
Privacy Policy

Effective date: 03.10.2025

Operator / Controller: gustar.io Nachhaltige Technologien UG (haftungsbeschränkt), Berger Straße 156, 60385 Frankfurt am Main, Germany (“we”, “us”, “Operator”)

Contact: contact@gustar.io

We generate dating profile pictures (“Outputs”) from images you upload (“Uploads”). This policy explains how we process personal data when you use our web app, support, and referral features (the “Service”).

1) Who we are and roles

  • For GDPR/UK GDPR, gustar.io UG is the controller of personal data processed via the Service.
  • We use vetted processors/sub-processors, including Google Cloud (hosting + face detection), Stripe (payments), Resend (email), and EU-based affiliates/contractors (Portugal) with restricted access for maintenance and support.

If the Service changes operator (e.g., reorganization or transfer), we’ll provide in-app notice and update this policy with the new controller and contact details. If purposes change, we’ll ask for fresh consent where required.

2) What we collect

We collect the minimum necessary to run the Service:

  • Email, password (hashed), age attestation (18+), country/region (from billing or IP for tax/risk).
  • Images you upload (JPG/PNG/WebP) and the generated Outputs.
  • Face check: transient face detection results (pass/fail) to validate there is a face.
  • App interactions, referral link use, timestamps, approximate location from IP (city/region), device/browser metadata, cookies (see §10).
  • Transaction metadata (amount, currency, status, last four digits/brand tokenized, tax/VAT status). We do not receive full card numbers.
  • Messages you send us, email address for receipts and important service messages; in-app notifications.

3) Why we use your data (legal bases)

We process data for:

Create account, process uploads, generate/download outputs, enforce limits, deliver purchases, provide support.

Detect prohibited content, rate-limit, prevent fraud/abuse, protect users and our infrastructure.

Process payments, issue receipts/invoices, comply with tax and accounting laws.

We perform transient face detection (no stored biometric identifiers; no identification of a person). In jurisdictions treating face analysis as biometric processing, we rely on your consent. You can withdraw consent at any time (see §8).

In-app notifications and essential emails (e.g., security, receipts). We don’t send third-party ads.

Understand feature usage and reliability; no third-party advertising profiles.

Respond to lawful requests, enforce Terms, defend legal claims.

4) Sub-processors & recipients

We share data only as needed to run the Service:

  • Google Cloud Platform (EU europe-west1 (Belgium)): hosting, storage, transient face detection.
  • Stripe Payments Europe: payments, taxes, risk checks.
  • Resend: sending emails (receipts, account, security).
  • Affiliates/Contractors (EU – Portugal): limited, logged access for maintenance/support under confidentiality and data processing terms.
  • Authorities/Advisors: where required by law or to establish/exercise/defend legal claims.
  • Corporate transactions: if we sell/transfer the Service, data may transfer to the successor under equivalent protections.

A current list is available on request at contact@gustar.io and may be updated; we will provide in-app notice for material changes.

5) International transfers

Primary storage is in the EEA (Belgium). Where a provider transfers data outside the EEA/UK/Switzerland (e.g., for support), we use approved safeguards (Standard Contractual Clauses and supplemental measures). Copies are available on request where legally permissible.

6) Retention

  • Uploads & Outputs: kept up to 30 days by default to operate the Service (re-downloads, safety review).
  • Backups: may persist up to 90 days longer, then auto-purged.
  • Account & purchase records: kept as required by law (e.g., tax/accounting retention).
  • Logs & security data: typically 90–180 days unless needed longer for investigations.
  • Abuse prevention data: When you use a free preview, we create a cryptographic hash (SHA-256) of your email address and retain it indefinitely for fraud and abuse prevention under our legitimate interest (GDPR Art. 6(1)(f)). This hash cannot be reversed to identify you and is stored separately from your account. This prevents users from creating multiple accounts to abuse the free preview feature. If you delete your account, the hash remains to maintain the integrity of our abuse prevention system.
  • If you delete content or your account, we delete from active systems immediately; backups age out on their cycle. Minimal data may be retained for legal obligations, security, fraud prevention, or to enforce Terms.

7) Security

We use industry-standard safeguards: encryption in transit and at rest, access controls and least-privilege, monitoring and logging, secure key management, regular updates/patching, and vendor diligence. No system is perfect; please protect your credentials.

8) Your rights

Subject to law and some exceptions, you can:

  • Access a copy of your data; rectify inaccuracies; erase data;
  • Restrict or object to certain processing;
  • Port data you provided in a structured, machine-readable format;
  • Withdraw consent (e.g., for face detection where consent is your legal basis). Withdrawing doesn’t affect prior processing but may limit features.

To exercise rights, email contact@gustar.io from your account email. We may verify identity and respond within the statutory timeframe.

You can lodge a complaint with your local authority or our lead authority:

9) Children

The Service is for 18+ only. We do not knowingly collect data from children. If you believe a minor has used the Service, contact us for deletion.

10) Cookies & similar tech

We use only what’s needed for:

  • Strictly necessary (login, session, security, rate-limiting).
  • Functional/analytics to improve reliability and UX (non-advertising; aggregated or pseudonymous).

Where required (e.g., in the EEA), we show a consent banner for non-essential cookies. You can change preferences in the app’s cookie settings or your browser.

11) Automated decisions

We use automated checks for safety (e.g., face present, prohibited content screening, rate limits). These do not produce legal or similarly significant effects. You can request human review where appropriate.

12) Payments, tax & VAT notes

We show prices excluding VAT/taxes. Taxes are calculated at checkout by Stripe. Where we qualify as a Kleinunternehmer (§19 UStG) in Germany, invoices state that VAT is not shown pursuant to §19 UStG. If our tax status changes, we’ll update invoicing accordingly.

13) Communications

We provide service notifications in-app and may email you for critical account/security matters or receipts. You can control non-essential emails in settings. We don’t sell your data or send third-party ads.

14) Data about other people

If your Uploads depict other people, you must have their lawful basis/consent to upload and process their images. We may ask you to confirm you have such rights and may block content that appears non-consensual.

15) Changes to this policy

We may update this policy to reflect product, legal, or operational changes. We’ll notify you in-app and indicate the effective date. If we introduce new purposes (e.g., marketing use or model training of Uploads/Outputs), we will request separate, informed opt-in and respect your choice.

16) Contact

Questions or requests: contact@gustar.io

Postal: gustar.io Nachhaltige Technologien UG, Berger Straße 156, 60385 Frankfurt am Main, Germany


Appendix A – Quick Reference (plain language)

  • Storage region: EU (europe-west1, Belgium).
  • Sub-processors: Google Cloud (hosting + face detection), Stripe (payments), Resend (email), EU affiliates/contractors (Portugal).
  • Training/marketing use of images: No, unless you opt-in later.
  • Retention: Uploads/Outputs 30 days; backups up to +90 days.
  • Biometrics: Transient face detection only; no biometric identifiers stored or sold.
  • Your controls: In-app deletion and email us for access/erasure/portability, etc.
  • Complaints: Your local authority or HBDI (Hesse, Germany).

🇪🇺 EU Compliance Summary

Glowup is designed with privacy-by-default principles. Your data stays in the EU, photos are automatically deleted after 30 days, and you have full control over your privacy settings.