Privacy Policy

We collect the following categories of personal information:

Identity & contact

• Full name and preferred name
• Australian mobile number (used for OTP login)
• Email address (used for receipts, account recovery)
• Profile photo (optional)
• Gender (used to render your character on the map)

Location

• Approximate location at the time you search for a stylist (so we can show pros within 15 km).
• Service address for an active booking.
• Real-time GPS of the stylist while a service is in progress (broadcast every 10 seconds). Never collected when the stylist is offline or when no service is active.

Stylist verification

• Certificate III in Hairdressing (or equivalent)
• Public Liability Insurance certificate
• National Police Check (CrimCheck) outcome
• Australian Business Number (ABN)
• Stripe Connect onboarding data (held by Stripe, not by us)
• Stripe Identity verification result

Bookings & service history

• Services booked, scheduled time, location, price, status
• Before / after photos uploaded during a service
• Ratings and reviews
• In-app chat messages between client and stylist
• Safety incidents (SOS activations, complaints)

Payments

Payment card details are collected, processed and stored by Stripe Inc. on PCI-DSS compliant infrastructure. Gloowly never sees or stores your full card number.

Technical data

• Device type, browser, operating system
• IP address (used for rate limiting, fraud detection)
• Page and feature usage analytics
• Error and crash reports

We use your personal information to:

• Match clients with nearby qualified stylists;
• Process bookings, payments, payouts, refunds, and tax invoices;
• Verify the qualifications, insurance, and identity of stylists;
• Operate the trust & safety features (SOS, share trip, PIN arrival, incident response);
• Send transactional notifications (booking confirmation, en-route, arrived, completed, reviews);
• Improve the platform (analytics, A/B testing on aggregated, de-identified data);
• Comply with our legal obligations (ATO tax records, ASIC corporate records, law-enforcement requests);
• Prevent and detect fraud, abuse, and breaches of these Terms.

You provide express consent for location collection during the onboarding flow. You may withdraw consent at any time by toggling location off in your device settings or by visiting your profile and revoking the permission. Without location data we cannot show you nearby stylists.

Stylists broadcast position only while their online toggle is on. The position is deleted from our database 90 days after the associated booking is completed.

You may also delete the entire location history attached to your account at any time:

DELETE /api/me/location-history

Personal information is disclosed to the following service providers strictly to deliver the platform. All providers are bound by confidentiality and security obligations under their respective agreements with Gloowly:

• Supabase Inc. — primary database, authentication, storage (Australia / Singapore region).
• Stripe Payments Australia — payment processing, Connect Express, Identity verification, Tax invoices.
• Twilio Inc. — phone OTP via the Verify product.
• Mapbox Inc. — basemap tiles, geocoding, directions.
• Resend — transactional email delivery.
• CrimCheck Australia — National Police Check processing.
• Sentry Inc. — error and performance monitoring (PII-stripped).
• Vercel Inc. — hosting and CDN delivery.
• Anthropic PBC — assists with document verification (Cert III legibility, insurance expiry date parsing) on a per-request basis, with documents purged after processing.

We do not sell, rent, or trade your personal information to third parties for marketing purposes.

Our primary data residency is Australia (Supabase AU region). Stripe, Mapbox, and Sentry may process limited data in the United States or Europe under their respective Standard Contractual Clauses and regulatory commitments. By using Gloowly you consent to this transfer.

• Account data: kept for the life of your account. Deleted within 30 days of account closure, subject to legal retention requirements below.
• Location history: maximum 90 days. A cron job purges older rows weekly.
• Tax invoices & financial records: kept for 7 years as required by the Australian Taxation Office.
• Chat messages: kept for 12 months for safety and dispute resolution, then de-identified.
• Crash reports: 30 days.

• TLS 1.3 encryption in transit for all traffic.
• Row Level Security (RLS) is enabled on every database table — you can only ever read or modify your own data.
• Storage buckets containing documents and portfolio photos are private and served via short-lived signed URLs (10 minutes max).
• Service-role credentials are restricted to server-side code and never exposed to the browser or to a stylist's device.
• We log access attempts and run regular automated security scans on the codebase.

Under the Privacy Act you may:

• Access the personal information we hold about you;
• Correct any inaccurate or outdated information (most fields are editable directly in-app);
• Delete your account (closes the account, purges non-mandatory data within 30 days);
• Withdraw consent for location, push notifications and marketing communications independently;
• Complain to us first, and to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au if unresolved.

To exercise any of these rights, email privacy@gloowly.com with sufficient information to identify your account. We aim to respond within 30 days.

Gloowly is not directed to people under 16. We do not knowingly collect personal information from anyone under that age. If you become aware that a minor has provided us with personal data, please contact us and we will delete it promptly.

See our Cookies Policy for the full list of cookies we use, what they do, and how to disable them.

We will publish material changes here with a new effective date and, where appropriate, notify you by email or in-app at least 14 days in advance.

Privacy queries: privacy@gloowly.com.
Support: support@gloowly.com.