Privacy Policy & GDPR Notice

GliminTor OS Privacy Policy & GDPR Notice Controller Notice for Account, Billing, Website, and Support Data Product GliminTor OS Controller XBLANC SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ Registered office ul. Henryka Sienkiewicza 22, 60-818 Poznań, Poland KRS / NIP / REGON 0001206396 / 7812100149 / 543298631 Privacy contact [email protected] Effective date April 2026 *v3.0 — April 2026* *Xblanc acts as a controller for account, billing, website, and marketing data. For data processed on behalf of business customers, Xblanc acts as a processor — governed by the Data Processing Addendum (DPA).*

Controller: XBLANC SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ Registered office: ul. Henryka Sienkiewicza 22, 60-818 Poznań, Poland KRS: 0001206396 | NIP: 7812100149 | REGON: 543298631 Registry court: Sąd Rejonowy Poznań – Nowe Miasto i Wilda w Poznaniu, VIII Wydział Gospodarczy KRS Privacy contact: [email protected] General contact: [email protected]

Account data Name, email, password hash (via Clerk), organisation name, role. Billing data Payment method (tokenised by Stripe), subscription history, invoices, VAT number. Usage data Feature usage, credit consumption, Auto-Engage activity, Broadcast send logs, API call logs. Contacts/CRM data Names, email addresses, platform handles, engagement scores, lifecycle stages, and tags stored in the Contacts module. Broadcast data Message content, send timestamps, delivery status, opt-out records for Broadcast messaging. Zoom Studio data Meeting and live stream metadata, participant counts, streaming destinations. Content data Text, images, video, and audio created or uploaded through the Service. Connected platform data Tokens, profile IDs, messages, and metrics from platforms you connect. Support data Communications with support, bug reports, feedback. Technical data IP address, browser type, device identifiers, cookies, log files.

Provide and administer the Service Art. 6(1)(b) — contract. Manage accounts (Clerk), subscriptions (Stripe), AI features (OpenRouter, fal.ai), Zoom Studio (Zoom). Operate Contacts/CRM module Art. 6(1)(b) — contract; (f) — legitimate interest. Process contact records to enable CRM features on your instructions. Operate Auto-Engage Art. 6(1)(b) — contract. Process incoming comments and DMs to generate and dispatch automated responses. Operate Broadcast Art. 6(1)(b) — contract; your consent obligation to your own contacts. Transmit outreach messages via connected messaging platforms. Billing and fraud prevention Art. 6(1)(b), (c), (f) — contract, legal obligation, legitimate interest. Security and abuse prevention Art. 6(1)(f) — legitimate interest. Protect Railway and Cloudflare infrastructure; detect spam and Broadcast abuse. Analytics and product improvement Art. 6(1)(f) — legitimate interest; consent where ePrivacy rules apply. Marketing communications Art. 6(1)(a) — consent; or (f) where soft opt-in permitted. Via Resend. Legal compliance and claims Art. 6(1)(c) and (f).

The Service uses AI models via OpenRouter (routing to Anthropic, Google, OpenAI, and others), image and video generation via fal.ai (all tiers), and Zoom integration via Zoom SDK. Auto-Engage uses AI to generate response drafts sent under your account. No solely automated decisions with legal or similarly significant effects are made without human review. Customer Content is not used to train third-party models without express written agreement.

Railway (US) Application hosting — PostgreSQL, Redis, API, Worker services. Clerk (US) Authentication and identity management. Stripe (US) Payment processing and billing. Cloudflare (US) CDN, DDoS protection, R2 object storage. OpenRouter (US) AI model routing for LLM text operations. fal.ai (US) Image generation (all plans) and video generation (all paid tiers, via Kling and Seedance). Zoom Video Communications (US) Live meeting and live streaming infrastructure for Zoom Studio. Resend (US) Transactional and marketing email delivery. Sub-processors outside the EEA: transfers covered by Standard Contractual Clauses (SCCs) under Commission Implementing Decision (EU) 2021/914.

Account data 30 days after account deletion, then purged. Billing records 10 years (Polish and EU tax law requirement). Contacts/CRM records Retained while your subscription is active. Deleted 30 days after account termination. Broadcast consent records Retained for the duration of the subscription plus 3 years for compliance purposes. Usage and log data 90 days rolling. Support communications 3 years after ticket closure. Marketing consent records Until consent withdrawn plus 3 years.

Under GDPR you have the right to access, rectify, erase, restrict, and port your personal data, and to object to processing based on legitimate interest. Contact: [email protected]. You may also lodge a complaint with the Polish Personal Data Protection Office (UODO) at https://uodo.gov.pl.

See the Cookie Policy at https://glimintor.com/legal/cookies.

Material changes communicated by email or in-app notification. Continued use constitutes acknowledgment.

Privacy: [email protected] Postal: Xblanc Sp. z o.o., ul. Henryka Sienkiewicza 22, 60-818 Poznań, Poland