Last updated: April 21, 2026
This Privacy Policy describes how Glowmax ("we", "us", "our") collects, uses, stores, shares, and protects information when you use the Glowmax mobile application (the "App") and related services. By using the App, you agree to the practices described in this Policy.
1. Information We Collect
We collect the following categories of information when you use the App:
1.1 Contact Information
- Email address: collected when you create an account (via email/OTP, Google Sign-In, or Apple Sign-In). Apple's "Hide My Email" relay addresses are supported.
1.2 User Content
- Photos: photographs of your face that you capture with the App's camera or select from your device's photo library for the purpose of AI-powered facial analysis.
1.3 Identifiers
- User ID: a backend-assigned account UUID linked to your email and session.
- Device identifiers: AppsFlyer's attribution identifier ("AppsFlyer ID"), and, only if you grant permission via the App Tracking Transparency prompt, Apple's Identifier for Advertisers ("IDFA").
1.4 Purchases
- Subscription data: your App Store transaction identifier, product identifier, and subscription status. Payment card details are handled by Apple and are never collected by, sent to, or accessible to us.
1.5 Usage Data
- Product interaction: onboarding progress, funnel stage (created / authenticated / photo-captured / paid), analysis session counts, referral codes you enter, and selections such as gender.
- Attribution data: the advertising media source and campaign that drove your install, as reported by AppsFlyer.
1.6 Diagnostic Data
- Server error logs: when an API request fails, we log the endpoint, HTTP status code, response time, memory usage, IP address, and user-agent string. This data is used solely for debugging and reliability.
Information we do not collect: we do not collect your name, phone number, physical address, precise or coarse location, contacts, health or fitness data, financial information beyond Apple-managed purchase data, browsing or search history outside the App, audio recordings, or content from your emails or messages.
2. How We Use Your Information
We use the information we collect for the following purposes:
- App Functionality: authenticating your account, gating access to subscriber features, delivering facial analysis results, processing subscriptions, preventing fraudulent transactions, and providing customer support.
- Analytics: understanding aggregate user behavior, measuring funnel conversion, evaluating feature effectiveness, and planning product improvements.
- Advertising Measurement: attributing app installs and subscription events to advertising campaigns, measuring return on ad spend, and optimizing future advertising (via AppsFlyer).
- Security and Diagnostics: detecting errors, investigating abuse, and maintaining the stability of our services.
- Legal Compliance: complying with applicable laws, responding to lawful requests, and enforcing our Terms of Service.
3. User Consent and Facial Image Processing
Facial images are processed only after you take explicit action to capture or upload an image within the App. Before your first analysis, the App presents an AI consent modal that you must accept. By uploading facial images, you expressly consent to their processing for the purpose of providing AI-powered facial analysis. No facial images are processed without your explicit, voluntary action.
4. App Tracking Transparency (ATT) and Tracking Disclosure
On first launch, or at the point at which advertising attribution is required, the App presents Apple's App Tracking Transparency permission prompt. If you grant permission, the App shares your IDFA with AppsFlyer so that your install and subscription events can be attributed to the advertising campaign that brought you to the App.
The data types used for tracking purposes (as defined by Apple) are: Device identifiers (AppsFlyer ID and IDFA when consented) and Purchase events (subscription product identifier, transaction identifier, and revenue). This tracking is used for advertising attribution and advertising measurement only. You may revoke permission at any time from iOS Settings → Privacy & Security → Tracking. If you deny or revoke permission, attribution is limited to Apple's SKAdNetwork / AdAttributionKit APIs, and no IDFA is shared.
We do not display third-party advertisements inside the App. We do not sell your personal data. We do not share data with data brokers.
5. Third-Party Processors
We engage the following third-party service providers to operate the App. Each processes your data only on our instructions and under its own privacy policy:
- Apple Inc. — App distribution, App Store payments and subscription management (StoreKit), App Store Server Notifications, Sign in with Apple, and App Tracking Transparency. Governed by Apple's Privacy Policy.
- OpenAI, L.L.C. — AI facial analysis. Your photos are transmitted to OpenAI's Vision API to generate analysis results. Governed by OpenAI's Privacy Policy and API data usage policies.
- AppsFlyer Ltd. — Mobile install attribution and advertising measurement. Receives device identifiers (AppsFlyer ID, and IDFA when ATT consent is granted) and subscription events (product ID, transaction ID, revenue, currency). Governed by AppsFlyer's Services Privacy Policy.
- Supabase Inc. — Authentication and database hosting. Stores your email, account record, analysis sessions, and subscription status. Governed by Supabase's Privacy Policy.
- Vercel Inc. — Hosting of our backend APIs and web properties. May process request metadata (IP address, user-agent) as a data processor. Governed by Vercel's Privacy Policy.
- Resend, Inc. — Delivery of transactional emails (one-time verification codes). Governed by Resend's Privacy Policy.
- Google LLC — Sign in with Google, if you choose that authentication option. Governed by Google's Privacy Policy.
6. Data Storage, Security, and International Transfers
Your personal data, including facial images, is transmitted over 256-bit TLS and stored on servers operated by our infrastructure providers. Facial images and associated analysis results are isolated per account and are not accessible to other users of the App. We implement administrative, technical, and physical safeguards designed to protect against unauthorized access, disclosure, alteration, or destruction.
Our servers and service providers are located primarily in the United States. If you access the App from outside the United States, your data will be transferred to, and stored and processed in, the United States or other countries where our processors operate. Where required by law, we rely on Standard Contractual Clauses or equivalent mechanisms to lawfully transfer personal data.
7. Data Retention
We retain personal data only for as long as necessary to provide the App and for the purposes described in this Policy:
- Facial images and analysis results: retained until you delete an individual scan from your history or delete your account, whichever is earlier.
- Account data (email, user ID, subscription status): retained for the life of your account, then deleted following an account-deletion request (see Section 8).
- Server error logs: retained for up to 90 days for debugging and security purposes, then purged.
- App Store notification records: retained for the duration required to reconcile subscription state and for legal or tax record-keeping.
8. Your Rights and Account Deletion
You may delete your account at any time from within the App by opening Settings → Membership → Delete Account. Account deletion permanently removes your account record, facial images, analysis results, and associated personal data from our production databases. Audit, fraud-prevention, and legally required records may be retained for a limited period as permitted by law.
Subject to applicable law, you also have the right to: (a) request access to your personal data; (b) request correction of inaccurate data; (c) request deletion of your personal data; (d) object to or restrict certain processing; (e) request data portability; and (f) withdraw consent for processing based on consent. To exercise any of these rights, contact us at privacy@glowmaxapp.pro. We will respond within the timeframe required by applicable law.
9. GDPR Compliance (European Economic Area and United Kingdom)
If you are located in the European Economic Area or the United Kingdom, the following additional provisions apply to the processing of your personal data under the General Data Protection Regulation (GDPR) and UK GDPR:
- Legal Bases for Processing: (a) explicit consent (Article 6(1)(a) and Article 9(2)(a)) for the processing of facial images and for advertising tracking; (b) contract performance (Article 6(1)(b)) for account creation, authentication, and subscription delivery; (c) legitimate interests (Article 6(1)(f)) for service improvement, security, and diagnostics; (d) legal obligation (Article 6(1)(c)) for tax and accounting records.
- Special Category Data: Facial images may constitute biometric data under Article 9 of the GDPR. We process such data only with your explicit consent, obtained via the in-app AI consent modal before any image upload or analysis.
- Your Rights: you have the right to access, rectify, erase, restrict processing of, port, and object to the processing of your personal data, and to withdraw consent. To exercise these rights, contact privacy@glowmaxapp.pro.
- Supervisory Authority: you have the right to lodge a complaint with a supervisory authority in the EU Member State or the United Kingdom of your habitual residence, place of work, or place of the alleged infringement.
- Data Controller: for GDPR inquiries, contact privacy@glowmaxapp.pro.
10. CCPA/CPRA Compliance (California)
If you are a California resident, the following additional provisions apply under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Categories of Personal Information Collected: identifiers (email address, user ID, device identifiers); biometric information (facial images); commercial information (subscription purchases); internet or network activity (app interactions, attribution data); and inferences drawn from the above.
- Categories of Sources: directly from you, automatically from your use of the App, and from third-party processors such as AppsFlyer.
- Categories of Recipients: our third-party service providers listed in Section 5, each bound by contract to process data only on our instructions.
- Right to Know, Delete, and Correct: you have the right to request that we disclose, delete, or correct personal information we have collected about you.
- Right to Opt-Out of Sale or Sharing: we do not sell your personal information. We may "share" personal information for cross-context behavioral advertising only to the extent your device's IDFA is shared with AppsFlyer for attribution purposes, which requires your affirmative opt-in via the App Tracking Transparency prompt. You may withdraw that consent at any time in iOS Settings.
- Right to Limit Use of Sensitive Personal Information: you have the right to limit our use of sensitive personal information (such as biometric information) to purposes necessary to provide the App.
- Right to Non-Discrimination: we will not discriminate against you for exercising any CCPA/CPRA right.
- Requests: to exercise your rights, contact privacy@glowmaxapp.pro.
11. Illinois BIPA Disclosure
If you are an Illinois resident, the following disclosure is provided pursuant to the Illinois Biometric Information Privacy Act (740 ILCS 14/1, et seq.):
- Biometric Data Collected: facial geometry data derived from photographs you upload qualifies as biometric data under BIPA.
- Consent: written consent is obtained via the in-app AI consent modal before any biometric data is collected or processed.
- Purpose: biometric data is collected and used solely for AI-powered facial analysis to provide self-improvement recommendations within the App.
- Retention Schedule: facial images and analysis results are retained until you delete the individual scan from your history or delete your account, whichever occurs first, and in no event longer than three (3) years after your last interaction with the App.
- Destruction: biometric data is permanently destroyed when you delete a scan or your account, or at the conclusion of the retention period above.
- No Sale or Trade: we do not sell, lease, trade, or otherwise profit from your biometric data.
- Storage and Protection: biometric data is stored with the same or greater protections as other confidential and sensitive information, including 256-bit TLS in transit and encryption at rest.
12. Children's Privacy
The App is not intended for use by individuals under the age of 13, and the App's Terms of Service require users to be at least 17 years old. We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13, we will delete such information promptly. If you believe we have collected information from a child under 13, please contact us at privacy@glowmaxapp.pro.
13. Do Not Track
Our web properties do not respond to "Do Not Track" browser signals because no uniform standard for responding to them has been adopted. Our in-app tracking practices are governed by Apple's App Tracking Transparency framework as described in Section 4.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, our service providers, or applicable law. We will post the updated Policy at this URL and update the "Last updated" date. Material changes will be communicated by in-app notice or email where required. Your continued use of the App after an update constitutes acceptance of the revised Policy.
15. Contact Information
For questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us at:
Email: privacy@glowmaxapp.pro
Legal Inquiries: legal@glowmaxapp.pro