This Privacy Policy explains how CyberHeroes Ltd collects, uses, processes, and protects your personal data when you use Glitch Bot. It covers your rights under UK GDPR and the Data Protection Act 2018.
Glitch Bot ("we", "our", "us") is a product of CyberHeroes Ltd. This Privacy Policy explains how we collect, use, process, store, and share your personal data when you access or use our AI-powered project planning platform, including Gantt charts, Kanban boards, NoteBoards, and AI agents (collectively, the "Service").
We are the data controller for all personal data collected through the Service. Our registered office is at CyberHeroes Ltd, United Kingdom. We are registered with the Information Commissioner's Office (ICO).
Lawful basis: Contractual necessity (Art. 6(1)(b))
Lawful basis: Contractual necessity (Art. 6(1)(b))
Lawful basis: Legitimate interest (Art. 6(1)(f))
Lawful basis: Contractual necessity + Legal obligation (Art. 6(1)(c))
We do not intentionally collect any special category data (race, ethnicity, political opinions, religious beliefs, health data, sexual orientation, or biometric data). If you inadvertently include such data in project content or AI prompts, we will delete it upon discovery or notification.
The Service is not directed at children under 13 (or under 16 in the UK/EU). We do not knowingly collect personal data from children. If we become aware that a child has provided us with personal data, we will promptly delete it.
We process your personal data only for the following purposes, each grounded in a specific lawful basis under Article 6 of the UK GDPR:
| Purpose | Data Used | Lawful Basis |
|---|---|---|
| Providing the Service | Account, project, billing data | Contract (Art. 6(1)(b)) |
| AI feature processing | Prompts, project content | Contract (Art. 6(1)(b)) |
| Payment processing | Billing data | Contract (Art. 6(1)(b)) |
| Service improvement & analytics | Usage data (anonymized) | Legitimate interest (Art. 6(1)(f)) |
| Security & fraud prevention | Account data, IP, request logs | Legal obligation (Art. 6(1)(c)) |
| Transactional emails | Email address | Contract (Art. 6(1)(b)) |
| Marketing (with consent) | Email address | Consent (Art. 6(1)(a)) |
| Legal compliance | Relevant data as required | Legal obligation (Art. 6(1)(c)) |
Our core features use third-party AI model providers (OpenAI, Anthropic, and/or OpenRouter) to generate content. When you submit a prompt or request AI features:
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected. Our specific retention schedules are:
| Data Category | Retention Period | Rationale |
|---|---|---|
| Account & profile data | Duration of account + 30 days | Service delivery & reactivation |
| Project & content data | Duration of account + 30 days | Service delivery & reactivation |
| Billing records | 7 years after transaction | HMRC / legal obligation |
| Usage analytics | 24 months (aggregated) | Product improvement |
| Error logs | 90 days | Debugging & security |
| Backups | Up to 30 days | Disaster recovery |
When you delete your account or request erasure, your personal data is permanently deleted from our primary database and blob storage within 30 days. Backups containing your data are rotated and overwritten within the same period. We will confirm deletion via email within 48 hours of completion.
Under the UK GDPR and Data Protection Act 2018, you have the following rights regarding your personal data. We will respond to any request within 30 days free of charge.
You have the right to be provided with clear, transparent information about how we use your personal data — this policy fulfils that right.
How to exercise: Read this policy. For further clarification, contact our DPO.
You have the right to access the personal data we hold about you and obtain a copy.
How to exercise: Email dpo@cyberheroes.co.uk with subject 'SAR'. We will respond within 30 days.
You have the right to have inaccurate personal data corrected or completed.
How to exercise: Update your profile in account settings, or email our DPO.
You have the right to request deletion of your personal data where there is no compelling reason for its continued processing.
How to exercise: Delete your account from dashboard settings, or email our DPO.
You have the right to request the restriction of processing your personal data in certain circumstances.
How to exercise: Email our DPO with details of the data and restriction requested.
You have the right to obtain and reuse your personal data for your own purposes across different services.
How to exercise: Export your data from dashboard settings (JSON/CSV format).
You have the right to object to processing based on legitimate interests, including profiling and direct marketing.
How to exercise: Email our DPO. We will stop processing unless we have compelling legitimate grounds.
You have the right not to be subject to decisions based solely on automated processing that produce legal effects.
How to exercise: Our AI features assist but do not make automated decisions with legal effects. Contact DPO for concerns.
If you believe we have not handled your personal data in accordance with data protection law, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Tel: 0303 123 1113
ico.org.uk/make-a-complaintWe encourage you to contact us first at support@cyberheroes.co.uk so we can address your concerns directly. We aim to resolve all data protection inquiries within 48 hours.
We review and update this Privacy Policy as our practices evolve or legal requirements change. Material changes will be communicated through:
We recommend checking this page periodically. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.
If you have any questions, wish to exercise your data rights, or need to contact our Data Protection Officer:
Last updated: July 1, 2026
This Privacy Policy was drafted to comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the EU General Data Protection Regulation (EU GDPR) where applicable.