Privacy Policy

This Privacy Policy describes how Xblanc Sp. z o.o. ("GliminTor", "we", "us"), registered at ul. Henryka Sienkiewicza 22, 60-818 PoznaĹ„, Poland (KRS: 0001206396, NIP: 7812100149), processes your personal data when you use GliminTor OS. Xblanc Sp. z o.o. is the data controller for personal data processed in connection with your account and use of the Service. Where you are a business customer and have entered into a Data Processing Agreement with us, you are the controller for the personal data of your own customers that you process through the platform, and we act as your data processor for that data. Privacy contact: [email protected]

## 2.1 Account and Identity Data Name, email address, company name (where provided), billing address, and payment method details. Payment card data is held by Stripe, Inc. in its capacity as a licensed payment processor. We do not store full card numbers. ## 2.2 Usage Data Features accessed, content created, posts scheduled, AI features used, Ops Credits consumed, session timestamps, device type, browser, and operating system. ## 2.3 Connected Account Data When you connect third-party social media, inbox, or CRM accounts via OAuth, we access data from those platforms as authorised by you. This includes profile information, post data, engagement metrics, message data (where inbox features are enabled), and analytics. We access only what is necessary to provide the features you use. ## 2.4 AI and Brand Data Prompts, inputs, and content you provide when using AI features. Your brand voice data is processed and stored exclusively within your workspace. We do not use your prompts, brand data, or AI-generated outputs to train AI models. ## 2.5 Communications Data Emails and messages you send to our support, billing, and legal teams. ## 2.6 Technical and Security Data IP addresses, cookies, log data, device identifiers, and authentication records used for security, fraud prevention, and service operation.

Processing purpose Lawful basis (GDPR) Account registration and management Contract — Art. 6(1)(b) Service delivery including AI features Contract — Art. 6(1)(b) Payment processing (instruction to Stripe) Contract — Art. 6(1)(b) Connected account data access Contract — Art. 6(1)(b) Security and fraud prevention Legitimate interest — Art. 6(1)(f) Platform analytics and service improvement Legitimate interest — Art. 6(1)(f) Marketing communications (opt-in only) Consent — Art. 6(1)(a) Tax and accounting records Legal obligation — Art. 6(1)(c) Checkout consent logging Legal obligation — Art. 6(1)(c)

Stripe, Inc. acts in a dual capacity: as our data processor for payment execution (acting on our instruction), and as an independent data controller for its own fraud detection, financial compliance, and regulatory obligations including KYC, AML, and sanctions screening. For Stripe's independent controller activities, Stripe's Privacy Policy at stripe.com/privacy governs.

We do not sell your personal data. We do not use your data for advertising. Data is shared only with service providers acting under data processing agreements. A full vendor list with roles, data locations, and transfer safeguards is published at glimintor.com/legal/subprocessors. Provider Role Purpose Location Stripe, Inc. Processor / Controller (dual) Payment processing USA Clerk, Inc. Processor Authentication and sessions USA Railway Corp. Processor Cloud infrastructure and hosting USA Cloudflare, Inc. Processor / Controller (partial) CDN, security, DNS, email routing USA/Global Resend, Inc. Processor Transactional email USA OpenRouter, Inc. Processor AI language model routing USA fal.ai, Inc. Processor AI image, video, audio generation USA Cloudflare R2 Processor Media asset storage USA/EU International transfers to US-based processors are made under Standard Contractual Clauses (SCCs, European Commission, June 2021). We provide at least 30 days advance notice of material changes to our subprocessor list.

Category Retention period Account and profile data Duration of account plus 3 years following closure Billing and transaction records 7 years from transaction date (Polish accounting law) Connected account and post data Duration of connection plus 30 days after disconnection AI prompts and generated content Duration of subscription plus 30 days Support and legal communications 3 years from last communication Security and access logs 12 months Checkout consent records 7 years Marketing consent records Until withdrawal plus 3 years

We respond to all data subject requests without undue delay and in any event within one month of receipt. This period may be extended by two further months where necessary, in which case we will inform you within the first month with reasons. You have the right to: access your personal data; rectify inaccurate data; erasure where no longer necessary; restrict processing; receive your data in a portable format; object to processing based on legitimate interest; and withdraw consent at any time without affecting prior lawful processing. Exercise your rights by contacting [email protected]. You may also lodge a complaint with the Polish supervisory authority, UrzÄ…d Ochrony Danych Osobowych (UODO), at uodo.gov.pl, or with the supervisory authority in your EU/EEA country of residence.

Our use of cookies is governed by the Cookie Policy at glimintor.com/legal/cookies. Cookie preferences are managed via the consent banner on glimintor.com.

The Service is not directed at persons under 18. We do not knowingly collect personal data from minors. If we become aware that a minor has provided data, we will delete it without undue delay.

We implement appropriate technical and organisational measures including encryption in transit and at rest, access controls, authentication requirements, and regular security reviews. No internet transmission is guaranteed to be 100% secure.

Material changes to this Policy will be communicated by email and in-platform notification before taking effect.

California residents have the right to: know what personal information is collected, used, shared, or sold; request deletion; opt out of sale or sharing; correct inaccurate information; limit use of sensitive personal information; and non-discrimination for exercising these rights. We do not sell or share personal information as defined under CCPA/CPRA. To exercise California privacy rights, contact [email protected] with the subject line "California Privacy Request".

For users in the United Arab Emirates, GliminTor processes personal data in accordance with Federal Decree-Law No. 45 of 2021 on Personal Data Protection. We process UAE resident data on the basis of contractual necessity and consent where required under the PDPL. Personal data may be transferred to and processed in the European Union (Poland) and via US-based service providers under appropriate contractual safeguards. UAE residents have the right to access, correct, and request deletion of their personal data. We do not represent that data is stored locally within the UAE. Contact [email protected] for data subject requests. Arabic language assistance is available upon request.

For users in the Kingdom of Saudi Arabia, GliminTor processes personal data in compliance with the Personal Data Protection Law (PDPL, Royal Decree M/19 of 1443H) and its implementing regulations. We obtain explicit consent where required under the PDPL. Personal data may be transferred outside the Kingdom under appropriate contractual safeguards. We do not represent that data is stored locally within KSA. KSA residents have the right to access, correct, and request deletion of their personal data. Contact [email protected]. Arabic language assistance is available upon request.

For users in Egypt, GliminTor processes personal data in accordance with Egypt's Personal Data Protection Law No. 151 of 2020 and its executive regulations. We obtain consent where required. Personal data may be transferred outside Egypt under appropriate contractual safeguards. We do not represent that data is stored locally within Egypt. Egyptian residents have the right to access, correct, and object to processing of their personal data. Contact [email protected].

Purpose Contact Privacy requests and data subject rights [email protected] Legal notices and formal data protection matters [email protected] EU supervisory authority — UODO (Poland) uodo.gov.pl Registered address Xblanc Sp. z o.o., ul. Henryka Sienkiewicza 22, 60-818 PoznaĹ„, Poland