GlowMD
← Back

Privacy Policy

Last updated: April 22, 2026

1. Introduction

This Privacy Policy explains how Aesthetic Studio Creator S.R.L. ("GlowMD", "we", "us", "our") collects, uses, stores, shares, and protects information about you when you use the GlowMD website, mobile application, and related services (the "Service"). It applies to users in the European Economic Area, the United Kingdom, Switzerland, the United States (including California residents under the CCPA), and anywhere else we offer the Service.

If you are under 18 years old, you are not permitted to use GlowMD. Do not submit any personal information.

2. Data Controller

The data controller responsible for your information is:

Aesthetic Studio Creator S.R.L. B-dul Decebal, Nr. 12, Camera 1, Bl. S7, Sc. 1, Et. 5, Ap. 15, Sector 3, București, România Tax ID (CUI): RO45931173 Trade Registry: J40/6657/2022

Privacy contact: privacy@glowmd.com

For users in the EU/EEA/UK, this email also functions as our designated point of contact for data protection enquiries.

3. Information We Collect

3.1 Account information

  • Email address, password hash (never the plain password), authentication provider (if you sign in with Google), account creation and last-sign-in timestamps.

3.2 Profile information

  • Display name and optional avatar URL that you choose.

3.3 Skin quiz responses

  • Self-reported answers to our 15-question skincare quiz (skin type, concerns, lifestyle, routine history, goals).

3.4 Facial photographs ("biometric data")

  • The frontal, left-profile, right-profile, and optional neck photographs you upload.
  • Derived analysis outputs (zones of concern, severity, estimated skin age).
  • See our Biometric Data Consent for detailed rules specific to this category.

3.5 Payment information

  • Processed directly by Stripe. We receive a customer ID, subscription status, plan level, and billing events — but not your full card number, CVV, or bank credentials.

3.6 Technical data

  • IP address, device type, operating system, browser, approximate geolocation at city level, session timestamps, referring URL, diagnostic error logs.

3.7 From third parties

  • Google (when you sign in with Google OAuth): basic profile (email, display name, profile picture URL).
  • Stripe (when you subscribe): billing events and subscription status.

4. Legal Basis for Processing (GDPR Art. 6 & Art. 9)

PurposeLegal basis
Provide the Service (account, routine, dashboard)Art. 6(1)(b) — performance of a contract
Process facial photographs for analysisArt. 9(2)(a) — explicit consent
Process paymentsArt. 6(1)(b) — performance of a contract
Keep accounting and tax recordsArt. 6(1)(c) — legal obligation
Security, fraud prevention, incident responseArt. 6(1)(f) — legitimate interest
Product improvement (aggregated and anonymized)Art. 6(1)(f) — legitimate interest
Marketing communications (optional)Art. 6(1)(a) — consent

You can withdraw consent at any time; this does not affect the lawfulness of prior processing.

5. How We Use Your Information

We use the information we collect to:

  • Create and manage your account;
  • Generate personalized skin analyses, routines, and procedure guides;
  • Provide features such as the streak tracker, progress photos, and dashboard;
  • Process subscription payments and send receipts;
  • Respond to your support requests;
  • Detect, prevent, and respond to fraud, abuse, and security incidents;
  • Comply with our legal obligations (accounting, tax, regulatory reporting);
  • Improve the Service (product analytics on aggregated and anonymized data).

We do not profile you for advertising, and we do not sell your personal information.

6. Who We Share Data With

We share personal data only with processors who are contractually bound to protect it. We do not sell or rent your data.

ProcessorPurposeLocationSafeguard
Supabase (Supabase Inc. / Supabase OÜ)Database, authentication, file storageEU (Frankfurt) regionDPA + SCCs where applicable
Stripe (Stripe Payments Europe Ltd.)Subscription billingIreland / USADPA + SCCs (EU→US), PCI DSS
Vercel (Vercel Inc.)Web hosting and edge deliveryGlobal edge / US infrastructureDPA + SCCs
Resend (Resend Inc.)Transactional email deliveryEU/USDPA + SCCs
Google (Google Ireland Ltd. / LLC)OAuth sign-in onlyEU + USDPA + SCCs

A current list of sub-processors is available from privacy@glowmd.com on request.

7. International Transfers

Your data is primarily stored in the European Union. When data is transferred outside the EEA (for example, for payment processing or global edge caching), we rely on the Standard Contractual Clauses adopted by the European Commission (Implementing Decision (EU) 2021/914) and, where relevant, on supplementary technical measures such as encryption in transit and at rest.

You may request a copy of the SCCs by contacting privacy@glowmd.com.

8. Retention

We keep personal data only for as long as necessary for the purposes described in this policy.

CategoryRetention period
Account (email, auth metadata)While your account is active + 3 years after deletion for legal defense
Profile (display name)Same as account
Quiz responsesSame as account
Facial photographsDeleted 12 months after account deletion (or on request within 30 days)
Derived analysesSame as photographs
Consent records3 years after withdrawal
Billing and invoice records10 years (mandatory under Romanian fiscal law)
Security logs (IP, timestamps)12 months
Support correspondence3 years

After these periods, data is permanently deleted or anonymized beyond re-identification.

9. Your GDPR Rights

If the GDPR applies to you, you have the following rights:

  1. Right of access — obtain confirmation of whether we process your data and receive a copy of it.
  2. Right to rectification — correct inaccurate or incomplete data.
  3. Right to erasure ("right to be forgotten") — ask us to delete your data, subject to legal retention obligations.
  4. Right to restriction of processing — ask us to pause certain uses while a dispute is resolved.
  5. Right to data portability — receive your data in a structured, machine-readable format (JSON).
  6. Right to object — to processing based on legitimate interest, including direct marketing.
  7. Right to withdraw consent — where processing is based on consent (e.g., biometric data).
  8. Right to lodge a complaint with a supervisory authority — in Romania, the Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP), www.dataprotection.ro, B-dul G-ral Gheorghe Magheru nr. 28-30, sector 1, București.

To exercise any of these rights, contact privacy@glowmd.com. We respond within one month, extendable by two months for complex requests (we will inform you of any extension).

10. California Privacy Rights (CCPA / CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act, as amended by the CPRA:

  • Right to know what categories and specific pieces of personal information we have collected about you, and how they are used and shared.
  • Right to delete personal information we hold about you.
  • Right to correct inaccurate personal information.
  • Right to opt-out of sale or sharing — we do not sell or share personal information for cross-context behavioral advertising.
  • Right to limit use and disclosure of sensitive personal information — we use sensitive personal information (facial images) only for the purposes described in the Biometric Data Consent and do not disclose it for inferring characteristics.
  • Right to non-discrimination — we will not deny service, charge different prices, or provide a different level of quality because you exercised any of these rights.

To exercise these rights, email privacy@glowmd.com with the subject "CCPA Request". You may designate an authorized agent to make the request on your behalf.

11. Security

We maintain technical and organizational measures appropriate to the risk:

  • In transit: TLS 1.3 for all connections to our services.
  • At rest: AES-256 encryption for database volumes and object storage.
  • Access control: Supabase Row-Level Security enforces per-user access to personal data. Employee access is least-privilege and audit-logged.
  • Authentication: Passwords are stored as salted hashes. We support social sign-in via Google OAuth.
  • Breach notification: If a personal data breach is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware, and we will inform affected users without undue delay.
  • Penetration testing and code review are performed regularly.

No system is perfectly secure; you are responsible for keeping your account credentials confidential.

12. Cookies

For detailed information about cookies and similar technologies, see our Cookie Policy.

13. Children

GlowMD is not directed at and is not available to individuals under 18 years of age. If you believe a minor has provided us with personal information, email privacy@glowmd.com and we will delete it.

14. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you in the Service or by email at least 30 days before they take effect. The "Last updated" date at the top of this document reflects the most recent revision.

15. Contact

Questions, complaints, or requests: privacy@glowmd.com

Postal address: Aesthetic Studio Creator S.R.L. B-dul Decebal, Nr. 12, Camera 1, Bl. S7, Sc. 1, Et. 5, Ap. 15, Sector 3, București, România CUI: RO45931173 · J: J40/6657/2022