Privacy Policy

Privacy Policy

This Privacy Policy explains how CyberHeroes Ltd collects, uses, processes, and protects your personal data when you use Glitch Bot. It covers your rights under UK GDPR and the Data Protection Act 2018.

Last updated: July 1, 2026Effective: July 1, 2026

1. Scope & Responsibility

Glitch Bot ("we", "our", "us") is a product of CyberHeroes Ltd. This Privacy Policy explains how we collect, use, process, store, and share your personal data when you access or use our AI-powered project planning platform, including Gantt charts, Kanban boards, NoteBoards, and AI agents (collectively, the "Service").

We are the data controller for all personal data collected through the Service. Our registered office is at CyberHeroes Ltd, United Kingdom. We are registered with the Information Commissioner's Office (ICO).

Key Definitions

Personal Data
Any information relating to an identified or identifiable natural person.
Processing
Any operation performed on personal data, including collection, storage, use, and deletion.
Data Controller
The entity that determines the purposes and means of processing personal data.

2. Personal Data We Collect

Account Data

  • Email address (verified via OAuth provider)
  • Display name (optional, user-provided)
  • OAuth provider ID (Google / GitHub user ID)
  • Account creation timestamp and last login timestamp
  • Subscription tier and payment status

Lawful basis: Contractual necessity (Art. 6(1)(b))

Project & Content Data

  • Gantt chart structures, tasks, milestones, dependencies
  • Kanban board columns, cards, assignments, deadlines
  • NoteBoard sticky note content (including Markdown)
  • AI agent prompts, outputs, and execution logs
  • Uploaded files, images, and attachments

Lawful basis: Contractual necessity (Art. 6(1)(b))

Usage & Analytics Data

  • Feature interactions (page views, clicks, feature usage)
  • API request metadata (endpoint, timestamp, status code)
  • Session duration and navigation paths
  • Device type, browser, operating system (anonymized)
  • Error logs and performance metrics (no PII)

Lawful basis: Legitimate interest (Art. 6(1)(f))

Billing Data

  • Billing name and email address
  • Payment method type (not full card numbers — handled by Stripe)
  • Transaction amounts, dates, and invoice history
  • Subscription plan and billing cycle

Lawful basis: Contractual necessity + Legal obligation (Art. 6(1)(c))

Special Category Data

We do not intentionally collect any special category data (race, ethnicity, political opinions, religious beliefs, health data, sexual orientation, or biometric data). If you inadvertently include such data in project content or AI prompts, we will delete it upon discovery or notification.

Children's Data

The Service is not directed at children under 13 (or under 16 in the UK/EU). We do not knowingly collect personal data from children. If we become aware that a child has provided us with personal data, we will promptly delete it.

3. How We Use Your Data

We process your personal data only for the following purposes, each grounded in a specific lawful basis under Article 6 of the UK GDPR:

PurposeData UsedLawful Basis
Providing the ServiceAccount, project, billing dataContract (Art. 6(1)(b))
AI feature processingPrompts, project contentContract (Art. 6(1)(b))
Payment processingBilling dataContract (Art. 6(1)(b))
Service improvement & analyticsUsage data (anonymized)Legitimate interest (Art. 6(1)(f))
Security & fraud preventionAccount data, IP, request logsLegal obligation (Art. 6(1)(c))
Transactional emailsEmail addressContract (Art. 6(1)(b))
Marketing (with consent)Email addressConsent (Art. 6(1)(a))
Legal complianceRelevant data as requiredLegal obligation (Art. 6(1)(c))

4. AI Data Processing

Our core features use third-party AI model providers (OpenAI, Anthropic, and/or OpenRouter) to generate content. When you submit a prompt or request AI features:

What Happens

  • Your prompt is sent to the AI provider solely for inference
  • The response is returned and saved in your account
  • Data is processed ephemerally — not stored by the provider

What Does NOT Happen

  • Prompts are NOT used to train or fine-tune foundation models
  • Prompts are NOT sold or shared with advertisers
  • Prompts are NOT retained by providers beyond the inference window
Anthropic:Privacy policy
OpenRouter:Privacy policy

5. Data Sharing & International Transfers

We share personal data only with carefully vetted sub-processors who meet GDPR/UK DPA compliance standards. Each processor is contractually bound via a Data Processing Agreement (DPA).

ProcessorPurposeData CategoryLocationSafeguard
Vercel Inc.Hosting & edge functionsRequest metadataUS / EUSCCs
Supabase Inc.Database & blob storageAll user & project dataUS / EUSCCs
Stripe Inc.Payment processingBilling dataUS / EUSCCs
OpenAIAI inferencePrompts (ephemeral)USSCCs
AnthropicAI inferencePrompts (ephemeral)USSCCs
Postmark (AC)Transactional emailEmail addressUS / EUSCCs
SentryError monitoringError logsUS / EUSCCs

International Transfer Safeguards

Where we transfer your personal data to countries outside the UK/EEA, we ensure an equivalent level of protection through Standard Contractual Clauses (SCCs) adopted by the European Commission and the UK Information Commissioner's Office, and/or adequacy decisions by the UK Government and European Commission.

6. Cookies & Tracking

We use minimal cookies and similar tracking technologies strictly for essential operations and analytics. We do not use advertising cookies.

Cookie / TechnologyPurposeDurationType
sb-access-tokenSupabase auth sessionSessionEssential
sb-refresh-tokenSupabase auth refresh30 daysEssential
next-auth.session-tokenNextAuth sessionSessionEssential
_gaGoogle Analytics (page views)2 yearsAnalytics
_gidGoogle Analytics (session)24 hoursAnalytics

You can control cookies through your browser settings. Disabling essential cookies will prevent the Service from functioning properly.

7. Data Retention & Deletion

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected. Our specific retention schedules are:

Data CategoryRetention PeriodRationale
Account & profile dataDuration of account + 30 daysService delivery & reactivation
Project & content dataDuration of account + 30 daysService delivery & reactivation
Billing records7 years after transactionHMRC / legal obligation
Usage analytics24 months (aggregated)Product improvement
Error logs90 daysDebugging & security
BackupsUp to 30 daysDisaster recovery

Deletion Process

When you delete your account or request erasure, your personal data is permanently deleted from our primary database and blob storage within 30 days. Backups containing your data are rotated and overwritten within the same period. We will confirm deletion via email within 48 hours of completion.

8. Your Rights Under UK GDPR

Under the UK GDPR and Data Protection Act 2018, you have the following rights regarding your personal data. We will respond to any request within 30 days free of charge.

Right to be Informed

You have the right to be provided with clear, transparent information about how we use your personal data — this policy fulfils that right.

How to exercise: Read this policy. For further clarification, contact our DPO.

Right of Access (Subject Access Request)

You have the right to access the personal data we hold about you and obtain a copy.

How to exercise: Email dpo@cyberheroes.co.uk with subject 'SAR'. We will respond within 30 days.

Right to Rectification

You have the right to have inaccurate personal data corrected or completed.

How to exercise: Update your profile in account settings, or email our DPO.

Right to Erasure ('Right to be Forgotten')

You have the right to request deletion of your personal data where there is no compelling reason for its continued processing.

How to exercise: Delete your account from dashboard settings, or email our DPO.

Right to Restrict Processing

You have the right to request the restriction of processing your personal data in certain circumstances.

How to exercise: Email our DPO with details of the data and restriction requested.

Right to Data Portability

You have the right to obtain and reuse your personal data for your own purposes across different services.

How to exercise: Export your data from dashboard settings (JSON/CSV format).

Right to Object

You have the right to object to processing based on legitimate interests, including profiling and direct marketing.

How to exercise: Email our DPO. We will stop processing unless we have compelling legitimate grounds.

Rights in relation to Automated Decision-Making

You have the right not to be subject to decisions based solely on automated processing that produce legal effects.

How to exercise: Our AI features assist but do not make automated decisions with legal effects. Contact DPO for concerns.

9. Complaints & Supervisory Authority

If you believe we have not handled your personal data in accordance with data protection law, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):

Information Commissioner's Office

Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Tel: 0303 123 1113

ico.org.uk/make-a-complaint

We encourage you to contact us first at support@cyberheroes.co.uk so we can address your concerns directly. We aim to resolve all data protection inquiries within 48 hours.

10. Changes to This Policy

We review and update this Privacy Policy as our practices evolve or legal requirements change. Material changes will be communicated through:

  • Email notification to the address associated with your account
  • In-app banner notification on your dashboard
  • Updated "Last modified" date at the top of this page

We recommend checking this page periodically. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.

11. Contact & DPO

If you have any questions, wish to exercise your data rights, or need to contact our Data Protection Officer:

Data Protection Officer

  • Email: support@cyberheroes.co.uk
  • Response time: Within 48 hours
  • SAR fulfilment: Within 30 days

Organisation

  • Controller: CyberHeroes Ltd
  • Service: Glitch Bot
  • Email: support@cyberheroes.co.uk

Last updated: July 1, 2026

This Privacy Policy was drafted to comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the EU General Data Protection Regulation (EU GDPR) where applicable.