GlowMinder

Privacy policy

Last updated: 11 May 2026

1. Introduction

GlowMinder (“we”, “us”) provides a personalised skincare and wellness app. This policy describes what personal data we collect, why, how we use it, who we share it with, how long we keep it, and your rights. The legal basis under GDPR is your consent (for AI features) and the performance of the contract (for delivering the app you signed up for).

2. What we collect

  • Account data: email address, language, timezone. Optional name and demographic information.
  • Skincare profile: skin type, concerns, goals, country, age, current products, water/sleep habits, pregnancy/breastfeeding/acne-medication flags you choose to share.
  • Photos for skin scans: when you take a skin scan, the photo is streamed to our AI providers and the analysis is returned. We do not store the photo on our servers at any point. See section 4 for what providers do.
  • Progress photos: optional premium feature. Stored in a private storage bucket scoped to you and never shared with AI providers.
  • Daily tracking: routine completion, water intake, vitamin/SPF check-ins, optional mood and free-text notes.
  • Device data: Expo push notification tokens, platform, app version, language — used solely to deliver scheduled notifications.
  • Usage: in-app analytics events (screens viewed, actions taken). Anonymised after 90 days.

3. How we use information

  • To generate and update your personalised routine.
  • To respect safety constraints (pregnancy, medication, age).
  • To send the notifications you’ve enabled.
  • To detect abuse and enforce rate limits.
  • To improve the product (using aggregated, anonymised data).

We do not sell your data. We do not run advertising. We do not share data with third parties for marketing.

4. AI providers we share data with

GlowMinder relies on third-party AI providers for analysis and routine generation. The following providers may receive your data:

  • OpenAI: Skin photo analysis (vision) and product analysis. Receives the photo bytes and your text profile. See their privacy policy.
  • Anthropic: Routine generation and product analysis. Receives your text profile only — no photos. See their privacy policy.
  • Google AI: Fallback provider used when the primary fails. May receive either the photo and/or text profile depending on the task. See their privacy policy.

Photos. We do not store the photos you take for skin scans on our servers. Photos are streamed to the chosen AI provider for analysis and discarded as soon as the response is received. AI providers may temporarily retain inputs for abuse monitoring per their own policies linked above. Skin-scan photos are never trained on. Progress photos (premium) are stored in your private bucket and are not sent to AI providers.

5. Storage and security

Data is stored on Supabase in the European Union (Ireland), with AES-256 encryption at rest and TLS 1.2+ in transit. Third-party API keys (e.g. our OpenAI key) are encrypted with a separate key managed server-side and never decrypted in the browser. Row-Level Security policies are enabled on every database table that touches user data.

6. Your rights

Under GDPR and equivalent regimes, you have the right to:

  • Access the data we hold about you.
  • Correct anything inaccurate.
  • Receive a copy in a portable format (in-app: Settings → Your data → Export).
  • Delete your account (in-app, or via /delete-account).
  • Withdraw consent for AI features at any time. Without consent the AI-powered features stop, the rest of the app continues to work.
  • Lodge a complaint with your data protection authority.

7. Children’s privacy

GlowMinder is not directed at children under 13 and we do not knowingly collect data from anyone under 13. If you believe a child has provided us with personal data, please contact us at privacy@glowminder.app and we will remove it.

8. International transfers

Our primary data centre is in the EU (Ireland). AI providers are based in the United States. Transfers to providers in the United States rely on Standard Contractual Clauses approved by the European Commission, or equivalent safeguards where applicable.

9. Retention

  • Account data: kept while your account exists. Deleted on request (30-day window).
  • AI request logs: 90 days, for cost auditing and abuse detection.
  • Analytics events: 90 days; pruned automatically.
  • Support correspondence: kept while the case is open; redacted after closure.
  • Skin-scan photos: zero retention on our side.

10. Changes

We will update this policy when our practices change. Material changes will be announced in-app the next time you open it, and on this page’s “Last updated” line.

11. Contact

Privacy questions: privacy@glowminder.app. Anything else: /support.