Privacy Policy

Last updated 2026-05-13

We’re Glowelly. We’ve kept this policy short and human. If anything is unclear, email hello@glowelly.shop and a real person will reply.

Who we are

Glowelly is an AI-powered skincare service operated by Abdellah El Ouaadi (Einzelunternehmer, Germany), reachable at hello@glowelly.shop. Under the GDPR, we’re the data controller for the information described below.

What we collect

  • Account info: email address, first name, password (hashed by Supabase Auth — we never see your plain-text password).
  • Intake form: the answers you give when running a skin analysis (skin-type self-report, concerns, goals, allergies, medical context, lifestyle).
  • Selfies: the 3 photos you submit per analysis. We do not store the raw images. They’re sent to Anthropic for processing and discarded once the analysis completes. What we keep is a perceptual hash (a short fingerprint that lets us detect duplicate submissions) and the structured text analysis Claude returns.
  • Analysis output: the structured JSON Claude returns (skin type, concerns, scores, recommended routine), tied to your account so we can show it on your dashboard.
  • Subscription state: your Stripe customer ID, subscription ID, and current billing period end. We do not see your full card number — Stripe handles that.
  • Cookies: only what’s needed to keep you logged in (Supabase auth session cookies). No advertising or cross-site tracking cookies.
  • Server logs: standard request logs from Vercel (IP, user agent, timestamp) retained for ~30 days for security and debugging.

How we use it

  • Run your skin analysis and build your personalized routine.
  • Manage your subscription and process payments via Stripe.
  • Send you essential account emails (password reset, billing receipts).
  • Improve our service in aggregate — measuring things like how many users complete an analysis. We don’t use your individual photos or personal data for marketing.

Who we share with (data processors)

We use a small set of trusted third parties to run the service. Each receives only what they need:

  • Anthropic (USA) — receives your 3 selfies and intake form for analysis. Anthropic does not train their models on API requests by default. Photos are not retained on their side beyond the response.
  • Stripe (USA / Ireland) — receives your payment card details (entered on Stripe’s page, never on ours) and billing email.
  • Supabase (USA) — stores your account row, analysis records, and subscription state.
  • Vercel (USA) — serves the website and runs the backend functions.
  • Resend (USA) — sends transactional emails when we add that layer.

For transfers outside the EEA, we rely on Standard Contractual Clauses where applicable.

How long we keep it

  • Selfies: not retained. Processed in memory, discarded after analysis.
  • Analysis records + account: kept while your account exists. Deleted within 30 days of account deletion.
  • Stripe / billing records: retained per tax law (10 years for invoices in Germany), even after account deletion.
  • Server logs: ~30 days, then deleted automatically.

Your rights (GDPR)

You have the right to:

  • Access a copy of the data we hold about you.
  • Correct anything that’s inaccurate (you can do this for your name and password directly in Settings).
  • Delete your account and personal data — use the “Delete my account” button in Settings. Past Stripe invoices are retained for tax law (see above).
  • Export a copy of your data — email us and we’ll send you a JSON export.
  • Object / restrict certain processing — email us.
  • Complain to your data protection authority. In Germany this is the BfDI or the relevant state authority.

Security

All connections to glowelly.shop are encrypted with HTTPS. Your password is hashed (bcrypt) by Supabase Auth — we cannot see it. Your payment card data never touches our servers; Stripe processes it directly. We use row-level security on the database so other users cannot read your records.

Children

Glowelly is intended for users 18 and over. We do not knowingly collect data from anyone under 18. If you believe a minor has signed up, contact us and we’ll delete the account.

Changes to this policy

If we change anything material, we’ll update the date at the top and notify active subscribers by email.

Contact

Questions or requests: hello@glowelly.shop