Glowgau Privacy Notice

Effective for the Glowgau B2B SaaS platform

Last Updated: June 15, 2026

This Privacy Notice describes how Glowgau ("Company", "we", "us") processes data on behalf of the medical aesthetic clinics ("Clinic") that subscribe to our platform, and how end-user data submitted through a clinic's embedded assessment widget is handled. Glowgau is a B2B vendor: clinics remain the data controller for their own client relationships, and Glowgau acts as a transient processor under written instruction.

1. What We Process

  • Assessment intake fields submitted by an end user (name, email, optional phone, age range, gender identity, primary aesthetic concern, free-text notes).
  • Selfie images uploaded by the end user solely for the purpose of Fitzpatrick + Glogau sectional facial mapping.
  • Derived clinical metadata produced by the mapping engine (e.g. sectional skin metrics, adequacy verdict, retake count) — fully de-identified.
  • Clinic operator data (account email, clinic display name, business hours, knowledge content, branding) provided by the clinic itself.

2. Zero-Retention Protocol for End-User PII

Glowgau operates a strict non-custodial transient pipeline. All end-user names, telephone numbers, email addresses, free-text notes, and facial photographic assets uploaded during a scan are permanently purged from Glowgau systems immediately upon successful report dispatch to the subscribing clinic.

Glowgau does not maintain long-term server-side storage, off-site backups, or cache layers containing end-user PII. Consequently, Glowgau does not possess, and cannot retrieve, end-user records or PII at a later date, even if formally requested by the clinic. Only aggregated, completely de-identified clinical metadata is preserved for the clinic's analytics dashboard.

3. Shift of Data Custody to the Clinic

Upon successful transmission of the generated intake report to the clinic's verified notification email, full legal custody and data liability shift entirely to the clinic. The clinic explicitly agrees to treat, process, and safeguard all transmitted client data in strict accordance with the Health Insurance Portability and Accountability Act (HIPAA), the Personal Information Protection and Electronic Documents Act (PIPEDA), the General Data Protection Regulation (GDPR), and any other jurisdiction-specific consumer-data regimes that apply to the clinic's practice.

4. Lawful Basis and Consent

End users are shown a clear, non-diagnostic disclaimer and a consent screen before any intake or selfie is submitted. The lawful basis for processing is the end user's affirmative consent (and, where applicable, the clinic's legitimate interest in receiving qualified consultation requests). Consent can be withdrawn at any time by the end user via the unsubscribe link in any report email; in practice, because Glowgau retains no end-user PII after report dispatch, withdrawal requests after that point are directed to the clinic.

5. Cookies, Analytics, and Tracking

The public marketing site uses only the cookies strictly necessary for navigation and security. The assessment widget itself does not set cross-site tracking cookies. De-identified, aggregated usage events (e.g. step counts, adequacy outcomes) are recorded for product quality and for the clinic's own dashboard; they are not used for cross-site advertising and are not sold.

6. Subprocessors and Hosting

Glowgau is hosted on enterprise-grade cloud infrastructure with encryption in transit (TLS 1.2+) and at rest for all stored records. Email delivery, payment processing, and AI inference are performed by reputable subprocessors bound by written data-processing terms. A current list of material subprocessors is available on request to contact@glowgau.com.

7. International Transfers

End-user data submitted through the widget may be processed in Canada, the United States, or other jurisdictions where our subprocessors operate, solely for the duration of the transient pipeline. Because the data is purged on report dispatch, no end-user PII persists in any of these jurisdictions.

8. End-User Rights

Subject to applicable law, end users may request access to, correction of, or deletion of their personal information. Because Glowgau retains no end-user PII after report dispatch, the operative party for fulfilling such requests is the clinic that received the report. Glowgau will cooperate in good faith with any clinic responding to such a request.

9. Security

Glowgau employs role-based access controls, row-level security on its multi-tenant database, signed server-side functions for privileged operations, and continuous logging of administrative actions. Suspected incidents involving data submitted through the widget are escalated to the affected clinic without undue delay.

10. Children

The Glowgau assessment is intended for adults considering elective aesthetic services and is not directed at children under 18. Clinics agree not to use the widget to solicit assessments from minors.

11. Changes to This Notice

Material updates to this notice will be reflected in the "Last Updated" date above and, where appropriate, communicated to subscribing clinics by email or in-product notification.

12. Contact

Questions, data-rights requests, or compliance inquiries: contact@glowgau.com. For end-user requests after a report has been dispatched, please contact the clinic that delivered your report directly.

See also our Terms of Service.