Privacy Policy
GlowUpKit ("we," "our," "us") is operated by GlowUpKit ("Company").
Effective date: May 27, 2026 · Last updated: June 17, 2026
This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use the GlowUpKit mobile application and related services (the "Service"). This policy applies to users worldwide, including users in the United States, European Economic Area (EEA), United Kingdom, India, United Arab Emirates, Saudi Arabia, and other jurisdictions.
1. Data We Collect
| Category | Data | Purpose | Retention |
|---|---|---|---|
| Account | Email address, hashed password (email sign-up); or your name, email address, and Google account identifier (if you sign in with Google) | Authentication, account recovery, personalized greeting | Until account deletion |
| Profile | Age range, gender, ethnicity, skin concerns, product preferences, beauty goals | Personalize analysis and recommendations | Until account deletion |
| Photos | Selfie images you upload | Color analysis, skin analysis, glow-up image generation | Until account deletion (you can request earlier deletion) |
| Analysis results | Color season, undertone, skin score, skin type, concerns, makeup guide, skincare routine | Display results, scan history | Until account deletion |
| Generated images | AI-generated before/after glow-up images | Show your personalized makeover | Until account deletion |
| Subscription | Subscription tier and status (via RevenueCat) | Manage access to premium features | Until account deletion |
| Usage | App interaction events (screens viewed, features used, scan count) | Improve the app, fix bugs | 90 days (anonymized after) |
| Device | Device type, OS version, app version | Technical support, compatibility | 90 days |
| Notifications | Push notification token (a per-install identifier issued by Firebase Cloud Messaging) | Send re-engagement and account notifications. Not used for advertising or cross-app tracking | Until account deletion or you disable notifications |
1.1 Sensitive Data
We recognize that selfie photos, ethnicity, and skin analysis results may be considered sensitive personal data under certain laws (including GDPR Article 9, India's DPDP Act, and UAE PDPL). We process this data only with your explicit consent, which you provide when you:
- Complete the onboarding quiz (ethnicity, skin concerns)
- Upload or take a selfie for analysis
- Tap "Got it, let's go" before your first scan
You may withdraw consent at any time by deleting your account (see Section 8).
1.2 Biometric Data Notice
Our Service uses AI to analyze facial features (skin tone, eye color, hair color) from your selfie. Depending on your jurisdiction, this may be classified as biometric data. We do not use facial recognition to identify you. We do not create a "faceprint" or biometric identifier. The analysis extracts color values (RGB) and skin characteristics only. No biometric template is stored or shared.
1.3 Data We Do NOT Collect
- Payment card numbers, bank details, or financial data (handled entirely by Google Play / Apple / RevenueCat)
- Precise GPS location
- Contacts, call logs, or SMS
- Microphone or audio recordings
- Data from other apps on your device
- Android Advertising ID or any other advertising identifier — we do not use advertising IDs or track you across apps. (We do use a Firebase Cloud Messaging push token to deliver notifications; it is not an advertising identifier — see Section 1.)
2. How We Use Your Data
| Purpose | Legal Basis (GDPR) | Legal Basis (India DPDP) |
|---|---|---|
| Provide the Service (color analysis, skin analysis, glow-up image) | Contract performance (Art. 6(1)(b)) | Specified purpose with consent |
| Personalize recommendations based on quiz answers | Contract performance | Specified purpose with consent |
| Process sensitive data (ethnicity, photos, skin analysis) | Explicit consent (Art. 9(2)(a)) | Explicit consent |
| Manage your subscription and payments | Contract performance | Specified purpose with consent |
| Send transactional emails (password reset, account changes) | Contract performance | Specified purpose |
| Improve the app (analytics, crash reports) | Legitimate interest (Art. 6(1)(f)) | Legitimate use |
| Comply with legal obligations | Legal obligation (Art. 6(1)(c)) | Legal obligation |
3. Third-Party Services and Data Sharing
We share your data only with the services necessary to operate GlowUpKit. We do not sell your personal data.
| Service | Provider | Data Shared | Purpose | Location |
|---|---|---|---|---|
| Database & Storage | Supabase (AWS) | All account data, photos, analysis results | Data storage, authentication | United States |
| AI Analysis & Image Generation | Google (Gemini API) | Selfie image (for skin analysis and glow-up image generation), color feature values (for makeup guide) | Generate skin analysis, makeup recommendations, and before/after glow-up image (paid users only) | United States |
| Subscription Management | RevenueCat | User ID, subscription status | Manage premium subscriptions | United States |
| App Distribution | Google Play / Apple App Store | App usage, crash data, purchase data | App distribution, payment processing | United States / Ireland |
AI processing disclosure: When you run a scan, your selfie is sent to Google's Gemini AI for skin analysis. For paid users, your selfie is also sent to Google's Gemini AI for before/after glow-up image generation. These services process your image solely to fulfill your request and are contractually prohibited from using your data for their own training or other purposes. Temporary signed URLs to your selfie expire after 10 minutes. In exceptional circumstances, image generation may be fulfilled by Replicate (an optional fallback provider); if so, the same data handling restrictions apply.
4. International Data Transfers
Your data is processed and stored in the United States. If you are located outside the United States, your data will be transferred internationally. We rely on the following safeguards:
4.1 European Economic Area & United Kingdom
For transfers from the EEA/UK to the US, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Where applicable, the EU-US Data Privacy Framework
4.2 India
Under the Digital Personal Data Protection Act, 2023 (DPDP Act), we transfer data to countries not restricted by the Central Government. You consent to this transfer when you create an account and use the Service.
4.3 United Arab Emirates & Saudi Arabia
Under the UAE PDPL and Saudi PDPL, we transfer data with your explicit consent and ensure adequate protection measures are in place. Data processing complies with applicable data protection regulations in the GCC region.
5. Data Security
- All data transmitted between your device and our servers uses TLS 1.2+ encryption
- Selfie photos are stored in a private storage bucket accessible only to your authenticated account
- Authentication tokens are stored in your device's secure keychain (iOS Keychain / Android Keystore)
- Database access is protected by Row-Level Security: users can only read/write their own data
- API access to selfies requires a time-limited signed URL (expires in 10 minutes for third-party processing, 1 hour for in-app viewing)
- Passwords are hashed using bcrypt; we never store plaintext passwords
- Our API server enforces rate limits (3 scans/day free, 10 scans/day paid) to prevent abuse
6. Your Rights
6.1 All Users
- Access: View your data in the app (Profile > Settings, Scan History)
- Deletion: Delete your account and all associated data in-app (Settings > Delete Account) or via the web at glowupkit.app/delete-account. This permanently removes your auth account, all selfie photos, all generated images, and all scan history. See Section 8 for full details.
- Correction: Update your email or re-take the onboarding quiz
- Withdraw consent: Stop using the Service and delete your account at any time
6.2 EEA, UK, and Swiss Users (GDPR)
In addition to the rights above, you have the right to:
- Data portability: Request a machine-readable copy of your data
- Restrict processing: Ask us to limit how we use your data
- Object to processing: Object to processing based on legitimate interest
- Lodge a complaint: File a complaint with your local Data Protection Authority
- Not be subject to automated decision-making: Our AI analysis provides recommendations only; no decisions with legal or significant effects are made solely by automated means
6.3 California Users (CCPA/CPRA)
- Right to know: What personal information we collect, use, and share (described in this policy)
- Right to delete: Request deletion of your personal information
- Right to opt-out of sale: We do not sell your personal information
- Right to non-discrimination: We will not discriminate against you for exercising your rights
- Shine the Light: California residents may request information about data shared with third parties for direct marketing. We do not share data for third-party marketing.
6.4 Indian Users (DPDP Act)
- Right to access: Obtain a summary of your personal data and processing activities
- Right to correction and erasure: Correct inaccurate data or request deletion
- Right to grievance redressal: Contact our Grievance Officer (see Section 11)
- Right to nominate: Nominate another individual to exercise your rights in case of death or incapacity
6.5 UAE and Saudi Arabia Users
- Right to access, correct, and delete your personal data
- Right to withdraw consent for data processing at any time
- Right to data portability in a structured, commonly used format
- Right to object to processing of your personal data
To exercise any of these rights, email privacy@glowupkit.app. We will respond within 30 days (or sooner if required by applicable law).
7. Children's Privacy
GlowUpKit is not intended for children under 13 years of age (or under 16 in the EEA, or under the applicable age of consent in your jurisdiction). We do not knowingly collect data from children below these ages. If you believe a child has provided us with personal data, contact us at privacy@glowupkit.app and we will delete it promptly.
Users aged 13-17 (or 16-17 in the EEA) may use GlowUpKit with parental or guardian consent.
8. Data Retention and Deletion
- Account data, photos, and analysis results: Retained until you delete your account
- Usage analytics: Retained for 90 days, then anonymized
- Account deletion: You can delete your account at any time in-app (Settings > Delete Account) or by submitting a request at glowupkit.app/delete-account. Deletion permanently removes: your auth account, profile information, all selfie photos, all generated images, all scan results, and onboarding quiz data. Email requests are processed within 30 days.
- Inactive accounts: Accounts inactive for more than 24 months may be flagged for deletion. We will notify you by email 30 days before deletion.
9. Cookies and Tracking
The GlowUpKit mobile app does not use browser cookies. Analytics are limited to non-advertising app-interaction events (screens viewed, features used, scan count) and do not involve the Android Advertising ID or any other advertising identifier. You can review your device privacy settings at any time in your Android or iOS settings.
10. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you via in-app notification or email at least 14 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.
11. Contact Us
| Role | Contact |
|---|---|
| Privacy inquiries (all users) | privacy@glowupkit.app |
| General support | support@glowupkit.app |
| Grievance Officer (India DPDP Act) | privacy@glowupkit.app (Attn: Grievance Officer) |
| Data Protection inquiries (EEA/UK) | privacy@glowupkit.app (Attn: Data Protection) |
Mailing address: GlowUpKit, India
This privacy policy is provided in English. If there is a conflict between the English version and any translated version, the English version prevails.