Privacy Policy for Let's Glow
Version 2.6 – Effective: March 15, 2026
Your trust is important to us. This Privacy Policy provides comprehensive information about the personal data we collect, for what purposes, on what legal basis, and what rights you have. Please read it carefully. If you have any questions, you can contact us at any time.
1. Data Controller
The data controller within the meaning of the General Data Protection Regulation (GDPR) is:
Johannes Reusch Heinrich-Heine-Platz 9A 10179 Berlin, Germany
Email: support@lets-glow.de
Josefine Patzelt is co-founder of Let's Glow.
For data protection inquiries, please contact us at the email address above.
2. Overview – Our Principles
- Data Minimization: We only collect data that is actually necessary for the operation of the app.
- Transparency: You can view at any time what data we have stored about you.
- Control: You can edit, export, or completely delete your data at any time.
- Security: All data is transmitted encrypted and stored on servers within the EU.
- No Selling: We do not sell your data to third parties.
3. Minimum Age
Use of Let's Glow requires a minimum age of 18 years. We do not knowingly collect data from individuals under 18. If we become aware that an underage person has created an account, we will promptly delete it.
4. What Data We Collect
4.1 Account Data (upon registration)
- Email address
- Display name
- Phone number (when signing in via phone)
- Avatar (selectable from predefined avatars, no personal photo)
- Authentication method (Google Sign-In, Apple Sign-In, or phone number)
- Firebase Auth UID (unique user identifier)
4.2 Profile Data (within the app)
- Character selection and character values
- Interests and strengths
- Level, XP (experience points), Karma, Streak
- Settings and preferences
4.3 User-Generated Content
- Posts (text, images)
- Challenge photos (taken with your device camera or selected from your photo library – your camera is used exclusively for creating challenge posts). We will inform you in the app about this purpose before the first camera access.
- Challenges (created and completed)
- Comments
- Team memberships
4.4 Social Interaction Data
- Blocked users (block lists)
- Reports about other users or content
- Ban status and ban history (in case of policy violations)
4.5 Usage Data (automatically collected)
- App usage statistics (Firebase Analytics): page views, interactions, feature usage
- Crash and error reports (Firebase Crashlytics): device information, operating system, app version, stack traces
- Performance data (Firebase Performance Monitoring): loading times, network latency
4.6 Technical Data
- Device type, operating system, app version
- IP address (temporary, for authentication and security)
- Timestamps of actions
4.7 Support and Optional Diagnostic Data (App Logs)
When creating a support ticket, you may optionally send anonymized diagnostic data (app logs). Before upload, we automatically redact such data (e.g. names, email addresses, IP addresses, and phone numbers are removed). Data is only transmitted if you expressly consent in the app (toggle). Storage: Firebase Cloud Storage, EU only. Retention: 90 days, after which log files are automatically deleted (see section 7.2).
4.8 Data We Do NOT Collect
- No fitness or health data
- No location data (GPS)
- No contact lists or phone books
- No biometric data
- No payment data (payments are processed exclusively via Apple App Store, Google Play Store, or Stripe – we do not store any credit card or banking details)
5. Purpose and Legal Basis of Processing
5.1 Performance of Contract (Art. 6(1)(b) GDPR)
| Purpose | Data |
|---|---|
| Provision and operation of the app | Account data, profile data |
| Challenge system (creation, completion, tracking) | Challenges, scores, XP, streaks |
| Team features | Team memberships |
| User profiles and community | Posts, comments, display name, avatar |
| Account management (modification, export, deletion) | All account-related data |
| Email communication (verification, critical actions) | Email address |
5.2 Consent (Art. 6(1)(a) GDPR)
| Purpose | Data |
|---|---|
| Firebase Analytics (app usage statistics) | Usage data, device information |
| Firebase Performance Monitoring | Performance metrics |
| Optional diagnostic data (app logs) when contacting support | Anonymized app logs (PII removed before upload) |
You may withdraw your consent at any time by adjusting the corresponding settings in the app or by contacting us. A withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.
5.3 Legitimate Interest (Art. 6(1)(f) GDPR)
| Purpose | Data | Interest |
|---|---|---|
| Firebase Crashlytics (crash reports) | Crash data, device information | App stability and quality assurance |
| Security and abuse prevention | Login data, IP address, audit logs | Protection of platform and users |
| Content moderation (reports, blocking, banning) | Reports, block lists, ban data | Safe community, DSA compliance |
| Audit logging (admin and system actions) | Admin audit logs, system audit logs | Accountability, compliance |
| Bug fixes and app improvement | Technical data, anonymized usage data | Quality assurance |
Note on Firebase Crashlytics: Crashlytics is active from app start in order to monitor app stability from the outset and resolve crashes quickly. This is based on our legitimate interest in maintaining a stable and functional app (Art. 6(1)(f) GDPR). You can disable the collection of crash reports at any time after login in the app settings (opt-out).
5.4 Legal Obligation (Art. 6(1)(c) GDPR)
| Purpose | Data |
|---|---|
| Retention of audit logs (documentation obligation) | Admin audit logs, system audit logs |
| Compliance with regulatory requests | Data required by the specific request |
6. Processors and Third-Party Services
We use the following service providers who process personal data on our behalf:
6.1 Google / Firebase (Google Ireland Ltd.)
| Service | Purpose | Data |
|---|---|---|
| Firebase Authentication | User login (Google/Apple Sign-In) | Email, name, Auth UID |
| Cloud Firestore | Database (user profiles, challenges, posts, etc.) | All app data |
| Cloud Storage for Firebase | Media storage (post images, challenge images) | Image files |
| Firebase Analytics | App usage statistics | Anonymized usage data |
| Firebase Crashlytics | Crash reports | Crash data, device information |
| Firebase Performance Monitoring | Loading time and performance analysis | Performance metrics |
| Firebase Remote Config | Feature flags and configuration | Device ID (anonymized) |
| Firebase Cloud Functions (Gen2) | Server-side logic | Processing data |
| Firebase Hosting | Serving web applications | Access data |
| Firebase Cloud Messaging (FCM) | Push notifications | Device push token, notification payload |
Storage Location: Region europe-west3 (Frankfurt, Germany) and europe-west1 (Belgium) – both EU Legal Basis for Third-Country Transfer: EU-US Data Privacy Framework (DPF); Standard Contractual Clauses (SCC) DPA: Google Cloud Data Processing Amendment
6.2 Email and SMS
| Service | Purpose | Data |
|---|---|---|
| Firebase Extension "Trigger Email from Firestore" (via ALL-INKL SMTP, German host) | Transactional emails (verification, PIN codes, notifications) | Email address, email content |
| Twilio Verify (Twilio Inc., via Firebase Phone Auth) | SMS verification for phone sign-in | Phone number, SMS verification code |
Note: Emails are sent via a German host (ALL-INKL). SMS verification runs via Twilio servers in the EU (Ireland). Legal Basis for Third-Country Transfer (Twilio): EU-US Data Privacy Framework (DPF); Standard Contractual Clauses (SCC) DPA: ALL-INKL.COM – Neue Medien Münnich (Data Processing Agreement for email delivery); Twilio Data Protection Addendum (for SMS service)
6.3 AI Service Providers (OpenAI, Anthropic, Google)
We use AI services from OpenAI (OpenAI, L.L.C.), Anthropic (Anthropic PBC), and Google (Google Ireland Ltd. / Google LLC) for content review, categorization, text generation, and image generation. No personal user data is transmitted to these services.
| Provider | Purpose | Data |
|---|---|---|
| OpenAI | Content review, categorization, text generation | No personal data |
| Anthropic (Claude) | Content review, categorization | No personal data |
| Google (Gemini, Imagen) | Content review, image generation | No personal data |
Note: No personal user data is transmitted to any of these services. Legal Basis for Third-Country Transfer: EU-US Data Privacy Framework (DPF); Standard Contractual Clauses (SCC) DPA: Respective Data Processing Addendums of each provider
6.4 Apple (Apple Inc.)
| Service | Purpose | Data |
|---|---|---|
| Sign in with Apple | Authentication | Apple ID, email (optional relay), name |
| Apple In-App Purchase | Payment processing for subscriptions and in-app purchases via the App Store | Transaction ID, purchase receipt. Payment data (credit card etc.) is processed exclusively by Apple — we do not receive any payment data. |
Note: Apple may provide an anonymized relay email address. We only receive the data released by the user. For App Store purchases, we only receive a purchase confirmation — no credit card or banking details. Legal basis: Art. 6(1)(b) GDPR (contract performance)
6.5 Google (Google Ireland Ltd.)
| Service | Purpose | Data |
|---|---|---|
| Google Sign-In | Authentication | Google account, email, name |
| Google Play Billing | Payment processing for subscriptions and in-app purchases via the Google Play Store | Transaction ID, purchase confirmation (Purchase Token). Payment data is processed exclusively by Google — we do not receive any payment data. |
Legal basis: Art. 6(1)(b) GDPR (contract performance)
6.6 Cloudflare (Cloudflare Inc.)
| Service | Purpose | Data |
|---|---|---|
| Cloudflare Turnstile | Bot protection for web forms (e.g. support request, account deletion on lets-glow.de) | Processing for verification only (no advertising cookies, minimal data); e.g. IP, device signals for risk assessment |
Note: Turnstile is used solely for abuse prevention. No personal data is used for advertising purposes. Storage / Legal basis: Cloudflare (US/EU); EU-US Data Privacy Framework (DPF); purpose: legitimate interest (fraud/spam protection, Art. 6(1)(f) GDPR).
6.7 Stripe (Stripe, Inc.)
| Service | Purpose | Data |
|---|---|---|
| Stripe Payments | Payment processing for subscriptions and in-app purchases (outside app stores) | Email address, payment information (credit card/SEPA — processed by Stripe, not stored by us), transaction data, IP address |
Note: We do not store any credit card or bank details. Stripe processes this data as an independent payment service provider. We only receive confirmation of payment status and a customer ID. Legal basis: Art. 6(1)(b) GDPR (contract performance) Legal basis for third-country transfer: EU-US Data Privacy Framework (DPF); Standard Contractual Clauses (SCC)
7. Data Storage and Retention Periods
7.1 Storage Location
All data is stored in the EU:
- Cloud Firestore: europe-west3 (Frankfurt, Germany)
- Cloud Storage: europe-west3 (Frankfurt, Germany)
- Cloud Functions: europe-west1 (Belgium, EU)
7.2 Retention Periods
| Data Category | Retention Period |
|---|---|
| Account data | Until account deletion |
| Profile data and user-generated content | Until account deletion |
| Firebase Analytics | 14 months (Google default) |
| Firebase Crashlytics | 90 days (Google default) |
| Admin audit logs | 10 years (documentation obligation) |
| System audit logs | 10 years (documentation obligation) |
| Content reports | Until reviewed + 1 year (verification obligation) |
| Ban history | Duration of ban + 1 year (verification obligation) |
| Account deletion queue | 30 days grace period, then complete deletion |
| Email delivery logs | 90 days |
| Uploaded diagnostic logs (support) | 90 days, then automatic deletion (GDPR Art. 5(1)(e)) |
8. Account Deletion and Data Export
8.1 Account Deletion (GDPR Art. 17)
You can delete your account at any time directly within the app or via our website at https://lets-glow.de/account-loeschen. This way, you always have the option to fully delete your account, even without the app. The deletion process works as follows:
- Grace Period: After your deletion request, you have 30 days to reverse the deletion.
- Complete Deletion: After the grace period, all your data will be irreversibly deleted:
Account data (Firebase Auth)
Profile data (Firestore)
Posts, comments, challenges
Uploaded media (Storage)
Team memberships and references
The technical completion of full deletion may take up to 90 days after the grace period (e.g., for removal from backups and cache systems). During this time, your data is no longer accessible. 3. Automated Cleanup: A scheduled cleanup process (scheduledPrivacyCleanup) ensures that expired deletion requests are fully executed.
Exceptions to Deletion:
- Audit logs are anonymized, not deleted (legal documentation obligation, 10 years).
- Aggregated, anonymized statistics are retained.
8.2 Data Export (GDPR Art. 15 / Art. 20)
You can request an export of your stored data at any time within the app. The export includes:
- Account and profile data
- Posts and comments
- Challenges and scores
- Team memberships
The export is provided as a JSON file and is available for download for 7 days.
9. Content Moderation and Community Safety
9.1 Reporting
Users can report other users, posts, or challenges. The following data is processed:
- Reason for the report and details
- Type of reported content (user, post, challenge)
- Timestamp of the report
- Anonymized reporter ID (for internal tracking only)
9.2 Blocking
You can block other users. Block lists are stored in your user profile and are visible only to you.
9.3 Banning
If you violate the community guidelines, your account may be suspended by an administrator. The following information is stored:
- Reason and date of the ban
- Duration of the ban (temporary or permanent)
- Reviewing administrator (anonymized)
- Ban history
9.4 Complaint and Appeal Mechanism (DSA Art. 20)
If your account is suspended or your content is moderated, you have the right to appeal. Contact us at support@lets-glow.de.
10. Email Communication
We use emails for the following purposes:
- Transactional Emails: Account verification, PIN codes for critical actions, security notifications
- System Notifications: Information about account changes, deletion confirmations
Emails are sent via a German host (ALL-INKL SMTP). We do not send marketing emails without your explicit consent.
11. AI Features (Artificial Intelligence)
11.1 Use of AI
Challenges on Let's Glow are created by the community or set up as personal/team challenges – not by AI. We use AI-powered features in a supporting role:
- Content Review: All challenges – whether community, personal, or team challenges – are automatically reviewed for community guideline compliance (first check before human review)
- Categorization: Automatic classification and tagging of challenges
- Text Generation: AI-assisted creation of descriptive texts and summaries
AI services from OpenAI, Anthropic, and Google are used for this purpose (see §6.3). No personal user data is transmitted to these services.
11.2 Automated Decision-Making (Art. 22 GDPR)
The AI-based content review may result in challenges being automatically held back for human review. No purely automated decisions are made that significantly affect you legally — every rejecting decision regarding your content is reviewed by our moderation team. You have the right at any time to request human review, to express your point of view, and to contest the decision (see Community Guidelines, Section 6: Right of Appeal).
12. Cookies and Tracking
12.1 Flutter App (iOS / Android)
The mobile app uses no cookies. Tracking is performed exclusively via Firebase Analytics (with your consent). If we use Google Tag Manager in the future (e.g. for web), we will do so without personal data and only with your consent.
12.2 Web Applications (Admin Panel)
The web applications use Firebase Authentication session cookies, which are strictly necessary for authentication and session management (technically required cookies). No marketing or tracking cookies are used.
13. Security Measures
We protect your data through technical and organizational measures, including encryption during transmission and storage, role-based access control, and regular security reviews. No personal data is processed during AI-based content review.
14. Your Rights (Art. 15–21 GDPR)
You have the following rights regarding your personal data:
| Right | Description | Implementation |
|---|---|---|
| Access (Art. 15) | You can find out at any time what data we store about you. | Data export in the app or via email request |
| Rectification (Art. 16) | You can have incorrect data corrected. | Profile editing in the app or via email |
| Erasure (Art. 17) | You can request the deletion of your data. | Account deletion in the app (see Section 8.1) |
| Restriction (Art. 18) | You can request the restriction of processing. | Via email request |
| Data Portability (Art. 20) | You can receive your data in a common format. | Data export in the app (JSON) |
| Objection (Art. 21) | You can object to processing based on legitimate interest. | Via email to support@lets-glow.de |
For all requests, contact: support@lets-glow.de
We will process your request within 30 days (pursuant to GDPR Art. 12(3)).
15. Third-Country Transfers
Your data is predominantly processed and stored in the EU:
Processing in the EU:
- Google / Firebase: Firestore, Storage, Cloud Functions — region europe-west3 (Frankfurt) and europe-west1 (Belgium)
- Twilio: SMS verification via Twilio servers in the EU (Ireland) — only the phone number and a verification code are transmitted
- ALL-INKL: Email delivery via German host
Services based in the USA (safeguarded by DPF and/or SCC):
- AI services (OpenAI, Anthropic, Google): API calls for content review — no personal data is transmitted (see §6.3)
- Stripe: Payment processing — we do not store any credit card or banking details
- Cloudflare: Bot protection (Turnstile) for web forms
- Google / Firebase (partial): For certain platform services (e.g. push notifications, authentication), processing in the USA may occur
All named US providers are certified under the EU-US Data Privacy Framework (DPF) and/or Standard Contractual Clauses (SCC) pursuant to Art. 46 GDPR are in place.
16. Changes to This Privacy Policy
We reserve the right to update this Privacy Policy in the event of legal or technical changes. For material changes, we will notify you:
- Via an in-app notification
- Via an update to the version identifier in the app
The current version is available at any time in the app under Settings > Privacy and on our website at https://lets-glow.de/datenschutz.
17. Right to Lodge a Complaint
You have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your data violates the GDPR.
Competent supervisory authority:
Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und Informationsfreiheit) Friedrichstraße 219, 10969 Berlin, Germany Phone: +49 30 13889-0 Email: mailbox@datenschutz-berlin.de Website: https://www.datenschutz-berlin.de
18. Contact
If you have questions about this Privacy Policy or the processing of your data, please contact:
Johannes Reusch Heinrich-Heine-Platz 9A 10179 Berlin, Germany
Email: support@lets-glow.de Website: www.lets-glow.de
Version 2.6 – March 15, 2026