This Privacy Policy explains what personal data Glim ("Glim", the "Service", "we", "us") collects when you use the Service, how we use it, who we share it with, and the choices available to you.
1. What we collect
Information you provide
- Account data: email address, password (stored only as an Argon2id hash), and — if you sign in via Google, Discord, Telegram, or X — the minimum profile fields the provider returns (account id, display name, verified email).
- Inputs & Outputs: images or other media you upload, prompts you supply, and the generations produced in response.
- Payment metadata: order id, pack purchased, amount, currency, payment channel, Stripe payment identifiers, and transaction status. We never store your credit card number, expiry, or CVC; those are handled by Stripe.
- Support communications: email threads, Feedback submissions, and any information you include when contacting us.
Information collected automatically
- Usage metadata: which templates you use, how many credits you spend, generation timestamps, approximate device / browser info from request headers, and IP addresses (used for rate limiting, abuse detection, and geographic service availability).
- Moderation records: for every upload and every generated output, our automated content-safety systems may analyze the media and store a moderation event (verdict, policy, detection labels, confidence, file type, and size) for safety, audit, and compliance purposes.
- Session cookies: a single first-party cookie that keeps you signed in.
- Product analytics and advertising attribution events: when analytics or advertising pixels are enabled, PostHog, Meta, and TikTok may receive page views and conversion events such as landing-page views, account registration, checkout starts, purchases, and generation starts. We do not send prompts, uploaded images, generated media, passwords, or payment card numbers in these events.
2. How we use your data
- Deliver and operate the Service (authentication, generations, credit accounting, moderation);
- Send transactional email — verification codes, invoices, account notices — via our email vendor;
- Detect, prevent, and investigate abuse, fraud, and violations of our Terms;
- Enforce our Content Safety Policy, including by scanning uploads before storage and generated outputs before delivery;
- Improve and troubleshoot the Service (aggregated, not at the individual level);
- Measure product usage, conversion funnels, and paid advertising campaigns when analytics or ad pixels are enabled;
- Comply with legal obligations and respond to lawful requests.
We do not sell your personal data. We do not use your Inputs or Outputs to train generative AI models that go beyond your own account's personalization.
3. Who processes your data on our behalf
We rely on a small set of well-known sub-processors:
- Neon (US) — managed PostgreSQL hosting for account and generation metadata.
- Cloudflare R2 — object storage for your uploaded Inputs and generated Outputs. Served via Cloudflare's global edge.
- Stripe — payment processing for card payments, supported wallets, checkout, fraud screening, receipts, and related payment compliance.
- Resend — transactional email delivery (verification codes and similar service emails).
- Google / Discord / X / Telegram (OAuth) — only when you use the corresponding sign-in option.
- PostHog — product analytics, funnels, retention, and session-level usage measurement, only when PostHog is configured on the website.
- Meta and TikTok — advertising measurement and attribution, only when the corresponding advertising pixels are configured on the website.
Each sub-processor receives only the data necessary to perform its function, under contractual confidentiality and data-protection commitments.
4. International transfers
The Service is operated from infrastructure located in the United States and the European Union. If you are accessing Glim from a different region, your data will be transferred to and processed in those locations.
5. Retention
We retain account and generation data for as long as your account is active. After account deletion, personal data is removed within 90 days, except (a) records we are legally required to retain (e.g. financial records for tax purposes — typically 7 years), and (b) anonymized or aggregated data that can no longer be linked to you.
6. Your rights
Depending on your jurisdiction, you may have the right to:
- Access the personal data we hold about you;
- Correct inaccurate data;
- Delete your account and associated personal data (subject to Section 5);
- Export your data in a portable format;
- Object to or restrict certain processing;
- Lodge a complaint with your local data-protection authority.
To exercise any of these rights, email [email protected] from the email address on your account, or send the request while signed in through Feedback.
7. Security
Data is encrypted in transit (HTTPS) and at rest at our sub-processors. Passwords are stored as Argon2id hashes; payment card numbers never touch our servers. Administrative access to production data is role-restricted and audit-logged.
8. Children
Glim is not intended for children under 18. We do not knowingly collect personal data from children under 18. If you believe a child has provided us with personal data, please contact us so we can delete it.
9. Changes
We may update this Privacy Policy from time to time. Material changes will be reflected in the "Last updated" date above and, where appropriate, announced by email or in-product notice.
10. Contact
Glim is operated by our Hong Kong business entity. Privacy questions, data requests, or business contact requests: email [email protected] or send us an in-product message through Feedback.