Privacy Policy
Effective Date: June 5, 2026 · Last Updated: June 5, 2026
Important: This Privacy Policy has been drafted based on the technical and operational details of the Goo Ai application. It should be reviewed by qualified legal counsel before publication.
1. Introduction & Who We Are
Welcome to Goo Ai (also referred to as "Glowia" in some marketing materials). Goo Ai is an AI-powered skin analysis mobile application available on iOS and Android. Your privacy is important to us, and this Privacy Policy explains what information we collect, how we use it, and your rights in relation to it.
This Privacy Policy applies to the Goo Ai mobile application (iOS bundle ID: com.itf.glowia-scanner; Android bundle ID: com.itf.glowiascanner), the website located at https://goo.itf.mn, and any related services we provide (collectively, the "Service").
The data controller responsible for your personal information is:
GooAI LLC
Mongolia, Ulaanbaatar, HUD-23, 1502, 503
Mongolia
Privacy enquiries: info@itf.mn
2. Scope
This Policy covers personal information processed in connection with your use of the Goo Ai app and website. It does not apply to third-party websites or services that we do not control, even if accessed via a link within our app.
3. Information We Collect
3.1 Information You Provide
- Facial photographs. When you use the Skin Analyze feature, you capture a facial photo using your device camera. This image is uploaded to our backend and to our skin analysis provider solely to perform the requested scan.
- Saved images. If you choose to save analysis results to your device photo library, we request read/write access to your photo library solely for that purpose.
- Scan preferences. The scan plan you select (Quick, Essential, Advanced, or Full) and any in-app preferences you configure.
3.2 Information Generated by the Service
- Anonymous account identifier. When you first launch the app, an anonymous account is automatically created via Supabase Auth. You are assigned a unique UUID. No email address or password is required to use core features.
- Analysis results. Skin scores, per-metric breakdowns, skin age estimates, mask overlay URLs, session metadata, and AI-generated insight summaries and per-concern recommendations associated with your anonymous account.
- Credit information. Your credit balance and credit transaction history (credits purchased, credits consumed per scan).
- Purchase and subscription status. Records of in-app purchases and subscription entitlements managed through RevenueCat, linked to your anonymous user ID.
3.3 Device Permissions
- Camera — required to capture photos for skin analysis. Access is used only when you actively initiate a scan.
- Photo Library (read/write) — requested only if you choose to save analysis images to your device gallery.
You can revoke these permissions at any time in your device settings. Revoking camera permission will prevent the core analysis feature from functioning.
3.4 Local Device Storage
- Secure storage (expo-secure-store): Authentication session tokens stored securely on your device.
- Local database (SQLite): App state, user preferences, and language/locale settings stored locally.
We do not use advertising identifiers, tracking cookies, or cross-app tracking.
4. How We Use Your Information
- To provide the Service: processing your facial photograph to perform skin analysis, generating scores, overlays, and AI-written insights.
- To manage your account: maintaining your anonymous account, credit balance, and purchase history.
- To process payments: validating and fulfilling in-app purchases and QPay transactions; managing subscription entitlements.
- To improve the Service: analysing aggregate, de-identified usage patterns to improve accuracy, performance, and new features. We do not use individual facial images for model training without explicit consent.
- To provide customer support: responding to enquiries and troubleshooting issues.
- To comply with legal obligations: retaining records as required by applicable law, responding to lawful requests from authorities.
5. Legal Bases for Processing (GDPR / UK GDPR)
Where the General Data Protection Regulation (EU) 2016/679 or UK GDPR applies, we rely on the following legal bases:
| Processing activity | Legal basis |
|---|---|
| Providing skin analysis using facial photographs | Performance of contract (Art. 6(1)(b)); Explicit consent for biometric/special category data (Art. 9(2)(a)) |
| Maintaining anonymous account, credits, and session data | Performance of contract (Art. 6(1)(b)) |
| Processing payments via RevenueCat / QPay | Performance of contract (Art. 6(1)(b)) |
| Service improvement using aggregate data | Legitimate interests (Art. 6(1)(f)) — improving a wellness service |
| Legal compliance and record retention | Legal obligation (Art. 6(1)(c)) |
| Camera and photo library access | Explicit consent via device permission prompt (Art. 6(1)(a); Art. 9(2)(a)) |
6. Sharing with Third Parties & Subprocessors
We do not sell your personal data. We do not use your facial images or biometric data for advertising profiling. We share data only with the processors listed below and only to the extent necessary to provide the Service.
| Service | Purpose | Data shared |
|---|---|---|
| Supabase | Authentication, database, secure backend APIs (Edge Functions), storage of sessions, analysis results, and credits | Anonymous user ID, analysis results, credit records, session tokens |
| Perfect Corp / YouCam Engine (YCE) | Skin analysis processing on uploaded facial images | Facial photograph (transmitted securely; used only to perform the requested scan) |
| Google Gemini | AI-generated educational text insights and per-concern recommendations based on analysis output | Skin analysis metrics and scores (no raw facial image) |
| RevenueCat | In-app purchase processing, subscription management, and purchase validation | Anonymous user ID (app_user_id matching Supabase UUID), purchase receipt data |
| Apple App Store | App distribution and payment processing for iOS in-app purchases | Purchase transaction data (managed by Apple) |
| Google Play | App distribution and payment processing for Android in-app purchases | Purchase transaction data (managed by Google) |
| QPay (Mongolia) | Alternative payment method for purchasing credits, where offered | Payment verification data (processed server-side; payment credentials are never stored on the client device) |
We may also disclose your information if required by law, court order, or governmental authority, or to protect the rights, property, or safety of GooAI LLC, our users, or others.
7. International Data Transfers & Safeguards
Our service providers may process your data in countries outside your country of residence, including the United States and other jurisdictions. Where data is transferred from the European Economic Area (EEA), United Kingdom, or other jurisdictions with data transfer restrictions, we rely on appropriate safeguards including:
- Standard Contractual Clauses (SCCs) approved by the European Commission or UK ICO;
- Adequacy decisions by the European Commission where applicable;
- Our third-party providers' own compliance frameworks (e.g., Google's data processing terms, Apple's privacy commitments, RevenueCat's DPA).
You may request a copy of the applicable transfer mechanisms by contacting us at info@itf.mn.
8. Data Retention
We retain your data for as long as necessary to provide the Service and comply with legal obligations:
- Facial photographs: Uploaded images are retained on our backend and processed by Perfect Corp / YCE to perform the scan. Images are retained for 30 days after the scan is completed and then deleted. Mask overlay URLs may persist for the life of your account.
- Analysis results and scores: Retained for the life of your account, or until you request deletion.
- Credit and purchase records: Retained for 7 years as required for financial record-keeping obligations.
- Anonymous account data: Retained until you request account deletion. If you delete the app without contacting us, your anonymous account data may remain on our servers until the standard retention period expires. We are unable to identify and delete anonymous accounts without the account UUID or supporting device information.
- Local device data: Remains on your device until you delete the app or clear app data.
9. Your Rights & Choices
Depending on your jurisdiction, you may have the following rights:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request that we correct inaccurate data.
- Deletion: Request deletion of your personal data and account. Submit requests to info@itf.mn.
- Portability: Receive your data in a structured, machine-readable format.
- Objection: Object to processing based on legitimate interests.
- Withdraw consent: Withdraw consent for camera or photo library access at any time via your device settings. Note this will limit certain app features.
- Restriction: Request that we restrict processing of your data in certain circumstances.
To exercise these rights, contact us at info@itf.mn. We will respond within the timeframe required by applicable law (typically 30 days for GDPR requests). Because accounts are anonymous, we may require you to provide your account UUID or device information to locate your data.
10. Biometric & Sensitive Data Notice
Goo Ai processes facial photographs to analyse skin characteristics. Facial images may constitute biometric data or special category personal data under applicable law (including GDPR, Illinois BIPA, and similar statutes).
Scope and limitations of use: Your facial photograph is used exclusively to perform the skin analysis you request. It is transmitted securely to our skin analysis provider (Perfect Corp / YCE) for processing. We do not use facial images to identify individuals, for surveillance, for advertising targeting, or for any purpose unrelated to providing the skin analysis service.
By granting camera permission and initiating a scan, you consent to the processing of your facial image for this purpose. You may withdraw consent at any time by revoking camera permission in your device settings, which will prevent future scans.
11. Children's Privacy
Goo Ai is intended for users aged 13 and older (or 16 and older in jurisdictions where a higher minimum age applies under applicable data protection law, such as certain EEA member states). We do not knowingly collect personal information from children below the applicable minimum age.
If you are a parent or guardian and believe your child has provided us with personal information, please contact us at info@itf.mn and we will delete such information promptly.
12. Security Measures
We implement appropriate technical and organisational measures to protect your data, including:
- All data transmitted between the app and our servers is encrypted using HTTPS/TLS.
- Credit validation and payment processing are handled server-side; the client application cannot self-grant credits.
- User-owned data is protected by row-level security policies and authenticated APIs — only you can access your own analysis results.
- Authentication session tokens are stored in the device's secure enclave / Keychain via expo-secure-store.
No system is completely secure. We cannot guarantee absolute security, but we are committed to notifying affected users and authorities in the event of a data breach as required by applicable law.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Effective Date" at the top of this page and, where appropriate, notify you through the app or via other means. Your continued use of the Service after any changes constitutes your acceptance of the updated Policy.
14. Contact Us
For privacy-related enquiries, data subject requests, or complaints:
GooAI LLC
Mongolia, Ulaanbaatar, HUD-23, 1502, 503
Privacy: info@itf.mn
Support: info@itf.mn
If you are located in the EEA or UK and are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.
15. Region-Specific Addenda
15.1 California Residents (CCPA / CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you.
- Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
- Right to Correct: You may request correction of inaccurate personal information.
- Right to Opt-Out of Sale/Sharing: We do not sell or share your personal information for cross-context behavioural advertising purposes.
- Right to Limit Use of Sensitive Personal Information: Facial images constitute sensitive personal information under CPRA. We use them solely to provide the skin analysis service you requested and do not use them for any additional purpose.
- Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
To submit a CCPA/CPRA request, contact info@itf.mn.
15.2 EEA & UK Residents (GDPR / UK GDPR)
If you are located in the EEA or UK, the legal bases for processing described in Section 5 apply. You have the right to lodge a complaint with your national supervisory authority. Our data processing activities involving international transfers are governed by Standard Contractual Clauses or equivalent safeguards.
15.3 Mongolia
For users in Mongolia, this Policy complies with the Law of Mongolia on Personal Data Protection to the extent applicable. Enquiries may be directed to info@itf.mn.
15.4 Republic of Korea
For users in the Republic of Korea, processing of personal information is conducted in accordance with the Personal Information Protection Act (PIPA). For enquiries related to Korean PIPA obligations, please contact us at info@itf.mn.