Glow Cycle Lab LLC respects your privacy. This Privacy Policy explains how we collect, use, share, and protect your information when you interact with our services.
Definitions
For the purposes of this Privacy Policy, the following terms have the meanings set forth below:
"Company," "Glow Cycle Lab," "we," "us," or "our" refers to Glow Cycle Lab LLC, a New York limited liability company.
"Service" or "Services" refers collectively to the Site and the App, including all features, content, and related services we provide.
"Site" refers to our website located at glowcyclelab.com and any related subdomains.
"App" refers to our mobile application, Glow Cycle Lab™, currently available to internal beta testers, with public release planned for the Apple App Store.
"User," "you," or "your" refers to the individual accessing or using the Service, or the entity on behalf of which such individual is accessing or using the Service.
"Personal Information" or "Personal Data" refers to any information that identifies, relates to, describes, or could reasonably be linked, directly or indirectly, with a particular individual or household.
"Beta Program" refers to our pre-release testing program for the App, including TestFlight Internal Testing and TestFlight External Testing.
"Service Providers" refers to the third-party companies that process Personal Information on our behalf, as described in Section 3.
"Process" or "Processing" refers to any operation performed on Personal Information, including collection, recording, organization, storage, use, disclosure, transmission, or deletion.
This Privacy Policy applies to both the Site and the App. Where a practice applies only to one or the other, we say so explicitly.
1. Information We Collect
We collect the following categories of information:
1.1 Information you provide directly
Email address, when you join our waitlist, sign up for an account, or contact us.
Phone number, when you sign up for the beta program (used to confirm your identity, send beta-related communications, and verify account access via SMS through our verification provider).
Account credentials, when you create a Glow Cycle Lab account. Authentication is managed by our auth provider; we never store passwords directly.
Communications you send us, including support inquiries and feedback.
1.2 Information collected automatically
Usage data, such as pages visited, browser type, device type, and approximate location (country/region) inferred from IP address. Collected via privacy-friendly analytics that do not use cookies.
App diagnostics, such as crash reports and performance metrics, when you use our mobile application.
1.3 Information processed when you use AI features
When you use features in the mobile application that involve our artificial intelligence integrations (including product analysis and the Glow Assistant chat), the content of your request is sent to our servers and processed by Anthropic Claude. We do not store the raw content of your requests or the AI's responses. Section 2.3 below describes the technical observability log we keep.
1.4 Information we do NOT collect server-side
The following categories of information remain on your device only and are never transmitted to our servers:
Your skin profile (Fitzpatrick type, skin concerns, allergies, sensitivities, pregnancy status, prescription topical regimen, and similar clinical information you enter into the app)
Your products list and ritual schedule
Photographs, scans, or media of any kind
If you delete the app, this on-device data is deleted automatically.
2. How We Use Your Information
We use the information we collect for the following purposes:
2.1 Operating the service
To create and manage your account, authenticate access, and provide the features you request.
To verify beta participants and deliver beta-related communications.
To respond to your inquiries and support requests.
2.2 Communicating with you
To send you product updates, early access opportunities, and launch announcements (you can opt out at any time).
To send service-related notices, such as security alerts, policy updates, and account-related messages (these are not optional while you maintain an active account).
2.3 AI feature logging and observability
When you use features that involve our artificial intelligence integrations, our servers keep a technical log of each API call. This log exists for system reliability, debugging, performance monitoring, safety rule verification, and cost analysis. It does not exist for marketing, advertising, profiling, or any commercial purpose beyond operating the product.
What we log:
The timestamp of the call
Which feature triggered it (for example, product analysis or chat)
Which AI model handled it
A pseudonymous (hashed) version of your user ID. This is a one-way hash; we cannot recover your original ID from it.
Token counts, response time, and HTTP status code
If the call errored, the error code
A pseudonymous (hashed) version of the request content. This is a one-way hash; we cannot recover what you typed or scanned from it.
What we do not log:
The actual content of your messages, product names, or scans (only their hashed fingerprints)
The responses our AI features return to you
Your name, email, address, payment information, or any direct personal identifier
Your skin profile data, including Fitzpatrick type, allergies, pregnancy status, sensitivity ratings, and any clinical information you have entered into the app
Photos, images, or media of any kind
These logs are stored on our database infrastructure and are accessible only to Glow Cycle Lab LLC personnel via service-role credentials. They are not shared with third parties for marketing, advertising, or any purpose unrelated to operating the product.
Our AI features are powered by Claude, a service operated by Anthropic, PBC. When you use an AI feature, your request travels to Anthropic's servers for processing. Per our commercial agreement with Anthropic, the content of your requests and responses is not used to train Anthropic's models. Anthropic's privacy practices are described in their own privacy policy.
Logs are automatically deleted after 30 days. If you would like your logs deleted sooner, you can request deletion as described in Section 5.
2.4 Improvement and security
To improve our website, application, and services.
To detect, prevent, and respond to fraud, abuse, security incidents, and violations of our Terms of Service.
To comply with legal obligations and enforce our agreements.
3. Service Providers and Data Processors
We do not sell, rent, or trade your personal information. We share information with the following service providers, who process data on our behalf under contractual confidentiality and data protection obligations:
Provider
Purpose
Data categories
Supabase
Database, authentication, account management
Email, account credentials, AI feature logs (hashed), beta signup records. Hosted on Amazon Web Services in the United States.
Twilio
SMS verification for beta signing and account access
Phone number, verification codes
Anthropic, PBC
AI features (product analysis, Glow Assistant chat)
The content of your AI requests and the AI's responses, in transit. Per commercial agreement, content is not used to train Anthropic models.
Brevo
Transactional email and marketing communications
Email address, name (if provided), email engagement metrics
Railway
Server hosting for the application backend
All data processed by our backend in transit
Porkbun
Domain registration, DNS, and static website hosting
IP address, request metadata
Plausible Analytics
Privacy-friendly, cookieless website analytics
Aggregated, anonymized usage statistics. No personal data, no cookies, no cross-site tracking.
Formspree
Website contact form processing
Name, email, message content submitted via contact forms
Google Workspace
Operational email for Glow Cycle Lab personnel inboxes
Inbound and outbound email correspondence with Glow Cycle Lab
Apple, Inc.
App Store distribution and In-App Purchase subscription billing (when applicable)
Subscription transaction data is processed by Apple under Apple's privacy policy. We never receive your payment card information.
We may also disclose information when required by law, in response to valid legal process, to protect the rights, safety, or property of Glow Cycle Lab LLC or others, or in connection with a merger, acquisition, or sale of assets (in which case affected users will be notified).
4. Data Retention
We retain your personal information for as long as necessary to fulfill the purposes described in this policy, or as required by law. Specific retention periods:
Waitlist email addresses: until you unsubscribe or request deletion.
Account information: while your account is active, plus a reasonable period after account closure to comply with legal obligations and resolve disputes.
Beta signing records (including phone numbers): for the duration of the beta program, plus up to 12 months after the beta concludes for audit and legal purposes.
AI feature logs: 30 days, then automatically deleted.
Support communications: up to 24 months for quality assurance and legal purposes.
Aggregated analytics: indefinitely, in non-personally-identifiable form.
You may request deletion of your data at any time as described in Section 5.
5. Your Privacy Rights
Depending on your jurisdiction, you have specific rights regarding your personal information. Below we describe rights for residents of California (CCPA/CPRA) and the European Economic Area, United Kingdom, and Switzerland (GDPR/UK GDPR). If you reside elsewhere, similar rights may apply under your local law and we will honor reasonable requests consistent with applicable law.
5.1 General rights (all users)
Access: request a copy of the personal information we hold about you.
Correction: ask us to correct inaccurate or incomplete information.
Deletion: ask us to delete your personal information, subject to legal exceptions.
Opt out of marketing: unsubscribe from marketing communications at any time using the unsubscribe link in any marketing email or by contacting us directly.
To exercise any of these rights, contact us at privacy@glowcyclelab.com. We will respond within 30 days, typically sooner. We may need to verify your identity before fulfilling certain requests.
5.2 California residents (CCPA and CPRA)
If you are a California resident, you have the following additional rights under the California Consumer Privacy Act and California Privacy Rights Act:
Right to know what categories of personal information we collect, the sources, the purposes, and the categories of third parties with whom we share it (this Privacy Policy provides that information).
Right to delete your personal information, subject to legal exceptions.
Right to correct inaccurate personal information.
Right to limit use of sensitive personal information. We do not use sensitive personal information for purposes beyond what is necessary to provide the service.
Right to opt out of "sale" or "sharing" of personal information. We do not sell or share your personal information for cross-context behavioral advertising, so there is no opt-out mechanism required, but we honor Global Privacy Control signals if received.
Right to non-discrimination for exercising any of these rights.
To submit a CCPA request, email privacy@glowcyclelab.com with "CCPA Request" in the subject line. You may designate an authorized agent to submit a request on your behalf; we will require verification.
Notice at Collection: The categories of personal information we collect at the point of collection are described in Section 1. We collect this information for the purposes described in Section 2 and retain it for the periods described in Section 4. We do not sell personal information.
5.3 European Economic Area, United Kingdom, and Switzerland residents (GDPR and UK GDPR)
If you reside in the EEA, UK, or Switzerland, you have the following rights under the General Data Protection Regulation and equivalent UK and Swiss laws:
Right of access to your personal data and information about how it is processed.
Right to rectification of inaccurate or incomplete data.
Right to erasure ("right to be forgotten"), subject to legal exceptions.
Right to restrict processing in certain circumstances.
Right to data portability, to receive your data in a structured, machine-readable format.
Right to object to processing based on legitimate interest, including profiling and direct marketing.
Right to withdraw consent at any time, where processing is based on your consent.
Right to lodge a complaint with your local supervisory authority.
Legal bases for processing. We rely on the following legal bases under GDPR Article 6:
Contract performance for processing necessary to provide the service you request (account creation, AI features, beta participation).
Consent for marketing communications and any optional features that require it.
Legitimate interest for security monitoring, fraud prevention, AI feature observability (Section 2.3), service improvement, and similar operational purposes. We balance these interests against your privacy rights and offer opt-outs where appropriate.
Legal obligation for tax records, responding to valid legal process, and similar regulatory compliance.
To exercise GDPR rights, email privacy@glowcyclelab.com with "GDPR Request" in the subject line.
6. Cookies and Similar Technologies
Our website uses minimal tracking technology. We use Plausible Analytics, which is cookieless and does not track individual users across sessions or across other websites.
If we add additional cookies in the future (for example, for site preferences or session management), we will update this policy and provide appropriate notice and consent mechanisms where required by law.
You can control cookie preferences through your browser settings.
7. Security
We take reasonable measures to protect your personal information from unauthorized access, loss, or misuse:
Data is transmitted over encrypted connections using HTTPS/TLS.
Data at rest is stored in encrypted databases managed by our infrastructure provider.
Access to production data is restricted to authorized personnel using strong authentication.
We maintain administrative and technical safeguards consistent with industry practice for our company size.
However, no method of transmission over the internet or electronic storage is 100% secure, and we cannot guarantee absolute security.
8. International Data Transfers
Glow Cycle Lab LLC is based in the United States. The service providers we use (described in Section 3) are also primarily located in the United States. If you access our service from outside the United States, your information will be transferred to, processed, and stored in the United States.
For users in the European Economic Area, United Kingdom, or Switzerland, we rely on legally valid transfer mechanisms (such as Standard Contractual Clauses) where required to protect your personal data when it is transferred internationally. By using our service, you understand and consent to this transfer.
9. Children's Privacy
Our services are not directed to individuals under 18. Our Terms of Service require all users to be at least 18 years old. We do not knowingly collect personal information from anyone under 18. If we discover that we have collected such information, we will delete it. If you believe a minor has provided us with personal information, please contact us at privacy@glowcyclelab.com.
10. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Changes will be posted on this page with an updated "Last updated" date. For material changes, we will provide additional notice through the service or by email.
11. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us: