1. Who We Are
GlideRun is operated by GlideRun Ltd., a technology company providing AI workflow automation services to businesses. GlideRun provides AI workflow automation services to business customers, primarily in the European Union.
For GDPR purposes, GlideRun acts as a Data Processor when processing customer data to deliver automation services, and as a Data Controller for data collected through our website, demo booking flow, marketing activities, and direct business communications.
This Privacy Policy explains how we collect, use, share, retain, and protect personal data. It applies to business representatives who interact with GlideRun, not to consumer-facing services.
2. Data We Collect
We collect contact and account data such as name, work email, company name, job title, country, company size, and role. We collect booking data such as calendar preferences, call type, automation challenge, and source attribution.
We collect usage data related to automation services, including automation run logs, timestamps, API call metadata, system events, and operational status. We do not intentionally collect personal end-user content unless a customer configures a workflow to process it.
We collect technical data such as IP address, browser type, device data, session data, cookies, and page interaction data. We also collect communication data, including emails, support tickets, meeting notes, and call recordings where consent has been obtained.
We do not collect special category data, including health, biometric, political, religious, or trade-union data, through our platform by default. We do not collect data from individuals as consumers; our services are provided to business customers and their authorised representatives.
3. Legal Basis for Processing (GDPR)
Where GlideRun acts as Controller, we process personal data only where a lawful basis under GDPR Article 6 applies. Where GlideRun acts as Processor, we process personal data only on documented customer instructions under the applicable Data Processing Agreement.
| Data Type | Purpose | Legal Basis | Retention Period |
|---|---|---|---|
| Contact and account data | Demo booking, onboarding, account administration | Contract performance, Art. 6(1)(b) | Contract term + 2 years |
| Usage and security data | Service delivery, monitoring, fraud prevention | Legitimate interests, Art. 6(1)(f) | 12 months rolling unless audit retention applies |
| Marketing preferences | Marketing emails and event invitations | Consent, Art. 6(1)(a) | Until withdrawal or 3 years inactive |
| Tax and audit records | Legal, accounting, and compliance obligations | Legal obligation, Art. 6(1)(c) | 7 years |
Legitimate interests are assessed to ensure they are not overridden by the rights and freedoms of data subjects. Consent can be withdrawn at any time without affecting processing that occurred before withdrawal.
4. How We Use Your Data
We use data to deliver and improve automation services, configure integrations, monitor workflows, troubleshoot incidents, and communicate about service updates, account matters, security events, and support requests.
We use audit logs and compliance records to maintain regulatory evidence, support customer audits, and verify that automations operate within agreed instructions. Marketing communications are sent only where permitted by law and, where required, based on explicit consent.
We never sell personal data. We never use customer automation data to train our models unless a customer provides explicit written consent in a separate agreement.
5. Data Sharing and Processors
We use carefully selected sub-processors to provide hosting, compliance infrastructure, email delivery, and website operations. Each sub-processor is contractually bound by GDPR-compliant data processing terms.
- CompliVibe (complivibe.in): compliance infrastructure, EU AI Act documentation, audit logging, and regulatory evidence management. Data Processing Agreement in place. EU data residency controls apply.
- AWS (eu-central-1, Frankfurt): cloud hosting and data storage.
- Azure (westeurope, Amsterdam): alternative hosting region where selected by customer.
- Resend: transactional email delivery.
- Vercel: website hosting. No customer automation data is stored in Vercel.
A full sub-processor list is available on request. GlideRun remains responsible for ensuring sub-processors process data only within the scope permitted by customer agreements.
6. International Data Transfers
Where transfers of personal data from the European Economic Area to India occur, they are governed by Standard Contractual Clauses under GDPR Article 46 where an adequacy decision does not apply.
Customers receive signed Standard Contractual Clauses as part of their Data Processing Agreement. Operational customer data is processed within the EU, typically in Frankfurt or Amsterdam, and does not leave EU borders except where an approved transfer mechanism is in place.
7. Data Retention
We retain data only for as long as necessary to provide services, satisfy legal obligations, resolve disputes, maintain audit trails, and enforce agreements.
| Data Category | Retention Period |
|---|---|
| Account data | Duration of contract + 2 years |
| Automation run logs | 12 months rolling |
| Compliance audit logs | 7 years where required for regulatory evidence |
| Marketing data | Until consent withdrawn or 3 years inactive |
| Support records | 2 years after ticket closure |
8. Your Rights (GDPR)
Subject to applicable conditions, individuals may exercise the right of access under Article 15, rectification under Article 16, erasure under Article 17, restriction under Article 18, portability under Article 20, objection under Article 21, and rights related to automated decision-making under Article 22.
Requests can be submitted to privacy@gliderun.ai. We respond within 30 calendar days unless a lawful extension applies. We do not charge a fee unless a request is manifestly unfounded or excessive.
Where GlideRun acts as Processor, we will refer the request to the relevant customer Controller and provide reasonable assistance in fulfilling it.
10. Security
GlideRun uses TLS 1.3 for data in transit and AES-256 encryption for data at rest. Internal access is role-based, requires MFA, and is limited to authorised personnel with a legitimate business need.
We conduct annual penetration testing, maintain incident response procedures, and notify affected customers and supervisory authorities within GDPR Article 33 timelines where a notifiable breach occurs.
CompliVibe's Evidence Vault supports hash-chained, tamper-evident audit logs for compliance events and automation runs.
11. Changes to This Policy
We may update this Privacy Policy to reflect changes in law, services, sub-processors, or operational practices. Material changes will be notified by email at least 30 days before they take effect.
Continued use of GlideRun services after the effective date of a notified change constitutes acceptance of the updated policy, except where law requires renewed consent.
12. Contact and Complaints
Privacy requests should be sent to privacy@gliderun.ai. Our standard response time is 30 calendar days.
EU Representative: [placeholder — required under GDPR Article 27 for non-EU companies]. Individuals also have the right to complain to their local EU data protection supervisory authority.
Last updated: June 1, 2025
Questions? Contact legal@gliderun.ai.