scanning by discontinuing use of the scanning feature.
7.2 California Residents (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:
- Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share it.
- Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
- Right to Correct: You may request correction of inaccurate personal information.
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
- No Sale of Personal Information: We do not sell your personal information as defined by the CCPA. We do not share your personal information for cross-context behavioral advertising.
To exercise your California privacy rights, please contact us at the email address listed in Section 13.
7.3 European Economic Area, UK, and Swiss Residents (GDPR)
If you are located in the European Economic Area, United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation:
- Legal Basis for Processing: We process your personal information based on: (a) your consent (for face scanning and optional push notifications); (b) performance of our contract with you (to provide the App's features); and (c) our legitimate interests (to improve and secure the App), where those interests are not overridden by your rights.
- Additional Rights: You have the right to access, rectification, erasure, restriction of processing, data portability, and the right to object to processing.
- Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing conducted prior to withdrawal.
- Right to Lodge a Complaint: You have the right to lodge a complaint with your local data protection supervisory authority.
To exercise your rights, please contact us at the email address listed in Section 13. We will respond to your request within 30 days.
8. Do Not Track and Global Privacy Control
Some web browsers and devices transmit “Do Not Track” (DNT) or Global Privacy Control (GPC) signals. The App does not track users across third-party websites or services, does not serve targeted advertising, and does not sell or share personal information for cross-context behavioral advertising. As such, there is no tracking activity for DNT or GPC signals to opt out of within the App. We honor GPC signals as valid opt-out-of-sale requests to the extent required by the CCPA, although we do not engage in any sale or sharing of personal information.
9. Children's Privacy
The App is not intended for use by individuals under the age of 13 (or 16 for residents of the European Union). We do not knowingly collect personal information from children under these ages. If we become aware that we have collected personal information from a child under the applicable age threshold, we will take steps to delete that information promptly. If you believe a child under the applicable age has provided us with personal information, please contact us at the email address listed in Section 13.
10. Third-Party Links and Services
The App may contain links to third-party websites, products, or services (such as product recommendations linking to retailer websites). We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any personal information. This Privacy Policy applies solely to information collected through the App.
11. International Data Transfers
Your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate. These countries may have data protection laws that differ from those in your jurisdiction. By using the App, you consent to the transfer of your information to the United States and other countries. Where required by law, we ensure appropriate safeguards are in place to protect your information during international transfers.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements, or for other operational reasons. We will notify you of any material changes by posting the updated Privacy Policy within the App and updating the “Last Updated” date at the top of this page. For significant changes, we may also provide additional notice through email or an in-app notification. Your continued use of the App after such changes constitutes your acceptance of the updated Privacy Policy.
13. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:
Email: support@getglowapp.com
We will respond to your inquiry within 30 days.
This Privacy Policy is effective as of the date listed at the top of this page.