Privacy Policy

1. Introduction

Welcome to Glow Reports ("we," "our," or "us"). We are committed to protecting your privacy and ensuring transparency about how we collect, use, and protect your personal information. This Privacy Policy explains our practices regarding data processing in compliance with the General Data Protection Regulation (GDPR) and other applicable privacy laws.

Glow Reports is an AI-powered data analysis and report generation platform that helps users transform their data into insights. Our services are available at glowreports.com (landing page) and app.glowreports.com (application). Our infrastructure operates under SOC2 security standards with EU-based servers to ensure maximum data protection.

2. Data Controller Information

3. Information We Collect

3.1 Account Information

• Authentication Data: Email address, name, profile picture (via Google OAuth or Microsoft Entra ID)
• Account Details: Username, first name, last name, organization information
• Preferences: Theme settings, font preferences, notification preferences

3.2 Usage Data

• Application Usage: Features used, reports created, analysis requests
• Technical Data: IP address, browser type, device information, session data
• Performance Data: Error logs, performance metrics (via Sentry)

3.3 Content Data

• Uploaded Files: Excel, CSV, and other data files you upload
• Reports: Generated reports, analysis results, custom content
• Messages: Chat interactions with AI assistant
• Images: Charts, graphs, and other visual content you create

4. How We Use Your Information

4.1 Service Provision

• Authenticate and authorize access to your account
• Process and analyze your data to generate reports
• Store and organize your files and reports
• Provide AI-powered insights and recommendations

4.2 Service Improvement

• Monitor application performance and identify issues
• Analyze usage patterns to improve features (via PostHog)
• Debug technical problems and enhance security
• Develop new features and capabilities

4.3 Legal Basis for Processing (GDPR)

• Contract Performance: Processing necessary to provide our services
• Legitimate Interest: Improving service quality and security
• Consent: Optional third-party AI analysis (OpenAI)
• Legal Compliance: Meeting regulatory requirements

5. Third-Party Services

5.1 OpenAI (Optional)

• Purpose: Enhanced AI analysis when explicitly enabled by user
• Data Shared: Report content and uploaded file data (no personal information)
• Control: Completely optional - you can disable at any time
• Policy: OpenAI Data Usage Policies

5.2 PostHog (Analytics)

• Purpose: Anonymous usage analytics and product insights
• Data Shared: Feature usage, page views, technical metrics
• Privacy: No personal identifiers, anonymized data only

5.3 Sentry (Error Tracking)

• Purpose: Monitor application errors and performance
• Data Shared: Error logs, stack traces, technical diagnostics
• Privacy: Automatically scrubs personal information from logs

5.4 Authentication Providers

• Google OAuth: Receives basic profile information during login
• Microsoft Entra ID: Receives basic profile information during login
• Usage: Only for authentication - no ongoing data sharing

6. Data Storage and Security

6.1 Infrastructure

• Location: All servers located in the European Union
• Standards: SOC2 Type II compliance for security controls
• Database: PostgreSQL with encryption at rest
• File Storage: MinIO with secure object storage

6.2 Security Measures

• End-to-end encryption for data transmission
• Regular security audits and vulnerability assessments
• Access controls and authentication mechanisms
• Automated backup and disaster recovery procedures
• 24/7 monitoring and incident response

6.3 Data Retention

• Account Data: Retained while account is active
• Reports and Files: Retained until deleted by user or account closure
• Usage Analytics: Aggregated data retained for 2 years
• Error Logs: Retained for 90 days for debugging purposes

7. Your Rights Under GDPR

As an EU data subject, you have the following rights:

7.1 Access and Portability

• Right to Access: Request a copy of your personal data
• Data Portability: Receive your data in a machine-readable format
• Implementation: Available through account settings or by contacting support

7.2 Correction and Deletion

• Right to Rectification: Correct inaccurate personal data
• Right to Erasure: Delete your personal data ("right to be forgotten")
• Account Deletion: 24-hour grace period for account deletion requests

7.3 Processing Controls

• Right to Restrict: Limit how we process your data
• Right to Object: Object to processing based on legitimate interests
• Withdrawal of Consent: Withdraw consent for optional features (e.g., OpenAI analysis)

7.4 Exercising Your Rights

To exercise any of these rights, please contact us at support@glowreports.com. We will respond within 30 days as required by GDPR.

8. Cookies and Tracking

8.1 Essential Cookies

We use essential cookies that are necessary for the website to function properly. These cannot be disabled as they are required for:

• User authentication and session management
• Security and fraud prevention
• Storing your preferences and settings
• Ensuring proper functionality of our services

8.2 Analytics Cookies

We use analytics cookies (PostHog) to understand how users interact with our service. These help us improve the user experience and are always anonymized. These are always active to ensure we can maintain and improve our service quality.

9. International Data Transfers

Our primary infrastructure is located in the European Union, ensuring GDPR compliance. When we do transfer data internationally (such as to OpenAI when you enable third-party analysis), we ensure appropriate safeguards are in place, including:

• Adequacy decisions by the European Commission
• Standard Contractual Clauses (SCCs)
• Explicit user consent for optional services
• Data minimization (only content data, never personal information)

10. Data Breach Notification

In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will:

• Notify the relevant supervisory authority within 72 hours
• Inform affected users without undue delay
• Provide clear information about the nature and impact of the breach
• Outline the measures taken to address the breach
• Provide recommendations to protect your data

11. Children's Privacy

Our service is not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately so we can delete such information.

12. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices or legal requirements. We will notify you of any material changes by:

• Posting the updated policy on our website
• Sending email notifications for significant changes
• Displaying in-app notifications when you next log in

Your continued use of our service after changes take effect constitutes acceptance of the updated policy.

13. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

You also have the right to lodge a complaint with your local data protection authority if you believe we have not adequately addressed your concerns.

14. Supervisory Authority

If you are not satisfied with our response to your privacy concerns, you have the right to lodge a complaint with the relevant data protection authority in your EU member state. A list of data protection authorities can be found at: https://edpb.europa.eu/about-edpb/board/members_en