Luvly Editorial PolicyTerms of UseLuvly Privacy PolicyMedical GuidelinesCookie Policy

Privacy Policy

Effective Date: June 17, 2025
At Gismart, we are dedicated to leveraging technology to enhance your physical and emotional well-being, bring joy through music and entertainment, and improve productivity and convenience in your mobile experience. We believe in the transformative power of technology to create meaningful, positive change in people’s lives.Protecting your privacy and maintaining the highest security standards are fundamental to our mission. We are committed to transparency and accountability in how we handle your personal data, ensuring you have clear insights and control over your information while seamlessly enjoying our Service.

WELCOME TO LUVLY PRIVACY POLICY!

This Privacy Policy (the “Privacy Policy“) sets out the main principles on which the data collected from you, or that you provide to us, will be processed by us in connection with your use of “Luvly” (the “App”), our websites (including but not limited to https://luvly.care), our blog, and all related services, features, materials, and content available for your use (collectively the “Service“) provided by Gismart Limited, a private limited company, incorporated and registered in England and Wales with company number 10152488 whose registered office is at 151 Wardour Street, London, England, W1F 8WE (“we”,“us”, “our” or the “Company”).Depending on your location, selected payment method, or other relevant factors, access to the Service, particularly with respect to sales, billing, and payment processing may be facilitated by Gismart Limited or one of its authorized partners acting as the Merchant of Record. These partners may include Extramile Limited, a company incorporated in Cyprus under registration number ΗΕ 445953, with its registered office at Prodromou 75, Oneworld Parkview House, Floor 4, 2063 Nicosia, Cyprus; and Fulfilling Inc., a Delaware corporation with a registered address at 1007 N Orange St., 4th Floor, Site 1382, Wilmington, New Castle, Delaware, 19801, USA. The Merchant of Record does not provide the Service, manage subscriptions, or assume any obligations related to the operation, support, or performance of the Service. Your contractual relationship remains solely with Gismart Limited. Your rights and obligations under these Terms are unaffected by the designation of a Merchant of Record, and neither Gismart Limited nor its partners shall be jointly liable for each other’s obligations unless expressly stated in these Terms.We encourage you to review our Privacy Policy in its entirety to gain insight into our personal data handling practices.

HOW TO REACH US?

We have carefully designed this Privacy Policy to be clear, transparent, and accessible. However, if you have any questions or concerns regarding your privacy rights or how we handle your personal data, please feel free to contact us through:For EEA/UK and Non-EU/EEA Data Subjects:
Online Contact Form: https://account.luvly.care/contact-formMailing Address: Gismart Limited, 151 Wardour Street, London, England, W1F 8WE
Email: dpo@gismart.com

CHANGES TO THIS PRIVACY POLICY

We may revise this Privacy Policy from time to time to reflect:
  1. changes in applicable laws or regulatory requirements;
  2. updates to our data practices or the features and functionality of our Service provided to you;
  3. advancements in technology or other relevant changes.
Staying Informed. We encourage you to review this page periodically to stay informed about how we protect your personal data. The "Effective Date" at the top of this Privacy Policy indicates when the most recent changes were made.Notification of Significant Changes. If we make material changes to this Privacy Policy that affect your rights or require your consent, we will notify you in advance through appropriate channels, such as:
  1. posting a prominent notice on our websites;
  2. sending an email to the contact information you have provided, if applicable.
Please note that your continued use of our Service following the Effective Date of the updated Privacy Policy constitutes your acknowledgment and acceptance of the changes.

CONTENTS

WHAT IS PERSONAL DATA, AND WHO OVERSEES ITS PROCESSING?
WHAT PERSONAL DATA DO WE COLLECT?
WHAT ARE THE PURPOSES FOR PROCESSING YOUR DATA?
WHAT ARE THE LEGAL BASIS FOR PROCESSING YOUR DATA?
WHEN AND WHY DO WE SHARE YOUR DATA?
WHERE IS YOUR DATA STORED AND TRANSFERRED?
WHAT ACTIONS DO WE AVOID WHEN HANDLING YOUR DATA?
WHAT ARE OUR RULES FOR STORING YOUR DATA?
WHAT SECURITY MEASURES DO WE USE?
HOW DO WE RESPOND TO SECURITY INCIDENTS?
WHAT ARE YOUR RIGHTS OVER YOUR DATA?
HOW CAN YOU MANAGE YOUR DATA?
HOW WE PROCESS YOUR REQUESTS?
PRIVACY NOTICE FOR CALIFORNIA RESIDENTS, US
PRIVACY NOTICE FOR VIRGINIA, CONNECTICUT, COLORADO, UTAH, AND NEVADA, US

WHAT IS PERSONAL DATA, AND WHO OVERSEES ITS PROCESSING?

Personal Data” refers to any information that identifies you as an individual or relates to an identifiable individual. Gismart Limited acts as the ‘controller’ of your Personal Data. As the controller, we determine the purposes and means of the processing of your personal data when you use our Service. In certain situations, as specified within this Privacy Policy, we may act as a ‘processor’ of your personal data, meaning we process data on behalf of another controller.For the purposes of data protection laws in the United Kingdom, including the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018 (“DPA 2018”), Gismart Limited is the controller of your personal data. Additionally, for specific categories of personal data, we may act as a processor, as detailed below.Certain aspects of our Service may be provided by our authorized partners Extramile Limited and Fulfilling Inc., both of which act as ‘processors’ of your personal data. This means that:
  • Extramile Limited, a company incorporated in Cyprus (Company No. ΗΕ 445953), with a registered office at Prodromou, 75, Oneworld Parkview House, Floor 4, 2063, Nicosia, Cyprus, processes data on our behalf in accordance with our instructions.
  • Fulfilling Inc., a Delaware corporation, with a registered address at 1007 N Orange St, 4th Floor, Site 1382, Wilmington, New Castle, 19801, also processes certain personal data as a data processor, operating strictly under our direction.
These partners process your personal data solely for the purposes defined by us, ensuring compliance with applicable data protection laws and maintaining the security and confidentiality of your information.This Privacy Policy also considers the requirements of the EU General Data Protection Regulation (“GDPR”) for users located within the European Union and relevant U.S. privacy laws, including but not limited to the California Consumer Privacy Act (“CCPA”) to ensure compliance in jurisdictions where our Service is accessible. Further details about how we fulfill these obligations are provided in the sections below.

WHAT PERSONAL DATA DO WE COLLECT?

As you access and use our Service, we gather certain personal data through the following means:
Data Directly Provided by You:Basic Information. We collect the information necessary to personalize your account and provide you with tailored Service. This includes: your name, email address, age, gender, account and profile credentials, skin type, target areas, any other information you choose to share to personalize your account or profile, and optional information, such as preferences or interests, that you provide during onboarding or while using the Service.Purchase and Subscription Information. Payment information is required to process your subscription. This includes subscription plan details, and payment information. Note that we do not store or process your credit card information. This information is handled securely and directly by our third-party payment processing partners in accordance with their privacy policies.Health and Wellness Information. If you choose to share information related to your health or wellness, we may process information about your skin, physical attributes, skincare preferences, nutritional preferences, exercise routines, and other information you provided during the onboarding questions. With your explicit consent, we may also import data from third-party services, such as Google Health Connect, including but not limited to information about fitness activities, weight, height etc. This information will be processed solely to provide the functionality and features of the App. Imported data remains subject to the privacy policies of the relevant third-party providers.Survey and Communication Information. We may collect any information you voluntarily provide when: participating in surveys, questionnaires, or Service testing, communicating with us or directed to us via letters, emails, and social media, or submitting reviews or testimonials regarding our Service. If you participate in any promotions or competitions we may run, we process information relevant to your participation. This data is processed to assess user opinions, improve our Service, and support the development of new features.Face and Cosmetic Scan Information. We may process photos submitted for Face and Cosmetic Scan features to enhance our Service only with your express consent. The use of these scanned photos is entirely voluntary and will only occur when you actively choose to use these features. They are processed exclusively to improve our Service and are not used for identification purposes. You may withdraw your consent at any time by contacting us at https://account.luvly.care/contact-form. Upon withdrawal, we will cease processing any future Face and Cosmetic Scan data for Service improvement purposes. For further details about the Face and Cosmetic Scan feature in our App, please refer to our TermsAI Assistant Interaction Information. When you engage with our AI Assistant based on OpenAI technology (e.g., GPT-4 API), we process and store the content of your conversations to improve the functionality of our Service and enhance the user experience. You can read more about the AI Assistant feature in our Terms.User-Generated Content. We process any content you publish or upload on our Service, including but not limited to posts, messages, images, and other materials, in accordance with the provisions set out in our Terms regarding User-Generated Content.Data Automatically Collected by Us:Log and Technical Information. When you access our website or use the App, certain information is automatically collected by your browser or device. This may include: your IP address, browser type, time zone, language settings, the date and time of your access, details about the features you use, actions you take within the Service, interactions with specific areas of the interface, and patterns of App usage, including session frequency and duration.Device-Related Information. We collect information about the device you use to access our Service, including device model, type, unique device identifiers, operating system version, Internet service provider details, mobile carrier information, and hardware ID.Face and Cosmetic Scan Feature. If you choose to use the Face Scan feature, we process the photos you upload to assess specific facial characteristics, skin attributes, and other visual details. This information enables us to create a tailored wellness program designed to meet your individual needs. When you use the Cosmetic Scan feature, we process the photos you provide to evaluate product compatibility with your skin type or offer insights into current products on the market, including detailed reports on their ingredients. Please note that the photos and data collected through these features are used exclusively to deliver the requested Service. We may keep the photos and associated information for up to one month to further develop and improve the accuracy and effectiveness of our Face and Cosmetic Scan features.Other Sources. We may augment the information you provide with data obtained from third parties or other external sources. This additional data may include: details about how you interact with our Service or information from third parties to support marketing communications (only where you have opted in), refine our research, or enhance the delivery of our Service.Data Collected via Cookies.To provide you with an enhanced experience, our Service relies on technologies such as cookies, SDKs, and similar tools. These technologies assist us in tailoring your interactions, delivering relevant advertisements, and gaining insights into how our Service is used. They are triggered when you browse our website, navigate the App, or activate specific features. While you have the option to disable these tools in your settings, doing so may limit the availability or performance of certain functionalities, however, the essential aspects of our Service will remain accessible.Please learn more about this in our Cookie Policy.
Please note that this Privacy Policy does not apply to information collected by:Third-Party Service. Any third party, including through any application or content (including advertising) that may link to or be accessible from or through our Service.Personnel and Job Applicants: This Privacy Notice does not apply to the collection of personal data from employees, job applicants, contractors, business owners, directors, officers, or other staff members except for California Residents.Non-Personal Data: Information that cannot reasonably identify, relate to, describe, or be linked (directly or indirectly) to a specific individual is not considered personal data. This Privacy Notice does not govern the processing of such non-personal information.

WHAT ARE THE PURPOSES FOR PROCESSING YOUR DATA?

We collect and process personal data to deliver, enhance, and secure our Service, ensuring a seamless and personalized experience. Below, we outline the purposes for which your data is processed:To Ensure Access to and Proper Delivery of our Service. We process your personal data to enable your access to and use of our Service, including features such as Face and Cosmetic Scan tools, AI Skin Helper, and wellness or beauty plans. This includes: verifying your identity and providing uninterrupted access to our Service, promptly addressing any operational or technical problems.To Fulfill Transactions. We collect the information required to process your transactions, which includes managing subscription payments and providing any related services to ensure seamless access to the features you have subscribed to.To Customize Your Experience. We process your personal data to tailor the Service to your individual preferences and needs. By analyzing your interactions and behavior, we deliver content, recommendations, and features aligned with your specific goals. This allows us to provide you with a more personalized experience, whether through customized wellness plans, targeted content, or recommendations for relevant products. To Analyze Usage and Performance. We use your personal data to gain insights into how you interact with our websites and App. This helps us identify the most popular features, assess the effectiveness of our content, and understand user behavior. These insights are used to refine functionality, improve usability, and ensure that the Service operates effectively and efficiently for all users.To Improve the Service. We process personal data to enhance the overall quality and functionality of the Service. By refining features and developing new tools, we ensure that the Service evolves to meet your needs. Data is also used to optimize our offerings, conduct research and surveys, and perform financial analyses to assess billing, pricing, and other processes that may require improvement. These efforts enable us to create a better user experience and provide innovative, value-driven solutions. For Advertising and Marketing Purposes. We may process your personal data to enhance and deliver targeted advertising within our Service and on third-party platforms. Your information helps us display personalized ads and content that reflect your interests and preferences. We work with external advertising networks, social media platforms, and analytics providers to promote our Service across various channels. Additionally, we analyze the performance of our marketing campaigns to assess their effectiveness and refine our advertising strategies for better engagement. To Ensure the Security and Integrity of our Service. We process your personal data to safeguard the security and stability of our systems, networks, and users. Measures are taken to prevent unauthorized access, detect misuse or fraudulent activities, and ensure the integrity of our IT infrastructure through consistent monitoring and maintenance.To Provide Support and Communicate with You. When you reach out to us with inquiries, concerns, or feedback, we process your personal data to assist you and address your requests. This may include sending responses via email, providing updates related to your use of our Service, or resolving reported issues. We may also review communications and interactions with you to ensure the quality of our support, improve staff training, and effectively handle any complaints you raise. We may process your inquiries, subscription details, and communication content using the AI API to generate personalized responses. This includes analyzing your inquiries to identify dissatisfaction or disputes and routing your request to the appropriate support workflow. The AI Assistant does not engage in autonomous decision-making that produces legal or similarly significant effects concerning individuals. All final decisions are made by human personnel, with the AI system used solely to assist in providing timely and relevant support.To Comply with Legal Obligations. We process your personal data to meet our responsibilities under applicable laws and regulations. This may involve using your information to investigate disputes or claims related to our Service or to respond to legal, governmental, or regulatory requests. Your information may also be processed to fulfill obligations related to anti-money laundering measures, fraud prevention efforts, tax compliance, sanctions adherence, or other legal requirements. We may use your personal data to assert or protect our legal rights when appropriate.

WHEN AND WHY DO WE SHARE YOUR DATA?

To provide our Service effectively, we may need to share your personal data with certain third parties. Such sharing will be carried out in compliance with applicable privacy laws.Third-Party Service Providers.We may share your personal data with carefully selected service providers that assist in operating, maintaining, and enhancing our Service. These may include but are not limited to:
  1. hosting and cloud infrastructure providers;
  2. email communication service;
  3. payment processing partners;
  4. fraud prevention and cybersecurity vendors;
  5. analytics and data aggregation service;
  6. customer support and engagement platforms.
These third parties will only process your personal data under contractual obligations ensuring they adhere to strict data protection standards, and they are prohibited from using your personal data for any purpose other than those specified in our Privacy Policy.Third-Party Marketing Partners.If you have provided your explicit consent to receive marketing communications, we may share certain personal data (such as your email address) with our marketing service providers. This may include digital advertising platforms, social media advertising providers, or marketing automation tools that assist us in delivering targeted communications and promotions. You may withdraw your consent at any time by following the unsubscribe instructions provided in our emails by the support team.Legal Compliance and Protection of Rights.We may disclose your personal data when required to do so under applicable law, regulation, or legal process, including:
  1. Compliance with legal obligations: To comply with any legal requests, court orders, or law enforcement investigations.
  2. Service security and integrity: To prevent or address fraudulent, malicious, or unauthorized activities that may compromise the security of our Service.
  3. Protection of rights and safety: Where disclosure is necessary to protect our Company, customers, or the public against harm, legal violations, or imminent risks to personal safety.
  4. Emergencies: If necessary, to prevent death or serious bodily injury based on a legitimate good-faith belief.
Data Transfers Within Our Corporate Group. To support our global business operations and provide seamless services, we may share your personal data with our affiliated entities, subsidiaries, and trusted partners. These transfers are conducted strictly in accordance with applicable data protection laws and are governed by robust data protection agreements.

WHERE IS YOUR DATA STORED AND TRANSFERRED?

Data Storage. We primarily store and process your personal data within the United Kingdom (UK) and European Economic Area (EEA) to ensure compliance with applicable data protection laws. Our commitment to data security and privacy means that all personal data is stored on secure servers that we either own or license from trusted third-party providers. These servers are protected using industry-standard security measures to prevent unauthorized access, data loss, or misuse.Data Transfers Outside the UK & EEA. In certain circumstances, we may need to process or transfer your data to trusted third-party service providers outside the UK and EEA to ensure the effective operation and delivery of our Service. This may include servers or partners based in the United States or other jurisdictions.Before engaging any third-party processor located outside these regions, we conduct thorough risk assessments and ensure they meet strict privacy and security requirements aligned with international data protection standards. We do not transfer personal data to jurisdictions that lack adequate data protection frameworks.Legal Safeguards for International Transfers. Whenever personal data is transferred outside the UK or EEA, we comply with UK GDPR and EU GDPR by implementing legally recognized safeguards, including:
  • For transfers outside the UK: We use International Data Transfer Agreements (IDTAs) or UK Addendums to ensure data protection in line with UK regulations.
  • For transfers outside the EEA: We rely on Standard Contractual Clauses (SCCs) as approved by the European Commission, ensuring an equivalent level of data protection.
Where an adequacy decision is unavailable, we apply additional safeguards such as encryption, strict access controls, and security audits to mitigate risks associated with cross-border data transfers.To learn more about International Data Transfer Agreements and UK guidance, please follow this link. For additional information on Standard Contractual Clauses under EU law, please visit this link.Data Minimization and Anonymization. To further enhance privacy and security, we apply principles of data minimization and anonymization, ensuring that only the necessary data is transferred outside the UK or EEA to fulfill specific purposes. This reduces potential risks associated with international data transfers.Your Consent to International Transfers. By using our Service and providing your personal data, you explicitly acknowledge and consent to its transfer, storage, and processing outside the UK or EEA as outlined in this Privacy Policy. All transfers are conducted in strict compliance with applicable data protection laws to ensure your rights and personal data remain protected.

Processor’s name

Processor’s privacy policy

Purpose

Amplitude
https://amplitude.com/privacy
Tracking user interactions and engagement within the App. Collecting user behavior data, event tracking, and App usage statistics to analyze user behavior, measure App performance, and improve user experience.
AppsFlyer
https://www.appsflyer.com/legal/privacy-policy/
Providing mobile attribution and marketing analytics, including deep linking functionality. Collecting device information, user interactions, and attribution data to measure the effectiveness of marketing campaigns, improve user acquisition strategies, and facilitate deep linking within the App.
Firebase Crashlytics
https://firebase.google.com/support/privacy?hl=ru
Tracking and reporting App crashes and stability issues. Collecting crash reports, device state information, and user interactions leading up to a crash to help us identify and fix bugs, ensuring a stable and reliable App experience.
Firebase Authentication
https://firebase.google.com/support/privacy?hl=ru
Providing secure authentication for users signing in to our App. Collects user identifiers (e.g., email, phone number) and authentication tokens to manage user sessions and secure access to the App.
Firebase Analytics
https://firebase.google.com/support/privacy?hl=ru
Tracking user interactions and engagement within the App. Collecting user behavior data, event tracking, and app usage statistics to analyze user behavior, measure App performance, and improve user experience.
Facebook (Analytics)
https://www.facebook.com/privacy/policy/?entry_point=data_policy_redirect&entry=0
Tracks user interactions and engagement within the App. Collects user behavior data, event tracking, and App usage statistics to analyze user behavior, measure App performance, and improve user experience.
Google Sign-In
https://policies.google.com/privacy
Allowing users to sign in to our App using their Google account. Collecting user’s Google ID, name, email address, and profile picture to authenticate users and enable a seamless login and personalized experience.
AWS AppSync
https://aws.amazon.com/privacy/
Enabling real-time data synchronization between the App and backend services. Used for querying, mutating, and subscribing to data through a secure GraphQL interface. Collecting and syncing user and application data across devices to maintain app performance, reliability, and data consistency.
OpenAI (ChatGPT API)
https://openai.com/privacy
Processing customer support inquiries and subscription details to generate personalized responses and analyze tone for routing to appropriate support workflows.
Reteno
https://reteno.com/privacy-policy
Enhancing user engagement through personalized communication and retention strategies, including marketing emails and push notifications. Collecting user activity data, preferences, engagement metrics, and contact information to create personalized user experiences, improve retention efforts, and send targeted marketing emails and push notifications.
Wellhub
https://wellhub.com/en-us/privacy/
Tracking user interactions and engagement within the App. Collecting user behavior data, event tracking, and wellness-related analytics to enhance personalized features, measure App performance, and improve user experience.

WHAT ACTIONS DO WE AVOID WHEN HANDLING YOUR DATA?

We are dedicated to respecting your privacy and safeguarding your personal data. In line with this commitment, we adhere to principles regarding the handling of your information, as detailed below:No Sale, License, or Rental of Personal Data. We do not sell or rent your personal data for financial gain. Your personal data is only disclosed as outlined in this Privacy Policy.Limited Sharing with Service Providers. We share your personal data exclusively with service providers who assist in delivering and supporting our Service, as described herein. We ensure that no data is shared with external providers or partners without appropriate data protection agreements or contractual terms in place to safeguard your information.Protection of Children’s Data. We do not knowingly collect personal data from children who do not meet the minimum age requirement in their jurisdiction. If you are under the applicable minimum age, as defined in our Terms, you are not permitted to use our Service.

WHAT ARE OUR RULES FOR STORING YOUR DATA?

We store your personal data only for as long as it is necessary and relevant to achieve the purposes for which it was originally collected. This includes providing our Service, maintaining security, resolving disputes, and complying with legal and regulatory obligations.Retention Periods. When your personal data is no longer required for its original purpose, we will either securely delete or anonymize it so that it can no longer be linked to you. If you deactivate or delete your account, we will retain your personal data for no longer than two (2) months, unless retention is required for legal, regulatory, or contractual obligations. In cases where legal or regulatory requirements necessitate longer retention, we will store only the minimum personal data necessary and ensure it is appropriately protected.Exceptions to Deletion Requests. Even if you request the erasure of your personal data, certain circumstances may require us to retain minimal personal data, including:
  1. Legal compliance: to adhere to applicable laws, regulations, or law enforcement requests.
  2. Dispute resolution: to investigate, defend, or settle legal claims.
  3. Contract enforcement: to uphold our agreements and protect our legitimate business interests.
Once retention is no longer required for these purposes, we will ensure the final deletion or anonymization of your personal data securely.

WHAT SECURITY MEASURES DO WE USE?

We take data security seriously and have implemented both organizational and technical safeguards to protect your personal information against unauthorized access, loss, alteration, or misuse.Organizational Security Measures. We enforce strict internal policies and procedures to maintain the security and confidentiality of personal data, including:
  1. Access Control Policies: Only authorized personnel with a legitimate need can access sensitive data.
  2. Login & Password Management: We enforce multi-factor authentication (MFA) and strong password policies.
  3. Physical Security: Our premises and data storage facilities are secured through restricted access, surveillance, and security protocols.
Technical Security Measures. We deploy reasonable cybersecurity protections to safeguard your personal data, including:
  1. Encryption & Pseudonymization: Sensitive data is encrypted at rest and in transit to prevent unauthorized access.
  2. Secure Networks & Firewalls: We use firewalls, intrusion detection systems (IDS), and endpoint protection to prevent cyber threats.
  3. Regular Security Audits & Assessments: We conduct penetration testing, vulnerability scanning, and security reviews to proactively identify and mitigate risks.
  4. Backups & Disaster Recovery: Our systems include secure backups and failover mechanisms to ensure resilience against data loss or service disruptions.
Acknowledgment of Security Limitations. We take commercially reasonable measures to protect your personal data, utilizing security technologies and best practices to guard against unauthorized access, data breaches, and cyber threats. However, no security system is entirely impervious to risks. Ensuring the safety of your information is an ongoing effort that involves continuous monitoring, risk evaluation, and enhancement of security protocols. The presence of a security incident does not automatically imply non-compliance with legal requirements or industry standards.

HOW DO WE RESPOND TO SECURITY INCIDENTS?

Immediate Assessment and Containment. In the unlikely event of a personal data breach, we will promptly assess the incident, contain its impact, and evaluate the risks to individuals’ rights and freedoms. Our breach response may involve actions such as logging affected users out, resetting passwords, and enhancing security protocols to mitigate potential harm. By maintaining strong personal security practices and promptly reporting any concerns, you can help us protect your information effectively.Regulatory Reporting Obligations. If the breach is likely to result in a high risk, we will notify affected individuals without undue delay, providing details of the breach, mitigation steps, and recommended protective actions. When required, we will report the breach to the relevant supervisory authority - such as the Information Commissioner’s Office (ICO) for the UK or the appropriate EU authority - within 72 hours of becoming aware. All breaches will be documented, and measures will be implemented to prevent recurrence.To report a personal data breach or seek assistance, please contact us via https://account.luvly.care/contact-form or dpo@gismart.com. We will address your concerns accordingly.

WHAT ARE YOUR RIGHTS OVER YOUR DATA?

As a resident of the European Union (EU), European Economic Area (EEA), or the United Kingdom (UK), you are entitled to certain rights regarding your personal data under the General Data Protection Regulation (GDPR) and the UK GDPR. Below is a summary of your key rights and how you can exercise them:Right to Access Your Data. You have the right to request access to the personal data we hold about you. Upon request, we will provide a copy of your personal data along with details about how it is processed, shared, and stored.Right to Rectification. If your personal data is inaccurate, incomplete, or outdated, you have the right to request corrections or updates to ensure it is accurate and complete.Right to Erasure (‘Right to be Forgotten’). You can request the deletion of your personal data where:
  1. the data is no longer necessary for the purposes for which it was collected;
  2. you withdraw consent and there is no other legal basis for processing;
  3. you object to processing and there are no overriding legitimate grounds;
  4. your data was unlawfully processed; or
  5. deletion is required to comply with a legal obligation.
Your right to erasure may not apply where processing is necessary for legal compliance, public interest, or the establishment, exercise, or defense of legal claims.Right to Restrict Processing. You may request that we restrict the processing of your personal data if:
  1. you contest its accuracy (while we verify the accuracy);
  2. processing is unlawful, and you prefer restriction over deletion
  3. we no longer need the data, but you require it for legal claims; or
  4. you object to processing, pending verification of our legitimate interests.
Right to Data Portability. You have the right to receive your personal data in a structured, commonly used, and machine-readable format and, where feasible, request the direct transfer of this personal data to another service provider.Right to Object to Processing. You have the right to object to the processing of your personal data where:
  1. processing is based on legitimate interests or public interest unless we demonstrate compelling legitimate grounds that override your interests.
  2. your data is used for direct marketing purposes, in which case we will immediately stop processing for this purpose.
Right to Withdraw Consent. If we rely on your consent to process your personal data, you have the right to withdraw that consent at any time. This will not affect the lawfulness of processing conducted before consent was withdrawn.Right to Lodge a Complaint. If you believe your privacy rights have been violated, you have the right to file a complaint with your local data protection authority (DPA).
  1. EU Residents: You can find your relevant supervisory authority here.
  2. UK Residents: You can lodge a complaint with the UK’s Information Commissioner’s Office (ICO) here.
To exercise your rights, please contact us via https://account.luvly.care/contact-form or write to us at the address set forth above.If you reside outside the European Union (EU), European Economic Area (EEA), or the United Kingdom (UK), you may have specific privacy rights under your country’s applicable data protection laws. Below is a summary of key rights based on various jurisdictions:United States – State-Specific Privacy RightsIf you are a resident of California, Virginia, Colorado, Connecticut, or other U.S. states with privacy laws, you may have certain rights under laws such as the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), and others.If applicable, you have the right to:
  1. Access Your Data: Request details about the categories and specific pieces of personal data we collect, use, disclose, or sell.
  2. Request Deletion: Ask us to delete your data, subject to legal exceptions.
  3. Opt-Out of Sale or Sharing of Data: If applicable, opt out of the sale or sharing of your data for targeted advertising or analytics purposes.
  4. Correct Your Data: Request correction of inaccurate personal information we maintain.
  5. Limit Use of Sensitive Data: If applicable, restrict the processing of sensitive personal information.
  6. Non-Discrimination: You will not be discriminated against for exercising your privacy rights.
If you are a California resident, you may also use an authorized agent to submit requests on your behalf.Canada – Personal Information Protection and Electronic Documents Act (PIPEDA)If you are a resident of Canada, you have the following rights under PIPEDA:
  1. Right to Access and Portability: Request a copy of the data we hold about you.
  2. Right to Correction: Request modifications to any inaccurate or incomplete personal information.
  3. Right to Withdraw Consent: If we process your data based on consent, you can withdraw it at any time.
  4. Right to Challenge Compliance: You can challenge our privacy practices with Canada’s Office of the Privacy Commissioner (OPC).
Brazil – Lei Geral de Proteção de Dados (LGPD)
If you are a resident of Brazil, you are entitled to rights under the LGPD, including:
  1. Right to Confirm Processing: Request confirmation on whether we process your data.
  2. Right to Access and Correction: Request access to or corrections of your data.
  3. Right to Anonymization or Blocking: Request anonymization, blocking, or deletion of unnecessary or excessive data.
  4. Right to Data Portability: Receive your data in a structured format or transfer it to another provider.
  5. Right to Withdraw Consent: Revoke your consent for data processing at any time.
For privacy concerns, you may contact the Brazilian Data Protection Authority (ANPD) at ANPD website.Australia – Privacy Act 1988 & Australian Privacy Principles (APPs)If you are a resident of Australia, you have rights under the Privacy Act 1988, including:
  1. Right to Know: Request information about how we collect, use, and disclose your data.
  2. Right to Access and Correction: Request copies of your data and corrections if inaccurate.
  3. Right to Restrict Processing: Limit how we use your personal data.
Japan – Act on the Protection of Personal Information (APPI)
If you are located in Japan, your rights under the APPI include:
  1. Right to Notification of Purpose of Use:Request details on how and why your personal data is being used.
  2. Right to Access: Request disclosure of your personal data held by us.
  3. Right to Correction or Deletion: Request correction, addition, or deletion of data that is inaccurate or outdated.
  4. Right to Suspension of Use or Erasure: Request us to stop using or delete your data if we are using it in violation of the APPI.
  5. Right to Object to Third-Party Transfer: Object to the sharing of your personal data with third parties without your consent.
We will respond to requests within a reasonable timeframe, as required by Japanese law.Mexico – Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP)If you reside in Mexico, you are granted rights under the LFPDPPP, commonly known as ARCO rights:
  1. Access: Know what personal data we hold about you and how we use it.
  2. Rectification: Request corrections to inaccurate or incomplete data.
  3. Cancellation: Request deletion of your data when it is no longer necessary or used without your consent.
  4. Objection: Object to the processing of your data for specific purposes, such as marketing.
You also have the right to revoke consent for the use of your personal data, subject to certain exceptions. To exercise your rights, you may contact our privacy team using the details in the “Contact Us” section.

HOW CAN YOU MANAGE YOUR DATA?

We provide you with the ability to access, update, and delete your personal data in accordance with applicable privacy laws.Accessing, Correcting, or Updating Your Data.You can review, modify, or update your personal data at any time by contacting us via our support form: https://account.luvly.care/contact-formDeleting Your Data. If you wish to delete your personal data, you may do so using the following methods:Option 1: Submit a request via our support form at: https://account.luvly.care/contact-formPlease include a brief description of your request.
Option 2: Delete Your Account via the App
Android Users:
Open Profile → Settings.
Select Manage Account Details.
Press Delete Account and confirm on the popup.Contact our support team via https://account.luvly.care/contact-form for final confirmation.
iOS Users:
Open Profile → Settings.
Select Profile Details.
Press Delete Account and confirm on the popup.If you purchased a subscription via the App Store or Google Play, your account will be deleted automatically with no further action required.If you purchased a subscription on our website, you must send a request to our support team via our contact form at: https://account.luvly.care/contact-formImportant Considerations for Account Deletion. If you delete your Account, you will lose access to all associated subscriptions, progress, and Content (including User-Generated Content) in the App. Once your Account is deleted, we may not be able to restore any lost data. If you purchased a subscription via our website, deleting your Account means you will no longer have access to your subscription.For any further assistance, please contact our support team via https://account.luvly.care/contact-form.

HOW WE PROCESS YOUR REQUESTS?

If you submit a request to exercise your data protection rights, we will process it as follows:Response Timeframe. We aim to respond to valid requests within 30 days from the date of receipt. If your request is complex, or we receive a high volume of requests, we may require additional time. In such cases, we will inform you of the extension and provide a revised timeline for our response.Right to Decline Requests. We reserve the right to decline requests that are manifestly unfounded, excessive, or repetitive under applicable privacy laws. If your request falls into this category, we will notify you of our decision and provide reasons where required by law.Identity Verification. To protect your privacy and prevent unauthorized access, we may request additional information to verify your identity before processing your request. This step is necessary to ensure:
  1. the requestor is entitled to access or modify the personal data;
  2. the rights and privacy of third parties are not compromised.
If we are unable to reasonably verify your identity, we may be unable to fulfill your request. We will inform you of this and provide guidance on any alternative steps you may take.

PRIVACY NOTICE FOR CALIFORNIA RESIDENTS, US

General Details. Residents of certain U.S. states, such as California, may have additional rights regarding their personal information under applicable state laws. These include the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), among other state privacy laws. Where specific legal provisions in this notice do not apply, the Privacy Policy shall govern the processing and handling of personal information.Exercising Your Rights. Only you or an authorized representative legally permitted to act on your behalf may submit a request related to your personal information. Please refer to the previous section for details on the rights available to you and how to exercise them. In addition to those rights, this section provides further information about the processing, collection, and disclosure of personal information under U.S. State Privacy Laws.Definition of Personal Information. Personal Information refers to any information that identifies, relates to, describes, or can reasonably be linked to you as an individual.Pursuant to the CCPA, the term “personal information” excludes:
  • information that is publicly available through official government sources;
  • consumer data that has been de-identified, anonymized, or aggregated in a manner that prevents re-identification
Data Controller Responsibilities. Gismart Limited is responsible for determining how your personal information is collected, used, disclosed, and shared in accordance with applicable US privacy laws, including the CCPA and other state-level privacy regulations.No Sale of Personal Information. We do not sell your personal information in exchange for money, nor are we in the business of trading or monetizing user information. However, like many online businesses, we collaborate with advertising and analytics partners to deliver relevant ads across different platforms.How This May Be Considered “Selling” or “Sharing” Under the CCPA? Under the CCPA, the sharing of personal information for targeted advertising or cross-context behavioral advertising may be classified as "selling" or "sharing", even if no money is exchanged. This means that certain activities, such as allowing advertising networks to collect identifiers or browsing behavior to show you personalized ads, could be considered data sharing under California law.Your Right to Opt-Out of Targeted Advertising and Data Sharing. Even though we do not sell your personal information for direct monetary gain, you still have the right to opt out of any sharing of your personal information with our advertising and analytics partners. This includes targeted advertising, personalized marketing, behavioral tracking and analytics-based audience insights.You can exercise this right by:
  • Submitting an opt-out request via https://account.luvly.care/contact-form
  • Adjusting your cookie and tracking preferences through our website’s settings.
  • Configuring your browser or device settings to restrict online tracking.
Please note that under California’s "Shine the Light" law (California Civil Code § 1798.83), residents of California may request information about the disclosure of their personal information to third parties for direct marketing purposes. If applicable, you may submit such a request by contacting us.Do Not Track. The "Do Not Track" (DNT) feature is a privacy preference that some web browsers offer, allowing users to indicate their preference not to be tracked by websites or online services. However, at this time, there is no universally accepted standard for implementing DNT signals, and not all browsers support this feature. Consequently, we do not currently respond to DNT signals.Request for Access: you have the right to ask for access to (i) the personal and sensitive information we have about you and how we use it; and (ii) the categories, sources, and third parties that have received your personal information or to whom it has been "sold" or disclosed in the past 12 months. You can make this request once a year at no cost. Please ensure the subject line reads "California Privacy Rights Request," and include relevant details such as your name, street address, city, state, and zip code. Once we validate your request, we will provide the requested disclosure within 30 days of receipt, unless an extension is necessary. If we require additional time due to the complexity of the request or the high volume of requests, we may extend the response period by an additional 30 days. In such cases, we will notify you within the initial 30-day period, explaining the reason for the extension and the expected response timeline.Under the CCPA, privacy rights extend beyond users to all individuals, including job applicants, employees, independent contractors, and business partners who are California residents. These individuals may request information about our information collection practices regarding their personal information and may also exercise rights to access, delete, correct, or opt out of certain information sharing as permitted under California law. To make a request, please follow the instructions outlined in this Privacy Policy.Categories of Personal Information Collected & Disclosed. We collect the following categories of personal information in connection with the Service. The table below outlines:
  1. the specific categories of personal information we collect;
  2. the business purposes for which this information is collected and disclosed;
  3. the categories of service providers to whom we have disclosed this personal information in the past 12 months.

CATEGORY

EXAMPLE

BUSINESS PURPOSE

WHO WE SHARE IT WITH

Identifiers
Name, email address, phone number, account username, IP address etc.
Facilitating business operations and service delivery.Engaging in lawful advertising, marketing, and promotional efforts.Managing account registration, authentication, and support functions.Maintaining, enhancing, and safeguarding the functionality, reliability, and security of the Service.
Advertising platforms, technology and service providers, analytics and research firms, cloud storage providers, social media companies, business partners, affiliated companies, and payment processors.
Physical characteristics as indicated by you
Height, weight, or other self-reported physical attributes.
Facilitating business operations and service delivery.Engaging in lawful advertising, marketing, and promotional efforts.Maintaining, enhancing, and safeguarding the functionality, reliability, and security of the Service.
Advertising platforms, technology and service providers, analytics and research firms, cloud storage providers.
Gender and age, as identified by you
Gender and age details as voluntarily provided by you.
Facilitating business operations and service delivery.Engaging in lawful advertising, marketing, and promotional efforts.Maintaining, enhancing, and safeguarding the functionality, reliability, and security of the Service.
Advertising platforms, technology and service providers, analytics and research firms, cloud storage providers.
Wellness data to the extent it contains identifying information
Any exercise or activity-related data that may be associated with your identity.
Facilitating business operations and service delivery.Engaging in lawful advertising, marketing, and promotional efforts.Maintaining, enhancing, and safeguarding the functionality, reliability, and security of the Service.
Technology and service providers, analytics and research firms, cloud storage providers.
Visual or similar information to the extent it contains identifying information
Photos, User-Generated Content or other materials created within our Service.
Facilitating business operations and service delivery.Maintaining, enhancing, and safeguarding the functionality, reliability, and security of the Service.
Technology and service providers, analytics and research firms, cloud storage providers
Payment information
Purchase history, transaction details, subscription data etc.
Facilitating business operations and service delivery.Processing transactions, fraud detection, maintaining financial records
Payment processors
Internet or network activity
Browsing history, usage logs, App interactions, cookies etc.
Facilitating business operations and service delivery.Maintaining, enhancing, and safeguarding the functionality, reliability, and security of the Service.
Advertising platforms, technology and service providers, analytics and research firms, cloud storage providers.
Geolocation data
Approximate location based on IP address etc.
Facilitating business operations and service delivery.Maintaining, enhancing, and safeguarding the functionality, reliability, and security of the Service.
Advertising platforms, technology and service providers, analytics and research firms, cloud storage providers.
Inferences drawn from personal information
User preferences, behavioral trends, if applicable, etc.
Facilitating business operations and service delivery.Engaging in lawful advertising, marketing, and promotional efforts.Maintaining, enhancing, and safeguarding the functionality, reliability, and security of the Service.
Advertising platforms, technology and service providers, analytics and research firms, cloud storage providers, social media companies, business partners, and affiliated companies.

PRIVACY NOTICE FOR VIRGINIA, CONNECTICUT, COLORADO, UTAH, AND NEVADA, US

We include this section for residents of other US states with privacy laws that may impact them. These privacy laws include the Virginia Consumer Data Privacy Act (“VCDPA”), the Connecticut Data Privacy Act (“CTDPA”), the Utah Consumer Privacy Act (“UCPA”), the Colorado Privacy Act (“CPA”), and the Nevada Privacy Law (“NPL”), the Montana Consumer Data Privacy Act (“MCDPA”), the Oregon Consumer Privacy Act (“OCPA”), and the Texas Data Privacy and Security Act (“TDPSA”). This section is intended to comply with these laws by supplementing the information provided elsewhere in the Privacy Policy.Collection of Personal Information. We may collect personal information as described and categorized elsewhere in this Privacy Policy. The specific definitions of sensitive information vary by state law.Use of Personal Information. We may collect, use, and disclose personal information for the purposes outlined in this Privacy Policy. This includes providing services, improving our products, and complying with legal obligations.Disclosure of Personal Information. We may disclose personal information to third parties and service providers as described in this Privacy Policy. We ensure such disclosures comply with applicable laws to protect your privacy and rights.General Privacy RightsResidents of Colorado, Connecticut, Virginia, Utah, Montana, Oregon, and Texas are entitled to the following rights concerning their personal information:
  1. Access: You have the right to request and receive a copy of the personal information we have collected about you.
  2. Correction: You can request corrections to inaccurate or outdated personal information.
  3. Deletion: You have the right to request the deletion of your personal information, subject to specific exceptions under the law.
  4. Data Portability: You can request that personal information be provided in a portable, easy-to- read format to enable its transfer to another service provider.
  5. Opt-Out Rights:
    • Targeted Advertising: You can opt out of your personal information being used for targeted advertising.
    • Sale of Personal Information: You can opt out of the sale of your personal information to third parties. Note: We do not sell personal information for monetary consideration.
    • Profiling: You can opt out of automated decision-making processes that profile you for significant decisions, such as those affecting your legal, financial, or employment status.
State-Specific Rights.Each state has unique provisions under its privacy laws. Below are additional details for residents of Montana, Oregon, Texas, and Nevada.Montana
  • Profiling Opt-Out*: You may opt out of the use of your personal information for profiling purposes.
  • Data Sales Opt-Out: You can opt out of the sale of personal information.
*We do not engage in profiling or sell personal information for monetary consideration.
Oregon
  • Access, Correction, and Deletion Rights: You can request access to your personal information, correct inaccuracies, or request its deletion.
  • Data Sales and Targeted Advertising Opt-Out: You have the right to opt out of the sale of your personal information and the use of your information for targeted advertising.
  • Compliance: We fully comply with the requirements of the Oregon Consumer Privacy Act (OCPA) to safeguard your rights and personal information.
Texas
  • Transparency: You have the right to know the types of personal information we collect, process, and store about you.
  • Data Correction and Deletion: You may request corrections to inaccuracies or deletion of your personal information.
  • Opt-Out Rights: You can opt out of targeted advertising and profiling practices.
Nevada
  • Sale of Information*: Nevada residents have a limited right to opt out of the sale of personal information.
*We do not engage in selling personal information for monetary consideration.How to Exercise Your Rights.To exercise any of the rights outlined above:
  1. Submit a Request: Contact us using the methods specified in our Privacy Policy. Include your full name, state of residence, and details of the request to help us process it efficiently.
  2. Verification Process: We may require you to verify your identity to protect your personal information and comply with legal obligations.
  3. Response Timeline: We will respond to verifiable requests within the timeframe specified by applicable state laws (typically 30 to 45 days).