DailyGlow Privacy Policy

Document version: 2026-05-11

Controller: Xiangtan Chuanyue Trading Co., Ltd.

Postal address: No. 25, Lubian Villager Group, Huangmao Village, Baishi Town, Xiangtan County, Xiangtan City, Hunan Province

Privacy correspondence: market@chuanyuetrade.com

Article I — Definitions and interpretive rules

Unless the context requires otherwise, references to “processing,” “personal data,” and “controller” follow the usage of Regulation (EU) 2016/679 and the United Kingdom GDPR where those instruments apply. Where United States statutes employ “personal information,” that term is treated as overlapping but not identical to “personal data,” and the stricter reading governs disclosure.

Quoted labels that mirror Google Play Data safety declarations appear solely to maintain alignment between this notice and in-console disclosures; they do not expand processing beyond what the shipped Android client actually performs.

Article II — Identity of the controller and supervisory contacts

The controller for processing described herein is Xiangtan Chuanyue Trading Co., Ltd., reachable at No. 25, Lubian Villager Group, Huangmao Village, Baishi Town, Xiangtan County, Xiangtan City, Hunan Province. The controller has designated Zhu Chuanfeng as Data Protection Officer; correspondence may be directed to dpo@chuanyuetrade.com. General privacy inquiries unrelated to supervisory complaints may be sent to market@chuanyuetrade.com.

Article III — Material and territorial scope

This instrument governs only the Android distribution of DailyGlow obtained through Google Play. It does not purport to regulate hypothetical iOS builds, web clients, or sideloaded packages absent a separate publication.

The controller does not operate credential-based registration or password login for the described build. Access is conditioned on acceptance of in-application Terms of Use, Privacy Notice, and age attestation flows. No in-application purchase, subscription, or paid digital content mechanism falls within the scope of this notice.

Persons who have not reached eighteen (18) years of age are instructed not to use the service; verification is limited to a first-launch declaration rather than documentary proof.

Article IV — Lawful bases (EEA / United Kingdom framing)

Where Article 6 of the GDPR or its UK analogue must be cited, the controller maps processing as follows: performance of measures taken at the data subject’s request prior to contract (and, where applicable, performance of the digital service contract) for real-time communications and chat payloads; legitimate interests in network integrity, incident response, and proportionate analytics for diagnostic telemetry; legal obligation where a competent authority mandates retention; consent only where a discrete consent gate is presented and may thereafter be withdrawn without charge where technically feasible.

Article V — Categories of personal data processed

The controller processes the following categories, each tied to a concrete operational purpose:

The controller does not monetise personal data through sale to third-party advertising marketplaces.

Article VI — Device identifiers and diagnostics

Diagnostic streams may incorporate values colloquially labelled “Device ID” within Google Play questionnaires. Such values may include installation-bound tokens exposed by the operating system or bundled SDKs. They are processed exclusively for session correlation, fraud pattern analysis, and service hardening. They are not repurposed for unrelated profiling. Provider handling follows the contractual mapping set out under Article VIII for analytics infrastructure.

Article VII — Android permissions and foreground use

DailyGlow is a skincare and self-care tips application. The runtime permissions enumerated below correspond to discrete in-client surfaces. Each is requested at the moment the data subject affirmatively engages the associated feature; none is described by the controller as a continuous background surveillance channel.

  1. Camera (android.permission.CAMERA) — invoked when the data subject elects to publish through “Post My Glow” by tapping the camera tile inside the publish picker. Declining suppresses the camera-publish surface only; gallery selection remains operative.
  2. Microphone (android.permission.RECORD_AUDIO) — invoked when the data subject records a short “Mirror Note” voice memo inside the Reset Map feature. Declining suppresses Mirror Note recording only; textual notation remains operative.
  3. Photos / videos (read) (READ_MEDIA_IMAGES / READ_MEDIA_VIDEO on API 33 and above; READ_EXTERNAL_STORAGE on prior releases) — invoked when the data subject selects an existing image from the gallery as the cover of a “Post My Glow” submission. Declining disables the gallery picker only; in-client capture remains operative.
  4. Photos / videos (write to gallery) (MediaStore insertion on API 29 and above; WRITE_EXTERNAL_STORAGE on prior releases) — invoked when the data subject taps “Save to Photos” on a Routine Snapshot export. Declining causes the export to fail at the device-gallery layer; the Routine Snapshot itself remains addressable within the application’s Saved list.

Revocation by means of Android system settings degrades the specific surfaces named above in a predictable, feature-bound manner and does not impair unrelated portions of the application.

Article VIII — Processors and categories of disclosure

Processors receive data only under written instructions and for the following mapped functions: content delivery and object storage (media payloads and related metadata); automated and human-assisted moderation interfaces; analytics and crash ingestion pipelines. Marketing resale is contractually prohibited. The controller reaffirms that it does not sell personal and sensitive user data within the meaning used by Google Play policies.

Article IX — Cross-border processing

Hosting and subprocessors may reside outside the data subject’s country of residence. Where Chapter V of the GDPR or UK transfer rules apply, the controller relies on appropriate safeguards including standard contractual clauses where no adequacy decision covers the destination.

Article X — Retention architecture

Retention is purpose-bound: ephemeral call routing data is minimised; chat artefacts follow operational schedules tied to delivery and moderation; diagnostics roll within finite engineering windows; safety tickets may persist longer when investigations or appeals require an evidentiary trail; device-bound diagnostic identifiers inherit the diagnostics schedule.

Deletion or irreversible pseudonymisation occurs when the underlying purpose lapses, except where statute or lawful order mandates extension. Requests may be lodged at market@chuanyuetrade.com; substantive replies are targeted within fifteen (15) business days where verification succeeds.

Article XI — Technical and organisational measures

The controller maintains access segregation, transport encryption where in transit, monitoring, and incident response procedures proportionate to risk. Absolute security cannot be warranted; legally mandated breach notifications will issue when thresholds are met.

Article XII — Rights of data subjects and complaint pathways

  1. Access, rectification, erasure, restriction, objection where grounded, and portability (where technically feasible) may be asserted under applicable law.
  2. Requests are submitted to market@chuanyuetrade.com; the controller endeavours to conclude verification and response within fifteen business days.
  3. Without login credentials, the controller may request contextual corroboration to avoid erroneous disclosure to third parties.
  4. Supervisory authorities in the EEA or UK remain competent to hear complaints under Articles 77 GDPR / equivalent UK provisions.

Article XIII — United States state law annex

California residents (CCPA / CPRA)

California consumers may enjoy rights to know, delete, correct, and opt out of certain disclosures characterised as “sale” or “sharing” under Cal. Civ. Code § 1798.100 et seq. The controller does not operate a targeted-advertising business model for this app. A consumer may email market@chuanyuetrade.com with subject line “California Privacy Request” and should anticipate a reply within fifteen business days absent exceptional complexity.

Virginia residents (VCDPA)

Virginia residents may contact market@chuanyuetrade.com with subject lines “Virginia Targeted Advertising Opt-Out,” “Virginia Sale Opt-Out,” or “Virginia Profiling Inquiry,” as applicable. The controller’s baseline position is that it does not sell personal data nor conduct regulated profiling producing legal effects solely by automated means in the manner described by Va. Code § 59.1-575 et seq.

Article XIV — Mechanisms relating to sale, sharing, and targeted advertising

Although the controller does not presently monetise personal data through sale or cross-context behavioural advertising for this title, it maintains an operational channel: email market@chuanyuetrade.com with subject “Opt-Out of Sale/Sharing Request” or “Opt-Out of Targeted Advertising”, including jurisdiction and non-sensitive locating context. Acknowledgement and processing follow applicable statutory windows, with an internal target of fifteen business days.

Article XV — Persons below the age of majority

DailyGlow is not directed at children. The controller does not knowingly collect personal information from individuals under eighteen. Misstated age declarations undermine safety objectives; where the controller obtains reliable notice of underage use, it will delete or restrict processing as law demands.

Article XVI — Supplement: retention principles without a login credential

Absence of a persistent account record complicates—but does not eliminate—retention governance. The controller applies category-specific review boards: routing artefacts tied to live sessions are truncated aggressively; chat content may persist for operational delivery and safety review aligned with documented abuse-prevention cycles; diagnostics remain in rolling engineering windows; safety dossiers may outlive other categories when regulatory or investigative defensibility requires. Upon expiry, destruction or robust pseudonymisation is executed save for narrow statutory carve-outs. Deletion enquiries should cite approximate timeframe and device class to aid matching.

Article XVII — Amendments and publication

The controller may revise this notice. Material changes will be reflected through updated version metadata and, where proportionate, additional in-client surfacing linked to Terms or Privacy Notice flows.

Contact (summary)

Privacy desk: market@chuanyuetrade.com. Data Protection Officer: Zhu Chuanfeng, dpo@chuanyuetrade.com.

Article XVIII — Technical stack dependencies (summary)

The Android client may rely on platform frameworks, Google Play distribution services where enabled, real-time communications infrastructure, moderation vendor APIs, and diagnostic SDKs—each only to the extent required for the processing described above.

Return to top