Privacy Policy

• Account information — your name, email address, and authentication credentials when you create an account.
• Business data you provide — the records you create or import to run your business: contacts and clients, projects, invoices and payment schedules, contracts, files, galleries, calendar/booking details, and messages. You are responsible for the personal data of your own clients that you choose to store in Gliss.
• Payment information — when you accept payments, card and bank details are collected and processed by our payment processor (Stripe). Gliss does not store full card numbers; we retain limited metadata (e.g., amounts, status, last four digits) needed to show you your transactions.
• Connected-account data— if you connect a third-party account (such as Google Calendar), we access only the data needed for the feature you enabled (see “Google user data” below).
• Usage and device data — basic logs, IP address, and technical information used to operate, secure, and improve the Service.

We use a small set of trusted providers to operate the Service. They process data only on our instructions and only to provide their function:

• Supabase — database, authentication, and hosting of your application data.
• Cloudflare R2 — storage of files, photos, and video you upload.
• Stripe — payment processing.
• Resend — transactional email delivery (e.g., confirmations and reminders).
• Twilio — SMS notifications, where you enable them.
• Mux — video hosting and playback.
• AssemblyAI — audio transcription for meeting notes you choose to upload.
• Anthropic — AI features (e.g., draft summaries and action plans). Inputs are processed to generate outputs and are not used to train third-party models.
• Google — Google Calendar integration (see below).

When you connect a Google account, Gliss requests permission to read your calendar free/busy times and to create and update calendar events. We use this access for a single, transparent purpose:

• Free/busy (read) — to check when you are already busy so the Service does not offer or accept a double-booked time slot. We store only opaque busy time intervals (start/end). We do not read event titles, descriptions, attendees, or attachments.
• Events (write) — to add or update an event on your calendar when a booking is confirmed, rescheduled, or cancelled, so your calendar stays in sync.

Your Google OAuth tokens are encrypted at rest and used only to provide these scheduling features. You can disconnect the integration at any time from Settings, or revoke access directly at myaccount.google.com/permissions.

Limited Use.Gliss’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including its Limited Use requirements. We do not sell Google user data, use it for advertising, transfer it to third parties except as necessary to provide or improve the Service (or as required by law), and we do not allow humans to read it except with your consent, for security, to comply with law, or where the data is aggregated and anonymized.

• To provide, maintain, secure, and improve the Service.
• To process payments, send transactional messages, and operate the features you enable (scheduling, reminders, galleries, etc.).
• To respond to support requests and communicate with you.
• To detect, prevent, and address fraud, abuse, and security issues.
• To comply with legal obligations.

We do not sell your personal information. We share data only with the service providers listed above (to operate the Service), with parties you direct us to (e.g., delivering a gallery or invoice to your client), and where required by law or to protect rights and safety. If Gliss is involved in a merger or acquisition, we will continue to protect your information and notify you of any change in control.

We protect data with encryption in transit and at rest, row-level access controls that isolate each account’s data, and least-privilege access for sensitive credentials (including encrypted storage of connected-account tokens). No method of transmission or storage is perfectly secure, but we work to protect your information and to respond promptly to any incident.

We retain your information for as long as your account is active or as needed to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements. You may delete records within the app, and you may request deletion of your account and associated data (see “Your rights”).

Depending on where you live, you may have the right to access, correct, export, or delete your personal information, and to object to or restrict certain processing. You can exercise many of these directly in the app, or contact us using the details below and we will respond as required by applicable law.

The Service is intended for businesses and is not directed to children. We do not knowingly collect personal information from children under 16.

We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date above and, where appropriate, notify you.

Questions about this policy or your data? Email privacy@heygliss.com.