Legal
Privacy Policy
Last updated: May 27, 2026
1. Who we are
Glova ("we", "us") is a personal skin-tracking application. We take your privacy seriously and only collect the minimum data needed to provide the service.
Contact: support@glova-lab.com
2. What we collect
Data you give us
- Account info: name, email address, age, skin type, gender (optional)
- Skin logs: daily self-rated symptoms, sleep hours, stress level, lifestyle inputs
- Skin scans: photos of your face you upload for AI analysis
- Treatments and routines: products you use, treatments you've had
- Cycle info: if you opt in, menstrual cycle start date and length
- AI chat messages: if you use the premium AI assistant, your questions and our replies are stored so you can continue the conversation
Data we derive
- AI-generated metrics: acne, redness, dryness, inflammation scores from your photos (via OpenAI GPT-4o Vision)
- Daily skin score: computed from scan + log data
- Forecasts and patterns: trend insights derived from your historical data
Data from your device
- Location: your approximate location (city level), used to fetch local weather. Your coordinates are sent only to our weather and map providers (see section 4) for that purpose, never to advertisers.
- Weather: temperature, humidity, UV index from open-meteo.com
3. How we use it
- To provide your daily skin score, forecast, and personalised insights
- To track changes over time in your personal timeline
- To detect patterns between your habits and skin outcomes (only for you, never shared)
- To send you notifications you've opted in to
4. Who we share it with
Short answer: we never sell your data or share it with advertisers. To run the app we rely on a small set of trusted service providers ("sub-processors"), each receiving only the data it needs for its specific job.
- OpenAI: when you take a skin scan, your photo is sent to OpenAI's GPT-4o Vision API for analysis. If you use the premium AI chat, relevant parts of your data (skin type, concerns, recent scan and log values, cycle phase, and your routine) are also sent to OpenAI so it can answer your questions. OpenAI does not train on API data and retains requests only briefly. OpenAI privacy policy
- Supabase: our database, authentication, and photo storage provider. Data is encrypted at rest and in transit. Supabase privacy policy
- Vercel: hosts our marketing website. Does not have access to your account data. Vercel privacy policy
- RevenueCat: manages premium subscriptions and purchases (alongside the Apple App Store). Receives a subscription identifier to confirm your premium access. RevenueCat privacy policy
- Resend: sends our service emails (sign-up confirmation, password reset, notifications). Receives your email address for that purpose. Resend privacy policy
- Apple Push Notification service (Apple): delivers push notifications to your iPhone when you've opted in. Receives a device push token tied to your device, with no personal data attached. Apple privacy policy
- Sentry: collects crash and error reports so we can fix bugs. Configured not to attach personal identifiers. Sentry privacy policy
- open-meteo.com: receives your approximate coordinates to return local weather. Does not store them.
- OpenStreetMap (Nominatim): receives your approximate coordinates to convert them into a place name (e.g. your city). OpenStreetMap privacy policy
We do NOT:
- Sell your data to anyone
- Share with advertisers
- Use your data to train AI models
- Share your photos with anyone except the OpenAI API for analysis
- Set tracking, advertising, or cross-site cookies, or use third-party analytics
Glova does store your sign-in session and a small set of preferences locally on your device, so you stay logged in between visits. That is essential storage to make the app work, not tracking, and it never leaves your device.
5. Your photos
Photos are stored in a private Supabase Storage bucket. Only you can access them via signed URLs.
- Basic tier: photos are automatically deleted after 7 days
- Premium tier: photos are kept indefinitely until you delete them or your account
You can delete individual photos or all photos at any time from the Profile page.
6. How long we keep your data
- While your account is active: for as long as you use the app
- After you delete your account: all personal data is permanently deleted within 30 days
- Backups may retain data for up to 30 additional days before being overwritten
7. Your rights (GDPR / UK GDPR)
You have the right to:
- Access your data (export it directly from your Profile page or email us)
- Correct any inaccurate data (via the Profile page)
- Delete your account and all data (Profile page, or see Account Deletion)
- Object to data processing
- Port your data to another service (contact us for a JSON export)
- Withdraw consent at any time
To exercise these rights, contact support@glova-lab.com.
8. Security
- All data in transit uses HTTPS/TLS
- All data at rest is encrypted by Supabase
- Authentication uses industry-standard password hashing (managed by Supabase Auth)
- Photos are stored in a private bucket with signed-URL access only
- Row-level security ensures users can only access their own data
- We follow a pre-launch security checklist and regular audits
9. Minimum age
Glova is intended for users aged 16 and over. If you are under 16, please do not create an account. We do not knowingly collect data from anyone under 16; if we learn we have, we will delete it.
10. Medical disclaimer
Glova is not a medical device. The skin scan is an AI estimate based on a single photo and is for informational and wellness purposes only. Always consult a qualified dermatologist for any skin concerns or conditions.
11. Changes to this policy
We may update this policy from time to time. Material changes will be communicated via in-app notification or email.
Questions? Email support@glova-lab.com.
