Privacy Policy
Last Updated: April 28, 2026
Our Core Privacy Commitment
We built Glowly to help your skin, not to sell your data. We do not sell your personal information. We do not store biometric face templates (face prints). You own your data and can delete it at any time.
Data Controller: Glowly is operated by Use It Engineering, a company registered in the Republic of Albania (NUIS / Tax ID: M52230053G), with its registered address at Tiranë, Rr. e Dibrës, Ndërtesa nr. II, nr. 225, pasuria nr. 7/91. For any privacy-related questions, contact us at info@glowlyme.com.
⚠️ Important Medical Disclaimer
Glowly is NOT a medical device and does NOT provide medical advice.
The analysis, recommendations, and content provided by Glowly are for informational and educational purposes only. Our AI technology uses probabilistic models which can make mistakes and may not accurately detect all skin conditions.
Never use Glowly for diagnosis. If you have a specific skin concern, suspicious mole, rash, or persistent issue, please consult a certified dermatologist or medical professional.
1. Information We Collect
1.1 Information You Provide
- Account Information: Email address, name (optional), and encrypted password.
- Skin Profile: Skin type (e.g., Oily, Dry), concerns (e.g., Acne, Wrinkles), product preferences, and allergies.
- Routine Data: Skincare products you use, your morning/night routines, and product notes.
- Face Photos: Photos you explicitly take or upload for AI analysis. These are encrypted in transit and at rest.
1.2 Device Permissions & Technical Data
We request specific permissions to provide core features:
- Camera: Used only when you initiate a skin scan. We do not access the camera in the background.
- Photo Library: Used only if you choose to upload an existing photo for analysis.
- Device Data: Device model, OS version, and approximate location (derived from IP address) for analytics and troubleshooting.
- Usage Analytics: Anonymous data on how you navigate the app (e.g., "Screen A visited", "Button B clicked") to help us improve user experience.
2. Face Data: How We Process Your Photos
🧬 No Biometric Identification
Glowly analyzes your photos to detect skin characteristics (such as acne, redness, wrinkles, and texture).
We DO NOT create, store, or use biometric face templates (face prints) for identification. We are not a facial recognition system, and we never use your photos to identify you, unlock devices, or train face-recognition models. Your photos are strictly used for skincare analysis.
2.1 Face Data Summary
This summary describes our collection, use, disclosure, sharing, and retention of face data.
- What face data we collect: Photos of your face that you explicitly capture or upload through the app for skin analysis. We do not access your camera or photo library in the background.
- How we use it: Each photo is sent to our AI provider (Google Gemini API) to detect visible skin characteristics — texture, acne, redness, wrinkles, hydration cues — and to generate skin scores and skincare recommendations. No facial recognition, identification, or biometric template is performed.
- Disclosure & sharing: The photo is transmitted only to Google (as our AI processor) for transient analysis, and stored only on our private AWS S3 bucket during processing. Photos are never shared with advertisers, data brokers, or any third party for marketing, training, or profiling.
- Google retention: Glowly is approved by Google for an exception to the standard Gemini API abuse-monitoring logging policy. Under that exception, Google does not log or retain the prompts (your photo) or responses for our project. Photos are processed transiently by Google and discarded after the analysis completes.
- Storage location: AWS S3 (private bucket, AES-256 encryption at rest, TLS 1.2+ in transit). Only the resulting text-based analysis (scores, recommendations) is retained in our PostgreSQL database. The photo itself is never stored in our database.
- Retention: Photos are automatically deleted from Glowly's S3 immediately after analysis completes — typically within 5–10 minutes, and in rare retry cases within up to 1 hour. Encrypted disaster-recovery backups are overwritten within 90 days.
2.2 What Other Information We Send With Each Analysis
To produce relevant skincare recommendations, each AI request includes — alongside the photo — a small set of skincare-context fields from your profile:
- Your skin type and skin reactivity (e.g., dry, oily, sensitive)
- Your skin concerns, goals, and known allergies
- Your age and gender (for skincare relevance only)
- Names of products in your current routine (no purchase data)
- Aggregated lifestyle averages you have provided (e.g., average sleep hours, water intake, stress level)
- Your preferred app language
We do NOT send your name, email address, account ID, password, payment information, precise location, IP address, device identifiers, or any other directly identifying information to our AI provider. The AI provider receives only the photo and the skincare context above — it has no way to identify you.
2.3 Health Connect (Android Sleep Schedule)
On Android, Glowly offers an optional, opt-in feature that uses Google Health Connect to time skincare reminders to your sleep schedule. This feature is not available on iOS.
- Where to find it: Profile → Routine Reminder Setup → smart timing. It is off by default and you may turn it off at any time.
- What we read: Android sleep session records only — your bedtime and wake time samples for the last 7 days. We do not read steps, heart rate, weight, workouts, menstrual data, or any other Health Connect category.
- Read-only: Glowly never writes data to Health Connect.
- On-device aggregation: sleep samples are aggregated on your device into your average weekday and weekend bedtime and wake time (e.g.
23:30/07:00). Only the resulting schedule is sent to our backend — raw Health Connect samples never leave your device. - Use: the schedule is used to time evening skincare reminders before your typical bedtime and morning reminders shortly after you wake.
- Sharing: Health Connect data is never shared with our AI provider (Google Gemini), with advertisers, or with any other third party. It is used only by Glowly's reminder scheduling.
- Storage & retention: the aggregated schedule is stored in our PostgreSQL database alongside your account and is deleted when you delete your account. We do not back up or otherwise persist raw Health Connect samples.
- Revoking access: you can revoke at any time via Android Settings → Health Connect → App permissions → Glowly. Revocation takes effect immediately; previously-aggregated schedules are retained until you delete your account.
3. Third-Party Service Providers
We use trusted third-party services to operate Glowly. The following is a list of our current key service providers. We may update this list from time to time as our technology evolves, ensuring all new providers adhere to the same strict security standards.
| Service Provider | Purpose | Data Shared |
|---|---|---|
| Google (Gemini API) | AI Image & Text Analysis | Photo + skincare context (skin type, concerns, allergies, age, gender, routine product names). No name, email, or account identifiers. |
| AWS (Amazon) | Secure Cloud Storage | Encrypted photos & database backups |
| RevenueCat | Subscription Management | Anonymous User ID, Purchase history (No credit card info) |
| Mailjet | Email Delivery | Email address, Name |
| Google Analytics | App Analytics | Anonymized usage data, Device info |
| Sentry | Crash Reporting | Error logs, Device info (for debugging) |
4. Data Retention & Deletion
We retain your data only as long as your account is active or as needed for legal reasons.
- Account Deletion: If you delete your account via the app settings, your personal information is immediately removed from our active production database.
- Photo Deletion: Face photos are automatically deleted from Glowly's cloud storage immediately after analysis completes — typically within 5–10 minutes, and in rare retry cases within up to 1 hour. Google, our AI processor, also does not log or retain your photo (we have an exception to their standard Gemini API abuse-monitoring logging policy). Only analysis results (text data such as scores and recommendations) are retained for progress tracking.
- Backups: Encrypted database backups are retained for disaster recovery for up to 90 days and then overwritten.
5. Your Privacy Rights (GDPR & CCPA)
Regardless of where you live, we extend these rights to all users:
✓ Right to Access
Ask us for a copy of all data we hold about you.
✓ Right to Forget
Request permanent deletion of your account and data.
✓ Right to Correct
Update inaccurate information in your profile.
✓ Right to Portability
Get your data in a structured, common format.
To exercise these rights: Use the "Delete Account" option in the app settings, or email us at info@glowlyme.com. We respond to verified requests within 30 days.
6. Security
We use industry-standard security measures:
- Encryption: Data is encrypted in transit (HTTPS/TLS 1.2+) and photos are encrypted at rest in AWS S3.
- Access Control: Strict least-privilege access controls for our engineering team.
- Payment Security: We do not process or store credit card numbers. All payments are handled securely by Apple (App Store) or Google (Play Store).
7. International Transfers
Glowly operates globally. Your data may be transferred to and processed in the United States or other countries where our service providers (such as AWS and Google) operate. We rely on adequacy decisions and Standard Contractual Clauses (SCCs) to ensure your data remains protected.
8. Children
Glowly is not directed to children under 13 globally, or under 16 in the European Union. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us and we will delete it promptly.
9. Contact Us
Email: info@glowlyme.com
Operated by: Use It Engineering, NUIS M52230053G — Tiranë, Rr. e Dibrës, Ndërtesa nr. II, nr. 225, pasuria nr. 7/91, Albania