Data Safety — GlowAI

This page provides a clear summary of the data GlowAI collects, shares, and how it is protected. It mirrors the information declared in our Google Play Data Safety section and Apple App Privacy labels.

Data Collected

Personal Information

Required

Name — Account identification and display

Required

Email address — Authentication and account recovery

Required

Age — Skin health age calculation and age-appropriate content

Required

Gender — Personalized skincare recommendations

Required

Skin type — Tailored analysis and routine recommendations

Optional

Weight — Water intake recommendations (Pro+)

Photos & Media

Required

Facial selfies — AI skin analysis and identity verification

Optional

Profile photo — Account personalization

Optional

Mole photos — Mole monitoring and ABCDE assessment (Pro+)

Optional

Product photos — Ingredient scanning via OCR

Health & Fitness Data

Required

Skin analysis scores — 12-metric skin health assessment

Optional

Mole check results — ABCDE scores and alert levels (Pro+)

Optional

Water intake logs — Hydration tracking and skin correlation

Optional

Skin health goals — Goal management and progress tracking (Pro+)

Optional

Fitzpatrick classification — Skin tone assessment for personalized risk analysis (Pro+)

Financial Information

Optional

Subscription status — Feature access and tier management

Optional

Purchase receipts — Processed by App Store / Google Play via RevenueCat — GlowAI does not store payment card details

Device & App Data

Optional

Push notification token — Delivering push notifications

Optional

Device platform (iOS/Android) — Platform-specific notification delivery

Optional

Device name — Token management and deduplication

Consent & Audit Records

Required

Consent decisions — GDPR compliance and audit trail

Required

IP address (at consent time) — Consent verification and fraud prevention

Required

User agent (at consent time) — Consent audit trail

Data Shared with Third Parties

GlowAI shares data with the following processors strictly for providing services. We do not sell your data.

Google Gemini AI

Data: Facial photos (EXIF stripped, no name/email attached)

Purpose: Skin analysis scoring, mole ABCDE assessment

Retention: Not stored by Google — processed and discarded

Replicate AI

Data: Facial photos (EXIF stripped)

Purpose: Aging simulation generation

Retention: Processed and discarded — results stored by GlowAI for 30 days

RevenueCat

Data: User ID, subscription events, product IDs

Purpose: Subscription lifecycle management across App Store and Google Play

Retention: Per RevenueCat retention policy

Supabase

Data: All user data (encrypted at rest)

Purpose: Database hosting, authentication, file storage

Retention: Until account deletion + grace period

Expo

Data: Push notification tokens, device platform

Purpose: Push notification delivery

Retention: Until token deactivated

Vercel

Data: Request metadata, server logs

Purpose: Application hosting and delivery

Retention: Per Vercel retention policy

Security Practices

✓

Data encrypted in transit

All data transmitted between your device and our servers uses HTTPS/TLS encryption.

✓

Data encrypted at rest

All data stored in our database and file storage is encrypted at rest.

✓

EXIF metadata stripped

Location and device metadata is automatically removed from all uploaded photos before processing.

✓

No PII in AI requests

Your name, email, and account details are never sent to AI processors — only the photo itself.

✓

Row-Level Security

Database policies enforce that each user can only access their own data.

✓

Secure authentication

Passwords are hashed using bcrypt. Sessions use short-lived JWTs with automatic refresh.

Data Deletion

You can request deletion of your account and all associated data at any time:

In-app: Go to Privacy & Data settings and tap "Request Account Deletion"
On web: Visit your Privacy Dashboard and use the "Delete My Account" feature
By email: Send a request to privacy@glowai.app

Deletion requests include a 30-day grace period during which you can cancel the request. After the grace period, all data is permanently and irreversibly deleted, except where retention is required by law (e.g., payment records for tax purposes).