Privacy
Privacy Policy
Effective date: [DATE]
Controller: [LEGAL ENTITY NAME] ("Glint", "we", "us"), [company number / "incorporation pending"], [registered address]
Contact: []
Data protection contact / DPO: [name or "not yet appointed; confirm whether required"]
1. Who this is for and what it covers
This policy explains what personal data Glint collects when you use the Service at [app.withglint.co], why we collect it, how we protect it, and the rights you have. It is written to meet the UK GDPR and the EU GDPR. If you are in California or another region with its own rules, the "Your rights" section notes how those apply. [Confirm target regions with counsel.]
2. The data we collect
You give us:
- Account and context data. Your name, email, role, industry, years of experience, and a short bio or profile. At sign-up you may add context by uploading a CV or giving a LinkedIn URL, or by filling a short form.
- Content samples. Authentic-voice material you choose to provide or link, such as posts, articles, newsletters, podcast or video links, or transcripts. We do not scrape this. It is only what you give or link. [confirm: Edwin] on the ingestion methods actually enabled at launch.
- Your drafts. The text you paste in for diagnosis.
- Captured insights (your "Gems"). The anecdotes, judgements, and points of view Glint draws out during a session, and the memory it builds from them.
- Voice input. If you use voice, your speech is transcribed to text. Audio is discarded by default after transcription. [confirm: Edwin]
- Beta and contact data. If you join the early-access list, your email address and any details you provide.
We collect automatically:
- Usage and technical data. Basic logs needed to run and secure the Service, such as requests, timestamps, error events, access-code usage, and device or browser information. [confirm: Edwin] on exactly what is logged and by which tools (for example Supabase logs, Langfuse traces).
We try to keep collection to what the Service needs. Please do not paste other people's sensitive personal data into your drafts unless you have a lawful basis to do so.
3. Why we use your data, and our legal bases
We do not use your content to train foundation models, and we bind our AI providers not to train on it. [confirm: Edwin] on the exact provider terms.
4. How AI processing works
To diagnose a draft and run the conversation, Glint sends the relevant text to AI model providers through our own secure backend. Prompts are managed in a prompt-management system (Langfuse) and provider keys are held server-side, never in your browser. [confirm: Edwin] on the final production list of model providers and whether any draft text is retained in prompt-management traces.
Current providers in the AI path (to be confirmed and finalised by Edwin):
- Anthropic (Claude models) for diagnosis and conversation.
- [Other model providers via the model-bridge, if any at launch] [confirm: Edwin].
5. Who we share data with (subprocessors)
We do not sell your personal data. We share it only with service providers that process it on our behalf, under contract, to run the Service:
We keep the current list available and update it when it changes. [Consider a public subprocessor page.]
6. International transfers
Your data is stored in the EU ([eu-west-1]). [confirm: Edwin] Some providers (for example AI model providers) may process data outside the UK/EU. Where that happens, we rely on appropriate safeguards such as the UK International Data Transfer Agreement or the EU Standard Contractual Clauses. [confirm: Edwin / counsel] which providers transfer data and which safeguards apply.
7. How long we keep it
- We keep Your Content and account data while your account is active and for as long as needed to provide the Service.
- Voice audio is discarded by default after transcription. [confirm: Edwin]
- Backups and logs are kept for a limited period, then deleted or rotated. [confirm: Edwin] on the exact windows.
- When you delete content or close your account, we delete or de-identify your personal data within [X days], except copies we must keep briefly for backups or to meet a legal duty. [confirm: Edwin on the deletion workflow across Supabase, AI-provider logs, and Langfuse traces.]
8. Your rights
Under the UK/EU GDPR you can ask us to:
- give you a copy of your data (access);
- correct data that is wrong (rectification);
- delete your data (erasure);
- export your data in a portable format (portability), and Glint is designed so you can export all your data layers;
- restrict or object to certain processing;
- withdraw consent you gave, at any time.
To exercise a right, contact []. We respond within one month. You can also complain to your data-protection regulator (in the UK, the Information Commissioner's Office at ico.org.uk). [Confirm the lead supervisory authority with counsel.]
If you are in California, you have similar rights to know, delete, correct, and opt out of "sale" or "sharing" of personal information. We do not sell your personal information. [Confirm CCPA applicability with counsel.]
9. Security
We take reasonable technical and organisational measures to protect your data. These include, subject to Edwin's confirmation before publishing:
- Encryption in transit for data moving between you, our backend, and our providers. [confirm: Edwin]
- Encryption at rest for the database and stored files. [confirm: Edwin]
- Access isolation so you can only access your own data, enforced by row-level security on user-owned data. [confirm: Edwin]
- Secret management, with provider and service keys held server-side (Supabase secrets and a shared secrets vault), never exposed in the browser. [confirmed in engineering docs; reconfirm: Edwin]
- Access controls limiting who on the team can reach production data. [confirm: Edwin]
- A process to detect and, where required, report personal-data breaches to regulators and affected users. [confirm: Edwin]
No service can promise perfect security, but we work to protect your data and to keep these measures current.
10. Cookies and analytics
The Service uses only the cookies and similar technologies it needs to work and to keep you signed in, plus any analytics we disclose. [confirm what is actually used; if any non-essential analytics or marketing cookies are added, add a cookie banner and consent.]
11. Children
The Service is for adults (18+) and is not directed at children. We do not knowingly collect data from children.
12. Changes to this policy
We may update this policy as the Service develops. If a change is material, we will give reasonable notice. The effective date at the top shows when it last changed.
13. Contact
Privacy questions or requests: []. Security concerns: [].