Privacy Policy

GLOW — AI Skincare Analysis

Last Updated: April 24, 2026

This Privacy Policy explains how Peyton (“we,” “us,” or “our”) collects, uses, stores, and protects your personal information when you use the GLOW mobile application and related services (collectively, the “App”). Please read this Privacy Policy carefully before using the App.

By creating an account or using the App, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, please do not use the App.

1. Information We Collect

When you use the App, we may collect the following categories of information:

1.1 Information You Provide

• Account Information: Name, email address, and authentication credentials when you create an account (via email, Apple Sign-In, or Google Sign-In).
• Skin Profile Data: Your responses to onboarding questions including age range, gender, skin type, skin concerns, sensitivities, budget preference, and experience level with skincare.
• Product Scan Data: Information about products you scan, including barcode data and ingredient lists.
• AI Chat Data: Messages and questions you submit through the AI skincare chat feature.
• Skin Diary Data: If you use the skin diary feature, we collect self-reported entries including mood, water intake, sleep quality, sun exposure, and physical activity. This data is used to personalize your skincare tips and track patterns over time.
• Support Communications: Information you provide when contacting us for customer support.
• Guarantee Claim Data: If you submit a 55-Day Money Back Guarantee claim, we collect photos of product purchase receipts or proof of ownership that you upload through the App, along with a snapshot of your engagement history (routine completion records, scan dates, diary entry dates) at the time of your claim submission.

1.2 Face Data (Photos)

GLOW allows you to take selfies using your device camera for AI-powered skin analysis.

• Purpose: Face photos are used solely to analyze visible cosmetic skin conditions (such as acne, texture, dark spots, redness, enlarged pores, and other cosmetic concerns) and to generate a skin health score and personalized skincare recommendations. The App does not detect, screen for, or diagnose skin cancer, melanoma, or any other medical condition.
• Face Geometry Data: During the scanning process, the App uses on-device face mesh technology (MediaPipe) to detect 468 facial landmarks. This face geometry data is used solely to guide the scanning process (ensuring proper face positioning, lighting, and stability) and is processed entirely on your device. Face geometry landmark data is never transmitted to our servers. Face geometry data is never linked to your name, email, account, or other personal information.
• Photo Transmission: Your face photo is transmitted to our AI analysis service provider to generate your skin analysis results. The photo is processed and deleted from our systems promptly after analysis is complete. Our AI provider (Google) may retain API data for up to 55 days for safety monitoring per their retention policy (see Section 4.1).
• On-Device Storage: Your face photos and scan results are stored on your device and in your encrypted user account so you can view your history and track progress over time.
• No Biometric Identification: We do not use face photos or face geometry data to identify you or any other person. We do not create facial recognition templates, faceprints, or any biometric identifiers used for identification purposes. Our analysis is limited to visible skin conditions.
• No Sale or Sharing: We do not sell, rent, trade, or share your face photos or face geometry data with any third parties for their own purposes. We do not use your face photos for advertising or marketing purposes.
• Deletion: Your face photos and associated analysis data are deleted when you delete your account. You may also delete individual scan results at any time within the App.

1.3 Information Collected Automatically

• Device Information: Device type, operating system, app version, unique device identifiers, and general device settings.
• Usage Data: Features you interact with, frequency and duration of use, screens visited, actions taken within the App, and crash or error logs. We associate usage data with your account identity (including email and name) for analytics purposes through our analytics provider, PostHog.
• Location Data: With your permission, the App collects your device's approximate geographic coordinates (latitude and longitude) using your device's location services. This data is used solely to provide weather-aware skincare tips tailored to your local conditions. Location data is collected at low accuracy (city-level precision) and is stored in your account. You can deny or revoke location permission at any time through your device settings, and the App will continue to function without location-based tips. We do not use your location data for advertising or tracking purposes.
• Push Notification Tokens: If you enable push notifications, we collect a device-specific notification token to deliver personalized skincare tips and account notifications. This token does not contain personal information and is deleted when you disable notifications or delete your account.

1.4 Subscription and Transaction Data

• Payment Information: Subscription purchases are processed through Apple's App Store (or Google Play Store). We do not directly collect or store your credit card or payment information. Transaction data such as subscription status, plan type, and expiration dates are managed through our subscription management partner, RevenueCat.

2. Biometric Data Notice

IMPORTANT — PLEASE READ CAREFULLY

Certain jurisdictions, including the State of Illinois under the Biometric Information Privacy Act (740 ILCS 14/1, et seq.) (“BIPA”), regulate the collection and use of biometric data, which may include scans of face geometry.

During the skin scanning process, the App uses on-device face mesh technology to detect facial landmarks for the sole purpose of guiding the scan (face positioning, stability, and quality validation). This facial geometry data:

• Is processed entirely on your device and is never transmitted to, collected by, or stored on our servers
• Is used only for the duration of the active scanning session
• Is automatically discarded from device memory when the scanning session ends
• Is not used to identify you or any other individual
• Is never linked to your name, email, account, or other personal information
• Is not sold, leased, traded, or otherwise disclosed to any third party

Your face photo (a standard photograph, not a geometric scan) is transmitted to our AI service provider solely for cosmetic skin condition analysis. This photo is processed and deleted from our systems promptly after analysis is complete. Our AI provider may retain API data for up to 55 days for abuse monitoring and safety purposes (see Section 4.1).

Biometric Data Retention and Destruction Policy:

• Face geometry data (facial landmarks): Retained in device memory only during the active scanning session. Automatically destroyed upon session completion. Never stored persistently on-device or on any server. Maximum retention: duration of a single scanning session (typically under 30 seconds).
• Face photos sent for analysis: Transmitted to our AI service provider, processed, and deleted from our systems within 24 hours of analysis completion. Our AI provider (Google) may retain API data, including transmitted photos, for up to 55 days for abuse monitoring and safety purposes per their data retention policy (see Section 4.1), after which it is permanently deleted.
• We will permanently destroy all biometric data when the initial purpose for collecting or obtaining such data has been satisfied, or within 3 years of the individual's last interaction with the App, whichever comes first.

Publicly Available Retention Schedule (as required by applicable biometric privacy laws): This Section 2 constitutes our publicly available biometric data retention policy and guidelines. We will permanently destroy all biometric identifiers and biometric information when the initial purpose for collecting such data has been satisfied, or within 3 years of the individual's last interaction with the App, whichever comes first. Face geometry data is destroyed within seconds (upon scanning session completion). Face photos sent for AI analysis are destroyed within 24 hours. Stored scan result photos are destroyed upon account deletion or manual deletion by the user.

Consent: By using the skin scanning feature for the first time, you provide your informed, written consent to the processing described in this section, including: (a) the specific purpose for which your face photo and face geometry data will be collected (cosmetic skin condition analysis and scan guidance, respectively); and (b) the length of time for which such data will be collected, stored, and used (as specified in the retention schedule above). If we materially change the disclosures in this section (for example, by changing our AI analysis service provider), we will present the updated disclosure and request your consent again before any further scanning. Consent is also re-requested when you use the App on a new device or after reinstallation. You may withdraw your consent at any time by discontinuing use of the scanning feature, and you may request deletion of all stored face photos by deleting your account or contacting us.

Compliance With Other Biometric Privacy Laws: In addition to Illinois BIPA, we comply with all applicable state and federal biometric privacy laws, including the Texas Capture or Use of Biometric Identifier Act (Tex. Bus. & Com. Code § 503.001), the Washington Biometric Identifier statute (RCW 19.375), and any similar laws enacted after the date of this Privacy Policy. Our biometric data practices described in this section are designed to meet or exceed the requirements of all such laws.

If you have questions about our biometric data practices, please contact us at the email address listed in Section 13.

3. How We Use Your Information

We use the information we collect for the following purposes:

• To Provide the App's Core Features: Performing AI skin analysis of cosmetic skin conditions, generating skin scores, building personalized skincare routines, analyzing product ingredients against your skin profile, and providing AI chat assistance. The App analyzes only cosmetic skin concerns such as acne, texture, pores, dark spots, and pigmentation. The App does not detect, screen for, or diagnose skin cancer, melanoma, precancerous conditions, or any other disease or medical condition.
• To Improve and Maintain the App: Monitoring App performance, diagnosing technical issues, analyzing usage patterns to improve features, and fixing bugs.
• To Manage Your Account: Creating and maintaining your account, authenticating your identity, and managing your subscription.
• To Communicate With You: Sending transactional notifications related to your account, subscription status, and App updates. If you opt in, sending push notifications with personalized skincare tips.
• To Ensure Security: Detecting and preventing fraud, abuse, and unauthorized access to the App.
• To Evaluate Guarantee Claims: If you submit a money-back guarantee claim, we use your engagement history (routine completions, scans, diary entries) and uploaded receipt photos to verify eligibility under our 55-Day Money Back Guarantee program.
• To Comply With Legal Obligations: Responding to legal requests and complying with applicable laws and regulations.
• To Support the App Through Affiliate Revenue: Product recommendation links within the App may direct you to third-party retailers. If you make a purchase through these links, we may earn a commission. This affiliate relationship does not influence which products are recommended or how products are scored. See Section 4.2 for details.

We do not use your personal information for third-party advertising or marketing purposes. We do not sell your personal information. We do not use your face photos, skin analysis data, or any personal information to train, fine-tune, or improve any artificial intelligence or machine learning models. Your data is used solely to provide you with the App's services.

4. How We Share Your Information

We do not sell, rent, or trade your personal information to third parties. We may share your information only in the following limited circumstances:

4.1 Service Providers

We use trusted third-party service providers who process data on our behalf to deliver the App's functionality. These providers are contractually obligated to use your information only as necessary to provide services to us and to protect your information. Our current service providers include:

• Convex — Backend database and serverless infrastructure
• Clerk — User authentication and account management (may collect IP addresses and device identifiers for fraud prevention and security purposes)
• RevenueCat — Subscription management and billing analytics
• Google (Gemini AI) — AI-powered skin analysis, product ingredient analysis, routine generation, and chat assistance (photos and text data are processed and may be retained by Google for up to 55 days for abuse monitoring and safety purposes, after which they are deleted; data is not used by Google to train or improve AI models on paid API tiers). GLOW uses providers' privacy-respecting modes; image inputs are not used to train models.
• Anthropic (Claude) — Secondary AI provider used for medical-content safety classification on chat and product-analysis text. Claude inputs submitted via the API are not used to train default Anthropic models per Anthropic's Commercial Terms of Service.
• OpenRouter — AI API routing service that forwards requests to our AI analysis providers (receives text-based skin profile data and, for skin analysis, face photos; does not independently store or process data beyond transit). GLOW uses providers' privacy-respecting modes; image inputs are not used to train models.
• Cloudflare Images — Image hosting and content delivery network for face photos, scan results, AI-generated previews, and skin diary photos (encrypted at rest; images are deleted from Cloudflare when you delete your account or the corresponding entry). Cloudflare does not access, use, or train AI/machine-learning models on customer image content per its Customer Terms and Data Processing Addendum.
• kie.ai — AI-powered “Clear Skin Preview” image generation. When you use the Clear Skin Preview feature, your face photo is sent to kie.ai to generate a synthetic preview image showing reduced visible skin concerns. The preview is AI-generated for illustration only and is not a medical prediction or guarantee of results. kie.ai processes the photo and deletes it from their systems within 24 hours. The generated preview image is then stored in your account on Cloudflare Images.
• Resend — Transactional email delivery (receives your email address and email content for purchase confirmations, renewal reminders, trial-ending notices, deletion confirmations, and similar account-related messages; does not retain email content beyond delivery)
• Sentry — Error monitoring and crash reporting (receives application stack traces, device metadata, and limited account identifiers; personally identifiable information is automatically scrubbed before transmission)
• PostHog — Privacy-focused product analytics
• WeatherAPI — Weather data for location-aware skincare tips (receives approximate geographic coordinates; does not receive any personal information)
• UPCitemdb — Product barcode lookup service for the in-app product scanner (receives only the scanned barcode digits; receives no personal information)
• Apple / Google — App Store and Play Store for subscription billing
• Amazon Associates — Affiliate product links. When you tap a product purchase link, you are directed to Amazon.com. Amazon may collect data about your visit in accordance with their own privacy policy. We receive aggregate commission reports but do not receive personally identifiable information about individual purchases.

4.2 Affiliate Relationships

The App contains affiliate links to third-party retailers, including Amazon. When you tap a product link and make a purchase, we may earn a commission from the retailer. This affiliate relationship does not influence which products are recommended, how products are scored, or any AI-generated analysis. Our product recommendations and fit scores are based solely on ingredient science and your skin profile. When you tap an affiliate link, the retailer (such as Amazon) may collect information about your visit, including the referring link, in accordance with their own privacy policy. We do not share your personal information, skin profile, or analysis data with affiliate partners. For more details, see Section 7 of our Terms of Service.

4.3 Legal Requirements

We may disclose your information if required to do so by law, regulation, legal process, or governmental request, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others, investigate fraud, or respond to a law enforcement request.

4.4 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you via email or prominent notice within the App of any change in ownership or use of your personal information.

5. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

• Account Data: Retained for the duration of your active account. Deleted within 30 days of account deletion.
• Face Photos and Scan Results: Stored in your account for progress tracking purposes. Deleted upon account deletion or when you manually delete individual scans.
• AI Analysis Data: Processed in real-time and deleted from analysis servers promptly after results are returned. Results are stored in your account.
• Chat Messages: Stored in your account for your reference. Deleted upon account deletion or when you manually delete individual conversations.
• Skin Diary Entries: Stored in your account for progress tracking. Deleted upon account deletion.
• Saved Products, Streaks, Badges, and Weekly Summaries: Stored in your account for as long as your account is active. Deleted upon account deletion.
• Location Data: Stored in your account for weather-aware tips. Deleted upon account deletion or when you revoke location permission.
• Push Notification Tokens: Stored while notifications are enabled. Deleted when you disable notifications or delete your account.
• Usage Analytics: Retained in anonymized and aggregated form. Individual-level analytics data is retained for up to 12 months.
• Subscription Data: Transaction records may be retained for up to 3 years for accounting and legal compliance purposes.
• Guarantee Claim Data: Guarantee claim records (including uploaded receipt photos, eligibility snapshots, and claim status) are retained for 3 years from the date of submission for fraud prevention, legal compliance, and dispute resolution purposes. Receipt photos are deleted when the claim record expires, unless required by applicable law.

6. Data Security

We implement industry-standard technical and organizational measures to protect your personal information from unauthorized access, alteration, disclosure, or destruction. These measures include encryption of data in transit (TLS/SSL) and at rest, secure authentication protocols, and access controls limiting data access to authorized systems.

However, no method of electronic storage or transmission over the internet is 100% secure. While we strive to protect your personal information, we cannot guarantee its absolute security. In the event of a data breach affecting your personal information, we will notify affected users without unreasonable delay and in accordance with applicable state and federal laws, including providing notification within 72 hours where required by law.

7. Your Rights and Choices

Depending on your jurisdiction, you may have the following rights regarding your personal information:

7.1 All Users

• Access and Portability: You can access your skin profile, scan history, and routine data within the App at any time.
• Correction: You can update your skin profile information and account details within the App.
• Deletion: You can delete your account and all associated data through the App's Settings screen. Account deletion is permanent and cannot be undone. Upon account deletion, we will delete or anonymize all personal information associated with your account within 30 days.
• Push Notifications: You can opt out of push notifications through your device settings at any time.
• Withdraw Consent: You may withdraw consent for face scanning by discontinuing use of the scanning feature.

7.2 California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:

• Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share it.
• Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
• Right to Correct: You may request correction of inaccurate personal information.
• Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
• No Sale of Personal Information: We do not sell your personal information as defined by the CCPA. We do not share your personal information for cross-context behavioral advertising.

To exercise your California privacy rights, please contact us at the email address listed in Section 13.

7.3 European Economic Area, UK, and Swiss Residents (GDPR)

If you are located in the European Economic Area, United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation:

• Legal Basis for Processing: We process your personal information based on: (a) your consent (for face scanning, approximate location data for weather-aware tips, AI data sharing with third-party providers, and optional push notifications); (b) performance of our contract with you (to provide the App's features); and (c) our legitimate interests (to improve and secure the App), where those interests are not overridden by your rights.
• Additional Rights: You have the right to access, rectification, erasure, restriction of processing, data portability, and the right to object to processing.
• Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing conducted prior to withdrawal.
• Right to Lodge a Complaint: You have the right to lodge a complaint with your local data protection supervisory authority.

To exercise your rights, please contact us at the email address listed in Section 13. We will respond to your request within 30 days.

7.4 Washington Residents (My Health My Data Act)

If you are a Washington resident, the Washington My Health My Data Act (“MHMDA”) provides additional protections for consumer health data, which may include skin analysis scores and concern assessments generated by the App.

• Collection and Use: We collect and use skin analysis data solely to provide the App's core features as described in Section 3. We do not sell consumer health data.
• Consent: By using the skin analysis features, you consent to the collection and processing of skin-related data as described in this Privacy Policy.
• Deletion: You may request deletion of all consumer health data by deleting your account through the App's Settings screen or by contacting us at the email address in Section 13.

To exercise your rights under the MHMDA, please contact us at the email address listed in Section 13.

7.5 Maryland Residents (Maryland Online Data Privacy Act)

If you are a Maryland resident, the Maryland Online Data Privacy Act (“MODPA”) provides additional protections for sensitive data, which may include biometric data and health-related data such as skin analysis scores.

We collect and process sensitive data only as strictly necessary to provide the App's core analysis and recommendation features described in Section 3. We do not sell sensitive data. You may exercise your rights under MODPA, including the right to access, correct, and delete your data, by contacting us at the email address listed in Section 13.

8. Do Not Track and Global Privacy Control

Some web browsers and devices transmit “Do Not Track” (DNT) or Global Privacy Control (GPC) signals. The App does not track users across third-party websites or services, does not serve targeted advertising, and does not sell or share personal information for cross-context behavioral advertising. As such, there is no tracking activity for DNT or GPC signals to opt out of within the App. We honor GPC signals as valid opt-out-of-sale requests to the extent required by the CCPA, although we do not engage in any sale or sharing of personal information.

9. Children's Privacy

The App is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children under the age of 16. If we become aware that we have collected personal information from a child under the age of 16, we will take steps to delete that information promptly. If you are between the ages of 16 and 18, you must have the consent of a parent or legal guardian to use the App. If you believe a child under 16 has provided us with personal information, please contact us at the email address listed in Section 13.

10. Third-Party Links and Services

The App may contain links to third-party websites, products, or services (such as product recommendations linking to retailer websites). We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any personal information. This Privacy Policy applies solely to information collected through the App.

11. International Data Transfers

Your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate. These countries may have data protection laws that differ from those in your jurisdiction. By using the App, you consent to the transfer of your information to the United States and other countries.

We are based in the United States. If you access GLOW from the European Economic Area (EEA), the United Kingdom, or Switzerland, your personal data may be transferred to and processed in the United States and other countries that may not provide the same level of data protection as your home country.

Where we transfer personal data from the EEA, UK, or Switzerland to a country not deemed adequate by the European Commission or the UK Information Commissioner's Office, we rely on appropriate safeguards including the European Commission's Standard Contractual Clauses (SCCs) and the UK Addendum to the SCCs. We have entered into Data Processing Addenda incorporating SCCs with our service providers (including Convex, Cloudflare, Anthropic, OpenRouter, Google, Resend, Sentry, PostHog, RevenueCat, and Clerk) to ensure adequate protection of personal data in connection with cross-border transfers.

You may request a copy of the safeguards we use by contacting support@glowskincare.app.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. We will notify you of any material changes by posting the updated Privacy Policy within the App and updating the “Last Updated” date at the top of this page. For significant changes, we may also provide additional notice through email or an in-app notification. Your continued use of the App after such changes constitutes your acceptance of the updated Privacy Policy.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

Email: support@glowskincare.app
Chapel Hill, NC, United States

We will respond to your inquiry within 30 days.

This Privacy Policy is effective as of the date listed at the top of this page.