Glidebase

AI-First Client Management

Privacy Policy

Last updated: February 25, 2026

1. Introduction

Glidebase ("we," "us," or "our") operates an AI-powered agency management platform. This privacy policy explains exactly what personal data we collect, how we use it, who we share it with, and your rights under the General Data Protection Regulation (GDPR), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), and other applicable privacy laws.

Data Controller: For agency account owners, Glidebase acts as the data controller for account data and as a data processor for client data managed through the platform. Agencies are the data controllers for their clients' personal data.

2. Information We Collect

2.1 Information You Provide

  • Account information: Name, email address, password (stored as a bcrypt hash, never in plaintext)
  • Agency information: Agency name, billing configuration
  • Client data: Client names, company names, email addresses, phone numbers, addresses, billing details, internal notes
  • Task and project data: Task titles, descriptions, comments, time logs, work descriptions
  • Email content: When you connect your email, we process inbound and outbound email messages including sender/recipient addresses, subject lines, and email body content
  • SMTP credentials: If you configure outbound email, we store your SMTP server credentials (passwords are encrypted using AES-256-CBC encryption)

2.2 Information Collected Automatically

  • IP addresses: Recorded during registration, consent actions, login, and portal access for security and audit purposes
  • User agent strings: Browser and device information recorded with consent actions
  • Session data: Authentication cookies, CSRF tokens, session context (pages visited within the app)
  • Usage data: AI feature usage (token counts, features used, timestamps)

2.3 Information Generated by AI Processing

Our platform uses artificial intelligence to generate derived data from your content. This constitutes automated profiling under GDPR Article 22. The following data is generated:

  • Email sentiment analysis: Mood indicators (e.g., frustrated, satisfied), urgency scores, risk assessments
  • Client mood tracking: Frustration and satisfaction levels (0-10 scale) derived from email communication patterns
  • Task prioritization: AI-suggested task priorities and smart actions
  • Daily briefings: AI-generated summaries of daily priorities
  • Email draft suggestions: AI-generated email response drafts
  • Action item extraction: Automatically identified action items from email threads

These AI-generated insights are advisory only and do not result in decisions that produce legal or similarly significant effects. You can request all AI-derived data about you via the data export feature in your privacy settings.

3. How We Use Your Information

  • Provide the service: Process your data to deliver task management, email management, time tracking, and team collaboration features
  • AI-powered features: Send portions of your data to our AI provider (see Section 4) to generate insights, summaries, and recommendations
  • Security: Detect and prevent fraud, abuse, and unauthorized access using IP logging, rate limiting, and abuse detection
  • Communication: Send you service-related emails (password resets, email verification, account notifications)
  • Legal compliance: Maintain records required by law, respond to legal requests

Legal Basis for Processing (GDPR Article 6)

  • Contract performance (Art. 6(1)(b)): Processing necessary to provide the service you signed up for
  • Consent (Art. 6(1)(a)): AI processing of your data, marketing communications
  • Legitimate interest (Art. 6(1)(f)): Security monitoring, fraud prevention, service improvement
  • Legal obligation (Art. 6(1)(c)): Tax and billing record retention

4. Third-Party Data Sharing

We do not sell your personal data. We share data with the following third-party services strictly for the purposes described:

Service | Purpose | Data Shared
Google Gemini AI | Email analysis, sentiment scoring, briefing generation, smart actions, draft suggestions | Truncated email content (up to 1000 chars per message), task summaries, client context. We do not send passwords, SMTP credentials, or financial account numbers.
Postmark | Inbound email processing via webhooks | Full email content as received (headers, body, sender/recipient addresses)
Mailgun | Alternative inbound email processing | Full email content as received (headers, body, sender/recipient addresses)
Stripe | Payment processing and subscription management | Agency name, billing email, payment method tokens
Your agency's SMTP provider | Outbound email delivery (Gmail, Outlook, or custom SMTP) | Outbound email content, sender/recipient addresses. Uses your own SMTP credentials.

International data transfers: Google Gemini API processes data in Google's infrastructure, which may include servers in the United States. Postmark and Stripe are US-based companies. These transfers are governed by their respective data processing agreements and Standard Contractual Clauses where applicable.

AI data usage: We use Google Gemini's API, which processes your data to generate responses but does not use your data to train Google's models per Google's API Terms of Service.

5. Your Rights Under GDPR

If you are in the European Economic Area (EEA) or UK, you have the following rights:

  • Right of access (Art. 15): Request a copy of all personal data we hold about you, including AI-derived data
  • Right to rectification (Art. 16): Correct inaccurate personal data via your profile settings
  • Right to erasure (Art. 17): Request permanent deletion of your account and all associated data. After a 30-day grace period, all PII is permanently erased including anonymization of associated records.
  • Right to data portability (Art. 20): Download all your data in machine-readable JSON format
  • Right to withdraw consent (Art. 7(3)): Withdraw marketing consent at any time from privacy settings
  • Right to object to automated decision-making (Art. 22): Our AI features generate advisory insights only and do not make automated decisions with legal or significant effects. You may contact us to object to specific processing.

Exercise these rights from your Privacy Settings page, or contact us at privacy@glidebase.io.

6. Your Rights Under CCPA/CPRA (California Residents)

If you are a California resident, you have additional rights under the California Consumer Privacy Act:

  • Right to know: You may request the categories and specific pieces of personal information we have collected, the sources, the business purposes, and the categories of third parties with whom we share it
  • Right to delete: You may request deletion of your personal information, subject to legal exceptions
  • Right to opt out of sale/sharing: We do not sell personal information. You may opt out of sharing your data with third-party AI services via the "Do Not Sell or Share My Personal Information" toggle in your Privacy Settings. This will disable AI-powered features.
  • Right to limit use of sensitive personal information: You may request we limit use of sensitive personal information to what is necessary to provide the service
  • Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights

Categories of Personal Information Collected (CCPA)

  • Identifiers: Name, email address, IP address, account ID
  • Commercial information: Subscription tier, billing history
  • Internet activity: Feature usage, pages visited, session data
  • Professional information: Agency name, client relationships, task and project data
  • Inferences: AI-generated sentiment scores, mood indicators, priority recommendations

7. Data Retention

We retain data for the following periods:

Data Category | Retention Period
Account data (profile, preferences) | Until account deletion + 30-day grace period
Email messages | Until account deletion
Tasks, time logs, comments | Until account deletion
AI audit logs (prompts) | 90 days, then permanently deleted
AI abuse logs | 90 days, then permanently deleted
AI usage logs (token counts) | 12 months, then permanently deleted
Activity logs | 90 days
Data exports | 30 days after generation, then automatically deleted
Billing records | 7 years (legal requirement)
Password reset tokens | 60 minutes

When you request account deletion, after a 30-day cancellation grace period, we permanently erase all your personal data. This includes force-deleting your account record, deleting all AI logs, anonymizing your comments and time log descriptions, and removing your avatar. Orphaned records (tasks you created, emails you sent) are anonymized to preserve data integrity for other agency members.

8. Security

We implement the following security measures:

  • Passwords hashed using bcrypt (cost factor 12)
  • SMTP credentials encrypted using AES-256-CBC (Laravel Crypt)
  • CSRF protection on all forms
  • Rate limiting on authentication endpoints (5 attempts/minute)
  • HTTP-only, encrypted session cookies
  • Webhook signature verification (HMAC-SHA256 for Mailgun, token-based for Postmark)
  • AI abuse detection and IP blocking
  • Multi-tenant row-level data isolation
  • Soft deletes with eventual hard deletion for account erasure

No method of electronic transmission or storage is 100% secure. If you discover a security vulnerability, please report it to security@glidebase.io.

9. Cookies

We use essential cookies for authentication (session cookies, CSRF tokens) and functional cookies for preferences (theme). We do not use third-party advertising or tracking cookies. See our Cookie Policy for details.

10. Client Portal

If your agency grants you access to the Client Portal, you can view tasks assigned to your projects and add comments. Your portal activity (pages viewed, IP address) is logged for security purposes. The agency that invited you is the data controller for your portal data; Glidebase acts as their data processor.

11. Children's Privacy

Glidebase is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children.

12. Changes to This Policy

We may update this privacy policy to reflect changes in our practices or legal requirements. We will notify you of material changes by email or through an in-app notification at least 30 days before the changes take effect. Your continued use after the effective date constitutes acceptance.

13. Contact Us

For privacy questions, data requests, or complaints:
Email: privacy@glidebase.io

If you are in the EU/EEA and are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority.