Privacy Policy

Last Updated: March 2026. Your skin data is personal. We keep it safe.

In simple words
  • Your photos are securely uploaded and encrypted on our servers to generate your skin reports.
  • Our board-certified dermatologists and skin scientists review anonymized data to improve our AI and give you better results.
  • We never sell your data to advertisers or any outside company.
  • Your data is never shared with third-party AI services (not ChatGPT, Google, Amazon, or any other company).
  • You can delete your account and all your data anytime — we remove everything within 30 days.
  • We follow India's DPDP Act 2023 to protect your information.

1. Data We Collect

To provide our AI-powered skin analysis and dermatologist-reviewed insights, we collect the following:

  • Facial Images & Scan Photos: Uploaded to our secure servers for AI skin analysis. Our dermatologists and skin scientists may review anonymized versions to improve detection accuracy.
  • Health & Wellness Data: Cycle tracking, diet logs, sleep patterns, medication records, and mood data — stored on our servers to provide cross-signal insights.
  • Survey Data: Information about your age, gender, lifestyle, skin type, and skin concerns provided during onboarding.
  • Account Information: Email, phone number, and authentication data to save your progress and enable multi-device access.
  • Usage Data: How you use the app, which features you interact with, and technical performance metrics to improve our service.
  • Device Information: Browser type, operating system, screen resolution, device model, IP address (anonymized for analytics).
  • Voice Data: If you use voice input, speech is transcribed and stored on our servers for AI processing.

2. How Your Photos Are Handled

Your photos are uploaded to our servers. Here is exactly what happens:

  • Upload & Encryption: When you take a scan or upload a photo, it is securely transmitted (TLS 1.2+) and stored encrypted (AES-256) on our cloud servers.
  • AI Analysis: Our AI processes your photos on our servers to generate your GlowScore, skin metrics, and personalized recommendations.
  • Dermatologist Review: Our in-house team of board-certified dermatologists and skin scientists may review anonymized scan data (faces are de-identified) to improve AI accuracy and validate results.
  • Progress Tracking: Photos are retained on our servers so you can track your skin progress over time across any device.
  • No Background Camera: The camera is never activated in the background. It is only active when you are on the scan screen and have granted permission.
  • Photo Library: You may optionally upload a photo from your gallery. We do not access your gallery without your explicit action.
  • Deletion: You may request deletion of all photos at any time. We will permanently remove them within 30 days.

3. Biometric & Sensitive Data

Facial images captured during skin scans may constitute biometric data under certain jurisdictions. We treat all facial data with the highest level of care:

  • Facial images are used for generating your skin health report, tracking progress, and improving our AI through anonymized dermatologist review. They are not used for facial recognition or identity verification.
  • When our dermatologists review data for AI improvement, all images are anonymized — personal identifiers are stripped before review.
  • Images are processed through our proprietary AI models. Analysis results (scores, markers, recommendations) are stored separately from the raw images.
  • We do not sell, rent, or share your facial images with any third party for advertising, marketing, or external AI training.
  • You may request complete deletion of all facial images and derived data at any time.

4. How We Use Your Data

Your data is used for:

  • Generating your personalized skin health report, routines, and AI recommendations.
  • Tracking your skin, health, and wellness progress over time across all your devices.
  • AI Improvement: Our board-certified dermatologists and skin scientists review anonymized, aggregated data to train and refine our AI for better accuracy — especially for diverse Indian skin tones.
  • Cross-signal analysis (correlating your skin with diet, cycle, sleep, stress, weather, etc.).
  • Providing user support and responding to inquiries.
  • Improving the overall app experience, performance, and security.
  • Sending transactional emails (scan results, account updates). We do not send unsolicited marketing emails without consent.

5. Who Has Access to Your Data

GlowXLab In-House Team

Our dermatologists, skin scientists, and AI engineers access anonymized data to improve AI accuracy. They cannot see your personal identity linked to your scan data.

Razorpay (Payments)

Processes subscription payments securely. GlowXLab does not store your credit/debit card numbers. All payment data is handled by Razorpay under PCI-DSS compliance.

Supabase (Cloud Infrastructure)

Hosts our database, file storage, and authentication services. Data is encrypted at rest and in transit. Servers are secured with row-level security policies.

Google Analytics (Optional)

Only activated after you consent to analytics cookies. IP addresses are anonymized. No personal data or photos are shared with Google. See our Cookie Policy.

We NEVER Share With

Advertisers, data brokers, third-party AI companies (OpenAI, Google AI, Amazon, etc.), social media platforms, or any external entity for profiling or marketing purposes.

6. Data Storage & Security

All your data — photos, scan results, health data — is stored on secure cloud infrastructure (Supabase/PostgreSQL) with multiple layers of protection:

  • Encryption in Transit: All data transfers use TLS 1.2+ encryption.
  • Encryption at Rest: All stored data including photos is encrypted with AES-256.
  • Row-Level Security: Database access is restricted so users can only access their own data.
  • Access Controls: Only authorized team members (dermatologists, engineers) can access anonymized data for AI improvement.
  • CSRF Protection: All API mutations are protected against cross-site request forgery.
  • Security Headers: Strict CSP, HSTS, X-Frame-Options, and other security headers are enforced.
  • Regular Audits: Security audits are conducted regularly to identify and mitigate vulnerabilities.
  • Breach Notification: In the unlikely event of a data breach affecting your personal data, we will notify affected users within 72 hours via email and in-app notification, as required by the DPDP Act 2023 and GDPR. We will also notify the relevant Data Protection Authority where required by law.

7. Data Retention

We retain your personal data only for as long as necessary to provide our services:

  • Account Data: Retained while your account is active. Deleted within 30 days of account deletion request.
  • Facial Images & Photos: Retained on our servers while your account is active for progress tracking. Deleted within 30 days of deletion request or account closure.
  • Health Data (Cycle, Diet, Sleep, etc.): Retained while your account is active. Deleted on account deletion.
  • Scan Reports: Retained while your account is active. You may delete individual reports from your dashboard.
  • Payment Records: Retained for 7 years as required by Indian tax and accounting regulations.
  • Anonymized Analytics: Aggregated, non-identifiable data used for AI training may be retained indefinitely as it cannot be traced back to you.

8. Your Rights

Under the Digital Personal Data Protection Act, 2023 (DPDP Act) and applicable laws, you have the right to:

  • Access: Request a copy of all personal data we hold about you, including photos, scan results, and health data.
  • Correction: Request correction of inaccurate or incomplete data.
  • Erasure: Request complete deletion of your personal data, including all facial images, scan history, health data, and derived analytics.
  • Data Portability: Request an export of your data in a machine-readable format.
  • Withdraw Consent: Withdraw your consent for data processing at any time. This will not affect the lawfulness of processing done prior to withdrawal.
  • Opt-Out of Dermatologist Review: You may request that your anonymized data not be used for AI improvement. Contact our privacy team.
  • Grievance Redressal: File a complaint with our Grievance Officer or the Data Protection Board of India.

For more details on your rights under Indian law, see our DPDP Compliance page.

9. Cookies & Tracking

We use essential cookies for authentication and security, as well as optional analytics cookies (Google Analytics 4) to improve your experience. Analytics cookies are only activated after you give consent. IP addresses are anonymized. For full details on the cookies we use and how to manage them, please refer to our Cookie Policy.

10. Children's Privacy

GlowXLab is not intended for children under the age of 13. We do not knowingly collect personal data from children. If you believe a child under 13 has provided us with personal data, please contact us immediately so we can delete the information.

11. International Data

GlowXLab primarily serves users in India. Our servers are hosted through Supabase's cloud infrastructure. If you access GlowXLab from outside India, your data may be transferred to and processed in India, subject to Indian data protection laws including the DPDP Act 2023.

12. For Users in the European Economic Area (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, the following additional rights and protections apply under the General Data Protection Regulation (GDPR):

  • Legal basis for processing: We process your data based on your explicit consent (skin scans, photo uploads), contractual necessity (account management), and legitimate interests (service improvement, security).
  • Right to access: You can request a copy of all personal data we hold about you.
  • Right to rectification: You can correct any inaccurate data.
  • Right to erasure: You can request deletion of all your data ("right to be forgotten").
  • Right to data portability: You can request your data in a machine-readable format.
  • Right to restrict processing: You can ask us to limit how we use your data.
  • Right to object: You can object to processing based on legitimate interests.
  • Right to withdraw consent: You can withdraw consent at any time without affecting the lawfulness of prior processing.
  • Right to lodge a complaint: You may file a complaint with your local Data Protection Authority (DPA).

Data transfers: Your data may be transferred to India for processing. We rely on your explicit consent as the transfer mechanism under GDPR Article 49(1)(a).

Data retention: We retain your personal data only for as long as necessary to provide our services. Scan images are processed and deleted within 30 days unless you opt in to cloud backup. Account data is deleted within 30 days of account deletion.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes via email or an in-app notification. Your continued use of GlowXLab after changes are posted constitutes acceptance of the revised policy.

Contact Privacy Team

For any questions regarding your data, to exercise your rights, or to opt out of anonymized dermatologist review:

privacy@glowxlab.com

Grievance Officer: grievance@glowxlab.com

Response time: Within 72 hours of receiving your request.

For informational purposes only. This content is not medical advice. For skin or health concerns, consult a qualified dermatologist.
