This Privacy Policy applies to our websites, mobile applications, services, and other offerings that link to this policy (collectively, the “Services”). It explains how Glow Up Girl, Inc. (“Glow Up Girl,” “we,” “our,” or “us”) collects, uses, stores, and protects your personal data.
What this Privacy Policy Covers
To offer the Services, Glow Up Girl may collect Personal Data from prospects, app users, and website visitors. By using or accessing our Services, you acknowledge the practices described in this Privacy Policy regarding how we collect, use, and share your information.
This Privacy Policy covers how we treat Personal Data gathered when you access or use our Services. “Personal Data” means any information that identifies or relates to a particular individual and includes information referred to as “personally identifiable information” or “personal information” under applicable data privacy laws, rules or regulations. This Privacy Policy does not cover the practices of companies we don't own or control or people we don't manage.
Personal Data
Categories of Personal Data We Collect
Identity and Profile Information
- Nickname or display name (real name not required)
- Email address (optional)
- Profile photo (optional)
- Age range, skin goals, and self-reported skin type and concerns
Face Photos and Skin Imagery
- Photos of your face that you upload or capture for skin analysis (your “Skin Photos”).
- Skin Photos may contain biometric information such as facial features. We use these photos solely to generate your personalized skin assessment and progress tracking inside the Services. We do not use facial recognition for identification, we do not match your photos against any external database, and we do not sell or license your Skin Photos to third parties.
Skin Analysis Output
- Glow score, sub-scores, and skin concern flags generated from your Skin Photos
- Routine recommendations and product categories surfaced to you
- Day-by-day progress data and before/after pairings
Purchase and Subscription Data
- Subscription tier, billing cycle, and renewal status
- Payment method (last 4 digits only) and transaction history
- Receipts and entitlement records, processed through the Apple App Store, Google Play Store, or our subscription provider
Marketing Data
- Lead Information
- Information Related to Marketing Campaigns
- Engagement Metrics
- For clarity, your Skin Photos, glow scores, and personal routine details are not deemed Marketing Data.
Social Media Data (if you connect third-party accounts)
- If you sign in using Google or Apple, we receive only the authentication credentials needed to verify your identity (e.g., account identifier and email address).
- We do not auto-populate your name, profile photo, or other profile information from these services unless you choose to.
- Authentication tokens and account identifiers.
Web and App Analytics
- Usage Statistics
- Performance Metrics
- User Behavior
Device IP/Data
- Device ID
- Type of device, operating system, and browser used to access the Services
- Push-notification tokens (if you opt in to push notifications)
- Approximate location derived from your IP address — we do not collect precise GPS location.
Cookies
- Cookie ID
- Cookie Types (e.g., Session, Persistent)
Customer Support Data
- Support inquiries
- Customer service communications
- Feedback and reviews
Other Identifying Information You Voluntarily Provide
- Identifying information submitted by you in emails, messages, survey responses, or other content you share with the Services
Sensitive Personal Data
Given the personal nature of the Services, we may collect the following types of information:
- Photographs of your face and skin
- Inferences about your skin characteristics
- Self-reported information about your skin, age, or routine
We recognize the sensitive nature of this content and treat it with the heightened care described in this Policy. In some jurisdictions, biometric information receives special legal protection; where applicable, we obtain your express consent before processing such information, and you may withdraw that consent at any time by deleting your account.
Categories of Sources of Personal Data
You
- When you sign up for our Services or request more information.
- When you provide such information directly to us.
- When you create an account or use our Services.
- When you make a purchase or complete a transaction.
- When you participate in promotions, surveys, or contests.
- When you voluntarily provide information in free-form text boxes through the Services.
- When you send us an email or otherwise contact us.
- When you use the Services and such information is collected automatically.
- Through Cookies (defined in the “Cookies and Tracking Technologies” section below).
Third Parties
- Vendors: We may use analytics, subscription, and AI providers to deliver, analyze, and improve how you interact with the Services. We may also receive information from third parties that help us provide you with customer support.
How We Use Your Data
Providing, Customizing and Improving the Services
- Creating and managing your account.
- Generating your glow score and personalized skincare routine from your Skin Photos.
- Processing purchases; managing your subscription.
- Providing you with the products, services, or information you request.
- Assessing your service needs and preferences.
- Meeting or fulfilling the reason you provided the information to us.
- Providing support and assistance for the Services.
- Improving our Services, including through research, analytics, and product development.
- Personalizing the Services, website content, and communications based on your preferences.
- Fraud protection, security, and debugging.
- Carrying out other business purposes stated when collecting your Personal Data or as otherwise set forth in applicable data privacy laws.
Advertising and Marketing the Services
- Advertising, marketing, and selling the Services.
Corresponding with You
- Responding to correspondence that we receive from you, contacting you when necessary or requested, and sending you information about Glow Up Girl or the Services.
- Sending emails, push notifications, and other communications according to your preferences.
Meeting Legal Requirements and Enforcing Legal Terms
- Fulfilling our legal obligations under applicable law, regulation, court order, or other legal process, such as preventing, detecting, and investigating security incidents and potentially illegal or prohibited activities.
- Protecting the rights, property, or safety of you, Glow Up Girl, or another party.
- Enforcing any agreements with you.
- Responding to claims that any posting or other content violates third-party rights.
- Resolving disputes.
If we collect additional categories of Personal Data or use your Personal Data for materially different purposes, we will update this Privacy Policy accordingly.
Legal Basis for Processing
If you are located in the European Economic Area (“EEA”), the United Kingdom, or Switzerland, we process your Personal Data based on the following legal grounds under applicable data protection law:
| Purpose of Processing | Legal Basis | Categories of Data |
|---|---|---|
| Providing and maintaining the Services, including creating your account and enabling core features | Performance of our contract with you | Identity, Profile, Skin Photos, Purchase, Usage, Technical |
| Generating skin analysis from your Skin Photos | Performance of our contract with you; Consent (where required for biometric/sensitive data) | Skin Photos, Skin Analysis Output |
| Processing payments and subscription transactions | Performance of our contract with you | Identity, Purchase, Payment |
| Responding to inquiries and providing customer support | Performance of our contract with you; Legitimate interests (quality service) | Identity, Customer Support, Usage |
| Personalizing your experience and improving recommendations | Legitimate interests; Consent (where required for sensitive data) | Profile, Usage, Technical, Skin Analysis Output |
| Safety, security, and fraud prevention | Legitimate interests; Compliance with legal obligations | Identity, Usage, Technical |
| Marketing and advertising our Services | Consent (for electronic marketing); Legitimate interests | Identity, Marketing, Usage, Technical |
| Complying with legal obligations | Compliance with legal obligations | All categories as required |
| Establishing, exercising, or defending legal claims | Legitimate interests | All categories as relevant to the claim |
Where we rely on legitimate interests as a legal basis, we have balanced our interests against your fundamental rights and freedoms. Where we rely on consent, you have the right to withdraw your consent at any time by contacting us or adjusting your settings. Withdrawal of consent does not affect the lawfulness of processing based on consent before withdrawal.
How We Share Your Personal Data
The categories of Personal Data described above may be shared with the following recipients for the purposes described in this Policy. We disclose your Personal Data to the categories of service providers and other parties listed in this section.
Service Providers. These parties help us provide the Services or perform business functions on our behalf. They include:
- Hosting, technology, and communication providers.
- Security and fraud prevention consultants.
- Payment and subscription processors (Apple, Google, RevenueCat).
- Support and customer service vendors.
Marketing and Advertising Partners. We work with advertising partners to promote Glow Up Girl on third-party platforms. These partners receive only technical identifiers (such as device IDs or hashed email addresses) to measure campaign effectiveness. We do not share your Skin Photos, glow scores, or routine details with any marketing or advertising partner.
Analytics Partners. These parties provide analytics on web traffic or usage of the Services.
Third-Party Service Providers
We use third-party services to operate Glow Up Girl, including, without limitation:
Backend & Hosting. Convex provides our real-time database and serverless backend. Data is encrypted in transit and at rest.
AI Services. We use Google Generative AI (Gemini) to power skin analysis from your Skin Photos and to generate personalized routine recommendations. When you submit a Skin Photo, the image is sent to Google for processing under their data processing terms. We do not allow these providers to use your photos to train their general-purpose models.
Subscriptions. RevenueCat manages subscription entitlements and receipt validation across the Apple App Store and Google Play Store.
Push Notifications. OneSignal delivers push notifications. Your device push token is shared with OneSignal for delivery.
Analytics. We may use product-analytics and attribution providers to understand how users interact with our Services. Where required, we obtain your consent before activating these providers.
These providers may have their own privacy policies governing their use of your Personal Data.
Legal Obligations
We may share any Personal Data that we collect with third parties in conjunction with any of the activities set forth under “Meeting Legal Requirements and Enforcing Legal Terms” in the “How We Use Your Data” section above.
Government and Law Enforcement Requests
We may disclose Personal Data to government authorities or law enforcement officials when required by law, regulation, or valid legal process (such as a subpoena, court order, or search warrant), or when necessary to protect the safety of any person.
Business Transfers
All of your Personal Data that we collect may be transferred to a third party if we undergo a merger, acquisition, bankruptcy, or other transaction in which that third party assumes control of our business (in whole or in part).
No Data Selling
We do not sell your Personal Data. If our privacy practices change materially, we will notify you in accordance with applicable law.
Aggregated and Anonymous Data
We may create aggregated, de-identified, or anonymized data from the Personal Data we collect, including by removing information that makes the data personally identifiable to a particular user. We may use such aggregated, de-identified, or anonymized data and share it with third parties for our lawful business purposes, including to analyze and improve the Services and promote our business.
Cookies and Tracking Technologies
We use cookies and similar technologies (such as pixels and SDKs) to operate and improve our Services, analyze usage, and measure advertising effectiveness. You can manage cookie preferences through your browser settings.
Opt-Out Preferences
Marketing Communications
You can opt out of receiving marketing emails by clicking the “unsubscribe” link in any marketing email or by contacting us at support@glowupgirl.app. Even if you opt out of marketing emails, we may still send you transactional messages about your account or purchases.
Push Notifications
You can disable push notifications at any time in your device settings or in the Glow Up Girl app settings.
Targeted Advertising
You can opt out of targeted advertising by adjusting your preferences in your account settings, using browser-based opt-out tools such as the Digital Advertising Alliance's opt-out page at https://optout.aboutads.info/, or by enabling the Global Privacy Control (GPC) signal in your browser, which we honor as a valid opt-out request.
AI-Assisted Features
Glow Up Girl uses AI to analyze your Skin Photos and generate personalized routine and progress content. We do not use your Skin Photos or skin analysis output to train general-purpose AI models, and we do not share them with third-party AI providers other than as described above to deliver the Service. AI-generated content may not always be accurate; it is not a substitute for professional dermatological advice.
Approximate Location
We may infer approximate location (e.g., country or region) from your IP address to localize content and comply with regional regulations. We do not collect precise GPS location.
Data Retention
We retain Personal Data only for as long as necessary to fulfill the purposes for which it was collected, provide our Services, comply with legal obligations, resolve disputes, and enforce our agreements.
| Data Category | Retention Period | Rationale |
|---|---|---|
| Active account and profile data | Duration of account + 30 days after closure | Provide Services and allow reasonable account recovery |
| Skin Photos and skin analysis output | Duration of account; deleted within 30 days of account closure | Core service functionality; privacy protection after departure |
| Purchase and transaction history | 7 years after transaction | Order history, refund eligibility, and legal compliance |
| Payment information | Duration of account or as required by payment processor | Process transactions, refunds, and handle disputes |
| Customer service records | 3 years after resolution | Customer service quality, dispute resolution, and legal claims |
| Consent records | 3 years after consent given or withdrawn | Demonstrating compliance with consent requirements |
| Security logs and audit trails | 1 year | Security monitoring, incident investigation, and fraud prevention |
| Marketing preferences and suppression lists | Until you opt out or close your account | Honoring your communication preferences |
| Aggregated / de-identified data | Indefinitely | No longer identifiable; used for analytics and service improvement |
Your Deletion Rights
You can delete your account and request deletion of your Personal Data at any time through your account settings or by contacting support@glowupgirl.app. We will process deletion requests in accordance with applicable law, except where retention is required (such as for tax or accounting purposes).
After You Close Your Account
Glow Up Girl uses a two-layer deletion process:
Layer 1 — Active systems: When you delete your account or content, we immediately remove access from our active systems so it is no longer accessible.
Layer 2 — Backups: Deleted data may persist in backups, archives, and disaster recovery systems for a reasonable period as necessary for fraud prevention, legal compliance, system integrity, and dispute resolution. Backup data is not accessible in normal operations.
Data Security
We implement industry-standard security measures to protect your Personal Data from unauthorized access, use, disclosure, alteration, and destruction, including employee training, confidentiality obligations, and access controls limiting data access to personnel who need it.
You can help protect your data by:
- Choosing strong, unique passwords and enabling MFA when available.
- Keeping your account credentials confidential.
- Logging out after using shared devices.
- Promptly reporting any suspected unauthorized access to support@glowupgirl.app.
International Data Transfers
We operate globally, which means your Personal Data may be transferred to, stored, and processed in countries other than your country of residence, including the United States. When we transfer Personal Data out of the EEA, the UK, or Switzerland, we implement appropriate safeguards such as the Standard Contractual Clauses approved by the European Commission or the UK Information Commissioner's Office.
The entity responsible for your Personal Data under this Privacy Policy is Glow Up Girl, Inc., located at [Company address — TODO before launch].
Children's Privacy
Our Services are not intended for children under 18 years of age. We do not knowingly collect Personal Data from children under 18. If you are a parent or guardian and believe your child has provided us with Personal Data, please contact us at support@glowupgirl.app so we can delete that information.
Your Privacy Rights
Depending on where you live, you may have certain rights regarding your Personal Data, including the right to access, correct, delete, port, and restrict processing of your data, as well as the right to opt out of certain data uses.
| Your Right | How to Exercise It |
|---|---|
| Access or Know — confirm whether we process your Personal Data and receive a copy | Submit a request at support@glowupgirl.app. |
| Correction — correct inaccurate or incomplete Personal Data | Update most data directly in your account settings; or contact support@glowupgirl.app. |
| Deletion — request deletion of your Personal Data | Delete your account in-app or contact support@glowupgirl.app. |
| Portability — receive your data in a structured format | Email support@glowupgirl.app to request a portable copy. |
| Opt-Out — opt out of targeted advertising and any “sale” or “sharing” | Adjust settings; enable Global Privacy Control (GPC) in your browser. |
| Restrict or Object — object to or restrict certain processing | Contact support@glowupgirl.app. |
| Withdraw Consent — withdraw consent previously given (e.g., for biometric processing) | Update settings or contact support@glowupgirl.app. Withdrawal does not affect prior lawful processing. |
| Non-Discrimination | We will not deny services, charge different prices, or provide different quality for exercising your privacy rights. |
State Law Privacy Rights
California Resident Rights
If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with rights to know, delete, correct, opt out of “sale” or “sharing,” limit the use of sensitive personal information, and non-discrimination. We do not sell your Personal Data for monetary consideration; certain analytics and advertising uses may constitute “sharing” under California law. To exercise these rights, contact support@glowupgirl.app.
Biometric Information (Illinois BIPA, Texas CUBI, Washington H.B. 1493)
Some U.S. states (including Illinois, Texas, and Washington) regulate biometric identifiers. Glow Up Girl does not use facial recognition for identification and does not create or store mathematical biometric templates derived from your Skin Photos. To the extent any feature is deemed to process biometric information, we obtain your consent at the point of collection and retain such data only as long as necessary to provide the feature.
Consumer Health Data (Washington / Nevada)
If you reside in Washington or Nevada, certain data we process (such as skin-condition inferences) may be considered “consumer health data” under the Washington My Health My Data Act or Nevada SB 370. We obtain your consent before collecting and sharing such data and honor your right to withdraw that consent.
Other U.S. State Privacy Rights
If you are a resident of Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, or Virginia, you may have additional rights to access, correct, delete, port, and opt out of certain data uses, as well as a right to appeal denials. To exercise these rights or to appeal, contact support@glowupgirl.app with “Privacy Request” in the subject line.
EEA, UK, and Switzerland Resident Rights
If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have rights under the GDPR or equivalent laws, including the rights described above as well as the right to lodge a complaint with your local data protection authority. EEA residents can find their authority at edpb.europa.eu; UK residents can contact the ICO at ico.org.uk; Swiss residents can contact the FDPIC at edoeb.admin.ch.
How to Exercise Your Rights
To exercise any of your privacy rights, email us at support@glowupgirl.app with “Privacy Request” in the subject line. To protect your privacy, we will verify your identity before fulfilling your request by asking you to confirm account information we already hold. You may designate an authorized agent to submit requests on your behalf; we may require proof of authorization. We will respond within the timeframes required by applicable law.
Changes to this Privacy Policy
We're constantly trying to improve our Services, so we may need to change this Privacy Policy from time to time. We will alert you to any such changes by placing a notice on the www.glowupgirl.app website, by sending you an email, and/or by other means. If you use the Services after any changes have been posted, that means you agree to the changes.
Contact Information
If you have any questions or comments about this Privacy Policy, please contact us:
Email: support@glowupgirl.app
Mailing Address: [Company address — TODO before launch]