Privacy Policy

Effective Date: April 5, 2026

GlowUp ("we", "our", "us") respects your privacy. This Privacy Policy explains how we collect, use, and protect your information when you use the GlowUp mobile application ("App").

1. Information We Collect

• Account Information: When you sign in with Apple, we receive your Apple ID, display name, and email address (if you choose to share it).
• Face Photos: Photos you upload or capture for facial analysis are transmitted securely to our server, processed by our AI system in real-time, and immediately discarded after analysis. Face photos are never stored on our servers or in cloud storage. Only the resulting analysis scores and text recommendations are retained. See Section 3 for full details on face data handling.
• Analysis Data: Scores, category breakdowns, recommendations, and progress data generated from your analyses.
• Chat Messages: Messages you send to the AI Coach feature are processed by OpenAI to generate responses. Chat messages are processed in real-time and are not permanently stored on our servers. Chat history is only kept locally on your device during your session.
• Usage Data: App interactions such as features used, session duration, and task completions for improving the App experience.
• Device Information: Device type, operating system version, and push notification tokens for delivering notifications.

2. How We Use Your Information

• To provide AI-powered facial analysis and personalized recommendations
• To track your progress and improvement over time
• To deliver AI Coach responses tailored to your profile
• To process subscription purchases and manage your account
• To send push notifications you have opted into (daily reminders, milestones)
• To improve and maintain the App

3. Face Data Collection, Use, and Retention

What face data we collect: When you use the facial analysis feature, the App captures or receives a single photo of your face via the device camera or photo library. The photo is converted to a base64-encoded image on your device and transmitted securely (via HTTPS/TLS) to our backend server for processing.

How face data is used: Your face photo is sent to OpenAI's GPT-4.1-mini API (with vision capabilities) for AI-powered facial analysis. The AI evaluates facial features across categories such as symmetry, jawline definition, skin quality, grooming, and style. The analysis produces numerical scores (0-100), text-based strengths and improvement suggestions, and celebrity look-alike matches. The photo itself is used solely for this one-time analysis.

Third-party sharing — OpenAI: Your face photo is transmitted to OpenAI (https://openai.com) for AI processing. OpenAI processes the image to generate the analysis.

• Does OpenAI store face data? OpenAI may temporarily retain API inputs (including your face photo) for up to 30 days. After 30 days, the data is automatically deleted.
• Why does OpenAI retain data for 30 days? OpenAI retains API data temporarily solely for abuse and misuse monitoring — to detect harmful content, prevent platform misuse, and ensure safety. This retention period is required by OpenAI's operational policies and cannot be shortened by GlowUp.
• Is face data used to train AI models? No. Per OpenAI's API Data Usage Policy, API inputs and outputs are not used to train OpenAI's models.
• OpenAI's privacy practices: OpenAI is committed to data protection and does not sell API user data. OpenAI implements industry-standard security measures to protect data during the temporary retention period. For full details, review OpenAI's Privacy Policy and API Data Usage Policy.

No other third parties receive your face photo.

Data storage: Face photos are NOT stored on our servers. The photo exists in server memory only during the brief processing window (typically under 30 seconds) and is immediately discarded after the AI analysis completes. Only the resulting text-based analysis data (scores, recommendations, category breakdowns) is saved to your account in our database. The original photo remains only on your local device.

Data retention: Since face photos are not stored on our servers, there is no server-side retention of face images. The analysis results (scores and text) are retained as long as your account is active and are permanently deleted when you delete your account. The photo file on your local device is managed by your device's storage and is not controlled by the App.

AI consent: Before your first facial analysis, the App displays a consent modal explaining that your photo will be processed by AI. You must explicitly consent before proceeding. AI-generated scores and recommendations are for entertainment and self-improvement purposes only and should not be considered medical, psychological, or professional advice.

4. Biometric Data Policy

This section serves as our written biometric data policy as required by applicable biometric privacy laws, including the Illinois Biometric Information Privacy Act (BIPA), Texas Capture or Use of Biometric Identifier Act (CIPA), and Washington Biometric Identifier laws.

What biometric data we collect: When you use the facial analysis feature, your face photo contains biometric identifiers, specifically facial geometry data. This data is collected solely for the purpose of generating your AI-powered facial analysis scores and personalized improvement recommendations.

Purpose of collection: Biometric data (facial geometry) is collected exclusively to provide the core facial analysis service of the App. It is not used for identification, surveillance, advertising, or any purpose other than generating your personalized analysis results.

Biometric Data Retention Schedule:

• Face photos (biometric source material): Processed in server memory only. Automatically destroyed within 60 seconds of analysis completion. Never written to disk or stored in any database on our servers.
• OpenAI temporary retention: OpenAI may retain the face photo for up to 30 days for safety monitoring, after which it is automatically and permanently deleted. OpenAI does not use API data to train models.
• Analysis results (derived data): Numerical scores, text recommendations, and category breakdowns are retained in our database for as long as your account is active, up to a maximum of 3 years from the date of your last interaction with the App.

Biometric Data Destruction Schedule:

• Face photos are destroyed from our server memory within 60 seconds of processing.
• OpenAI destroys retained data within 30 days per their API data retention policy.
• All analysis results and derived data are permanently destroyed when you delete your account (available in App Settings), or automatically after 3 years of account inactivity, whichever comes first.
• Destruction is carried out by permanent deletion from our database systems (Supabase/AWS) with no recovery possible.

Third-party disclosure: Your biometric data (face photo) is disclosed only to OpenAI for the purpose of AI analysis. No other third party receives your biometric data. We do not sell, lease, trade, or otherwise profit from your biometric data.

Consent: Before your first facial analysis, the App displays a biometric data consent modal that requires your explicit, informed consent. You may revoke consent at any time by deleting your account in Settings. Revocation of consent does not affect the lawfulness of processing performed prior to revocation.

Right to request deletion: You may request deletion of all biometric-derived data at any time by deleting your account within the App or by contacting us at glowupaiapp@gmail.com.

5. Data Storage & Security

Your account data and analysis results are stored securely using Supabase (hosted on AWS). We implement industry-standard security measures including encryption in transit (TLS) and at rest, row-level security policies, and secure authentication via JSON Web Tokens (JWT). Face photos are never stored on our servers — only text-based analysis results are retained in the database.

6. Third-Party Services

• Supabase: Database and authentication hosting
• OpenAI: AI analysis and chat processing
• RevenueCat: Subscription and purchase management
• Apple: Sign-in authentication and in-app purchases
• Expo: App update delivery

Each third-party service has its own privacy policy governing their use of data.

7. Data Retention & Deletion

Your data is retained as long as your account is active. You can delete your account at any time from the Settings screen in the App. When you delete your account:

• All analysis data (scores, recommendations, category breakdowns) are permanently deleted from our database
• All profile data, progress history, streaks, achievements, and task completions are permanently deleted
• Your authentication account is permanently removed
• No face photos need to be deleted as they are never stored on our servers

Deletion is irreversible and typically completes within minutes.

8. Children's Privacy

GlowUp is not intended for children under 17. We do not knowingly collect personal information from children. If we learn we have collected data from a child under 17, we will delete it promptly.

9. Your Rights

You have the right to:

• Access your personal data through the App
• Delete your account and all associated data
• Opt out of push notifications via device settings
• Request information about your data by contacting us

10. European Users (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):

• Legal Basis: We process your personal data based on your consent (facial analysis, push notifications) and legitimate interest (improving our services, preventing fraud).
• Right of Access: You may request a copy of all personal data we hold about you.
• Right to Rectification: You may request correction of inaccurate personal data.
• Right to Erasure: You may request deletion of your personal data by deleting your account in the App or contacting us.
• Right to Data Portability: You may request your data in a structured, machine-readable format.
• Right to Object: You may object to processing based on legitimate interest.
• Right to Withdraw Consent: You may withdraw consent at any time by deleting your account or contacting us. Withdrawal does not affect prior processing.

To exercise these rights, contact us at glowupaiapp@gmail.com. We will respond within 30 days.

Data Transfers: Your data may be transferred to and processed in the United States. We rely on standard contractual clauses and service provider agreements to ensure adequate data protection.

11. California Users (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

• Right to Know: You may request details about the categories and specific pieces of personal information we collect, the purposes for collection, and the categories of third parties with whom we share it.
• Right to Delete: You may request deletion of your personal information. Delete your account in the App Settings or contact us.
• Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
• Sale of Personal Information: We do NOT sell your personal information to third parties.
• Sensitive Personal Information: Under the CCPA, biometric data (including facial geometry) is classified as "sensitive personal information." We collect this data only with your explicit consent and use it solely for the purpose of providing the facial analysis service. You may limit or opt out of this processing by not using the facial analysis feature or by deleting your account.

To exercise these rights, contact us at glowupaiapp@gmail.com.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes through the App or by updating the effective date above.

13. Contact Us

If you have questions about this Privacy Policy, contact us at: glowupaiapp@gmail.com