GlowTheory
Security & Privacy Posture
Last reviewed: 20 April 2026 · Owner: GlowTheory (EquationX) · Contact: hello@glowtheory.app
1. What data we collect
| Category | Data | Purpose |
|---|---|---|
| Account | Email, display name, Firebase Auth uid, provider, email-verification status, sign-in timestamps | Authentication, sessions |
| Skin intake | Declared skin type, concerns, experience level, skincare philosophy, age range, pregnancy flag, budget | Personalised routine |
| Biometric | Selfie image (device-captured), derived 468-point facial landmark geometry via MediaPipe, zone-level observations via Google Gemini Vision | Skin scan, zone analysis, progress tracking |
| Routine & shelf | AI-generated routine, user-owned products, shopping list, user edits | Routine delivery, expiry reminders, shelf matching |
| Usage | Scan count, rescan timestamps, check-in streak, last-active timestamp | Streaks, progress, admin metrics |
| Communications | Email send history, delivery receipts, push token, notification preferences | Transactional + opt-in notifications |
We do not collect precise geolocation, contacts, phone numbers, payment info (the app is free today), social-graph data, or browsing history outside the app.
2. Where data lives
All user data is stored in Google Cloud Platform, in the Firebase project glow-theory-2eded (US multi-region, ready to deploy to europe-west1 before EU launch). Infrastructure lives in the adjacent equationx project.
Selfie images are not stored long-term. They transit to our Vision service in memory, are analysed, and discarded after the response returns. Only derived metrics — skin-type label, concern tags, health score, zone observations — are persisted.
3. Encryption
- At rest. Firestore documents, Cloud Storage objects, and Secret Manager values are encrypted with Google-managed AES-256 keys. Automatic.
- In transit. TLS 1.2+ on every client–server and service–service link. Strict-Transport-Security enforced on public surfaces.
- Secrets. Third-party API keys live in Google Secret Manager and are mounted into Cloud Run at deploy time. Never committed to source.
4. Authentication and access control
User
- Firebase Authentication with email/password or Google OAuth. Passwords are never stored by us.
- HttpOnly, Secure, SameSite=Lax session cookies with 14-day TTL.
- Email verification required on outbound transactional email paths.
- MFA supported by Firebase; enabled for all admin and founder accounts.
Admin
- Admin routes are gated by an allow-list of uids — no shared credentials.
- Admin reads go through server-side API routes with session verification.
- Firebase Admin SDK uses Application Default Credentials on Cloud Run; nothing client-side.
Service-to-service
Sensitive paths proxy through Next.js API routes on glowtheory.app (Firebase session verified) before reaching internal microservices. Microservice URLs are not exposed to the browser. Public API surfaces on our vision and routine services are being locked to authenticated callers in an in-progress security pass; per-user rate limits and Cloud Monitoring alerts on Gemini spend are already in place as interim mitigations.
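The session and admin gate described in section 4, as an added TypeScript example that is not GlowTheory's code: a Next.js-style API route reads the session cookie, verifies it server-side, and admits admin routes only for uids on an allow-list. The `verify` callback stands in for Firebase Admin's `auth().verifySessionCookie(cookie, true)`; the cookie name `__session`, the allow-list contents and the `adminOnly` flag are assumptions made for this example.

```typescript
// Added example, not GlowTheory's code: the server-side session gate described
// in section 4, written for a Next.js API route. `verify` stands in for Firebase
// Admin's auth().verifySessionCookie(cookie, true); the cookie name, allow-list
// and route shape are assumptions for this example.

export const SESSION_COOKIE = "__session";            // assumed cookie name
export const SESSION_TTL_SECONDS = 14 * 24 * 60 * 60; // 14-day TTL from the page

// Stand-in for the Admin SDK verifier: returns the uid, or null when the cookie
// is missing, forged, expired or revoked. (The real call is async.)
export type SessionVerifier = (cookie: string) => { uid: string } | null;

export interface GateDecision {
  status: 200 | 401 | 403;
  uid?: string;
  reason: string;
}

// Set-Cookie value carrying exactly the attributes listed on the page:
// HttpOnly (no document.cookie access), Secure (HTTPS only), SameSite=Lax.
export function sessionSetCookie(value: string, maxAge = SESSION_TTL_SECONDS): string {
  // Firebase session cookies are JWTs; reject anything outside that alphabet so
  // a stray ';' or newline can never smuggle extra attributes into the header.
  if (!/^[A-Za-z0-9._-]+$/.test(value)) throw new Error("refusing unsafe cookie value");
  return `${SESSION_COOKIE}=${value}; Path=/; Max-Age=${maxAge}; HttpOnly; Secure; SameSite=Lax`;
}

// Minimal Cookie-header parser: the first occurrence of a name wins, so a
// duplicate appended later in the header cannot shadow the server-set value.
export function parseCookies(header: string | undefined): Map<string, string> {
  const out = new Map<string, string>();
  for (const part of (header ?? "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    const value = part.slice(eq + 1).trim();
    if (name && !out.has(name)) out.set(name, value);
  }
  return out;
}

// Admin access is an allow-list of uids, never a shared credential or a role
// claim the client can influence.
export function isAllowedAdmin(uid: string, allowList: ReadonlySet<string>): boolean {
  return allowList.has(uid);
}

// Decide an incoming request: 401 without a valid session, 403 when the route
// is admin-only and the uid is not on the allow-list, otherwise 200 with the uid.
export function gateRequest(
  cookieHeader: string | undefined,
  opts: { adminOnly: boolean; allowList: ReadonlySet<string>; verify: SessionVerifier },
): GateDecision {
  const cookie = parseCookies(cookieHeader).get(SESSION_COOKIE);
  if (!cookie) return { status: 401, reason: "no session cookie" };
  const session = opts.verify(cookie);
  if (!session) return { status: 401, reason: "session invalid or revoked" };
  if (opts.adminOnly && !isAllowedAdmin(session.uid, opts.allowList)) {
    return { status: 403, uid: session.uid, reason: "uid not on admin allow-list" };
  }
  return { status: 200, uid: session.uid, reason: "ok" };
}
```

In a real route the verifier is asynchronous and the allow-list comes from server-side configuration, not from anything the request carries; the 401/403 split keeps "not signed in" distinguishable from "signed in but not an admin" in the audit logs without leaking which uids are on the list.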
5. Biometric data handling
GlowTheory's skin scan processes facial landmark geometry, classified as biometric data under Illinois BIPA, Texas CUBI, Washington HB 1493, CCPA/CPRA (sensitive personal information), and GDPR Art. 9 (special category data).
- Explicit consent gate. New users tick an affirmative consent at signup covering both Terms of Service and biometric processing. The consent record stores uid, timestamp, policy version, and the exact consent text shown.
- No raw image retention. Selfies are transmitted, analysed, discarded. Only derived metrics persist.
- Narrow use. Biometric data is used only to generate the user's own routine and progress. Never sold, never shared for advertising, never used to train general-purpose models.
- User-deletable. Account deletion wipes all derived biometric data within 30 days, including backups.
- State-specific readiness. Before launching in Illinois, a formal BIPA written-release flow and public biometric destruction policy will be published.
6. Data retention and deletion
- User-initiated account deletion is a cascading hard delete: user document tree (`users/{uid}/**`), notification preferences, shopping-list entries, Firebase Auth record, and all session cookies. Two-step confirm in the UI.
- Logs do not contain image payloads or unredacted chat transcripts. Hashed user identifiers only.
- Firestore backups retained 30 days. Deleted users disappear from backups within that window.
- Right to access / portability: email hello@glowtheory.app, 30-day response window.
7. Vendors (sub-processors)
| Vendor | Purpose | Region |
|---|---|---|
| Google Cloud / Firebase | Hosting, Auth, Firestore, Cloud Run, Cloud Build, Secret Manager, Logging, Gemini inference | US (EU planned) |
| Resend | Transactional email delivery | US / EU |
| Expo | Push notification delivery | US |
| GitHub | Source code hosting, CI triggers | US |
We do not resell data to any third party.
8. Incident response
- Detection. Cloud Monitoring alerts on auth anomalies, Gemini spend spikes, error-rate bursts, and failed-email bursts.
- Response. Named incident commander. Steps: contain, assess blast radius, notify affected users within 72 hours if personal data is involved, post-mortem within 5 business days.
- Notification. Affected users contacted by email. GDPR supervisory authorities notified within 72 hours where required.
9. Application security
- All production changes via GitHub → Cloud Build → Cloud Run. No manual console changes.
- `npm audit` on every build; critical CVEs gated by Dependabot.
- Pre-commit secret scanning; Secret Manager is the only sanctioned store.
- Per-user and per-IP rate limits on signup, scan, and other sensitive write paths.
- Google Cloud Audit Logs enabled by default across services.
- Planned: annual third-party penetration testing after Series A.
9b. Training-data storage (opt-in only)
Users can optionally help us train and improve GlowTheory's own skin analysis models. If — and only if — a user affirmatively opts in (unticked by default at signup, revokable any time from their profile), the confirmed selfie from each scan is stored alongside the skin-type and concerns they confirmed.
- Location. A dedicated Google Cloud Storage bucket (`glowtheory-training-data`, US multi-region), architecturally separate from production Firestore. Access restricted to the web-v2 Cloud Run runtime service account; the bucket is not public.
- Retention. 24 months, enforced by a bucket lifecycle policy that auto-deletes older objects.
- Revocation. Toggling off research opt-in on the profile page deletes all the user's stored scans before the toggle completes. Account deletion does the same cascade.
- Use. Only to train GlowTheory's own models. Never shared with third parties, never used to train general-purpose models, never sold.
- Default. Off. The required signup consent does not cover research use — it's a separate, explicit tick.
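The cascading hard delete from section 6 and the research opt-in revocation from section 9b, as one added TypeScript example that is not GlowTheory's code. `DeletionBackend` is a hypothetical interface standing in for the real Firestore, Firebase Auth and Cloud Storage calls; `InMemoryBackend`, its seed counts and the step order are constructed for this example. The report carries a hashed uid, matching the page's "hashed user identifiers only" rule for logs.

```typescript
import { createHash } from "node:crypto";

// Added example, not GlowTheory's code: the cascading hard delete (section 6)
// and research opt-in revocation (section 9b) as one ordered, resumable plan.
// `DeletionBackend` is hypothetical; in production each method would wrap the
// real Firestore, Auth and Cloud Storage deletes.

export interface DeletionBackend {
  revokeSessions(uid: string): void;            // invalidate every session cookie
  deleteUserTree(uid: string): number;          // users/{uid}/** documents removed
  deleteNotificationPrefs(uid: string): number;
  deleteShoppingList(uid: string): number;
  deleteTrainingScans(uid: string): number;     // objects in the opt-in research bucket
  deleteAuthRecord(uid: string): void;          // Firebase Auth user
}

export interface DeletionReport {
  uidHash: string;                               // logs carry a hash, never the uid
  steps: { step: string; removed: number }[];
  complete: boolean;
  failedAt?: string;
}

// Truncated SHA-256 of the uid for log lines and reports.
export function hashForLogs(uid: string): string {
  return createHash("sha256").update(uid).digest("hex").slice(0, 16);
}

// Section 9b: turning research opt-in off deletes the stored scans first, so the
// toggle only completes once the bucket holds nothing for this uid.
export function revokeResearchOptIn(backend: DeletionBackend, uid: string): number {
  return backend.deleteTrainingScans(uid);
}

// Section 6: two-step confirmation, then the cascade. The order is a design
// choice for this example: sessions go first so no client keeps writing
// mid-delete; the Auth record goes last so a failed run can be retried.
export function deleteAccount(backend: DeletionBackend, uid: string, confirmations: number): DeletionReport {
  if (confirmations < 2) throw new Error("account deletion requires two confirmations");
  const report: DeletionReport = { uidHash: hashForLogs(uid), steps: [], complete: false };
  const plan: [string, () => number][] = [
    ["revokeSessions", () => { backend.revokeSessions(uid); return 0; }],
    ["userTree", () => backend.deleteUserTree(uid)],
    ["notificationPrefs", () => backend.deleteNotificationPrefs(uid)],
    ["shoppingList", () => backend.deleteShoppingList(uid)],
    ["trainingScans", () => backend.deleteTrainingScans(uid)],
    ["authRecord", () => { backend.deleteAuthRecord(uid); return 0; }],
  ];
  for (const [step, run] of plan) {
    try {
      report.steps.push({ step, removed: run() });
    } catch {
      report.failedAt = step;   // stop here; every step is idempotent, so re-run later
      return report;
    }
  }
  report.complete = true;
  return report;
}

// Constructed in-memory backend so the cascade runs offline. Counts stand in
// for documents/objects; `failOn` simulates a backend failure at one step.
export class InMemoryBackend implements DeletionBackend {
  docs = new Map<string, number>();
  prefs = new Set<string>();
  shopping = new Map<string, number>();
  scans = new Map<string, number>();
  authUsers = new Set<string>();
  sessions = new Map<string, number>();
  failOn?: string;

  constructor(uid: string) {   // constructed seed data for one user
    this.docs.set(uid, 12); this.prefs.add(uid); this.shopping.set(uid, 3);
    this.scans.set(uid, 5); this.authUsers.add(uid); this.sessions.set(uid, 2);
  }
  private take(map: Map<string, number>, uid: string, step: string): number {
    if (this.failOn === step) throw new Error(`simulated ${step} failure`);
    const n = map.get(uid) ?? 0; map.delete(uid); return n;
  }
  revokeSessions(uid: string) { this.take(this.sessions, uid, "revokeSessions"); }
  deleteUserTree(uid: string) { return this.take(this.docs, uid, "userTree"); }
  deleteNotificationPrefs(uid: string) { return this.prefs.delete(uid) ? 1 : 0; }
  deleteShoppingList(uid: string) { return this.take(this.shopping, uid, "shoppingList"); }
  deleteTrainingScans(uid: string) { return this.take(this.scans, uid, "trainingScans"); }
  deleteAuthRecord(uid: string) { this.authUsers.delete(uid); }
}
```

Because every step tolerates already-deleted data, a run that stops at `failedAt` can simply be repeated; the Auth record is still present, so the retry is attributable to the same uid, and the report never contains the uid itself.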
10. Our framing — cosmetic skincare, not medical advice
GlowTheory is a cosmetic skincare app. We do not diagnose medical conditions, we do not prescribe treatments, and we are not a substitute for a dermatologist, esthetician, or physician.
- Observations, not diagnoses. Our skin scan produces aesthetic readings — attributes like dryness, oiliness, pore visibility, even-tone, and fine-lines — on a 0 to 10 scale. Cosmetic metrics in the vocabulary a licensed esthetician uses. Not clinical diagnoses.
- Routines, not prescriptions. The app composes skincare routines made up of over-the-counter cosmetic products. Prescription actives such as tretinoin and hydroquinone are out of scope. When observations suggest a medical condition, the app surfaces a "see a professional" nudge rather than trying to handle it.
- Where the playbook comes from. The routine-building logic is hand-coded from accredited skincare education curricula — the same body of material a licensed esthetician trains on. Rules such as "prefer azelaic as first-line for persistent redness", "never stack retinol with glycolic acid on sensitive skin", "ramp retinol from 2x per week over 8 weeks for beginners", and "pregnancy swaps retinoids for bakuchiol" are sourced from reference curricula, cross-checked against widely published dermo-cosmetic guidelines, and reviewed before they enter the composer. The playbook is proprietary to GlowTheory.
- The LLM explains, it does not prescribe. The deterministic composer picks components from our playbook. Gemini is used to generate the user-facing explanation of why those components were chosen. It does not design routines, does not pick active ingredients, and cannot override safety rules.
11. Compliance posture
| Regulation | Status |
|---|---|
| GDPR (EU) | Architectural readiness in place (consent, portability, erasure, sub-processor list). Full compliance locked in before EU launch. |
| BIPA (Illinois) | Explicit biometric consent and deletion implemented. BIPA counsel review scheduled before opening Illinois. |
| CCPA / CPRA (California) | Sensitive-data consent surfaces and opt-out paths implemented. We do not sell data. |
| SOC 2 Type I | Planned. Target: 6 months post-seed funding. Expected engagement: Vanta or Drata + third-party auditor. |
| SOC 2 Type II | Planned. Target: 24 months after Type I. Controls are being designed to be SOC 2 compatible from day one. |
| HIPAA | Not in scope — direct-to-consumer. A future clinic-facing product would add BAAs and HIPAA controls in that product only. |
Questions
Security or privacy questions can be sent to hello@glowtheory.app. We respond to privacy requests within 30 days and to security disclosures within 5 business days.
See also: Privacy Policy · Terms of Service