Privacy Policy

Definitions

Account

A login set up by the Partner that is then the method followed by the Partner to authenticate access to the Application / System.

Partner

A natural person, a legal person or entity, or an organizational unit without legal personality who uses the Application under the terms of this Agreement in connection with their business or professional activity and has created an Account in the Application for themselves as an entrepreneur or business, in order to provide Services to Customers.

Glowcheck

Glowcheck, Is a brand of Federico Nagy, legal individual with registered address at Via Oristano 10, 20128 Milano, Italy and tax identification number 11745870961.

Personal Data (or Data)

Any information that directly, indirectly, or in connection with other information — including a personal identification number — allows for the identification or identifiability of a natural person.

Usage Data

Information collected automatically through this Application (or third-party services employed in this Application), which can include: the IP addresses or domain names of the computers utilized by the Users who use this Application, the URI addresses (Uniform Resource Identifier), the time of the request, the method utilized to submit the request to the server, the size of the file received in response, the numerical code indicating the status of the server’s answer (successful outcome, error, etc.), the country of origin, the features of the browser and the operating system utilized by the User, the various time details per visit (e.g., the time spent on each page within the Application) and the details about the path followed within the Application with special reference to the sequence of pages visited, and other parameters about the device operating system and/or the User’s IT environment.

User

Partner

Data Processor (or Processor)

The natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller, as described in this privacy policy.

Data Controller (or Owner)

The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data, including the security measures concerning the operation and use of this Application. The Data Controller, unless otherwise specified, is the Owner of this Application.

Processing of Personal Data

Any operation performed on personal data, such as collecting, recording, using, sending, or deleting. Any use of personal data in any manner constitutes processing.

This Application

The means by which the Personal Data of the User is collected and processed.

Service

The service provided by this Application as described in the relative terms (if available) and on this site/application.

European Union (or EU)

Unless otherwise specified, all references made within this document to the European Union include all current member states to the European Union and the European Economic Area.

Cookie

Cookies are Trackers consisting of small sets of data stored in the User’s browser.

Tracker

Tracker indicates any technology - e.g Cookies, unique identifiers, web beacons, embedded scripts, e-tags and fingerprinting - that enables the tracking of Users, for example by accessing or storing information on the User’s device.

Legal information

This policy relates solely to this Application, if not stated otherwise within this document.

Owner and Data Controller

Federico Nagy
Via Oristano 10, 20128 Milan, Italy
VAT Number (Partita IVA): 11745870961

Owner contact email: federico@glowcheck.app

General Information

We would like to inform you that:

1. Glowcheck is the data controller for the personal data of Partners who are natural persons.
2. To the extent that both Glowcheck and the Partner process the personal data of Customers for their own, independently determined purposes, they act as separate data controllers. Specifically, the Partner is the data controller with regard to the provision of their services to Customers. In cases described in sections 4 and 7 below, Glowcheck will act as a data processor and process personal data on documented instructions from the Partner, who acts as the data controller for the personal data entrusted to Glowcheck for processing.
3. Upon the confirmation of a booking, a service agreement is concluded between the Customer and the Partner for the provision of the Partner’s services to the Customer. Additionally:
   1. The Customer may grant consent in person to the Partner to process their personal data for purposes specified by the Partner, including marketing communication.
   2. Glowcheck provides the Partner, through the Application, with the Customer’s personal data necessary for the provision of services to that Customer.
   3. At this point, the Partner becomes the data controller of the Customer’s personal data and is therefore obligated to comply with GDPR requirements, bearing legal responsibility for such compliance.
4. In order for Glowcheck to provide services to the Partner via the Application, it is necessary for the Partner to entrust Glowcheck with the processing of the following categories of personal data:
   1. Personal data of the Partner’s customers who have entered into service agreements with the Partner outside the Application (e.g., directly at a salon operated by the Partner), if the Partner inputs such data into the Application,
   2. Personal data of individuals employed or engaged by the Partner (e.g., employees, collaborators, contractors) who use the Application,
   3. Personal data of Customers and the Partner’s customers who have consented to receiving marketing communication from the Partner.
5. To facilitate this data processing as described above, the Partner and Glowcheck enter into a Data Processing Agreement (DPA), in accordance with Article 28 GDPR.
6. The Partner acknowledges that the termination of the Data Processing Agreement will result in Glowcheck being unable to provide services that require the processing of data for which the Partner is the data controller. Consequently, upon the termination of the DPA, Glowcheck’s obligations under the Service Agreement related to such data processing will cease.
7. When the Partner uses tools available within the Glowcheck Services (e.g., appointment calendar, marketing tools), Glowcheck processes the Partner’s customer data on the Partner’s behalf, in accordance with the terms of the Data Processing Agreement.
8. The purposes for which the Partner may process their customers’ personal data will depend on the legal grounds for data processing that the Partner identifies in their capacity as a data controller.
9. Glowcheck is not responsible for the scope of personal data processed by the Partner or for the legal compliance of such processing by the Partner. The detailed obligations of both parties in this regard are outlined in the Data Processing Agreement.

Types of Data collected

Among the types of Personal Data that this Application collects, by itself or through third parties, there are:

For account creation:

name and surname, business name, e-mail address, phone number, residential or business address, IP address. If you choose to upload a logo or profile picture that contains your image, Glowcheck will also process this information. If you use external authentication services to log in to Glowcheck (e.g. Apple), Glowcheck receives your personal data from these platforms, including: name, surname, email. You may choose not to share certain data during login.

Use of the Application:

personal data related to your activities, such as updates to your information (e.g., changes to your business address), contacts with us, payments, and billing information. Glowcheck also processes voluntarily provided data, information related to your activity on the platform (e.g., from cookies), and account logs.

Use of the Website

voluntarily provided data, and information related to your activity on the website (e.g., from cookies).

Complete details on each type of Personal Data collected are provided in the dedicated sections of this privacy policy or by specific explanation texts displayed prior to the Data collection.

Personal Data may be freely provided by the User, or, in case of Usage Data, collected automatically when using the Application.

Unless specified otherwise, all Data requested by this Application is mandatory and failure to provide this Data may make it impossible for this Application to provide its services. In cases where this Application specifically states that some Data is not mandatory, Users are free not to communicate this Data without consequences to the availability or the functioning of the Service.

Users who are uncertain about which Personal Data is mandatory are welcome to contact the Owner.

Any use of Cookies – or of other tracking tools – by this Application or by the owners of third-party services used by this Application serves the purpose of providing the Service required by the User, in addition to any other purposes described in the present document.

Users are responsible for any third-party Personal Data obtained, published or shared through this Application.

Mode and place of processing the Data

Methods of processing

The Owner takes appropriate security measures to prevent unauthorized access, disclosure, modification, or unauthorized destruction of the Data.

The Data processing is carried out using computers and/or IT enabled tools, following organizational procedures and modes strictly related to the purposes indicated. In addition to the Owner, in some cases, the Data may be accessible to certain types of persons in charge, involved with the operation of this Application (administration, sales, marketing, legal, system administration) or external parties (such as third-party technical service providers, mail carriers, hosting providers, IT companies, communications agencies) appointed, if necessary, as Data Processors by the Owner. The updated list of these parties may be requested from the Owner at any time.

Place

The Data is processed at the Owner’s operating offices and in any other places where the parties involved in the processing are located.

Depending on the User’s location, data transfers may involve transferring the User’s Data to a country other than their own. To find out more about the place of processing of such transferred Data, Users can check the section containing details about the processing of Personal Data.

Retention time

Unless specified otherwise in this document, Personal Data shall be processed and stored for as long as required by the purpose they have been collected for and may be retained for longer due to applicable legal obligation or based on the Users’ consent.

The purposes of processing

We process your personal data for the following purposes:

1. Establishing and maintaining business relationships, offering our services, and taking steps to enter into a contract – Your personal data may be processed when you contact us to request information about our services or when we conduct pre-contractual communications. The legal basis for processing your personal data in this context is either our legitimate interest (Article 6(1)(f) of the GDPR), which involves offering and providing information about our services, or the necessity to take steps at your request prior to entering into a contract (Article 6(1)(b) of the GDPR).
2. Managing your Glowcheck account – This includes enabling you to use its functionalities, such as managing your data in the Application (including exporting data where available). This processing is necessary for the performance of the contract between you and Glowcheck (Article 6(1)(b) of the GDPR).
3. Sending you service and transactional communications – This includes inter alia notifications about changes to the Glowcheck Terms of Service. The legal basis for this processing is the necessity to perform the contract (Article 6(1)(b) of the GDPR) and compliance with legal obligations (Article 6(1)(c) of the GDPR).
4. Receiving customer feedback on your business and enabling you to respond – This processing is necessary for the performance of the contract under the Terms of Service of the Application (Article 6(1)(b) of the GDPR).
5. Handling payments and financial settlements – Your personal data is processed to facilitate payments and settlements, as required for the performance of the contract with Glowcheck (Article 6(1)(b) of the GDPR).
6. Marketing of Glowcheck products or services (excluding direct marketing) – The processing of your personal data for this purpose is carried out based on Glowcheck’s legitimate interest (Article 6(1)(f) of the GDPR), which is the ability to promote and market its products and services.
7. Direct marketing of Glowcheck’s products or services – This includes using electronic communication channels such as email, SMS, MMS, and push notifications. The processing is based on Glowcheck’s legitimate interest (Article 6(1)(f) of the GDPR), which involves directly communicating with you to advertise and promote its services.
8. Personalization of content and analysis of preferred services – This involves tailoring our products or services, as well as marketing, to your preferences and to those of identified customer groups. This processing is necessary to fulfil Glowcheck’s legitimate interest (Article 6(1)(f) of the GDPR), which is to provide better-targeted content and services aligned with your expectations.
9. Researching preferences and service demand – This includes conducting surveys (via phone, SMS, or email) and monitoring user activity within the Application to assess customer interest in Glowcheck or Partner services and to measure satisfaction. The legal basis is Glowcheck’s legitimate interest (Article 6(1)(f) of the GDPR), which is to understand the catalogue of products and services customers find valuable.
10. Establishing, pursuing, or defending against legal claims and debt collection – Your data is processed as necessary to fulfil Glowcheck’s legitimate interest (Article 6(1)(f) of the GDPR), which involves managing legal claims and debt recovery.
11. Compliance with legal obligations – We process your data to meet obligations under applicable laws, such as accounting, tax reporting (e.g., reporting platform transactions), fraud prevention, and anti-money laundering requirements. This processing is based on legal obligations (Article 6(1)(c) of the GDPR).
12. Internal reporting, analysis, and statistics – Your data is processed to create reports, plan service development, and conduct system improvements. This processing is necessary to fulfil Glowcheck’s legitimate interest (Article 6(1)(f) of the GDPR), which is to analyze and develop business operations.
13. Developing and implementing new system functionalities – This involves improving application features, testing new solutions, and conducting analyses for new tools or reports. The legal basis for this processing is Glowcheck’s legitimate interest (Article 6(1)(f) of the GDPR), which is to maintain and improve system security and functionality.
14. Communication with you – When you contact us, we process your data to respond and communicate with you. This is necessary to fulfil Glowcheck’s legitimate interest (Article 6(1)(f) of the GDPR), which is to ensure effective communication.

Detailed information on the processing of Personal Data

Personal Data is collected for the following purposes and using the following services:

Analytics

The services contained in this section enable the Owner to monitor and analyze web traffic and can be used to keep track of User behavior.

Posthog

Posthog is an analytics service provided by Amplitude Inc.

Personal Data processed: Usage Data.

Place of processing: EU – Privacy Policy.

Beta Testing

This type of service makes it possible to manage User access to this Application, or parts of it, for the purpose of testing a certain feature or the entire Application. The service provider may automatically collect data related to crashes and statistics related to the User’s use of this Application in a personally identifiable form.

TestFlight (Apple Inc.)

TestFlight is a beta testing service provided by Apple Inc.

Personal Data processed: various types of Data as specified in the privacy policy of the service.

Place of processing: United States – Privacy Policy.

Handling payments

Unless otherwise specified, this Application processes any payments by credit card, bank transfer or other means via external payment service providers. In general and unless where otherwise stated, Users are requested to provide their payment details and personal information directly to such payment service providers. This Application isn’t involved in the collection and processing of such information: instead, it will only receive a notification by the relevant payment service provider as to whether payment has been successfully completed.

Payments processed via the Apple App Store (Apple Inc.)

This Application uses a payment service provided by Apple Inc. that allows the Owner to offer the purchase of the app itself or in-app purchases.

Personal Data processed to complete the purchases are processed by Apple, as described in the privacy policy for the App Store.

Personal Data processed: payment info.

Place of processing: United States – Privacy Policy.

Platform services and hosting

These services have the purpose of hosting and running key components of this Application, therefore allowing the provision of this Application from within a unified platform. Such platforms provide a wide range of tools to the Owner – e.g. analytics, user registration, commenting, database management, e-commerce, payment processing – that imply the collection and handling of Personal Data.

Some of these services work through geographically distributed servers, making it difficult to determine the actual location where the Personal Data are stored.

Apple App Store (Apple Inc.)

This Application is distributed on Apple’s App Store, a platform for the distribution of mobile apps, provided by Apple Inc.

By virtue of being distributed via this app store, Apple collects basic analytics and provides reporting features that enables the Owner to view usage analytics data and measure the performance of this Application. Much of this information is processed on an opt-in basis.

Users may opt-out of this analytics feature directly through their device settings. More information on how to manage analysis settings can be found on this page.

Personal Data processed: Usage Data.

Place of processing: United States – Privacy Policy.

Contabo

Contabo is an IT hosting provider.

Personal Data processed: all of the personal data specified in this privacy policy

Place of processing: EU - Privacy Policy

Registration and authentication

By registering or authenticating, Users allow this Application to identify them and give them access to dedicated services.

Depending on what is described below, third parties may provide registration and authentication services. In this case, this Application will be able to access some Data, stored by these third-party services, for registration or identification purposes.

Some of the services listed below may also collect Personal Data for targeting and profiling purposes; to find out more, please refer to the description of each service.

Direct registration

The User registers by filling out the registration form and providing the Personal Data directly to this Application.

Personal Data processed: email address; first name; password; phone number.

External authentication services (e.g. Log in with Apple)

Glowcheck receives your personal data from these platforms: Apple.

The User may choose not to share certain data during login.

Personal Data processed: name, surname, email.

Place of processing: United States – Privacy Policy.

Google Maps

The User by following the onboard process is asked to select their business and its connected address by searching the Google Maps database.

Personal Data processed: business name, business address.

Place of processing: United States - Privacy Policy

Email Communications

To send service notifications and (where consented) marketing

Brevo

Brevo is a mail system that GlowCheck utilises to send notifications to customers about their appointments.

Place of processing: EU - Privacy Policy

Further Information for Partners

Further information about retention time

1. Glowcheck processes, including stores, your personal data for no longer than is necessary to achieve the purposes for which it is processed. The data retention periods are as follows:
   1. Contract performance with Glowcheck (under the Application Terms of Service) – Article 6(1)(b) of the GDPR: Your personal data, required to create an account in the Glowcheck Application and related to your activities within the Application, is processed to enable you to use the platform’s functionalities. The data is processed until the termination or expiration of the contract, after which it is retained for the duration of the statute of limitations for claims or until other legitimate interests of Glowcheck expire. Additional data, such as a profile picture, is stored until you delete it or delete your account.
   2. Compliance with legal obligations – Article 6(1)(c) of the GDPR: Data processed to comply with Glowcheck’s legal obligations is retained for the period required by applicable laws.
   3. Consent – Article 6(1)(a) of the GDPR: When the processing of your personal data is based on your consent, the data is processed until you withdraw your consent.
   4. Legitimate interest – Article 6(1)(f) of the GDPR: Your personal data processed based on Glowcheck’s legitimate interests is retained for the duration of those interests (e.g., for correspondence purposes) or until you object to the processing for these purposes. If Glowcheck has overriding legitimate grounds for continued processing, your data may be retained longer, and you will be informed accordingly. Data processed for the establishment, exercise, or defense of legal claims is stored for the statute of limitations period or until the conclusion of mediation or court proceedings.
   5. Marketing – Article 6(1)(f) of the GDPR: For marketing purposes, your personal data is processed until you withdraw your consent to receive marketing communications from Glowcheck, or until you object to such processing.

The rights of Partners based on the General Data Protection Regulation (GDPR)

Under the GDPR, you have the following rights:

• Withdraw their consent at any time. Users have the right to withdraw consent where they have previously given their consent to the processing of their Personal Data.
• Right of access – You have the right to obtain information from us about how and for what purposes your personal data is being processed, as well as to receive a copy of your data.
• Right to rectification – You have the right to request the correction of your personal data if it is inaccurate or incomplete.
• Right to erasure ("right to be forgotten") – You have the right to request the deletion of your personal data (more details are provided in the next section).
• Right to restrict processing – In certain circumstances, you can request that Glowcheck temporarily stop processing your personal data and limit itself to storing the data unless you authorize its use for another purpose, or unless its use is necessary under applicable law, for the establishment, exercise, or defense of legal claims, or to protect the rights of another person or entity. Situations where you may request restriction of processing include: (1) You dispute the accuracy of the personal data processed by Glowcheck, (2) the data is no longer needed for Glowcheck’s purposes, but you require it to establish, exercise, or defend your legal claims (e.g., in court), (3) You have objected to the processing of your data, and Glowcheck is verifying whether there are overriding legitimate grounds for processing, (4) the data has been unlawfully processed, but you prefer not to have it deleted at this stage.
• Right to data portability – You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to request that it be transferred to another controller, where the processing is based on your consent or a contract and is carried out by automated means.
• Right to lodge a complaint – You have the right to lodge a complaint with a supervisory authority (Data Protection Commission).

Users are also entitled to learn about the legal basis for Data transfers abroad including to any international organization governed by public international law or set up by two or more countries, such as the UN, and about the security measures taken by the Owner to safeguard their Data.

Details about the right to Withdraw Consent

You may withdraw your consent to the processing of your personal data at any time. This applies solely to data processing based on the consent you have provided to Glowcheck. Withdrawal of consent does not affect the lawfulness of data processing carried out before the consent was withdrawn.

Details about the right to Object To Processing

You have the right to object at any time to the processing of your personal data by Glowcheck when the processing is based on the legitimate interest of Glowcheck (Article 6(1)(f) of the GDPR), for reasons related to your particular situation. Glowcheck will cease processing your data unless it can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

If you object to the processing of your data for marketing or direct marketing purposes, Glowcheck will immediately stop processing your data for these purposes. You are not required to provide a justification for your objection to marketing-related data processing. For direct marketing, you can also withdraw your consent to receive marketing communications by logging into your account in the Application and navigating to the "Settings" tab, then "Notifications"

Rights to Erasure

You may request the deletion of your personal data from the Glowcheck platform at any time if any of the following conditions apply: (1) the data is no longer necessary for the purposes for which it was collected, (2) the processing was based on your consent, which you have withdrawn, (3) you have objected to the processing, and Glowcheck has no overriding legitimate grounds for continued processing, (4) you object to marketing activities, (5) the data has been processed unlawfully, (6) Glowcheck is required to delete the data to comply with a legal obligation, (7) the data was collected in connection with information society services. Glowcheck may refuse to delete your data if there are circumstances justifying the continued processing of the data. You will be informed of such a decision. If you are using the Glowcheck application on iOS, you can delete your account by navigating to the "Settings" tab, then "Help and Feedback", selecting "Delete Account," and finally clicking "Submit Request."

How to exercise these rights

Any requests to exercise User rights can be directed to the Owner through the contact details provided in this document. Such requests are free of charge and will be answered by the Owner as early as possible and always within one month, providing Users with the information required by law. Any rectification or erasure of Personal Data or restriction of processing will be communicated by the Owner to each recipient, if any, to whom the Personal Data has been disclosed unless this proves impossible or involves disproportionate effort. At the Users’ request, the Owner will inform them about those recipients.

Additional information about Data collection and processing

Legal action

The Partner’s Personal Data may be used for legal purposes by the Owner in Court or in the stages leading to possible legal action arising from improper use of this Application or the related Services.

The Partner declares to be aware that the Owner may be required to reveal personal data upon request of public authorities.

Additional information about Partner’s Personal Data

In addition to the information contained in this privacy policy, this Application may provide the Partner with additional and contextual information concerning particular Services or the collection and processing of Personal Data upon request.

System logs and maintenance

For operation and maintenance purposes, this Application and any third-party services may collect files that record interaction with this Application (System logs) or use other Personal Data (such as the IP Address) for this purpose.

Information not contained in this policy

More details concerning the collection or processing of Personal Data may be requested from the Owner at any time. Please see the contact information at the beginning of this document.

Changes to this privacy policy

The Owner reserves the right to make changes to this privacy policy at any time by notifying its Partner on this page and possibly within this Application and/or - as far as technically and legally feasible - sending a notice to Partner via any contact information available to the Owner. It is strongly recommended to check this page often, referring to the date of the last modification listed at the top.

Should the changes affect processing activities performed on the basis of the Partner’s consent, the Owner shall collect new consent from the Partner, where required.