Data & Security

How we handle your data

Transparency about data collection, AI processing, encryption, retention, and your rights. We believe in clear communication — no legalese, no fine print.

Data Overview

Glitch Bot is built on a privacy-first architecture. We collect only the data necessary to deliver and improve our AI-powered project planning tools — Gantt charts, Kanban boards, NoteBoards, and AI agents. This page explains what data we collect, how it is processed, where it is stored, and the controls you have over it.

  • AES-256: encryption at rest
  • TLS 1.3: encryption in transit
  • GDPR: fully compliant

What We Collect

Account Data

  • Email address (verified)
  • Display name (optional)
  • Billing information (via Stripe)
  • Authentication provider ID

Project Data

  • Gantt charts & task structures
  • Kanban board states & cards
  • NoteBoard sticky notes
  • AI agent outputs & logs

Usage Data

  • Feature interactions (anonymised)
  • Page views & navigation paths
  • API request timestamps
  • Error logs (no personal data)

What We Do NOT Collect

  • Passwords (OAuth-only auth)
  • Content from connected apps
  • Browsing history outside our domain
  • Sensitive personal data (health, etc.)

AI Data Processing

When you use AI-powered features — generating Gantt charts, creating Kanban boards, or running AI agents — your prompts and project data are sent to our AI model providers (OpenAI / Anthropic / OpenRouter) solely to generate the requested output.

Key Points

  • Prompts are not used to train foundation models
  • Data is processed ephemerally — not stored by AI providers after generation
  • We do not sell or share your data with third-party advertisers
  • You can delete any AI-generated output from your dashboard at any time

Encryption & Storage

At Rest

All data stored in our Supabase (PostgreSQL) and blob storage is encrypted using AES-256. Database backups are also encrypted before being stored in geographically separate regions.

In Transit

All HTTP traffic uses TLS 1.3 with strong cipher suites. API calls between our server, AI providers, and Stripe are authenticated and encrypted end-to-end.

Infrastructure

Hosted on Vercel (edge + serverless) and Supabase (database & storage), both SOC 2 compliant with data centres in the US and EU.

API Keys

If you bring your own AI API key, it is encrypted at rest using AES-256-GCM and is never logged or exposed to client-side code.

Data Retention

We retain your data for as long as your account is active. If you cancel your subscription, your data is preserved for 30 days in case you reactivate. After that period:

  • Projects, charts, boards, and notes are permanently deleted from our database and blob storage.
  • Anonymised usage metrics may be retained for product improvement, but are stripped of all personal identifiers.
  • Billing records are retained as required by law (typically 7 years) but are limited to transaction metadata.

Your Rights & Controls

As a user, you have full control over your data. Under GDPR and UK DPA 2018, you can exercise the following rights:

Data Portability

Export all your projects, charts, boards, and notes as structured JSON or CSV from your dashboard settings.

Right to Access

Request a full report of all personal data we hold about you — we respond within 30 days.

Right to Erasure

Delete your account and all associated data from your dashboard. Irreversible after 30 days.

Right to Rectification

Update your account email, name, and preferences at any time from your profile settings page.

Third-Party Processors

We use carefully vetted sub-processors to deliver our service. Each processor is contractually bound to comply with GDPR and our data processing standards.

Provider             Purpose                   Data                            Location
Vercel               Hosting & edge functions  Request metadata                US / EU
Supabase             Database & blob storage   All user & project data         US / EU
Stripe               Payment processing        Billing info (no card numbers)  US / EU
OpenAI / Anthropic   AI model inference        Prompts (ephemeral)             US
Postmark             Transactional emails      Email address                   US / EU
Sentry               Error monitoring          Error logs (no PII)             US / EU

Security Measures

We implement industry-standard security measures to protect your data. Here is a summary of our security posture:

Authentication

OAuth-only (Google, GitHub). No passwords stored. Row-Level Security (RLS) on all database tables.
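For readers who want to see what "Row-Level Security on all database tables" means in concrete terms, the following is an added illustration written for this page; it is not Glitch Bot's own schema or policy set. It assumes a hypothetical `projects` table with an `owner_id` column and uses Supabase's `auth.uid()` helper, which returns the calling user's id from the request JWT. The closing query is the kind of audit check an operator can run to confirm that no table in the public schema has been left with RLS disabled.

```sql
-- Added illustration: hypothetical "projects" table, not Glitch Bot's schema.
create table if not exists projects (
  id          uuid primary key default gen_random_uuid(),
  owner_id    uuid not null references auth.users (id),
  name        text not null,
  created_at  timestamptz not null default now()
);

-- Deny by default: once RLS is enabled, no row is visible until a policy grants it.
alter table projects enable row level security;
-- FORCE applies the policies to the table owner as well; roles carrying the
-- BYPASSRLS attribute still skip them, so such credentials must stay server-side.
alter table projects force row level security;

-- Each user may only read, create, change or delete rows they own.
-- Anonymous callers get a NULL auth.uid() and therefore match nothing.
create policy "projects_select_own" on projects
  for select to authenticated
  using (owner_id = auth.uid());

create policy "projects_insert_own" on projects
  for insert to authenticated
  with check (owner_id = auth.uid());

create policy "projects_update_own" on projects
  for update to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

create policy "projects_delete_own" on projects
  for delete to authenticated
  using (owner_id = auth.uid());

-- Audit check: any table listed here has RLS disabled and needs attention.
select schemaname, tablename
from pg_tables
where schemaname = 'public' and not rowsecurity;
```

The `with check` clauses matter as much as the `using` clauses: without them a user could insert or update a row whose `owner_id` points at someone else, which `using` alone would not prevent.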

Encryption

AES-256 at rest. TLS 1.3 in transit. Database backups encrypted with separate keys.

Access Control

Strict least-privilege IAM policies. All infrastructure access logged and audited.

Monitoring

Real-time anomaly detection. Rate limiting on all API endpoints. Automated vulnerability scanning.

Incident Response

24-hour disclosure policy for data breaches. Documented runbooks for incident containment.

Compliance

GDPR / UK DPA 2018 compliant. SOC 2 Type II infrastructure (Vercel + Supabase).

Contact & DPO

If you have questions about this data policy, wish to exercise your GDPR rights, or need to contact our Data Protection Officer:

  • Email: support@cyberheroes.co.uk
  • Response time: Within 48 hours
  • Data requests: Fulfilled within 30 days

Last updated: July 1, 2026

We review and update this data policy as our infrastructure and practices evolve. Material changes will be communicated via email and in-app notification.