GlowOS Privacy Policy
Effective: 21 April 2026
Last updated: 1 May 2026 (v1.6 — chat report storage)
This Privacy Policy explains how GlowOS collects, uses, shares, and protects personal information when you use the GlowOS mobile application ("GlowOS", the "App", "we", "us", or "our"). It is written to comply with the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act as amended by the CPRA (CCPA), Brazil's Lei Geral de Proteção de Dados (LGPD), Japan's Act on the Protection of Personal Information (APPI), South Korea's Personal Information Protection Act (PIPA), and Singapore's Personal Data Protection Act (PDPA).
We have tried to write this in plain English. Legal terms appear where they are necessary. If anything is unclear, email us at privacy@glowos.app and we will explain.
1. Who we are
GlowOS is operated by Compounding Flow Inc. (the "Controller"), a corporation organized under the laws of the United States.
| Item | Detail |
|---|---|
| Controller | Compounding Flow Inc. |
| State of incorporation | [to be confirmed] |
| Privacy contact | privacy@glowos.app |
| Data Protection Officer | Not appointed — GlowOS does not meet the thresholds under GDPR Article 37 that would require a DPO. You may contact the privacy address above for any data-protection matter. |
| EU representative (GDPR Art. 27) | Not yet appointed. GlowOS processes facial photographs via Google Gemini to generate AI avatars; to the extent this processing excludes us from the Art. 27(2)(a) exception, an EU representative will be appointed before GlowOS is generally released in the EU. Pre-release users located in the EEA may contact the privacy address above for any GDPR-related request. |
| UK representative (UK GDPR Art. 27) | Same posture as above, for UK users. |
2. What personal information we collect
GlowOS collects only what is needed to run the App. We group what we collect into the categories below.
2.1 Account information
- Email address (once you upgrade from an anonymous session to a named account, via email/password, Sign in with Apple, or Sign in with Google)
- Display name (optional, chosen by you)
- Anonymous session identifier and creation timestamp
- IANA timezone (e.g. `America/New_York`), captured on first launch so scheduled notifications fire at the right local hour
2.2 Skincare survey information
- Skin type (dry, oily, combination, sensitive, or normal)
- Primary skin concern (acne, anti-aging, hydration, brightening, sensitivity, or none)
- Whether you wear makeup daily
- Preferred morning and evening routine durations
- Wake and bedtime
This information lets GlowOS build an appropriate routine for you. It is self-reported. We do not collect clinical or diagnostic medical information. It is not shared with healthcare professionals.
2.3 Selfie and generated avatar images
If you choose to generate an AI character during onboarding, GlowOS asks you to upload a selfie. That image is transmitted to Google's Gemini model ("Nano Banana") to generate a stylised portrait and three alternate "states" (clear skin, some blemishes, many blemishes). The generated images are stored in our cloud storage and displayed in the App as your avatar.
- Input selfie: transmitted to Google for generation; not retained in our storage after the generation call completes (Google's retention for generative-AI requests is governed by Google's privacy policy linked in section 4)
- Generated avatars: stored in our Supabase Storage bucket under URLs scoped to your account, until you delete them or your account
You may skip the selfie step entirely and use one of our preset avatar images; in that case no image of your face is processed.
Generated avatars are not biometric identifiers used for recognition or authentication — they are stylised drawings, not a face template. We do not perform facial recognition.
2.4 Behavioural information
- Completion status of individual steps in your morning and evening routines
- Routine completion dates
- Streaks, streak freezes, and XP totals
- Weekly quest progress
- Products you scan or manually add to your "shelf"
- Usage events tied to AI calls (e.g. which AI model was used, whether the call succeeded, cost and latency — used for our own reliability monitoring; this data is tied to your user ID)
2.5 Subscription and payment information
- Whether you have an active premium ("GlowOS Gold") subscription
- Subscription renewal or expiry date
- A subscriber ID issued by our payments processor (RevenueCat)
We do not collect or store your credit card number, bank account, or Apple ID password. All payment processing is handled by Apple (App Store) and RevenueCat.
2.6 Device and push-notification information
- An Expo-issued push notification token
- Device operating system and locale (as reported by Apple's StoreKit when you make a purchase)
2.7 Product-scan information
When you scan a barcode or take a photo of a product:
- The barcode number
- The product photo, used in two ways:
- For ingredient recognition (transient). Sent to our AI providers (see section 4); not retained server-side after the recognition call completes.
- For your shelf display (persistent, only when you choose "Take Photo Instead"). When you identify a product by photo rather than by barcode, GlowOS uploads the compressed photo to a private user-scoped folder (`shelf-photos/<your user id>/...`) so we can show your own photo of that product on the shelf detail screen instead of a stock image. Photos are stored in a public-read bucket with unguessable URLs (the bucket can't be enumerated; only someone with the exact URL can fetch the file). Deleting the shelf item or your account removes the underlying photo file. Photos taken via the barcode path are not stored.
- The identified product name, brand, category, and ingredient list
- An AI confidence score for the match
2.8 Conversational AI advisor ("Talk to GlowOS")
GlowOS includes an in-app chat where you can ask questions about your shelf, your routine, or general skincare. The feature is in beta and replies may have errors — for medical questions (diagnosing conditions, drug interactions, pregnancy/breastfeeding, anything for users under 16) the AI is instructed to refuse and redirect you to a dermatologist or doctor.
When you send a chat message:
- Your message text and a snapshot of context — your shelf items + ingredients + healthiness ratings + flagged concerns, your AM and PM routines, your skin profile (skin type, concerns, goals, age band, makeup preference), your current streak and Aura — are sent to our AI provider (Anthropic, Claude Haiku model, see section 4) to compute the reply.
- We do not routinely store your message text or the AI's reply on our servers. Conversations are ephemeral — closing the app discards the history. Anthropic's handling of the message is governed by their API privacy terms (linked in section 4).
- We do log per-message metadata in our `ai_usage` table: which model ran, how long it took, computed cost, success/failure flag, and your user ID. This metadata powers the daily-message-credit limits below. We do not log message content in routine telemetry.
- Daily message limits: free tier 5 messages/day, Glow Gold 50 messages/day. Limits refresh at midnight UTC.
Two narrow exceptions store reply content:
- Reports. If you tap "Report this reply" on an assistant message and pick a reason ("Wrong advice", "Feels unsafe", "Off-topic", "Something else"), we save the first 500 characters of that reply, the reason category, and your user ID into a private `chat_reports` table so we can review it. Your report is the explicit consent (GDPR Art. 6(1)(a)) for this storage. We do not store reports you don't submit.
- Safety surveillance. A regex-based classifier scans every assistant reply for patterns that suggest a medical claim slipped through (explicit diagnoses, prescription drug recommendations, pregnancy/breastfeeding safety claims, definitive cure language). If any pattern matches, we log the matched pattern names + a 500-character excerpt of the reply into the `ai_usage.metadata` column. This is to detect and fix model-quality regressions; the reply is still shown to you (no censoring in V1). We treat this as a legitimate-interest basis (GDPR Art. 6(1)(f)) — preventing harmful AI output is a real interest of yours and ours.
Legal basis is contract performance under GDPR Art. 6(1)(b) (the chat is a feature of the GlowOS service you've signed up for). If you'd rather not use the chat, simply don't open it — every other feature of the App works without invoking it.
2.9 Information we do not collect
- Location: GlowOS does not request GPS, Bluetooth-beacon, or coarse-location permission. The only location-adjacent value we store is your IANA timezone, which is sent by your device OS without exposing GPS coordinates.
- Contacts, calendar, photo-library indexes, call history, SMS: none of these.
- Advertising identifiers: GlowOS does not use the iOS IDFA or the Android Advertising ID. We do not show ads and we do not participate in advertising networks.
- Analytics/telemetry from third-party SDKs: GlowOS does not embed PostHog, Mixpanel, Amplitude, Segment, Firebase Analytics, Facebook SDK, or any similar tracker.
- Sensitive categories under GDPR Art. 9 (race, religion, sexual orientation, political views, health diagnoses, genetic or biometric data for identification purposes): none of these.
3. How we use your information, and the legal basis
GDPR and UK GDPR require us to identify a lawful basis for each processing activity. LGPD requires the same (called a "legal hypothesis"). The table below maps each purpose to the data we use and the legal basis we rely on.
| Purpose | Data used | GDPR / UK basis | LGPD basis |
|---|---|---|---|
| Create and maintain your account | Email, display name, auth tokens | Contract (Art. 6(1)(b)) | Execution of contract |
| Generate and display your AI avatar | Selfie, generated images | Consent (Art. 6(1)(a)) | Consent |
| Build personalised skincare routines | Survey answers, shelf items, routine logs | Contract (Art. 6(1)(b)) | Execution of contract |
| Track streaks and gamification feedback | Routine logs, streaks, XP, quests | Legitimate interests (Art. 6(1)(f)) | Legitimate interests |
| Send push notifications | Push token, timezone | Consent (via OS permission prompt) | Consent |
| Process subscription payments | Subscriber ID, entitlement status | Contract (Art. 6(1)(b)) | Execution of contract |
| Legal obligations, disputes, terms enforcement | All relevant data | Legal obligation (Art. 6(1)(c)) + legitimate interests | Legal obligation / regulatory |
| Improve App reliability | Aggregated AI usage counters | Legitimate interests (Art. 6(1)(f)) | Legitimate interests |
| Security — detect abuse, prevent fraud | Account and session metadata | Legitimate interests (Art. 6(1)(f)) | Credit protection / security |
We do not use your personal information for automated decision-making with legal or similarly significant effects on you (GDPR Art. 22). The AI-generated avatar is a creative output, not a decision about you.
We do not sell your personal information, and we do not "share" it in the technical CCPA sense (i.e. for cross-context behavioural advertising).
4. Who we share your information with (subprocessors)
GlowOS does not sell your personal information and does not rent or lease it. We share it only with the service providers listed below, and only to the extent each one needs to perform its service. Each of these providers is contractually obliged to protect your information.
| Subprocessor | Role | What we send | Location |
|---|---|---|---|
| Supabase, Inc. | Database, authentication, file storage | All personal information above — primary backend | United States |
| Railway Corp. | Hosts our Node.js backend API | Whatever the backend needs per request (user ID, routine data, product photos during scanning) | United States |
| OpenAI, L.L.C. | Product recognition from photos; personalised routine generation | Product photos during scanning (not retained after response); aggregated routine context | United States |
| Google LLC — Gemini API ("Nano Banana") | Generate AI avatar from your selfie | The selfie and our generation prompt. See Google's Gemini API Terms for how Google handles API inputs on the tier we use. | United States |
| Google LLC — Sign in with Google | Authenticate you if you choose Google sign-in | Google email, Google user ID, and whatever you consent to share at sign-in | United States |
| Apple Inc. — Sign in with Apple, Push Notifications, App Store | Apple sign-in; iOS push; App Store purchases | Hashed relay email (at most), opaque Apple user ID, APNs device token | United States |
| RevenueCat, Inc. | Manage subscriptions (receipts, entitlements) | Your GlowOS user ID; Apple purchase receipts | United States |
| Expo, Inc. | Relay push notifications to Apple / Google | Expo push token, notification payload | United States |
| Open Food / Open Beauty Facts | Look up ingredients from a barcode | Only the barcode number — no user identifier | France |
We review new subprocessors for privacy and security. We update this list when we add or remove a subprocessor; material changes are announced per section 11.
We do not share your personal information with:
- Advertisers or advertising networks
- Data brokers
- Insurance companies or employers
- Governmental authorities, except when required by a valid legal process (court order, subpoena, lawful warrant). If we ever receive such a request, we will notify you unless legally prohibited from doing so.
5. How long we keep your information
| Data | Retention |
|---|---|
| Account information (email, display name, user ID) | For as long as your account is active. Deleted within 30 days of an account deletion request. |
| Survey answers, routine preferences, avatar | Same as above — tied to account lifetime. |
| Routine logs, streaks, XP, quests, shelf items | Same as above. |
| AI usage logs (cost monitoring, no content) | Retained while your account is active. Deleted within 30 days of an account deletion request. |
| Push send logs | Retained while your account is active. Deleted within 30 days of an account deletion request. |
| Subscription receipts | As long as applicable tax and payments laws require (typically 5–7 years in the US). |
| Backups | Operational backups are retained for up to 30 days and then overwritten. A deletion request is honored in the production database immediately and backups are purged within the 30-day rolling window. |
If you have not been active for 24 months and we are not required to keep your data for legal reasons, we may delete your account after a 30-day warning email.
6. International data transfers
GlowOS is operated from the United States and most of our subprocessors are in the United States. If you use GlowOS from the European Economic Area, the United Kingdom, Switzerland, Brazil, Japan, South Korea, or Singapore, your personal information will be transferred to the United States and possibly other jurisdictions.
We rely on the following transfer mechanisms:
- EU/EEA → US: the European Commission's Standard Contractual Clauses (2021), plus supplementary technical measures (TLS 1.2+ in transit, encryption at rest, access controls).
- UK → US: the UK's International Data Transfer Addendum (IDTA) to the EU SCCs.
- Brazil → US: SCCs and the explicit or contractual basis required by ANPD for the purpose.
- Japan, South Korea, Singapore → US: contractual safeguards substantially equivalent to the above, plus the operator-side protections required by APPI, PIPA, and PDPA respectively.
Where a subprocessor participates in the EU–US Data Privacy Framework (such as Google), we rely on that additional mechanism.
You may request a copy of the relevant transfer safeguards by emailing the privacy contact above.
7. Your rights
You have rights over your personal information. The exact catalogue depends on where you live — see section 12 for region-specific rules — but at minimum, everyone using GlowOS has the right to:
- Access: ask us what personal information we have about you, and receive a copy in a commonly used electronic format.
- Rectification: ask us to correct information that is inaccurate or incomplete.
- Erasure (the "right to be forgotten"): ask us to delete your account and associated personal information. Some data may be retained where we have a legal obligation (e.g. tax records tied to purchases).
- Restriction: ask us to stop processing your data in certain circumstances (e.g. while we verify an accuracy dispute).
- Portability: receive your personal information in a structured, machine-readable format, and ask us to transmit it to another controller where technically feasible.
- Objection: object to processing based on our legitimate interests (section 3).
- Withdraw consent: where we process on the basis of your consent (e.g. selfie upload, push notifications), withdraw it at any time. Withdrawal does not affect the lawfulness of processing already carried out.
- Not be subject to solely automated decisions that produce legal or similarly significant effects — as noted above, we do not make such decisions.
- Lodge a complaint with your local data protection authority (see section 12).
How to exercise a right: email privacy@glowos.app from the email on your account. For anonymous (not-yet-signed-up) users, include your in-app "user ID" (visible in Profile → Account once you sign in) so we can locate your data. We respond within 30 days of a verified request. We do not charge a fee unless the request is manifestly unfounded or excessive.
Account deletion: self-service in-app account deletion is not yet available. To delete your account and the associated personal information, email privacy@glowos.app from the address on your account (or, for anonymous users, include your in-app user ID in the email). We will complete the deletion within 30 days of a verified request. A self-service flow will be added to the App; that change will be announced in the policy changelog when it ships.
8. Children
GlowOS is not directed to children under 13 years of age (or the equivalent minimum "digital consent" age in your jurisdiction — 16 in several EU member states, 14 in South Korea and Brazil, and so on). We do not knowingly collect personal information from children under that age.
If you are a parent or guardian and believe your child has created an account, email privacy@glowos.app and we will delete the account and associated data.
If you are between the minimum age and the age of majority in your jurisdiction, a parent or guardian should review this Privacy Policy with you.
9. Security
We take reasonable technical and organisational measures to protect your personal information:
- All network traffic between the App, our backend, and subprocessors is encrypted in transit (TLS 1.2 or higher).
- Data at rest in Supabase is encrypted using AES-256.
- Row-Level Security policies in Supabase restrict access via the application API so that each authenticated user can read only their own records. Our production service-role key can technically read any user's data; we restrict its use to system operations (background jobs, webhooks, explicit support investigations) and admin access is limited and logged.
- Passwords (for email/password accounts) are never stored — authentication is handled by Supabase Auth using a salted one-way hash.
- We follow the principle of least privilege for backend access. Admin access is limited and logged.
- We do not log personal information (email, selfie, routine content) in plaintext application logs.
No system is perfectly secure. If we ever detect a security incident that affects your personal information, we will notify you and the appropriate regulator as required by applicable law (GDPR Art. 33 — 72 hours; CCPA; LGPD; etc.).
10. Cookies, local storage, and tracking
GlowOS is a native mobile app and does not use cookies. It does use device local storage (specifically, React Native AsyncStorage) to remember your Supabase session token and a small number of UI preferences such as whether you have dismissed the "streak saved" banner. These are strictly necessary to operate the App.
The App does not use any cross-app tracking. iOS App Tracking Transparency (ATT) is not prompted because we do not track.
The website at https://glowos.app uses Cloudflare hosting. Cloudflare may process your IP address and User-Agent for abuse detection and caching as a data processor on our behalf. The site does not set advertising or analytics cookies.
11. Changes to this policy
We may update this Privacy Policy. When we do:
- The "Last updated" date at the top will change.
- Material changes will be announced at least 30 days in advance via email to the address on your account, so you have time to review them and, if you disagree, delete your account before they take effect. We may additionally surface a notice in the App.
- A change history is maintained in the project repository; you can see the full diff of every revision.
12. Region-specific rights
The following sections add to your rights from section 7 — they do not replace them.
12.1 European Economic Area (EU), United Kingdom, and Switzerland — GDPR & UK GDPR
In addition to the rights in section 7, you have the right to lodge a complaint with your national data protection authority. A list is available at edpb.europa.eu for the EEA, ico.org.uk for the UK, and edoeb.admin.ch for Switzerland.
We rely on the following GDPR legal bases (see section 3): contract, consent, legitimate interests, and legal obligation.
Our processing of your data in Google Gemini (selfie → avatar) is based on your explicit consent. You can withdraw that consent at any time by deleting your avatar in the App or by emailing the privacy contact.
12.2 California — CCPA / CPRA
Under the California Consumer Privacy Act (as amended by the California Privacy Rights Act), California residents have the rights in section 7 plus:
- Right to know: what categories and specific pieces of personal information we have collected about you in the past 12 months, the sources, the purposes, and the categories of third parties we shared it with.
- Right to delete: request that we delete your personal information, subject to statutory exceptions.
- Right to correct: request that we correct inaccurate personal information.
- Right to opt out of "sale" or "sharing": GlowOS does not sell or share your personal information for cross-context behavioural advertising. We have no "Do Not Sell or Share My Personal Information" link because there is nothing to opt out of — but you can still submit such a request at the privacy contact and we will confirm the non-sale status in writing.
- Right to limit use of sensitive personal information: the CCPA defines a narrow category of "sensitive personal information". We do not use any such information to infer characteristics about you; the categories most relevant to an app like ours are either not collected (precise geolocation; financial account) or not applicable (the contents of communications).
- Right to non-discrimination for exercising your rights. We do not offer price incentives tied to data sharing.
Categories of personal information collected in the past 12 months (per Cal. Civ. Code § 1798.140): identifiers; customer records; internet or network activity; geolocation data (timezone only, coarse); audio/visual (avatar images and selfies); commercial information (purchase history); inferences drawn from any of the above (routine recommendations).
"Shine the Light" request (Cal. Civ. Code § 1798.83): we do not share personal information with third parties for their own direct marketing. N/A.
12.2b Illinois — Biometric Information Privacy Act (BIPA)
Illinois has specific protections for biometric identifiers and biometric information under BIPA (740 ILCS 14). GlowOS asks you to upload a facial photograph during onboarding if — and only if — you choose to generate an AI-styled avatar. The following describes our handling of this data for Illinois residents:
- What happens to your photograph: The selfie is transmitted to Google's Gemini API for the sole purpose of generating a stylised avatar portrait. GlowOS does not persist the original photograph on its own servers beyond the duration of the API call. No biometric identifier template, face-geometry scan, or faceprint is extracted or stored by GlowOS.
- Affirmative action required: Uploading a selfie is always initiated by you. GlowOS does not capture facial images silently or passively. You may skip the selfie step entirely and pick one of GlowOS's preset avatar images instead — in that case no image of your face is processed.
- Third-party processing: For details on how Google processes inputs to its Gemini API, please review Google's privacy policy and the Gemini API Terms. GlowOS encourages Illinois residents to review those documents before generating an AI avatar.
- Destruction schedule: Any transient cache of a facial image on GlowOS infrastructure (e.g. in HTTP request buffers) is purged within 24 hours of the generation call. The generated avatar image — a stylised drawing, not a biometric identifier — is retained in your account until you delete it or your account.
- Opting out / withdrawing consent: You may at any time delete your generated avatar via Profile → Avatar → Regenerate (which overwrites the existing avatar) or by requesting full account deletion as described in section 7.
If you are an Illinois resident and wish to exercise any right under BIPA, email privacy@glowos.app.
12.3 Brazil — LGPD
You have the rights in section 7 plus the right to request information about the public and private entities with which we have shared your personal data, and the right to a clear explanation of automated decisions (we do not make any). You may contact Brazil's Autoridade Nacional de Proteção de Dados (ANPD) if you believe your rights have been violated.
12.4 Japan — APPI
We handle personal information in accordance with the Act on the Protection of Personal Information. You may request disclosure, correction, suspension of use, or deletion of your retained personal data by contacting the privacy address. Complaints may be submitted to Japan's Personal Information Protection Commission (PPC).
12.5 South Korea — PIPA
You have the rights in section 7 plus the specific right to suspend processing. The minimum age at which a child can consent to personal-information processing in Korea is 14; below that age, we require verified parental consent, which in practice means we do not register users under 14. Complaints may be filed with South Korea's Personal Information Protection Commission (PIPC).
12.6 Singapore — PDPA
You have the right to access and correction under the PDPA. You may withdraw consent to any purpose of collection, use, or disclosure. Please submit requests to the privacy address above. Complaints may be raised with the Personal Data Protection Commission (PDPC).
13. Contact us
| Item | Detail |
|---|---|
| Privacy email | privacy@glowos.app |
| Postal mail | Compounding Flow Inc. — [address to be confirmed] |
| Response time | Within 30 days of a verified request |
If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority — see section 12.
Changelog
- v1.6 — 1 May 2026 — Updated section 2.8 with two narrow exceptions to "we don't store reply content": user-initiated reports of bad replies (`chat_reports` table; consent basis) and an automated safety-classifier surveillance log (`ai_usage.metadata` for matched-pattern entries; legitimate-interest basis). Both store at most 500 characters of the reply.
- v1.5 — 1 May 2026 — Added section 2.8 disclosing the new in-app conversational AI advisor ("Talk to GlowOS"): user message + shelf/profile context sent to Anthropic per their API terms; conversation history is ephemeral (not stored server-side); only per-message metadata is logged for daily-credit accounting. Renumbered the previous "Information we do not collect" section to 2.9.
- v1.4 — 1 May 2026 — Updated section 2.7 to disclose persistent storage of product photos taken via the "Take Photo Instead" flow (uploaded to a private per-user folder in the `shelf-photos` bucket; deleted on shelf-item or account deletion). The barcode path remains photo-less; the AI-recognition transient processing is unchanged.
- v1.3 — 30 April 2026 — Updated section 1 to identify the Controller as Compounding Flow Inc. (a US corporation); removed the prior sole-proprietor / "LLC pending formation" framing now that the corporate entity is in place; updated postal-mail row in section 13.
- v1.2 — 27 April 2026 — Added section 2.8 disclosing the opt-in Top-100 leaderboard.
- v1.1 — 22 April 2026 — Tightened entity/controller identity; corrected retention periods; clarified account deletion process; added Illinois BIPA section; softened EU/UK representative language to pre-release posture; clarified scope of service-role data access; removed unsupported in-App notice commitment; replaced unverifiable Gemini-training claim.
- v1.0 — 21 April 2026 — Initial publication.