Privacy Policy
Last updated: 17 May 2026
Version: 1.0
Applies to: the GlowStudio mobile application (iOS and Android, bundle app.glowstudio.artist), the website at https://glowstudio.app, and any related services (collectively, the "Service").
This Privacy Policy explains, in plain English, what personal information we collect when you use GlowStudio, why we collect it, who we share it with, how long we keep it, and the rights you have over it. We also use this policy to satisfy our obligations under the European Union General Data Protection Regulation ("GDPR"), the United Kingdom GDPR, the California Consumer Privacy Act as amended by the CPRA ("CCPA"), and the privacy disclosures required by Apple's App Store and Google Play.
If anything below is unclear, please email us at [email protected].
1. Who we are and our dual role
GlowStudio is operated by Vitalii Stetsiuk, an individual based in Ukraine (referred to as "we", "us", "GlowStudio"). Our data protection contact is [email protected].
GlowStudio plays two distinct roles under data protection law, and this matters for your rights:
- For your own artist account data (your name, email, subscription tier, app settings, push tokens), GlowStudio is the data controller. We decide why and how that information is processed.
- For the client records that you, as a beauty professional, enter into the app (your clients' names, phone numbers, photos, allergies, medical history, appointment notes, financial records tied to those clients), you are the data controller and GlowStudio acts as your data processor. You decide what to collect and why; we only process it on your instructions to keep the app working.
This split is described in our in-app Terms of Service, paragraph 2 ("You retain ownership of all client data you enter") and paragraph 3 (blacklist data stays on your device under your control). If one of your clients asks us to disclose, correct, or delete their data, we will forward that request to you because we cannot read your local encrypted store. We will help you respond.
2. What information we collect
We collect only what is needed to operate the Service. We do not run any analytics SDK, advertising SDK, or behavioural tracker.
2.1 Information you give us about yourself (the artist)
| Category | Examples | Why |
|---|---|---|
| Account identifiers | email address, Apple ID relay email, hashed password if email magic-link is used | Sign-in, account recovery |
| Profile | display name, brand name, city, profile photo, specialty (microblading, lash, nail, brow), bio | Personalised in-app experience and public booking page |
| Subscription | RevenueCat anonymous user ID, subscription tier (free, solo, pro, studio, studio_pro), trial status, App Store / Play receipt identifiers | Paid feature gating and renewal management |
| Device | device model, OS version, app version, push notification token, language, time zone | App functionality, push delivery, crash diagnostics |
| Diagnostics | anonymous crash reports and performance traces | App stability (Sentry) |
| Referral | invite code you signed up with, codes of colleagues who joined via you | CIRCLE tier-upgrade credit |
2.2 Information you give us about your clients (data you control)
When you use GlowStudio to manage your business, you may enter the following categories of information about your clients. You are responsible for obtaining their consent before doing so, per Section 7 below and our Terms of Service.
| Category | Examples |
|---|---|
| Contact info | name, phone number, email, address |
| Demographics | date of birth, gender, language preference |
| Photographs | before / after / healed procedure photos, profile photos |
| Voice notes | recorded audio reminders you create about a client (microphone permission required) |
| Health-adjacent information (special category under GDPR Art. 9) | allergies, contraindications, skin conditions, medical history checkboxes (blood thinners, autoimmune disorders, pregnancy or breastfeeding, anaesthetic allergies, active skin conditions, keloids or scarring, recent botox or fillers) |
| Appointment data | date, time, procedure, pigment used, price, deposit, notes |
| Financial data | income tied to appointments, expenses, supplier costs, tax exports |
| Inventory | pigments (brand, batch, expiry), needles, anaesthetics, consumables, supplier names |
| Aftercare communications | SMS messages you have sent to a client, delivery status |
| Blacklist | optional private note (your reason for not wanting a client back) and category enum |
Some of this is special-category data under GDPR Article 9 (health information). Section 7 explains the legal basis we rely on for processing it.
2.3 Information collected automatically
- From your device: when the app opens, we record the timestamp of the session, the app version, and basic device characteristics (model, OS) so that crash reports are meaningful. We do not collect IDFA, AAID, or any cross-app advertising identifier.
- Location: if you grant location permission, your approximate city is detected once during onboarding so you do not have to type it. We do not track location continuously and we do not store geographic coordinates.
- Photos: if you grant photo library permission, you can pick existing photos; we do not scan your photo library, we only read the photos you tap.
- Contacts: if you grant contacts permission, your address book is processed on-device only so you can pick which clients to import. Your contacts are never sent to our servers.
- Microphone and speech recognition: if you grant these permissions, voice notes are recorded. Transcription runs on-device by default. If you select cloud transcription in Voice Settings (or if your device cannot run on-device transcription), the recorded audio is sent through GlowStudio's backend to OpenAI Whisper for processing. OpenAI is GlowStudio's sub-processor for this flow (see Section 4). The cloud path is opt-in via Settings → Voice notes → provider preference.
2.4 Information from your in-app purchases
When you subscribe to a paid tier through Apple's App Store or Google Play, the store sends us a receipt identifier and entitlement status via RevenueCat. We do not see your credit card, PayPal balance, or other payment instrument. Apple and Google process all payments.
3. How we use your information and the legal basis
| Purpose | Information used | Legal basis (GDPR Art. 6) |
|---|---|---|
| Create and run your account | account identifiers, profile, device | Art. 6(1)(b) contract performance |
| Charge for paid tiers | subscription receipts, RevenueCat ID | Art. 6(1)(b) contract performance |
| Keep the app running and fix crashes | device info, diagnostics | Art. 6(1)(f) legitimate interest (app stability) |
| Send transactional messages (sign-in code, receipt confirmations) | email, push token | Art. 6(1)(b) contract performance |
| Send marketing or product update push notifications | push token | Art. 6(1)(a) consent — opt-in toggle in Settings, recorded with timestamp |
| Store your encrypted business data so you can use the app | client records, photos, appointments, financials, voice notes | Art. 6(1)(b) contract performance (you are the controller; we are processor) |
| Process special-category health data | medical fields on client records, contraindications, photographs depicting medical conditions | Art. 9(2)(a) explicit consent — see Section 7 |
| Detect and prevent abuse and fraud | device fingerprint, audit trail, login events | Art. 6(1)(f) legitimate interest |
| Comply with tax, accounting, and legal obligations | subscription receipts, financial exports | Art. 6(1)(c) legal obligation |
4. Sub-processors
We use a small set of third-party services to operate GlowStudio. Each one has a written Data Processing Agreement with us (Art. 28 GDPR). The current list is below; we update this page when we add or change a sub-processor and, where required, ask you to consent again before the change applies to your account.
| Sub-processor | Purpose | Region | Transfer mechanism (where applicable) |
|---|---|---|---|
| Supabase, Inc. | Backend database, authentication, file storage for synced data | EU (Frankfurt, Germany) for the primary region | EU data stays in EU; SCCs for any incidental US support access |
| RevenueCat, Inc. | Subscription state synchronisation between Apple, Google, and us | United States | Standard Contractual Clauses (2021) |
| Sentry GmbH | Anonymous crash reports and performance traces | Germany | EU |
| Apple Inc. | App Store distribution, In-App Purchase billing, Apple Push Notification Service, Sign in with Apple | United States and Ireland | Adequacy (Ireland) / SCCs (US) |
| Google LLC | Google Play distribution, Play Billing, Firebase Cloud Messaging (Android push relay) | United States | SCCs |
| Expo, Inc. | Push notification relay (forwards your push token to APNs/FCM) | United States | SCCs |
| OpenAI, L.L.C. | Voice note transcription via Whisper (when cloud path is selected); natural-language appointment parsing for the in-app Quick-Add feature | United States | SCCs — see special note in Section 4.1 |
| Twilio, Inc. or Plivo (when SMS automation is enabled) | Sending aftercare SMS messages to your clients on your behalf | United States | SCCs |
| Vercel, Inc. | Hosting of glowstudio.app web pages (privacy, terms, public booking, deposit confirmation) | EU (Frankfurt) | EU |
We do not sell your personal information to anyone. We do not share your personal information with advertisers or data brokers.
4.1 A note on OpenAI
Two GlowStudio features call OpenAI's API: voice note transcription (Whisper) and the AI Quick-Add appointment parser (gpt-4o-mini). Both calls go through our backend using a GlowStudio-owned API key; the data flow is GlowStudio → OpenAI, with OpenAI acting as our sub-processor under a written DPA. Two things you control:
- Voice transcription is opt-in. By default, voice notes transcribe on-device (iOS Speech Framework, Android SpeechRecognizer). The cloud path through OpenAI only runs if you select it in Settings → Voice notes, or if your device cannot run on-device transcription.
- AI Quick-Add is opt-out by usage: it processes only the text you type into the Quick-Add field, and only when you tap "Parse with AI". If you don't use that field, no data is sent to OpenAI.
OpenAI's API terms forbid using API submissions to train their models. They retain submissions for up to 30 days for abuse monitoring (per OpenAI's Enterprise Data Privacy policy at the time of writing) and then delete them.
5. International transfers
GlowStudio is built for the EU and Ukraine. Your synced data sits in Supabase's Frankfurt region. Some sub-processors (Apple, Google, RevenueCat, Expo Push, OpenAI, Twilio) are based in the United States. Where personal data leaves the European Economic Area, we rely on the European Commission's Standard Contractual Clauses (SCCs, 2021/914), supplemented by encryption in transit (TLS 1.2 or higher) and at rest (AES-256-GCM on device, AES-256 at-rest disk encryption on the server, with row-level security and an immutable audit log providing the additional safeguards for special-category fields). You can request a copy of the relevant SCCs by emailing [email protected].
6. How long we keep your information
| Data | Retention |
|---|---|
| Active artist account | For as long as you have an account |
| Account after deletion request | 30-day grace period during which you can restore the account, then hard-deleted from all live systems within 30 days; deletion propagates to backups within 90 days as they are overwritten |
| Client records, appointments, photos, voice notes, financials (data you control) | For as long as you keep them in the app, subject to your own retention preference; deleted with your account |
| Subscription receipts | 7 years (tax and accounting obligation) |
| Audit log (immutable, who-did-what evidence for GDPR Art. 5(2)) | 7 years |
| Crash and performance diagnostics (Sentry) | 90 days |
| Push notification delivery logs | 30 days |
| Terms of Service acceptance history (tos_acceptances) | Indefinitely (legal evidence) |
| Marketing consent records (timestamp, version) | Indefinitely while you have an account |
| GDPR data subject request records (Art. 15/17/20 requests and our responses) | 3 years |
| Cookies on glowstudio.app | Session lifetime; no persistent advertising cookies |
If you uninstall the app without deleting your account, we keep your synced data so you can restore the account on a new device. To wipe everything, use Settings → Account → Delete account in the app or the web form at glowstudio.app/delete-account.
7. Health data and explicit consent (GDPR Article 9)
The pre-consultation form and the client profile can hold information about a client's health: allergies, anaesthetic reactions, pregnancy, autoimmune disorders, blood-thinning medication, skin conditions, contraindications. Photographs of clients can also depict health information (a healing wound, a skin reaction, a pigmentation issue).
This is special-category personal data under GDPR Article 9. We process it on the basis of Article 9(2)(a) — the data subject's explicit consent, given to you, the artist.
What this means in practice:
- Before you create or update a client record with health information, you confirm in the app that you have obtained your client's explicit, informed consent to enter that information into GlowStudio and to have it stored on our servers and processed by the sub-processors listed in Section 4.
- The app records the moment of consent (timestamp + Terms of Service version) on the client record and in our audit log, so you can demonstrate compliance if asked.
- For photographs, every photo capture creates a per-photo audit record (`lib/photoAudit.ts`) stamped with the consent acknowledgement and Terms version at the moment of capture.
- Your client can withdraw consent at any time. When they do, you must delete the affected fields. Your client also has the right to contact us directly at [email protected]; we will route their request to you and assist as the processor.
If you cannot obtain explicit consent for a particular client, do not store their health information in GlowStudio. Limit the record to non-sensitive scheduling information.
8. Your rights (GDPR, UK GDPR)
You have the following rights over your own data. To exercise any of them, email [email protected] from the address on your account, or use the in-app routes (Settings → Privacy). We respond within 30 days.
- Access (Art. 15) — receive a copy of the personal data we hold about you. The in-app data export packages your artist profile, all client records, appointments, financials, voice note metadata, and audit trail as a structured JSON archive.
- Rectification (Art. 16) — correct inaccurate or incomplete data. Most fields are editable directly in the app.
- Erasure (Art. 17) — delete your account and all associated data via Settings → Account → Delete account (30-day grace, then hard delete). You can also request erasure by email.
- Restriction (Art. 18) — ask us to stop processing while a dispute is resolved.
- Portability (Art. 20) — receive your data in a structured, machine-readable JSON archive (same export as Access).
- Objection (Art. 21) — object to processing based on legitimate interest; tell us why and we will stop unless we can show compelling grounds.
- Withdraw consent (Art. 7(3)) — toggle off marketing or AI features in Settings at any time; this does not affect the lawfulness of processing before withdrawal.
- Complain to a supervisory authority (Art. 77) — you may lodge a complaint with the data protection authority of your country of residence. A list of authorities is at https://edpb.europa.eu/about-edpb/about-edpb/members_en.
If we collect data from you that was not provided by you directly (rare, but possible if your client adds you as a contact), GDPR Article 14 disclosures apply and we will inform you when we begin processing.
9. California residents — CCPA / CPRA
If you live in California, you have specific rights in addition to those above:
- Right to know what personal information we collect, use, disclose, and share.
- Right to delete your personal information.
- Right to correct inaccurate personal information.
- Right to opt out of sale or sharing for cross-context behavioural advertising.
- Right to limit use and disclosure of sensitive personal information (health information is sensitive personal information under CPRA).
- Right to non-discrimination for exercising any of these rights.
We do not sell personal information and we do not share personal information for cross-context behavioural advertising. No opt-out toggle is required because there is nothing to opt out of, but if you want a written confirmation for your records, email [email protected] and we will send one. If you are an authorised agent acting on behalf of a California resident, please include proof of authorisation in your request.
The categories of personal information we collect map to CCPA categories as follows: identifiers, customer records (Cal. Civ. Code §1798.80(e)), commercial information, internet activity (limited to in-app, no cross-site), geolocation (coarse only, at onboarding), audio (voice notes), sensitive personal information (health data and biometric-adjacent photographs).
10. Children
GlowStudio is built for adult beauty professionals. You must be at least 18 years old to create an artist account. We do not knowingly collect personal information from anyone under 18 as an account holder.
Clients you enter into the app are entered by you, the artist, who attests that you have authority to manage their records. If a client is under 16 (in the EU) or under 13 (in the US), parental consent is required before you store their data in GlowStudio, including health-adjacent information. You are responsible for obtaining that consent.
If you believe a child under 18 has created an account, contact us at [email protected] and we will delete it.
11. Security
We take security seriously because we know what's in your clients' records. Five layers protect special-category fields (allergies, contraindications, medical notes, voice-note transcripts, pre-consultation responses):
- At rest on your device: sensitive Zustand stores (clients, appointments, photos metadata, financials, voice notes, blacklist) are encrypted with AES-256-GCM via `@noble/ciphers`. The key is stored in the iOS Keychain / Android Keystore via `expo-secure-store`.
- At rest on the server: the entire Supabase Postgres database is stored on AES-256-encrypted disks (default on every Supabase tier). Snapshots and backups inherit the same disk encryption.
- Row-level security (RLS): every query against the database carries a PostgreSQL policy enforcing `artist_id = auth.uid()`. A compromised API layer, leaked anon key, or hijacked session for one artist cannot read another artist's data — the policy executes inside the database engine itself.
- In transit: TLS 1.2 or higher between app and server; certificate pinning where supported by the platform.
- Audit log: an immutable, append-only audit log records every write to special-category client fields with actor, action, before/after diff, and timestamp. `UPDATE` and `DELETE` on the audit log itself raise database-level exceptions.
- App lock: you can enable Face ID / Touch ID / device passcode to unlock the app (Settings → Privacy → Lock app). The unlock check fails closed if biometrics fail.
- Session management: inactivity logout after 30 days, signed-in device list, "sign out everywhere" control.
- Anti-tamper: the app refuses to run on rooted or jailbroken devices unless you explicitly override (`jail-monkey` + `expo-local-authentication`).
- No analytics SDK, no advertising SDK: we believe the safest data is the data we never collect.
These five layers (device encryption + at-rest disk encryption + RLS + TLS + audit log) together meet the "appropriate technical and organisational measures" standard set by GDPR Article 9 and Article 32 for special-category data. We do not add app-layer column encryption on top of disk encryption — the additional latency, key-management complexity, and failure modes outweigh the marginal protection against attackers who would have already needed to bypass our database-tier provider's controls. For higher tiers requiring per-record cryptographic isolation (e.g. enterprise medical-institution use), contact us about a dedicated deployment.
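The row-level security and append-only audit log layers described above, written as PostgreSQL for a Supabase project. This is an added example, not GlowStudio's actual schema: the table, column, policy, trigger and function names are assumptions, while `auth.uid()` and the `authenticated` role are Supabase built-ins.

```sql
-- Added example. Table, column, policy and function names are assumptions;
-- auth.uid() and the "authenticated" role are Supabase built-ins.

create table client_records (
  id          uuid primary key default gen_random_uuid(),
  artist_id   uuid not null,
  client_name text not null,
  allergies   text            -- stands in for a special-category field
);

-- RLS: FORCE makes the policy apply to the table owner as well.
alter table client_records enable row level security;
alter table client_records force  row level security;

create policy artist_owns_row on client_records
  for all to authenticated
  using      (artist_id = auth.uid())   -- rows visible to SELECT/UPDATE/DELETE
  with check (artist_id = auth.uid());  -- rows accepted from INSERT/UPDATE

create table audit_log (
  id         bigint generated always as identity primary key,
  actor      uuid,
  action     text  not null,
  record_id  uuid  not null,
  before_row jsonb,
  after_row  jsonb,
  logged_at  timestamptz not null default now()
);

-- RLS enabled with no policy: application roles cannot touch the log directly.
alter table audit_log enable row level security;

-- Any attempt to change or remove existing log rows raises an exception.
create function audit_log_reject_change() returns trigger
language plpgsql as $$
begin
  raise exception 'audit_log is append-only: % rejected', tg_op;
end $$;

create trigger audit_log_no_update_delete
  before update or delete on audit_log
  for each row execute function audit_log_reject_change();

create trigger audit_log_no_truncate
  before truncate on audit_log
  for each statement execute function audit_log_reject_change();

-- SECURITY DEFINER: the insert runs as the function owner, so the log can be
-- written even though callers have no policy granting them access to it.
create function client_records_audit() returns trigger
language plpgsql security definer set search_path = public as $$
begin
  if tg_op = 'INSERT' then
    insert into audit_log (actor, action, record_id, after_row)
    values (auth.uid(), tg_op, new.id, to_jsonb(new));
  elsif tg_op = 'UPDATE' then
    insert into audit_log (actor, action, record_id, before_row, after_row)
    values (auth.uid(), tg_op, new.id, to_jsonb(old), to_jsonb(new));
  else
    insert into audit_log (actor, action, record_id, before_row)
    values (auth.uid(), tg_op, old.id, to_jsonb(old));
  end if;
  return null;  -- the return value of an AFTER row trigger is ignored
end $$;

create trigger client_records_audit_trg
  after insert or delete or update of allergies on client_records
  for each row execute function client_records_audit();
```

A table owner or superuser can still disable these triggers, so the append-only property holds against application roles rather than against database administrators.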
No system is perfectly secure. If you suspect a breach affecting your account, email us at [email protected] and we will respond promptly. Where required by Articles 33–34 of the GDPR, we notify our supervisory authority within 72 hours and notify affected users.
12. Cookies, local storage, and tracking
Mobile app: the app does not use cookies. It stores configuration and encrypted business data locally on your device (AsyncStorage and SecureStore). It does not send any telemetry to advertising networks.
Website (glowstudio.app): the site uses strictly-necessary functional cookies set by our hosting provider Vercel for load balancing and session continuity. We do not set tracking cookies. We do not use Google Analytics, Facebook Pixel, or any other behavioural advertising tag. Because we only set strictly-necessary cookies, no consent banner is shown under the ePrivacy Directive.
13. Changes to this Policy
If we materially change this Policy (new sub-processor, new data category, change of legal basis, change of retention), we will:
- update the Last updated date and version number at the top;
- present the new version in-app on next launch and ask you to acknowledge it;
- email account holders for changes affecting health-data processing or sub-processors handling health data;
- keep an archive of past versions available at glowstudio.app/privacy/archive.
Minor wording or typo fixes are made silently.
14. Contact us
- Privacy inquiries: [email protected]
- Legal inquiries: [email protected]
- Security disclosures: [email protected]
- Postal: Vitalii Stetsiuk, Ukraine
If you live in the European Economic Area or the United Kingdom and we have appointed an EU/UK representative under Article 27 GDPR, their details will be listed here once the appointment is confirmed.