Transparency about data collection, AI processing, encryption, retention, and your rights. We believe in clear communication — no legalese, no fine print.
Glitch Bot is built on a privacy-first architecture. We collect only the data necessary to deliver and improve our AI-powered project planning tools — Gantt charts, Kanban boards, NoteBoards, and AI agents. This page explains what data we collect, how it is processed, where it is stored, and the controls you have over it.
When you use AI-powered features — generating Gantt charts, creating Kanban boards, or running AI agents — your prompts and project data are sent to our AI model providers (OpenAI / Anthropic / OpenRouter) solely to generate the requested output.
All data stored in our Supabase (PostgreSQL) and blob storage is encrypted using AES-256. Database backups are also encrypted before being stored in geographically separate regions.
All HTTP traffic uses TLS 1.3 with strong cipher suites. API calls between our server, AI providers, and Stripe are authenticated and encrypted end-to-end.
Hosted on Vercel (edge + serverless) and Supabase (database & storage), both SOC 2 compliant with data centres in the US and EU.
If you bring your own AI API key, it is encrypted at rest using AES-256-GCM and is never logged or exposed to client-side code.
We retain your data for as long as your account is active. If you cancel your subscription, your data is preserved for 30 days in case you reactivate. After that period:
As a user, you have full control over your data. Under GDPR and UK DPA 2018, you can exercise the following rights:
Export all your projects, charts, boards, and notes as structured JSON or CSV from your dashboard settings.
Request a full report of all personal data we hold about you — we respond within 30 days.
Delete your account and all associated data from your dashboard. Irreversible after 30 days.
Update your account email, name, and preferences at any time from your profile settings page.
We use carefully vetted sub-processors to deliver our service. Each processor is contractually bound to comply with GDPR and our data processing standards.
| Provider | Purpose | Data | Location |
|---|---|---|---|
| Vercel | Hosting & edge functions | Request metadata | US / EU |
| Supabase | Database & blob storage | All user & project data | US / EU |
| Stripe | Payment processing | Billing info (no card numbers) | US / EU |
| OpenAI / Anthropic | AI model inference | Prompts (ephemeral) | US |
| Postmark | Transactional emails | Email address | US / EU |
| Sentry | Error monitoring | Error logs (no PII) | US / EU |
We implement industry-standard security measures to protect your data. Here is a summary of our security posture:
OAuth-only (Google, GitHub). No passwords stored. Row-Level Security (RLS) on all database tables.
AES-256 at rest. TLS 1.3 in transit. Database backups encrypted with separate keys.
Strict least-privilege IAM policies. All infrastructure access logged and audited.
Real-time anomaly detection. Rate limiting on all API endpoints. Automated vulnerability scanning.
24-hour disclosure policy for data breaches. Documented runbooks for incident containment.
GDPR / UK DPA 2018 compliant. SOC 2 Type II infrastructure (Vercel + Supabase).
If you have questions about this data policy, wish to exercise your GDPR rights, or need to contact our Data Protection Officer:
Last updated: July 1, 2026
We review and update this data policy as our infrastructure and practices evolve. Material changes will be communicated via email and in-app notification.