Glowgent Data Protection Policy

Introduction and Scope

Glowgent is an AI-powered wellness platform committed to protecting your personal data. We comply with major data protection laws, including the EU General Data Protection Regulation (GDPR), the UK GDPR (Data Protection Act 2018), the California Consumer Privacy Act (CCPA, as amended by CPRA), and, where applicable, the U.S. Health Insurance Portability and Accountability Act (HIPAA). This policy applies to all individuals and organizations using Glowgent:

• Individual Consumers: People using Glowgent for personal wellness guidance, Glow Rooms, expert sessions, trackers, and AI tools.
• Business/Enterprise Users: Entities such as clinics, coaches, HR teams, or content creators who use Glowgent to create branded communities or AI wellness modules for their clients or employees.

By using Glowgent (whether as a consumer or on behalf of a business), you agree to the practices described in this policy. We aim to explain these practices in clear, user-friendly language while maintaining legal accuracy. If you have any questions, please contact us using the information at the end of this policy.

Our Data Protection Principles

Glowgent adheres to fundamental data protection principles to ensure your information is handled lawfully and transparently. These core principles, inspired by the GDPR, lie at the heart of our approach:

• Lawfulness, Fairness & Transparency: We process personal data only for legitimate purposes and in a fair manner, and we are open about our data practices. We will always inform you about what data we collect and why (via this policy and just-in-time notices).
• Purpose Limitation: We collect personal data for specific, explicit purposes (such as providing you with wellness insights or community features) and do not use it in ways that are incompatible with those purposes. We will not, for example, use your information for unrelated marketing without your consent.
• Data Minimization: We only collect data that is adequate, relevant, and limited to what is necessary for the purposes of providing our services. Our forms and tools are designed to ask only for information we truly need.
• Accuracy: We strive to keep your personal data accurate and up-to-date. You have the ability to correct or update your information, and we promptly rectify any inaccuracies you report to us.
• Storage Limitation: We do not keep personal data longer than necessary. Your data is retained only as long as needed to fulfill the purposes described (unless a longer retention is required by law). When data is no longer needed, we delete or anonymize it in a secure manner.
• Integrity & Confidentiality (Security): We protect personal data with appropriate technical and organizational security measures to prevent unauthorized access, loss, or damage. This includes encryption, access controls, and regular security reviews (detailed in a later section).
• Accountability: Glowgent takes responsibility for the personal data we handle. We have internal processes and a dedicated Data Protection Officer to ensure compliance with these principles and privacy laws. We maintain documentation of our data practices and regularly train our team on data protection.

These principles guide everything described in this policy. In the following sections, we outline in detail what data we collect, how we use and protect it, and the rights and choices you have regarding your information.

Data We Collect

We collect different types of personal data from users, depending on whether you are an individual consumer or a business user, and depending on how you use Glowgent. This includes information you provide directly as well as data generated through your use of our platform. Below is an overview of the categories of data we handle:

• Account & Contact Information: When you sign up or create an account, we collect basic identifiers such as your name, email address, phone number, username, and password. If you are a business or organizational user, we may also collect your company/organization name, role/title, and business contact details. This information is used to create and secure your account, and to communicate with you (e.g., sending verification codes or service updates).
• Profile and Onboarding Data: As part of onboarding or profile setup, you may provide demographic and wellness-related information. For example, we might ask for your age, general location (e.g., city or country), and personal wellness goals or interests. In a wellness context, you might also share information about your lifestyle, health preferences, or general well-being status. We collect only what is needed to personalize your Glowgent experience and ensure the guidance you receive is relevant. (Some of this information could be considered health-related or "sensitive personal data." Where required by law, we will obtain your explicit consent to process such sensitive data).
• Wellness Tracker Data: Glowgent offers tools like trackers and logs for various wellness activities (e.g., mood journaling, fitness or step counts, sleep tracking, nutrition logs). If you use these features, we collect the data you input, such as daily step totals, hours slept, mood ratings, or journal entries about your wellness. This dynamic tracking data changes over time as you continue to log or as connected devices update information. It helps Glowgent provide insights, progress tracking, and tailored recommendations for you. You control how much you log; all tracker data is voluntary.
• Glow Rooms and Expert Session Content: Glowgent allows you to participate in community "Glow Rooms" (group forums or chats) and one-on-one or group sessions with wellness experts. If you engage in these, we will process the content you share or discuss. This may include chat messages, posts, or questions you submit in a group, or information you reveal during a coaching session (which could include personal anecdotes, health-related details, etc.). We treat this content as private to the group or session (Glow Rooms might be visible to invited members, whereas one-on-one sessions are private between you and the expert). We advise you to share only what you're comfortable sharing. Glowgent will use this data solely to facilitate the session and not for any unrelated purposes.
• AI Interaction Data: Glowgent features AI-powered wellness assistants and tools. If you interact with our AI (for example, asking a question to a wellness chatbot or using an AI-driven module), the content of your queries and the AI's responses may be collected. Important: To protect your privacy, we employ pseudonymization for AI data (see the AI and Pseudonymized Data section below). In essence, while we may retain what issues or topics are being asked to improve the AI, we strip out or obfuscate any personal identifiers from these interaction logs. This way, the AI can learn general wellness trends or frequently asked questions without knowing who you are.
• Usage Data and Device Information: Like most digital services, Glowgent collects data about how you use our platform. This includes technical data such as your IP address, device type (e.g., phone or laptop, operating system), browser type, and app version. We also log usage details like the pages or screens you visit, features you click or interact with, session duration, and referral information (e.g., what link or ad led you to our site). We use cookies or similar technologies to remember your preferences and ensure smooth navigation. This usage data helps us understand which features are most useful to users, diagnose technical issues, and secure the platform (for example, detecting suspicious login attempts). Where required by law, we will seek consent for certain analytics or cookies, and you can adjust your browser or app settings to control these technologies.
• Business Client Data and Content: If you are a business/enterprise user (such as a clinic or coach) creating a community on Glowgent, you might upload or input personal data about others—e.g., inviting your employees or clients to join your Glowgent space, or entering data about their wellness progress. In such cases, you (the business) are responsible for having the right to share that personal data with us. Glowgent will act as a service provider/data processor for that information, meaning we will only process it on your behalf and according to your instructions (in line with any agreements we sign, such as a Data Processing Agreement). This data could include participants' names, contact information, and any wellness data they input into the platform under your program. We treat all such data as confidential and do not use it except to provide the services.
• Payment Information: If you make any payments (for example, subscribing to a premium feature or a business client paying for enterprise services), our third-party payment processor will collect your payment card details. Glowgent itself does not store your full credit card numbers. Payment details are handled by a PCI-DSS compliant payment processor (e.g., Stripe) that adheres to strict security standards. We may retain records of transactions (date, amount, product) for accounting and legal purposes, but not the sensitive card data.
• Other Data You Choose to Provide: You may choose to provide other information when using Glowgent – for instance, participating in surveys, contacting customer support, or submitting feedback. If you contact us directly, we will receive whatever information you include in your inquiry (such as your contact information and the content of your message). We will use it to assist you and improve our services.

Summary: In general, the data we collect is aimed at delivering a personalized, effective wellness experience. You always have control over what information you provide. We do not collect any categories of personal data that aren't necessary for Glowgent's services – for example, we do not ask for social security numbers, driver's license numbers, or financial account numbers, except in the context of payments as noted. We also do not knowingly collect information from children under 13 (and require parental consent if we ever were to offer a service for minors). Our platform and services are intended for adults and authorized business use.

How We Use Personal Data

Glowgent uses the collected data to operate, improve, and personalize the platform's services. We always ensure there is a valid legal basis for processing your data (such as your consent, performance of a contract with you, compliance with a legal obligation, or legitimate interests, depending on context). Below are the purposes for which we use personal data, along with examples for clarity:

• Providing and Improving Services: We use your information to create your account, authenticate you when you log in, and deliver the wellness features you expect. For example, we use your wellness tracker inputs to chart your progress and provide insights, and we use your profile info and goals to tailor the guidance or content you see. We might analyze overall usage patterns to improve feature design (e.g., if we notice many users quit a certain activity, we investigate why and improve it). Your data helps us troubleshoot issues (if you report a bug, we might check logs relevant to your account to fix it). We also use data to respond to your inquiries or support requests.
• Personalized Guidance and Content: The core of Glowgent is personalized wellness guidance. We process your wellness data (onboarding answers, tracker logs, etc.) to give you customized feedback, recommendations, and motivational messages. For instance, if you log that you're consistently not meeting a sleep goal, the platform's AI might suggest tips for better sleep or an expert might share relevant content in your Glow Room. Personalization means your experience is unique to you – and we base this on data you provide or permit us to collect. We do not make any automated decisions that have legal or significant effects on you without human review – the suggestions our AI provides are meant for coaching and information, not medical or legal determinations.
• AI and Pseudonymized Data (ACDAE Policy): Glowgent leverages artificial intelligence to enhance your wellness experience (for example, an AI chatbot that answers health questions or analyzes your mood trends). We understand the sensitivity of personal data in AI processing. Under our ACDAE (AI & Customer Data Anonymization and Ethics) policy, any personal data used by our AI is first pseudonymized. Pseudonymization means we replace or remove identifying information so that the data cannot be directly linked to you. For instance, if our AI is learning from user queries, your name or contact info is not attached to those query logs. Instead, the AI might see something like "User123 asked: [How can I improve my focus?]" without knowing who User123 is. We maintain a secure separation between your identity and the data patterns the AI analyzes. This practice is recommended under GDPR as a security technique. In effect, the AI learns from aggregated, anonymized trends across many users. We never allow the AI to output your personal information to others, and we do not use your data to train external AI models. All AI training or improvement happens within Glowgent's controlled environment and solely to benefit our users. Our ACDAE policy also entails strict ethical guidelines: the AI's use of data is limited to wellness-related purposes, and we regularly check the AI's outputs to ensure they are appropriate and privacy-respecting.
• Communications: We use contact information (like your email or phone number) to send you service-related communications. These include confirmations (e.g., email verification, booking confirmations for an expert session), alerts (such as changes to our terms or privacy policy), and security notifications (like new login alerts or password reset messages). We may also send wellness newsletters, tips, or updates about new features if you have opted in to such communications. You can unsubscribe from promotional emails at any time by clicking the "unsubscribe" link in them or adjusting your account preferences. (Transactional emails related to your account or use of service, however, will still be sent as needed). We will not spam you or sell your contact info to third-party marketers.
• Community Features and Social Interaction: If you participate in Glow Rooms or other community forums on Glowgent, the content you post (minus any personal identifiers you choose not to display) may be visible to other authorized users of that space. We use your data to ensure the right people see the right content (for example, only members of a particular Glow Room can see messages posted there). We might also highlight general platform activity (e.g., "5 people completed a meditation today" – but such stats are aggregated and not identifying anyone specifically).
• Analytics and Product Development: We analyze usage data, performance metrics, and user feedback to understand how Glowgent is used and how we can make it better. For instance, we might measure how many users use a new stress-tracking feature and what results they get, to decide if we should refine it. Analytics may involve third-party tools that process usage data on our behalf (under strict confidentiality) to give us insights (for example, Google Analytics for website traffic, though we will configure it to avoid collecting any personal identifiers or we will seek consent as required). All analysis is done in aggregate form whenever possible. Insights derived help us improve user experience, optimize content, and develop new wellness modules that meet users' needs.
• Security and Fraud Prevention: Protecting your data also means using it to keep Glowgent secure. We monitor login attempts, device information, and network info (IP addresses) to detect and prevent suspicious or unauthorized activities. If something looks like a potential breach or fraud (e.g., many failed logins, or a login from a new location), we may use data to block access or alert you. We also use data (like logs) to debug and fix errors that could pose security risks. Our systems also log actions within the app which helps with auditing and identifying any misuse of personal data.
• Legal Compliance and Protection: Finally, in some cases we need to use or disclose data to comply with applicable laws or regulations. For example, if we receive a lawful subpoena or request from law enforcement, or if tax law requires us to keep transaction records. Also, if necessary to enforce our Terms of Service or to protect the rights, property, or safety of Glowgent, our users, or others, we may use personal data for those purposes (but only when legally permitted). This could include cooperating with an investigation of violations of our community guidelines or addressing fraud or security issues. We will inform users of any such disclosures when we are allowed to.

No Selling of Personal Data: Glowgent does not sell your personal information. In the context of CCPA, "sell" refers to sharing personal data with third parties for monetary or other valuable consideration. We do not engage in that. We only share data with service providers or partners as needed to run our platform (and those parties are bound by contracts to use the data solely for our purposes, not their own marketing). We also do not use your data for third-party advertising targeting. If this ever changes, we will update this policy and provide required opt-out mechanisms. (See the Your Privacy Rights section for how you can opt out of any potential data sharing and for California-specific "Do Not Sell/Share" rights.)

How We Share Data

We treat your personal data with care and do not share it except in the following circumstances:

• Service Providers (Processors): We use reputable third-party vendors to help us operate Glowgent. Examples include cloud hosting providers (for our databases and servers), email/SMS delivery services (to send verification codes or notifications), analytics providers (to help us understand usage patterns), and customer support tools. These providers may process your data on our behalf only for the purposes of providing their services to us. We vet our providers for strong security and privacy standards. We have Data Processing Agreements in place with them, binding them to protect your data and not use it for any other purpose. For instance, our data is primarily stored on Supabase, a secure cloud database platform. Supabase is SOC 2 Type 2 certified and HIPAA-compliant (able to handle health information under a Business Associate Agreement). All data in our Supabase database is encrypted at rest and in transit, ensuring that our provider cannot read your information without authorization.
• Within Glowgent (Personnel and Related Entities): Within our company, access to personal data is limited to those who need to know it to perform their duties. For example, a customer support agent might access your account details when you have an issue, or a developer might access an error log to fix a bug. All staff with such access are trained in confidentiality and data protection. We have strict role-based access controls; not all employees can see user data. Administrative access to systems is logged and regularly reviewed. If Glowgent operates under a parent company or has affiliates helping to provide the service, your data might be shared with them – but always under the same privacy obligations and only for the purposes described in this policy.
• Business Users (for their members' data): If you are using Glowgent as part of a program run by a business (e.g., your employer's wellness program or a clinic's patient community), the organizers (the business customer) may have access to certain data about your use of Glowgent. For example, a corporate HR wellness manager might see aggregate reports on employee participation or an individual coach might see their client's tracker data to provide guidance. This is similar to how a fitness coach might review your workout logs. Those business users are required to handle your data in accordance with privacy laws and their own agreements with you. Glowgent shares data with them only as needed for the program and as permitted by you (usually, you will be informed by your organization what data they can see). If you have questions about what your organization can see, please refer to the information provided by that organization or ask us.
• Legal Requirements and Safety: We may disclose personal data when required by law or court order – for example, in response to a subpoena, or to comply with reporting obligations. We will ensure such requests are valid and will narrow the data shared to what is necessary. Additionally, if we believe in good faith that disclosure is necessary to protect our rights, your safety or the safety of others, investigate fraud, or respond to a government request, we may share data for those purposes. This could include sharing information with law enforcement when investigating misuse of the platform or threats to anyone's well-being. Glowgent will document these disclosures and, if appropriate, attempt to notify you (unless legally prohibited or in an emergency situation).
• Business Transfers: If Glowgent undergoes a business transaction like a merger, acquisition, corporate reorganization, or sale of assets, user data may be transferred to the successor or new owner as part of that deal. If such a transfer happens, we will ensure the new entity is bound to honor the commitments we have made in this policy. We will notify you (for example, via email or a notice on our site) of any change in ownership or uses of your personal information, as well as any choices you may have regarding your information in that event.
• With Your Consent: In any situation not covered above, we will seek your consent before sharing your personal data with a third party. For instance, if we ever want to publish a user testimonial or success story that includes personal information, we would ask for your explicit permission. You are in control – if you direct us to share data with a third-party service (say, you want to sync Glowgent data with another wellness app via an integration), we will do so only with your authorization and as explained to you.

No Public Posting of Personal Data: We do not publicly release personal data. Any community postings you make (like Glow Room messages) are semi-private (visible only to the community) and you have control over what to share. We encourage users to be mindful not to post sensitive personal details in public forums. Glowgent does moderate content to remove personal data if it's inadvertently exposed and to enforce community guidelines.

AI and Pseudonymized Data Usage (ACDAE Policy)

This section provides more detail on how our AI features handle data in a privacy-protective way, under what we call our ACDAE policy.

Glowgent's innovative AI tools (like chatbots, recommendation engines, or analytical tools) are designed with privacy by design principles. ACDAE stands for AI & Customer Data Anonymization and Ethics – a policy framework we follow to use AI responsibly on user data:

• Pseudonymization Before Processing: Any personal data that is fed into our AI systems is pseudonymized beforehand. This means we strip out direct identifiers (such as names, emails, IDs) and replace them with surrogate values or tokens. For example, before an AI model analyzes chat logs to improve its responses, all user names might be converted to a random user ID, and any specific references (like "I work at Company X") might be generalized or removed. The AI therefore operates on data that cannot directly identify individuals. As highlighted in GDPR Article 32, pseudonymization is a recommended security measure that we embrace. While pseudonymized data is still kept secure and confidential, this extra layer helps ensure that even internally, the AI doesn't inadvertently expose someone's identity.
• Aggregation and Minimal Access: Our AI models focus on aggregate patterns, not individual profiles. For instance, an AI feature might learn that "users who log higher stress tend to benefit from breathing exercises" by looking at trends, but it doesn't single out your data in isolation. We also limit which team members or systems can link the pseudonymized data back to real identities. The "key" that links pseudonyms to real user identities is kept separate and only used if necessary (for example, to apply an AI insight back to your account). Typically, analyses for AI training are done on a separate dataset that does not include this key at all, meaning the AI sees only anonymized patterns.
• Ethical Use and Transparency: Glowgent's ACDAE policy ensures that AI is used ethically. We do not use AI to make decisions that would negatively affect you without the possibility of human review (e.g., there is no AI that will, say, deny you access to a feature based on your data). AI is there to support and empower your wellness journey, not to judge or penalize. We are transparent about where AI is used – for example, if you are interacting with a chatbot, we will tell you it's AI-driven. If any AI-driven content or recommendation is presented, you can usually get an explanation or have the option to consult a human expert if you prefer.
• No External AI Data Sharing: We do not share the personal data used by our AI with external or third-party AI systems except our contracted processors. For instance, we wouldn't upload your journal entries into a public AI service. If we ever partner with an external AI provider, we will ensure similar pseudonymization and strict contracts are in place, or we'll ask for your consent.
• Continuous Oversight: We monitor the outputs of our AI systems to ensure they remain accurate and unbiased. If the AI produces an output that includes personal data or seems to violate privacy, that's treated as a bug and corrected. Our team regularly updates the AI models with privacy improvements and employs techniques like data minimization (feeding the AI only what it truly needs for a task) and purpose limitation (the AI only uses data for the specific wellness function at hand). We also conduct Data Protection Impact Assessments for our AI features when required, to systematically evaluate and mitigate privacy risks.

In summary, Glowgent's AI is a powerful tool for wellness, but it is built and run with privacy safeguards. Our ACDAE policy means you can benefit from AI-driven insights while we keep your personal identity and sensitive details protected and confidential.

Data Storage and Security Practices

Your personal data is stored and processed on secure servers. Glowgent utilizes Supabase (a secure cloud database and infrastructure provider) as our primary data storage solution. We chose Supabase for its strong security and compliance features, which include:

• Encryption: All personal data stored in our Supabase database is encrypted at rest and in transit. Supabase uses industry-standard AES-256 encryption for data at rest (data stored on disk) and TLS/SSL for data in transit (data traveling between your device and our servers). This means that even if someone were to obtain the physical hard drives or intercept network traffic, the data would be unreadable without the proper encryption keys. Additionally, certain sensitive fields may be encrypted at the application level by Glowgent before being stored (for instance, we might further encrypt particularly sensitive notes or health metrics).
• Server Location and Transfers: Our servers are located in secure data centers. By default, Glowgent's data is hosted in the United States. If you are an international user, be aware that your data may be transferred to and stored in a country different from your own. However, no matter where your data is stored, it remains protected under the safeguards described in this policy. For data originating from the EU/UK, if it is stored on servers outside those regions (e.g., in the U.S.), we implement adequate transfer mechanisms such as the European Commission's Standard Contractual Clauses (SCCs) or we rely on approved frameworks to ensure legality and protection of such transfers. In essence, we ensure that your data receives the same level of protection as it would under EU law, even when stored abroad.
• Access Controls: Access to our databases is strictly controlled. Only authorized Glowgent engineers or administrators (and Supabase's operations team, as necessary for maintenance) have access to the database, and even then, they can only access it through secure authentication and privileged connections. Supabase supports role-based access control, meaning each service or user has only the minimum access needed. We regularly review access logs and revoke any access that is no longer required.
• Backups and Recovery: Our database is routinely backed up to prevent data loss. Supabase automatically performs daily backups of customer databases, and we securely store these backups. In case of any system failure or data corruption, we have the ability to restore data from backups (including point-in-time recovery for up to a certain retention period). Backup files are encrypted and protected just like the live database. We only retain backups for the duration necessary (consistent with our retention policy) and they are automatically purged after that period.
• Retention and Deletion: We store your personal data only for as long as it is needed to fulfill the purposes outlined in this policy, or as required by law. In practice, this means:
  • Active account data is kept for the life of your account. You can access and update much of this data via your profile or settings.
  • If you choose to delete your account or certain data entries, we will initiate deletion of those records from our production systems. Deletion may be immediate for some data (we aim to remove it from use quickly), but complete removal from all backups and logs will occur in accordance with our data retention schedule (generally within 30 days, unless a legal requirement necessitates longer retention). We take care that data is fully expunged or irreversibly anonymized.
  • Aggregated data that is not identifiable to you (for example, statistical averages) may be retained, as it no longer contains personal data.
  • Certain information may be kept longer if necessary: for example, payment transaction records (for financial auditing), or data needed for dispute resolution or to comply with legal obligations. However, we will not use personal data for any new purposes after deletion; it would only be retained in a secure, restricted archive if required.
  • We have a detailed internal schedule for reviewing data we hold. If we identify data that is no longer necessary, we proactively delete or anonymize it.
• Physical and Environmental Security: Our cloud infrastructure through Supabase is hosted on top-tier cloud providers (such as AWS or Google Cloud) with robust physical security at data centers (guard patrols, access badges, surveillance, climate control, fire suppression, etc.). Although we do not directly manage the physical servers, we rely on these reputable providers' certifications (like ISO 27001, SOC 2) which ensure the facilities and hardware are secure.
• Network Security: We employ firewalls and network monitoring to protect our cloud environment. Only necessary network ports are open, and we use virtual private networks (VPNs) or secure tunnels for administrative access. We keep our servers and software up-to-date with security patches to guard against vulnerabilities.
• Testing and Audit: Glowgent regularly tests its platform for security weaknesses. We conduct periodic penetration tests and security audits, sometimes with the help of independent experts. We also utilize automated vulnerability scanning tools to catch common issues. Findings from tests are promptly addressed. Supabase, as our platform, also undergoes its own security audits and maintains SOC 2 Type 2 compliance, which involves regular testing of controls.
• Incident Response: Despite all precautions, no system is 100% immune to issues. Glowgent has an incident response plan for handling security events or data breaches. Our team is on call to respond to alerts. If we detect any incident involving personal data, we will act swiftly to contain and investigate it. We will also notify affected users and authorities as required (see Data Breach Notification below).
• Supabase Compliance: As noted, Supabase is capable of supporting HIPAA compliance (with a Business Associate Agreement) and meets industry standards. We have executed the necessary agreements with our providers to ensure they are contractually committed to protecting your data to high standards. This is important especially for any health-related data we store. Additionally, Supabase's infrastructure inherits compliance like GDPR and CCPA readiness. They provide a Data Processing Addendum (DPA) for EU personal data handling, which we have in place, meaning your data on their servers is handled under GDPR terms.

In summary, Glowgent takes strong measures to secure your data at every level – application, database, network, and human processes. We continuously work to update our security practices in line with evolving threats and industry best practices, so that your information remains safe with us.

Internal Accountability and Governance

Glowgent not only relies on technical safeguards, but also robust organizational measures to ensure data protection is embedded in our culture and operations. Here's how we uphold accountability:

• Data Protection Officer (DPO): We have appointed a Data Protection Officer (or equivalent privacy lead) who oversees Glowgent's privacy strategy and compliance. The DPO's responsibilities include conducting privacy impact assessments for new features, training staff on data handling, and serving as a point of contact for users and regulators regarding data protection matters. You can find the DPO's contact information in the Contact section of this policy. Our DPO actively monitors our compliance with GDPR and other regulations and advises the company on fulfilling our obligations.
• Training and Awareness: Every Glowgent team member with access to personal data undergoes privacy and security training. We conduct regular refresher sessions to ensure everyone understands the importance of data protection, the procedures to follow, and the responsibility we all share in safeguarding user information. This includes training on spotting social engineering attempts, proper data encryption practices, and adherence to this policy and related internal policies.
• Access Management: Internally, we follow the principle of least privilege. Each employee, contractor, or partner is given the minimum access to data or systems that they need to do their job. Administrative access to production systems is limited to a small, vetted team. We use multi-factor authentication and unique user accounts for anyone accessing systems with personal data. Access rights are reviewed periodically and revoked promptly when someone leaves the company or changes role. Administrative actions (like querying the database) are logged for audit purposes. Misuse of data internally is a serious offense that can lead to disciplinary action.
• Privacy by Design & Default: When we design new features or products, privacy is considered from the start. We conduct Privacy Impact Assessments where appropriate to identify and mitigate risks. By default, we try to collect and use the minimal amount of personal data necessary (aligning with data minimization). For example, if we introduce a new wellness metric, we will evaluate if it's really needed and how to secure it. User settings are generally privacy-friendly by default (for instance, profiles might be set to private by default unless you choose to share certain info).

Your Privacy Rights and Choices

We want you to have control over your personal data. Depending on where you live and whether certain laws apply, you may have specific legal rights regarding your data. Even if you are not in one of the regions described, Glowgent still allows you to make certain choices (like deleting your account) because we believe in empowering all our users. Below, we outline key user rights and how to exercise them:

Rights for EU and UK Individuals (GDPR/UK GDPR)

If you are in the European Union, United Kingdom, or a jurisdiction with similar laws, you have robust data subject rights under GDPR and UK data protection law. These include:

1. Right to be Informed: You have the right to clear information about how we use your personal data – which is one purpose of this very policy. We aim to be transparent and will inform you if we plan to use your data in a new way.
2. Right of Access: You can request a copy of the personal data we hold about you, as well as information about how we process it. This is often called a "Data Subject Access Request." Upon verification of your identity, we will provide you with a summary or full copy of your data (whichever you prefer, and as allowed by law) – for example, information like your profile details, tracker entries, etc., as well as the purposes, categories of data, and any third parties with whom it's shared. We will do so within one month of your request (or inform you if we need more time for complex requests).
3. Right to Rectification: If any of your personal data is inaccurate or incomplete, you have the right to have it corrected. Much of your basic info can be edited directly in your account settings. For any other corrections, contact us and we will rectify the data. For instance, if your name is spelled wrong or you want to update health info that has changed, we'll update our records accordingly without undue delay.
4. Right to Erasure (Right to be Forgotten): You may request that we delete your personal data. This right is not absolute, but we will honor it if: the data is no longer necessary for the purposes collected, or you withdraw consent (if consent was the basis) and no other legal basis exists, or you object to processing and we have no overriding interest, or we collected data unlawfully, etc. In practice, this means you can delete your account via settings (which triggers deletion of personal data as described in the Retention section). We will also delete specific data on request if you don't want to delete your whole account (for example, a particular log entry you added by mistake). Note: we might retain certain minimal data if required (e.g., transaction records) or keep your email to ensure we don't re-contact you, but we'll inform you if so.
5. Right to Restrict Processing: You have the right to ask us to limit the processing of your data in certain circumstances. For example, if you contest the accuracy of data, you can request we halt processing (aside from storing it) until we verify accuracy. Or if you object to some processing we do based on legitimate interests, we will consider if we can accommodate a restriction. When processing is restricted, we will just store the data and not use it until the issue is resolved.

Rights for California Residents (CCPA/CPRA)

If you are a resident of California, the CCPA (California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020) provides you with specific rights over your personal information. These rights (some of which overlap with those described above) include:

• Right to Know: You can request that we disclose what personal information we have collected about you, the categories of sources of that information, the business or commercial purpose for collecting it, the categories of third parties with whom we share it, and specifically what pieces of information we have about you. Essentially, it's your right to ask "What do you know about me?" This is similar to the access right under GDPR. We will provide either a report or make the information available in a portable format covering the 12-month period prior to your request (or longer, as required by law).
• Right to Delete: You can request that we delete personal information we have collected from you. Upon a verifiable request, we will delete your personal info from our records (and direct our service providers to do the same), except for situations where an exemption applies. For example, if the information is needed to complete a transaction you requested, to detect security incidents, to exercise free speech or another legal obligation, or for certain internal uses aligned with your expectations, we may not delete those specific pieces. We will inform you of any denial and the reason if we cannot fulfill a part of your deletion request due to an exemption. In practice, you can also delete your account which triggers the deletion process as described earlier.

Children's Privacy

Glowgent is not directed to children under the age of 13 (or under the age of 16 in certain jurisdictions, such as the EU, where parental consent may be required). We do not knowingly collect personal data from children in these age groups without verifiable parental consent. If you are under 13, please do not use Glowgent or provide any information about yourself. If we become aware that we have collected personal information from a child without consent, we will take steps to delete that information.

Parents or guardians: if you realize your child has provided personal data to Glowgent without your consent, please contact us and we will delete the data and (if applicable) terminate the child's account. If Glowgent ever offers specific features for younger audiences, we will do so in compliance with laws like COPPA (Children's Online Privacy Protection Act) and obtain proper consent.

Updates to This Policy

We may update this Data Protection Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make a significant change, we will notify you through appropriate channels: for example, by posting a prominent notice on our website or app, and/or by emailing you if you have provided an email address. The "Effective Date" at the top will always indicate when the last changes were made.

We encourage you to review this policy periodically to stay informed about how Glowgent is protecting your data. If you do not agree with any changes to the policy, you should stop using our services and may request that your data be deleted. Continued use of Glowgent after a policy update constitutes your acceptance of the changes.

Older versions of this policy will be archived (and you can request a copy of a previous version by contacting us). We maintain transparency about our privacy promises over time.

Contact Us (and Data Protection Officer)

We value your opinions and feedback. If you have any questions, concerns, or requests regarding this Data Protection Policy or how we handle your personal data, please contact us:

• Email: hello@glowgent.com
• DPO Contact: Attn: Data Protection Officer – you can reach our DPO at the above email (please mark it "Attn: DPO"). If you prefer to speak by phone, email us your contact and we will arrange a call.

If you contact us with a privacy inquiry or to exercise your rights, please include your contact information and a detail of your request. We will respond as soon as possible, and no later than any timeframe required by law.

As mentioned, you also have the right to lodge a complaint with a supervisory authority. For example, in the UK you can contact the ICO, or in the EU you can reach out to your national Data Protection Authority. We would, however, appreciate the chance to address your concerns directly first.

Thank you for trusting Glowgent. Your privacy and data security are integral to our mission of providing a safe, empowering wellness platform. We are committed to guarding that trust by keeping your information secure and handling it with the utmost care and respect.