Legal

Privacy Policy

Effective date: 8 June 2026 · Last updated: 8 June 2026

This Privacy Policy describes how Gloow ("Gloow", "we", "us", "our") collects, uses, stores, shares, and protects personal data when you ("the clinic", "you") use the Gloow service available at gloow.ai and the connected web application (the "Service").

Gloow is operated by Gloow (a sole proprietorship registered in Italy). If you have any questions about this policy, contact us at privacy@gloow.ai.

1. Who this policy applies to

This policy applies to two groups:

Clinic users, the clinic owner, manager, or staff members who sign in to Gloow, connect their channels (Gmail, Google Calendar, WhatsApp, Instagram), and operate the service.
End clients, individuals who message a clinic that uses Gloow. Gloow processes their messages on the clinic's behalf in order to reply and book appointments.

2. Data we collect

2.1 Account data (clinic users)

Name, email address, profile picture (from your Google account, if you sign in with Google).
Clinic name, address, calendar configuration, opening hours, services offered.
Authentication tokens and OAuth refresh tokens for connected third-party services.

2.2 Data accessed via Google APIs

When you connect your Gmail and/or Google Calendar account, Gloow requests OAuth permission to access the following data on your behalf:

Gmail, Gloow reads incoming emails that look like client enquiries, generates AI replies, sends those replies from your inbox, and writes drafts. Scopes used: https://www.googleapis.com/auth/gmail.modify.
Google Calendar, Gloow reads your existing events to know what slots are free, and creates/updates new events when a client books an appointment. Scopes used: https://www.googleapis.com/auth/calendar.events.
Basic profile, name, email address, and profile picture used to identify you in the app. Scopes used: openid, email, profile.

Limited Use disclosure. Gloow's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically, Gloow does not:

use Google Workspace APIs to develop, improve, or train generalized AI and/or machine learning models;
transfer Google user data to third parties except as necessary to provide or improve user-facing features that are prominent within the Gloow interface, and only with your consent or as required by law;
use Google user data for serving advertisements, including retargeting, personalised, or interest-based advertising;
allow humans to read Google user data unless we have your affirmative agreement for specific messages, doing so is necessary for security purposes (such as investigating abuse), to comply with applicable law, or for Gloow's internal operations and even then only when the data have been aggregated and anonymized.

2.3 Data from messaging channels (WhatsApp, Instagram, Messenger, Telegram, Email, SMS & phone)

Client messages sent to channels you've connected to Gloow.
Client phone numbers, social handles, or email addresses (whatever the client uses to message you).
Names, dates, services requested, and any other content the client shares while booking.
Channel-side metadata: thread identifiers, timestamps, message IDs.

2.4 Service usage data

Log data: IP address, browser type, pages visited, timestamps, error reports.
Aggregated analytics on which features are used (no third-party advertising cookies).

3. How we use data

Operate the Service. Read incoming messages, generate AI replies, send replies on your behalf, create calendar events, surface enquiries in your inbox view.
Authenticate you and protect your account.
Support and debugging. Diagnose errors you report. Engineers may inspect a specific message thread only with your explicit request.
Service emails to clinic users (e.g., magic-link login, billing receipts).
Legal compliance, respond to lawful requests and enforce our terms.

We do not sell personal data, share it with advertisers, or use Google user data to train generalized AI models.

4. AI processing

To generate replies and understand client intent, Gloow sends message content to large-language-model providers acting as our data processors:

Anthropic (Claude models), under a zero-retention business agreement: prompts and responses are not retained beyond the duration of the API call and are not used to train models. See Anthropic Commercial Terms.

We never send personal data to consumer-grade chat products (e.g., chatgpt.com, claude.ai), only enterprise APIs with appropriate data-processing terms.

5. How we share data

We share personal data only with:

Infrastructure providers (e.g., DigitalOcean for hosting) acting as data processors under EU SCCs where applicable.
AI providers as described in §4.
Authentication and messaging APIs you have explicitly connected (Google, Meta).
Channel connection providers (Unipile, GDPR compliant and SOC 2 certified) to connect and deliver messages on channels such as WhatsApp, Instagram, Messenger, Telegram and email.
Telephony providers (Twilio) for the phone & SMS channel and missed-call text-back.
Transactional email providers (Postmark) for system email.
Payment processors (Stripe) when you subscribe to a paid plan and when your clients pay deposits, which settle directly in your clinic's own Stripe account.
Authorities when required by valid legal process.

We do not sell or rent personal data. We do not share data with advertisers.

6. Data retention

Account data is retained while your account is active and for up to 90 days after deletion, then permanently erased.
Client message history and booking records are retained for as long as your clinic's account is active, unless you delete specific threads earlier.
OAuth tokens are revoked and deleted immediately when you disconnect a channel.
Backups are encrypted and rotated out within 30 days.

7. Your rights

If you are in the European Union, United Kingdom, or other jurisdictions with similar laws (GDPR, UK GDPR), you have the right to access, correct, port, delete, restrict processing of, or object to the processing of your personal data, and to lodge a complaint with your supervisory authority.

To exercise these rights, email privacy@gloow.ai. We respond within 30 days.

You can also:

Revoke Google access at any time from your Google Account: myaccount.google.com/permissions. Revocation immediately stops Gloow from accessing your Gmail and Calendar.
Disconnect channels from inside Gloow at Settings → Channels.
Delete your account entirely at Settings → Account → Delete account.

8. Security

We protect personal data with industry-standard measures:

TLS 1.2+ for all data in transit.
Encryption at rest for OAuth tokens and client messages.
Principle-of-least-privilege access controls and audit logging for engineer access.
Regular dependency scanning and security patching.

No system is perfectly secure. If we become aware of a breach affecting your data, we will notify you and the relevant authorities within 72 hours as required by GDPR Art. 33.

9. International transfers

Gloow is operated from the European Union. Some processors (Anthropic, DigitalOcean) may process data in the United States under EU Standard Contractual Clauses (SCCs) and supplementary measures.

10. Cookies

We use first-party cookies strictly necessary for authentication and theme preference. We do not use third-party tracking or advertising cookies.

11. Children

Gloow is a business tool for clinics. We do not knowingly collect data from anyone under 16. If you believe we have, contact us and we will delete it.

12. Changes to this policy

We may update this Policy from time to time. We will notify clinic users by email at least 14 days before material changes take effect. The "Last updated" date at the top reflects the current version.

13. Contact

Gloow · Data Protection Contact
Email: privacy@gloow.ai
Support: support@gloow.ai