DPDP Compliance

Digital Personal Data Protection Act, 2023 (India). How we protect your data.

In simple words
  • India has a law called the DPDP Act that protects your personal data. We follow it completely.
  • We upload and store your data (photos, scans, health info) on our encrypted servers.
  • Our dermatologists and skin scientists may review anonymized data to improve our AI.
  • You can ask us to show, fix, or delete your data anytime.
  • You can take back your permission anytime — we'll stop processing your data.
  • You can opt out of anonymized dermatologist review if you prefer.
  • If you have any complaint, you can contact our grievance officer (details below).

1. Data Fiduciary

Under the DPDP Act, GlowXLab acts as the Data Fiduciary. We determine the purpose and means of processing your personal data. We are responsible for ensuring your data is handled lawfully, fairly, and transparently.

2. Lawful Basis for Processing

We process your personal data (including facial images and health data) based on your explicit consent, obtained at the time of account creation and before your first scan. We process your data for:

  • AI-powered skin health analysis and report generation.
  • Storing your photos and health data on our encrypted servers for progress tracking.
  • Anonymized review by our in-house dermatologists and skin scientists to improve AI accuracy.
  • Cross-signal health analysis (skin + cycle + diet + sleep + weather correlations).
  • Sending transactional communications related to your account and reports.

3. Your Rights as a Data Principal

Under the DPDP Act, you (the Data Principal) have the following rights:

Right to Information

You can request a summary of all personal data we process about you, how it is used, and who has access to it.

Right to Correction & Erasure

You can request correction of inaccurate data or complete deletion of all your personal data, including photos, scan results, and health data. Deletion is completed within 30 days.

Right to Withdraw Consent

You can revoke your consent at any time. Upon withdrawal, we will stop processing your data and delete it within 30 days. This does not affect the lawfulness of processing done before withdrawal.

Right to Opt-Out of AI Improvement

You may request that your anonymized data not be used for AI training or dermatologist review. Contact our privacy team to exercise this right.

Right to Grievance Redressal

You can contact our Grievance Officer for any data-related concerns. If unsatisfied with our response, you may escalate to the Data Protection Board of India.

4. Data Storage & Transfer

All your data is stored on encrypted cloud servers (Supabase). Data is encrypted both in transit (TLS 1.2+) and at rest (AES-256). We use row-level security to ensure only you can access your personal data through the app. Our in-house team accesses only anonymized data for AI improvement.

5. Data Retention

We retain your data only as long as necessary for the stated purpose. Active account data is retained while your account exists. Upon account deletion or consent withdrawal, all personal data (including photos, scans, and health records) is permanently deleted within 30 days. Anonymized, aggregated data that cannot be traced to you may be retained for research. Payment records are retained for 7 years per Indian tax law.

6. Data Breach Protocol

In the event of a data breach that may affect your personal data, we will:

  • Notify the Data Protection Board of India as required by the DPDP Act.
  • Notify affected users via email within 72 hours of discovering the breach.
  • Take immediate steps to contain and remediate the breach.
  • Provide clear guidance on steps you can take to protect yourself.

7. How to Exercise Your Rights

To exercise any of your rights under the DPDP Act, you can:

  • Email privacy@glowxlab.com with your request.
  • Use the "Delete Account" option in Profile settings for immediate account and data deletion.
  • Contact our Grievance Officer (below) for complaints or escalations.

We will respond to all data rights requests within 72 hours and complete the action within 30 days.

Grievance Officer

If you have any grievances regarding your data protection, please contact:

Grievance Officer, GlowXLab

Mumbai, India

grievance@glowxlab.com

Response time: Within 72 hours

For more information, see our full Privacy Policy.

For informational purposes only. This content is not medical advice. For skin or health concerns, consult a qualified dermatologist.