Privacy Policy

Effective Date: May 6, 2026

Nooki SRL ("we," "us," or "our") operates the Glo mobile application (the "App"), available on iOS and Android under bundle ID com.nooki.glo. Glo is a skincare and cosmetics analysis app that helps you scan product barcodes, analyze ingredient lists, assess skin health through face selfies, build personalized skincare routines, and get AI-powered skincare advice.

This Privacy Policy explains what information we collect, how we use it, who we share it with, and what rights you have. We believe in being transparent and using plain language so you can make informed choices about your data.

1. Information We Collect

Account Information

When you create an account using Google Sign-In or Apple Sign-In (via OAuth), we collect your:

  • Name — used for app functionality and to personalize your experience.
  • Email address — used for authentication and account management.

Both are linked to your user identity within the App.

Health & Fitness Data

To provide personalized skincare analysis, we collect:

  • Skin type and skin concerns
  • Sensitivities and allergies
  • Face scan metrics (hydration, texture, redness, breakouts) derived from selfie analysis

This data is used for product personalization and core app functionality, and is linked to your identity.

User Content

  • Photos — product photos and face selfies you upload for AI analysis. Photos are encrypted in transit (HTTPS) and analyzed server-side. Linked to your identity.
  • Customer support data — information generated during support chat sessions via Intercom. Linked to your identity.

Search History

Product search queries you perform in the App are logged for analytics, app functionality, and product personalization. This data is linked to your identity.

Identifiers

  • User ID — used for app functionality, analytics, and tracking purposes (Appsflyer attribution). Linked to your identity.
  • Device ID (IDFA) — used for third-party advertising and analytics, including ad attribution via Appsflyer, TikTok Ads, and Facebook Ads. Linked to your identity and used for tracking purposes.

Usage Data

  • Product interaction data — app launches, taps, screen views, and feature usage tracked via PostHog. Used for product personalization and analytics. Linked to your identity and used for tracking purposes.
  • Advertising data — ad campaign attribution data collected via Appsflyer. Used for third-party advertising and tracking purposes.

Diagnostics

  • Crash data — used to improve app stability. Not linked to your identity.
  • Other diagnostic data — used for app functionality. Not linked to your identity.

2. How We Use Your Information

We use the information we collect to:

  • Provide and maintain the App, including account authentication
  • Analyze product ingredients and generate safety scores, ingredient breakdowns, and skin match scores
  • Analyze face selfies for skin metrics (hydration, texture, redness, breakouts)
  • Build and manage personalized AM/PM skincare routines
  • Track your skin health over time
  • Power AI-driven skincare Q&A
  • Personalize product recommendations based on your skin profile
  • Provide customer support via in-app chat
  • Measure app performance and improve the user experience through analytics
  • Measure the effectiveness of advertising campaigns and user acquisition
  • Diagnose and fix technical issues

3. Face Data

Glo includes a face scan feature that allows you to track your skin health over time. This section explains exactly what face data we collect, how we use it, where it is stored, and how long we keep it.

What We Collect

When you use the face scan feature, the App captures a standard 2D selfie photo using your device's front-facing camera. The photo is compressed locally on your device (resized to 1024px width, JPEG format at 0.7 quality) before being transmitted. We do not use the TrueDepth camera, ARKit, or any facial recognition technology. No facial geometry, depth maps, faceprints, or biometric identifiers are collected. The App captures a regular photograph only.

How We Use Face Data

Your face photo is used exclusively for skin condition analysis. It is sent to a server-side AI vision model (Google Gemini via OpenRouter) that evaluates your skin and returns four numerical scores (0–100):

  • Hydration — how hydrated your skin appears
  • Texture — smoothness and evenness of skin texture
  • Redness — presence of redness or irritation
  • Breakouts — severity of any breakouts

A one-sentence text summary describing changes since your previous scan is also generated. These scores are displayed in the Calendar tab so you can track skin health trends over time and correlate them with your skincare routine.

Face photos are never used for facial recognition, identity verification, advertising, profiling, or any purpose other than skin health assessment.

Third-Party Processing

Your face photo is sent to OpenRouter (an API proxy service), which routes it to Google Gemini for AI-based skin analysis. The image is transmitted solely for real-time inference — these services process the image to return analysis results and do not retain your photo after processing. Your face photo is not shared with advertisers, data brokers, social networks, or any other third parties.

Storage

The compressed face photo is stored in a private Supabase Storage bucket, scoped to your user account. Only you can access your own photos via row-level security policies. The analysis results (scores and summary) are stored in a Supabase PostgreSQL database table, also protected by row-level security. All data is encrypted in transit via HTTPS/TLS.

Retention & Deletion

Face photos and analysis results are retained for as long as your account is active, so you can track skin health trends over time. When you delete your account (Profile → Delete Account), all face photos are permanently removed from storage and all analysis records are permanently deleted from the database. This deletion is immediate and irreversible.

4. Third-Party Services

We use the following third-party services to operate the App. Each has its own privacy policy governing how it handles data:

  • Supabase — backend database, authentication, file storage, and edge functions. Stores user data, scans, routines, and avatar images.
  • RevenueCat — subscription and in-app purchase management.
  • Superwall — paywall UI presentation and A/B testing.
  • PostHog — product analytics, session replay, and event tracking.
  • Appsflyer — mobile attribution and ad campaign measurement. Shares Device ID with TikTok Ads and Facebook Ads for attribution.
  • Intercom — in-app customer support chat.
  • TikTok Ads SDK — ad attribution (receives Device ID via Appsflyer).
  • Facebook Ads SDK — ad attribution (receives Device ID via Appsflyer).
  • OpenRouter / Google Gemini — AI analysis of product ingredients and face photos. Processing happens server-side via OpenRouter (API proxy) routing to Google Gemini. Images and data are sent solely for real-time inference and are not retained by these services after processing. No user data is shared beyond what is needed for analysis.

5. Tracking & Advertising

On iOS, the App requests your permission through Apple's App Tracking Transparency (ATT) framework before tracking your activity across other companies' apps and websites. You can choose to allow or deny this request.

If you allow tracking, your Identifier for Advertisers (IDFA) is used for ad attribution via Appsflyer, which shares this data with TikTok Ads and Facebook Ads to measure advertising campaign effectiveness and user acquisition.

You can change your tracking preference at any time in your device's Settings > Privacy & Security > Tracking.

We do not sell your personal data to third parties or ad networks.

6. Data Retention

We retain your personal data for as long as your account is active or as needed to provide you with the App's services. When you delete your account, all associated data — including scans, photos, skin profiles, routines, and account information — is permanently deleted.

Diagnostic and crash data that is not linked to your identity may be retained in aggregated form for a reasonable period to improve app stability.

Analytics and advertising data processed by third-party services is subject to their respective retention policies.

7. Data Security

We take reasonable measures to protect your data:

  • User data is stored in Supabase (PostgreSQL) with row-level security, meaning users can only access their own data.
  • Photos and all data transfers are encrypted in transit using HTTPS/TLS.
  • Authentication tokens are stored securely on your device with automatic refresh.
  • Avatar images are stored in a secured Supabase Storage bucket.
  • AI analysis of photos and ingredients is performed server-side in a controlled environment.

While we strive to protect your personal information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

8. Your Rights

All Users

  • Delete your account — you can delete your account and all associated data directly from the profile screen in the App, in one tap.
  • Wipe your data — you can clear all scans, photos, and account data from within the App at any time.
  • Opt out of tracking — on iOS, you can deny tracking via the ATT prompt or change your preference in device settings at any time.

European Economic Area (GDPR)

If you are located in the European Economic Area (EEA), you have additional rights under the General Data Protection Regulation (GDPR):

  • Right of access — request a copy of the personal data we hold about you.
  • Right to rectification — request correction of inaccurate or incomplete data.
  • Right to erasure — request deletion of your personal data.
  • Right to restrict processing — request that we limit how we use your data.
  • Right to data portability — request your data in a structured, machine-readable format.
  • Right to object — object to processing of your data for certain purposes, including direct marketing.
  • Right to withdraw consent — where processing is based on consent, you may withdraw it at any time.

Our legal bases for processing your data include: performance of a contract (providing the App's services), your consent (e.g., tracking, photo analysis), and our legitimate interests (e.g., analytics, app improvement, fraud prevention).

You also have the right to lodge a complaint with your local data protection authority.

California Residents (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) gives you the following rights:

  • Right to know — request details about the categories and specific pieces of personal information we have collected about you.
  • Right to delete — request deletion of the personal information we have collected from you.
  • Right to opt out of sale — we do not sell your personal information. No action is needed.
  • Right to non-discrimination — we will not discriminate against you for exercising your CCPA rights.

To exercise any of these rights, contact us at hello@nooki.io. We will respond to your request within 30 days (or as required by applicable law).

9. Subscriptions & Payments

Glo offers auto-renewable subscriptions via the Apple App Store and Google Play. All payment processing is handled entirely by Apple or Google — we never access, collect, or store your payment card information.

Subscription status is managed through RevenueCat to ensure access to premium features.

10. Children's Privacy

Glo is rated 13+ on the App Store and is not directed at children under 13. We do not knowingly collect personal information from children under 13 years of age, in compliance with the Children's Online Privacy Protection Act (COPPA).

If we learn that we have inadvertently collected personal data from a child under 13, we will take steps to delete that information as quickly as possible. If you believe a child under 13 has provided us with personal data, please contact us at hello@nooki.io.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the "Effective Date" at the top of this page and notify you through the App or by other appropriate means.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.

12. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:


©2024 Nooki tech agency. All rights reserved.