Glowloop ("we", "us", "our") is committed to protecting your privacy and handling your personal data with care, transparency, and respect. This Privacy Policy explains how we collect, use, share, and protect personal information when you visit our website at glowloop.io, use our platform, or interact with us in any way.
We operate across multiple jurisdictions and comply with the EU General Data Protection Regulation (GDPR), the UK General Data Protection Regulation (UK GDPR), the Australian Privacy Act 1988 and its 13 Australian Privacy Principles (APPs), and applicable US federal and state privacy laws. Where requirements differ between jurisdictions, we apply the highest applicable standard.
Plain language summary: We collect the information you give us to provide our services. We don't sell your data. You can ask us to delete it at any time. If you have questions, email us at hello@glowloop.io.
01 Who We Are
The data controller responsible for your personal data is:
Glowloop
Operated by: Matthias Schulte
Registered address: Willi-Ricker-Weg 5, 48249 Dülmen, Germany
Email: hello@glowloop.io
Website: glowloop.io
As a business registered in Germany, we are subject to the GDPR (known in Germany as the DSGVO, the Datenschutz-Grundverordnung) as our primary data protection framework. We additionally comply with the UK GDPR for UK-based customers, and the Australian Privacy Act 1988 for Australian-based customers.
02 What Data We Collect
2.1 Data you provide directly
- Contact information: Name, email address, phone number, business name, website URL
- Onboarding information: Business details, treatment types, pricing, preferred communication channels, booking system information, brand preferences — collected via our onboarding form
- Communications: Messages, emails, or inquiries you send us
- Payment information: Billing details processed by Stripe (we do not store card numbers directly)
- Account credentials: Login email and password for your Glowloop dashboard
2.2 Data we collect automatically
- Usage data: Pages visited, features used, time spent on platform, actions taken within the dashboard
- Device and technical data: IP address, browser type, operating system, device type, referring URLs
- Cookie data: See Section 13 for full details on our cookie use
2.3 Data relating to your clients (End User Data)
When you use our platform to manage your med spa clients, you submit personal data about those individuals ("End Users") including names, phone numbers, email addresses, appointment history, treatment notes, and communication preferences. You are the data controller for this data. We process it solely on your behalf as a data processor. See Section 5 for more on the controller/processor relationship.
2.4 Data we do not collect
We do not intentionally collect, for our own purposes, sensitive personal data such as health records, financial account numbers, government identification numbers, or biometric data. You should not submit such data to our platform unless specifically required by your configuration and agreed with us in writing. Treatment notes and similar End User Data that you choose to enter are processed on your behalf under Section 5, and you are responsible for determining whether they constitute health or other sensitive data under the laws that apply to you.
03 How We Use Your Data
We use your personal data for the following purposes:
- Service delivery: Setting up and operating your Glowloop account, configuring your automations, and providing ongoing support
- Communication: Sending you onboarding materials, system notifications, product updates, and support responses
- Billing and payments: Processing your subscription payments through Stripe, issuing invoices, and managing your subscription
- Platform improvement: Analyzing usage patterns (in aggregated, anonymized form) to improve our services
- Legal compliance: Meeting our obligations under applicable laws, responding to legal requests, and enforcing our Terms and Conditions
- Security: Detecting, investigating, and preventing fraud, unauthorized access, and abuse
- Marketing (with consent): Sending you information about Glowloop features or updates where you have opted in — you may opt out at any time
We do not sell, rent, or trade your personal data to third parties for their marketing purposes under any circumstances.
04 Legal Basis for Processing (EU/UK GDPR)
Under the GDPR and UK GDPR, we must have a lawful basis for processing your personal data. We rely on the following legal bases:
- Contract (Art. 6(1)(b) GDPR): Processing necessary to perform our contract with you — delivering the Glowloop service, processing payments, providing support
- Legitimate interests (Art. 6(1)(f) GDPR): Improving our platform, detecting fraud, maintaining platform security, sending service-related communications. We have assessed that our legitimate interests are not overridden by your rights
- Legal obligation (Art. 6(1)(c) GDPR): Complying with tax, accounting, and regulatory obligations
- Consent (Art. 6(1)(a) GDPR): Where we send marketing communications or use non-essential cookies. You may withdraw consent at any time
For Australian customers, we process personal information under the Australian Privacy Principles — see Section 9 for the full APP compliance disclosure.
05 Data Sharing & Third Parties
5.1 Data processor relationship
When you use Glowloop to manage your clients, you are the data controller and we are the data processor acting on your instructions. We process your clients' personal data only to the extent necessary to provide the services you have configured. Upon request, we can provide a Data Processing Agreement (DPA) meeting the requirements of Art. 28 GDPR; Australian customers may request the same agreement to support their obligations under the Australian Privacy Act.
5.2 Sub-processors and third-party services
We share personal data with the following categories of third-party providers who help us deliver our services. All sub-processors are bound by appropriate data protection agreements:
- GoHighLevel: CRM, pipeline management, and automation infrastructure
- Twilio: SMS and voice messaging delivery
- Meta (WhatsApp / Instagram): Messaging channel delivery
- Stripe: Payment processing (PCI-DSS compliant)
- n8n / Make.com: Workflow automation and API integration
- Anthropic (Claude API): AI-powered message generation and client memory features
- Jotform: Onboarding form collection
- Netlify: Website hosting
- ImprovMX: Email forwarding
- Google (Fonts, Calendar integrations): UI rendering and optional calendar features
5.3 Legal disclosures
We may disclose personal data if required by law, regulation, legal process, or governmental authority, or where disclosure is necessary to protect our rights, property, or safety or that of others.
5.4 Business transfers
If Glowloop is involved in a merger, acquisition, or sale of assets, your personal data may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our website of any change in ownership or use of your personal data.
06 International Data Transfers
As a business operating internationally, your personal data may be transferred to and processed in countries outside your country of residence, including Germany, the United States, and Australia. We ensure that all international transfers comply with applicable data protection law.
EU / Germany (DSGVO)
For transfers of personal data from the EEA to countries outside the EEA, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission, or transfer to countries with an adequacy decision. Where transfers occur to the United States, we ensure our sub-processors participate in the EU-U.S. Data Privacy Framework where applicable.
United Kingdom (UK GDPR)
For transfers from the UK, we rely on UK International Data Transfer Agreements (IDTAs) or the UK addendum to the EU SCCs, as appropriate. We do not transfer UK personal data to countries without adequate protection unless appropriate safeguards are in place.
Australia (APP 8)
Before disclosing personal information to overseas recipients, we take reasonable steps to ensure that the overseas recipient does not breach the Australian Privacy Principles. Where we cannot ensure APP-equivalent protection, we seek your consent or rely on another applicable exception under the Privacy Act 1988.
07 Data Retention
We retain personal data for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements. Specific retention periods:
- Account data: Retained for the duration of your subscription plus 30 days after termination, after which it is permanently deleted
- Financial records: Retained for 10 years as required by German commercial and tax law (§257 HGB, §147 AO)
- Communication records: Retained for up to 3 years for support and dispute resolution purposes
- Marketing consent records: Retained for the period of consent plus 3 years
- Website analytics data: Retained in aggregated, anonymized form indefinitely; raw IP data deleted within 90 days
You may request early deletion of your personal data at any time, subject to any overriding legal retention obligations. See Section 10 for your rights.
08 Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, loss, destruction, alteration, or disclosure. These measures include:
- Encryption of data in transit (TLS/HTTPS) and at rest
- Access controls limiting data access to authorized personnel only
- Use of reputable, security-certified sub-processors (including Stripe for payment data, which is PCI-DSS compliant)
- Regular review of our security practices as our platform evolves
No method of transmission over the internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee absolute security. If we become aware of a personal data breach, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours (Art. 33 GDPR), and notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Art. 34 GDPR). Where we act as your data processor for End User Data, we will notify you as controller without undue delay after becoming aware of a breach (Art. 33(2) GDPR) so that you can meet your own notification obligations. For Australian customers, we comply with the Notifiable Data Breaches scheme under the Privacy Act 1988, notifying the OAIC and affected individuals of eligible data breaches likely to result in serious harm.
09 Australian Privacy Principles (APPs)
For customers and end users located in Australia, we comply with the 13 Australian Privacy Principles under the Privacy Act 1988 (Cth), as amended. Below is our compliance statement for each APP:
APP 1
Open & Transparent Management
We maintain this Privacy Policy and make it freely available. We handle personal information in accordance with the APPs.
APP 2
Anonymity & Pseudonymity
Where practicable, individuals may interact with us anonymously or using a pseudonym. However, a real identity is required to use our paid services.
APP 3
Collection of Solicited Personal Information
We only collect personal information that is reasonably necessary for our functions. We collect information directly from you where possible.
APP 4
Unsolicited Personal Information
If we receive personal information we did not solicit and could not have collected under APP 3, we will destroy or de-identify it as soon as practicable.
APP 5
Notification of Collection
We notify individuals of the purposes for collecting their personal information, who may access it, and their rights — via this Privacy Policy and at the point of collection.
APP 6
Use or Disclosure of Personal Information
We only use or disclose personal information for the primary purpose of collection, or for a secondary purpose that is directly related and within reasonable expectations.
APP 7
Direct Marketing
We only send direct marketing communications with your consent. Every marketing message includes a clear and functional unsubscribe mechanism. We honor all opt-out requests promptly.
APP 8
Cross-border Disclosure
Before disclosing personal information to overseas recipients, we take reasonable steps to ensure equivalent privacy protection. See Section 6 for details.
APP 9
Government Related Identifiers
We do not collect, use, or disclose government-related identifiers (such as Tax File Numbers or Medicare numbers) unless required by law.
APP 10
Quality of Personal Information
We take reasonable steps to ensure that personal information we collect, use, or disclose is accurate, up-to-date, and complete. You may update your information at any time.
APP 11
Security of Personal Information
We take reasonable steps to protect personal information from misuse, interference, loss, and unauthorized access. See Section 8 for our security measures.
APP 12
Access to Personal Information
You have the right to access personal information we hold about you. We will respond to access requests within 30 days. See Section 11 for how to make a request.
APP 13
Correction of Personal Information
If you believe personal information we hold is inaccurate, out of date, or misleading, you may request correction. We will respond within 30 days.
Australian Privacy Complaints
If you are located in Australia and have a complaint about how we have handled your personal information, please contact us first at hello@glowloop.io. We will respond within 30 days. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
10 Your Rights — EU & UK (GDPR / UK GDPR)
If you are located in the European Economic Area or the United Kingdom, you have the following rights under the GDPR or UK GDPR:
- Right of access (Art. 15 GDPR): Request a copy of the personal data we hold about you
- Right to rectification (Art. 16 GDPR): Request correction of inaccurate or incomplete data
- Right to erasure / "right to be forgotten" (Art. 17 GDPR): Request deletion of your personal data, subject to legal retention obligations
- Right to restriction of processing (Art. 18 GDPR): Request that we restrict processing of your data in certain circumstances
- Right to data portability (Art. 20 GDPR): Receive your data in a structured, machine-readable format and transfer it to another controller
- Right to object (Art. 21 GDPR): Object to processing based on legitimate interests or for direct marketing purposes
- Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing
- Right not to be subject to automated decision-making (Art. 22 GDPR): We do not make solely automated decisions that produce legal or similarly significant effects on you
To exercise any of these rights, contact us at hello@glowloop.io. We will respond within one month (extendable by a further two months for complex or numerous requests, as permitted by Art. 12(3) GDPR, in which case we will tell you why within the first month). We may ask you to verify your identity before acting on a request.
If you are located in the EEA, you have the right to lodge a complaint with the supervisory authority of your member state. In Germany, data protection supervision of private companies sits with the state data protection authorities (Landesdatenschutzbehörden); the authority competent for Glowloop is the Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW) at ldi.nrw.de. If you are in the UK, you may complain to the Information Commissioner's Office (ICO) at ico.org.uk.
11 Your Rights — Australia
If you are located in Australia, under the Privacy Act 1988 and the Australian Privacy Principles you have the right to:
- Access: Request access to the personal information we hold about you (APP 12)
- Correction: Request correction of personal information that is inaccurate, out of date, or misleading (APP 13)
- Opt out of direct marketing: Opt out of receiving direct marketing communications from us at any time (APP 7)
- Complain: Lodge a complaint with us or with the OAIC if you believe we have breached the APPs
To exercise your rights, contact us at hello@glowloop.io. We will respond within 30 days. If you are not satisfied, you may contact the OAIC at oaic.gov.au or by calling 1300 363 992.
12 Your Rights — United States
The United States does not have a single federal privacy law. Instead, a growing patchwork of state privacy laws applies depending on where you live. As of 2026, over 20 states have enacted comprehensive data privacy legislation. We comply with all applicable US federal and state privacy laws. If your state is not listed below, you may still have rights — contact us at hello@glowloop.io to find out.
12.1 Federal Laws — All US Residents
CAN-SPAM Act
All marketing emails we send include: a clear identification of us as the sender, a valid physical postal address, a non-deceptive subject line, and a functioning unsubscribe link. We honor all unsubscribe requests within 10 business days.
TCPA (Telephone Consumer Protection Act)
We obtain prior express written consent before sending marketing SMS messages. Every marketing SMS includes an opt-out instruction (e.g., "Reply STOP to unsubscribe"). We honor all STOP requests immediately. We do not send automated SMS to numbers on the National Do Not Call Registry without consent. TCPA violations carry statutory penalties of $500–$1,500 per message — we take compliance seriously.
COPPA (Children's Online Privacy Protection Act)
Our services are not directed at children under 13. We do not knowingly collect personal information from children under 13. If we learn we have inadvertently done so, we will delete it immediately.
12.2 State Privacy Laws
The following state laws grant residents specific privacy rights. We honor these rights regardless of your state of residence, applying the highest applicable standard across all users.
California — CCPA / CPRA (California Consumer Privacy Act / California Privacy Rights Act)
California residents have the most comprehensive state privacy rights in the US. Your rights include:
- Right to know: What personal information we collect, the purposes for which we use it, and with whom we share it
- Right to delete: Request deletion of personal information we hold about you, subject to certain exceptions
- Right to correct: Request correction of inaccurate personal information
- Right to opt out of sale/sharing: We do not sell or share your personal information for cross-context behavioral advertising
- Right to limit use of sensitive personal information: You may direct us to use sensitive personal information only for necessary purposes
- Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights
- Right to data portability: Receive your personal information in a usable format
- Shine the Light: California residents may request information about disclosures of personal information to third parties for their direct marketing purposes. We do not make such disclosures.
To submit a CCPA request, contact us at hello@glowloop.io. We will respond within 45 days (extendable by a further 45 days where reasonably necessary). We do not charge a fee for requests unless they are manifestly unfounded or excessive. Enforcement: California Privacy Protection Agency (CPPA) — cppa.ca.gov. Penalties: up to $7,500 per intentional violation.
Virginia — VCDPA (Virginia Consumer Data Protection Act) · Effective January 1, 2023
- Right to access, correct, delete, and obtain a copy of personal data
- Right to opt out of processing for targeted advertising, sale of personal data, and profiling in furtherance of decisions producing legal effects
- Right to appeal a refusal to act on a privacy request
Colorado — CPA (Colorado Privacy Act) · Effective July 1, 2023
- Right to opt out of targeted advertising, sale of personal data, and profiling
- Right to access, correct, delete, and obtain a portable copy of personal data
- Right to appeal
- Universal Opt-Out Mechanisms (UOOMs) honored — including Global Privacy Control (GPC) signals
Connecticut — CTDPA (Connecticut Data Privacy Act) · Effective July 1, 2023
- Rights to access, correct, delete, and port personal data
- Right to opt out of targeted advertising, sale, and profiling
- Right to appeal
- We honor Global Privacy Control (GPC) signals from Connecticut residents
Texas — TDPSA (Texas Data Privacy and Security Act) · Effective July 1, 2024
- Rights to access, correct, delete, and obtain a copy of personal data
- Right to opt out of the sale of personal data and targeted advertising
- Right to appeal
- Note: Texas law applies to entities that conduct business in Texas or target Texas residents and process or sell personal data, without the revenue or processing-volume thresholds used by most other states (small businesses as defined by the US Small Business Administration are largely exempt)
Oregon — OCPA (Oregon Consumer Privacy Act) · Effective July 1, 2024
- Rights to access, correct, delete, and port personal data
- Right to opt out of targeted advertising, sale, and profiling
- Broad protections for sensitive data including health data
Montana — MTCDPA (Montana Consumer Data Privacy Act) · Effective October 1, 2024
- Rights to access, correct, delete, and port personal data
- Right to opt out of targeted advertising, sale, and profiling
- Right to appeal
Utah — UCPA (Utah Consumer Privacy Act) · Effective December 31, 2023
- Right to access and delete personal data
- Right to opt out of the sale of personal data and targeted advertising
- Right to obtain a portable copy of personal data
Iowa — ICDPA (Iowa Consumer Data Protection Act) · Effective January 1, 2025
- Right to access and delete personal data
- Right to opt out of the sale of personal data and targeted advertising
- Right to data portability
Delaware — DPDPA (Delaware Personal Data Privacy Act) · Effective January 1, 2025
- Rights to access, correct, delete, and port personal data
- Right to opt out of targeted advertising, sale, and profiling
- Applies to minors under 18 (not 16 as in other states)
New Hampshire — NHPA · Effective January 1, 2025
- Rights to access, correct, delete, and port personal data
- Right to opt out of targeted advertising, sale, and profiling
- Right to appeal
New Jersey — NJDPA · Effective January 15, 2025
- Rights to access, correct, delete, and port personal data
- Right to opt out of targeted advertising, sale, and profiling
- Right to appeal
Tennessee — TIPA (Tennessee Information Protection Act) · Effective July 1, 2025
- Rights to access, correct, delete, and port personal data
- Right to opt out of targeted advertising, sale, and profiling
- Right to appeal
Minnesota — MCDPA · Effective July 31, 2025
- Rights to access, correct, delete, and port personal data
- Right to opt out of targeted advertising, sale, and profiling
- Right to contest automated decision-making — including explanations of profiling results
Maryland — MODPA (Maryland Online Data Privacy Act) · Effective October 1, 2025
- Rights to access, correct, delete, and port personal data
- Right to opt out of targeted advertising, sale, and profiling
- Stricter "strictly necessary" standard for sensitive data processing
- Geofencing restrictions near sensitive locations
Indiana — INCDPA · Effective January 1, 2026
- Rights to access, correct, delete, and port personal data
- Right to opt out of targeted advertising, sale, and profiling
- Right to appeal
12.3 States Without Comprehensive Laws (As of April 2026)
Residents of states not listed above — including New York, Florida, Illinois, Washington, and others — may still have rights under sector-specific laws (e.g., Illinois BIPA for biometric data, Washington My Health My Data Act for health data). We apply our general privacy standards to all US residents regardless of state law status. Contact us at hello@glowloop.io to submit any privacy request.
12.4 Exercising Your US Privacy Rights
To exercise any of the rights listed above:
- Email us at hello@glowloop.io with the subject line "Privacy Request — [Your State]"
- We will acknowledge your request within 10 business days
- We will respond substantively within 45 days (extendable to 90 days where permitted by law)
- We may verify your identity before acting on your request
- We will not discriminate against you for exercising your privacy rights
12.5 Email and SMS Opt-Out
You may opt out of marketing emails at any time by clicking "unsubscribe" in any email. You may opt out of SMS communications by replying STOP to any text message. We honor all opt-out requests immediately for SMS and within 10 business days for email.
12.6 Health Data — HIPAA & Washington My Health My Data Act
HIPAA (Health Insurance Portability and Accountability Act)
Glowloop is a business-to-business SaaS platform. We are not a Covered Entity or Business Associate under HIPAA, and we do not represent that our platform is HIPAA-compliant. Our platform is designed for business operations such as scheduling, client communication, and retention workflows, not for clinical or medical record management, and it is not intended to store, process, or transmit Protected Health Information (PHI) as defined by HIPAA. If your med spa is subject to HIPAA (for example, because you qualify as a covered entity or business associate under US law) and your use of our platform involves PHI, you are solely responsible for ensuring your own HIPAA compliance. We do not offer a Business Associate Agreement (BAA) as a standard feature and do not provide one unless separately negotiated and executed in writing; if you require a BAA, contact us at hello@glowloop.io to discuss your specific situation. We recommend consulting qualified healthcare compliance counsel to determine your HIPAA obligations before using any third-party platform to store or process PHI.
Washington — My Health My Data Act (MHMDA) · Effective March 31, 2024
Washington's My Health My Data Act is one of the broadest health data privacy laws in the US. It applies beyond HIPAA to any entity that collects consumer health data from Washington residents, regardless of size or revenue threshold, and "consumer health data" is broadly defined to include any data that identifies a consumer's attempt to obtain health services, health conditions, and related behavioral data. Under this law:
- We do not sell consumer health data as defined by the MHMDA, and we do not use geofencing within 2,000 feet of a healthcare facility to collect health data
- As a platform serving med spas, we may indirectly process health-adjacent data (such as treatment history) on behalf of our customers; we do not sell or share this data
- Washington residents have the right to access any health data we hold about them, to know with whom it has been shared, to withdraw consent for its collection and sharing, and to request its deletion
- If you believe we hold any health data about you, or wish to exercise any MHMDA right, contact us at hello@glowloop.io
12.7 Biometric Data — Illinois BIPA
Illinois BIPA (Biometric Information Privacy Act) is one of the strictest biometric privacy laws globally, with a private right of action and statutory damages of $1,000–$5,000 per violation. We explicitly state: Glowloop does not collect, store, use, process, or transmit biometric identifiers or biometric information of any kind, including fingerprints, facial geometry, voiceprints, retina or iris scans, or any other biometric identifier or information as defined under BIPA or similar state laws. No biometric data is required to use our platform. If this ever changes, we will update this policy and obtain express written consent from all affected individuals before collection. If you believe biometric data has been inadvertently collected through our platform, please contact us immediately at hello@glowloop.io.
Our commitment: We apply the highest applicable privacy standard across all US users — not just the minimum required by your state. If you have a privacy concern, we will take it seriously regardless of where you live.
13 Cookies & Tracking
Our website (glowloop.io) uses cookies and similar tracking technologies. We use:
- Strictly necessary cookies: Required for the website to function. Cannot be disabled.
- Analytics cookies: Help us understand how visitors use our website (e.g., pages visited, time on site). We use only anonymized, aggregated data. These require your consent in the EU/UK.
- Functionality cookies: Remember your preferences and settings.
We do not use advertising or tracking cookies for third-party advertising purposes. You can manage cookie preferences through your browser settings. EU and UK visitors will be presented with a consent banner for non-essential cookies.
Third-party resources loaded by our website (such as Google Fonts served from Google's servers) cause your browser to send your IP address and request metadata to that provider, and some third-party services may also set their own cookies. We have no control over that processing and recommend reviewing the privacy policies of those providers.
14 Children's Privacy
Our services are directed at business owners and are not intended for individuals under the age of 18. We do not knowingly collect personal data from children under 18. If we become aware that we have inadvertently collected data from a child under 18, we will delete it promptly. If you believe we have collected data from a minor, please contact us at hello@glowloop.io.
15 Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by email (to the address associated with your account) and by posting the updated policy on this page with a new effective date. We encourage you to review this policy periodically.
Your continued use of our services after the effective date of any updated Privacy Policy constitutes your acceptance of the changes.
16 Contact Us
If you have any questions, concerns, or requests relating to this Privacy Policy or our data practices, please contact us:
Glowloop
Attn: Privacy / Data Protection
Email: hello@glowloop.io
Website: glowloop.io
Address: Willi-Ricker-Weg 5, 48249 Dülmen, Germany
We aim to respond to all privacy-related inquiries within 30 days. For urgent matters relating to a potential data breach, please mark your email as urgent.
Supervisory Authorities:
Germany (competent authority for Glowloop): LDI NRW (Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen) — ldi.nrw.de
United Kingdom: ICO (Information Commissioner's Office) — ico.org.uk
Australia: OAIC (Office of the Australian Information Commissioner) — oaic.gov.au
This Privacy Policy was last reviewed and updated on April 4, 2026. This document is provided for informational purposes. While we have made every effort to ensure accuracy and compliance, it does not constitute legal advice. We recommend consulting qualified legal counsel in your jurisdiction for specific guidance.