Privacy Policy

How GLACIS Technologies collects, uses, discloses, and protects personal information — and the rights you have over it.

Effective: 18 April 2026 Version: 1.0 Controller: GLACIS Technologies, Inc. Registered: Seattle, Washington, USA

Summary — in plain language

What we collect: account details you give us, content you submit to the Services, data collected automatically when you use our websites or tools (IP, device, usage), and information from integrations and public sources.

Why we collect it: to provide and improve the Services, respond to you, keep things secure, comply with law, and (with consent where required) tell you about relevant products.

We don’t sell your personal information. We do “share” limited browsing signals with B2B marketing platforms (LinkedIn, StackAdapt, Leadfeeder/Dealfront) for campaign measurement — which counts as a “share” under California’s CPRA. You can opt out at any time via the consent banner on first visit, the “Do Not Sell or Share” link in the footer, or by sending a Global Privacy Control (GPC) signal — which we honor automatically.

You have rights. Access, correct, delete, export, object, restrict — see Section 10 for how to exercise them.

AI specifics: GLACIS is itself an AI-governance company. Section 5 explains what our AI systems do with data and the limits on automated decision-making.

Contents

  1. Who this notice applies to
  2. Information we collect
  3. Sources of information
  4. How we use information
  5. AI-specific processing
  6. Legal bases (EU/UK/EEA)
  7. Sharing and disclosure
  8. International transfers
  9. Data retention
  10. Your privacy rights
  11. Children
  12. Security
  13. Cookies and tracking
  14. Changes to this policy
  15. Contact / DPO

A note on terminology

US and EU/UK privacy frameworks use different labels for the same roles. Where this policy shifts between them, these four terms are interchangeable for most purposes:

  • Controller (EU/UK GDPR) — the party that determines the purpose and means of processing personal data. GLACIS acts as controller when you interact with our websites and sales flows.
  • Business (California CCPA/CPRA) — the US equivalent of “controller” for most purposes.
  • Processor (EU/UK GDPR) — the party that processes personal data on behalf of a controller. GLACIS acts as processor when our Enforce runtime is deployed inside a customer’s environment.
  • Service Provider (California CCPA/CPRA) — the US equivalent of “processor” for most purposes.

1. Who this notice applies to

This Privacy Policy describes how GLACIS Technologies, Inc. (“GLACIS”, “we”, “our”) processes personal information when you visit glacis.io, autoredteam.com, overt.is, trust.glacis.io, or any subdomains; use our products and services (collectively, the “Services”); contact us; attend our events; or otherwise interact with us.

Where we process personal data on behalf of a customer as a processor or service provider (for example, data processed through the Enforce runtime on a customer’s own systems), that processing is governed primarily by the customer’s privacy notice and the Data Processing Agreement (DPA) between GLACIS and that customer, available at trust.glacis.io. Questions about such processing should be directed to the relevant customer.

2. Information we collect

2.1 Information you provide

  • Account and contact details — name, work email, company, job title, phone (optional), country, billing address.
  • Authentication data — password hashes, MFA tokens, single-sign-on identifiers, session cookies.
  • Communications — messages you send to support, sales, legal, or security channels, including attachments.
  • Event and sales interactions — meeting registrations, demo requests, content downloads, responses to surveys, feedback.
  • Billing and payment details — tax identifiers and billing contact. Card numbers are handled directly by our payment processor (currently Stripe) under its own privacy notice; GLACIS does not store card details.

2.2 Information collected automatically

  • Device and connection data — IP address, user-agent, browser and operating-system version, device identifiers, referring URL, language preference.
  • Usage data — pages visited, features used, API calls, timestamps, request and response metadata.
  • Telemetry and diagnostic logs — error logs, performance metrics, security-event logs. These logs are retained as described in Section 9 and are reviewed as part of our SOC 2 security program.
  • Cookies and similar technologies — as described in our Cookie Policy.

2.3 Information from third parties and public sources

  • Identity providers (SSO) used for account access.
  • Enrichment providers that provide firmographic context for account records.
  • Public sources (company websites, public filings) when researching prospective customers or verifying information.
  • Integrations authorized by you or your employer (e.g., CRM, analytics, calendar).

2.4 Sensitive categories

We do not intentionally collect sensitive personal information (for example, precise geolocation, biometric identifiers, health data, government-issued identifiers, sexual-orientation or political-opinion data). If you provide such data voluntarily, we will treat it with the heightened care required by law, but we ask that you do not do so.

3. Sources of information

We collect information directly from you, automatically through your interaction with the Services, and from the third parties identified in Section 2.3. When we combine information from multiple sources, we protect the combined record under the same standards applicable to the most sensitive underlying data.

4. How we use information

We use personal information for the following purposes:

  • Providing the Services — authenticate users, process requests, issue OVERT Receipts, generate Evidence Packs, deliver support.
  • Security and abuse prevention — detect fraudulent or unauthorized use, investigate Security Incidents, enforce our Terms, monitor for compliance with acceptable use.
  • Product improvement — understand how the Services are used, diagnose errors, and improve quality, performance, and reliability. We prefer aggregated or de-identified data for this purpose wherever practicable.
  • Customer support and communications — respond to you, send service-related communications (account, security, billing, incident) you cannot opt out of while you have an account, and, where you have consented or have a pre-existing customer relationship, send marketing messages you can opt out of at any time.
  • Sales and marketing — manage prospective-customer relationships, tailor content to your role and industry (profile-based, not surveillance-based), measure campaign effectiveness.
  • Compliance and legal — meet legal, regulatory, tax, audit, and law-enforcement obligations; establish, exercise, and defend legal claims; manage risk.
  • Corporate transactions — evaluate and execute mergers, acquisitions, financings, and similar transactions, subject to confidentiality protections.

5. AI-specific processing

GLACIS is an AI-governance company, and we are explicit about how our own AI systems process data.

5.1 What our AI systems do

Portions of the Services use purpose-built small language models (“SLMs”) and classical classifiers to evaluate AI behavior against policy. These systems operate inside the customer perimeter (Enforce) or against customer-submitted prompts/responses (autoredteam). Outputs are policy verdicts (permit / deny / escalate / flag), cryptographic commitments (OVERT Receipts), and diagnostic metadata.

5.2 What these systems do NOT do

  • They do not make legally significant decisions about any individual.
  • They do not perform credit, employment, insurance, housing, or similar evaluations within the meaning of GDPR Article 22, CCPA § 1798.185(a)(16), or the EU AI Act’s high-risk-system categories, unless a customer has specifically deployed them in such a context — in which case that customer is the controller for the decision.

5.3 Training-data boundaries

We are explicit about what our AI systems are and are not trained on:

  • Foundation models. We do not use Customer Services data to train our foundation models. Foundation-model training uses licensed corpora, open-source datasets, and internally generated synthetic data only.
  • Customer-specific models. Where Customer opts into model tuning or fine-tuning (a paid capability), the resulting Customer-specific model is trained solely on that Customer’s data, is ring-fenced to that Customer’s tenant, and its weights are not reused outside that tenant.
  • Federated threat intelligence. Anonymised indicators of attacks, adversarial techniques, and classes of prompt-injection observed across the GLACIS witness fabric may be aggregated into non-identifying threat signals that strengthen defenses for all Customers. These signals contain no Customer Content and no personal information. This is the threat-intelligence commons our platform maintains.
  • Open-source data. Data from open-source sources — including autoredteam OSS telemetry voluntarily contributed by the community, publicly available research corpora, and public security datasets — is fair use for improving our detection capabilities, subject to the licensing terms of each source.

5.4 AI management system

Our AI systems are governed under an internal AI management system (AIMS) with AI impact assessments, risk registers, human-oversight controls, continuous monitoring, incident procedures, and lifecycle governance. The current AIMS scope, AI policy, and supporting documentation are published at trust.glacis.io.

5.5 Your rights in automated processing

To the extent we ever process personal data by solely automated means that produce legal or similarly significant effects, you have the right under applicable law (including GDPR Article 22) to obtain human review, express your point of view, and contest the decision. Requests should be directed to [email protected].

6. Legal bases (EU/UK/EEA)

Where GDPR or UK GDPR applies, we rely on the following legal bases:

  • Performance of a contract — to provide the Services you or your employer have requested.
  • Legitimate interests — operating and improving our business, securing the Services, measuring marketing effectiveness, preventing fraud, and defending legal claims. We carry out legitimate-interest balancing tests and document them.
  • Legal obligation — compliance with tax, accounting, and other laws.
  • Consent — for certain direct marketing, cookies that are not strictly necessary, and (where required) international transfers. You may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.

7. Sharing and disclosure

We disclose personal information only in the following circumstances:

  • Service providers and subprocessors — vendors that host infrastructure, send emails, process payments, provide analytics, or otherwise perform functions on our behalf. A current list with role and processing location is maintained at trust.glacis.io. Subprocessors are bound by written agreements that impose confidentiality, data-protection, and security requirements no less protective than this policy.
  • Enterprise customers — if you use the Services through your employer’s account, your employer’s administrator may have access to your account and usage data.
  • Legal and safety disclosures — when required by a valid legal process, or when disclosure is necessary to enforce our agreements, protect our rights, investigate fraud, or protect the safety of any person.
  • Business transfers — in connection with a merger, acquisition, reorganization, financing, sale of assets, or bankruptcy, subject to appropriate confidentiality obligations and, where required, notice to affected individuals.
  • With your direction or consent — including public content you choose to share, case studies you authorize, or integrations you enable.

No sale. We do not sell personal information as “sale” is defined under the CCPA/CPRA or comparable state laws. We have not done so in the preceding twelve months.

Cross-context behavioral advertising (“share”). For B2B marketing measurement, we run third-party pixels — LinkedIn Insight, StackAdapt, and Leadfeeder/Dealfront — that transmit limited browsing signals to those platforms. Under California’s CPRA this is a “share” even though we do not currently purchase ads against it. You can opt out of this sharing through: (a) the cookie-consent banner on first visit, (b) the “Do Not Sell or Share My Personal Information” link in the footer, or (c) a Global Privacy Control signal sent by your browser, which we honor automatically. A full inventory of the cookies and pixels involved is published in our Cookie Policy.

8. International transfers

GLACIS is headquartered in the United States. Personal information may be accessed by GLACIS personnel and subprocessors in the US and in other countries where we operate or where our service providers operate.

For transfers of personal data from the European Economic Area, the United Kingdom, or Switzerland to the United States or to other countries not recognized as providing an adequate level of protection, we rely on:

  • the European Commission’s Standard Contractual Clauses (2021);
  • the UK International Data Transfer Addendum (or the UK International Data Transfer Agreement) issued by the ICO;
  • the Swiss addendum where applicable; and
  • where we have certified, the EU–US Data Privacy Framework and its UK and Swiss extensions.

A copy of the relevant transfer instrument and our transfer impact assessments are available on request at [email protected].

9. Data retention

We retain personal information only for as long as necessary to fulfill the purposes described in this policy, including providing the Services, complying with legal obligations, resolving disputes, and enforcing agreements. Specific retention periods are set out in our internal Records Retention Schedule; general guidelines:

| Category | Retention |
| --- | --- |
| Account records (active customers) | Life of account |
| Account records (after account closure) | 30 days for export, then deletion or anonymization within 90 days, subject to legal holds |
| Billing and tax records | 7 years (US tax law) |
| Service telemetry and diagnostic logs | Typically 30–90 days; security-relevant logs up to 13 months |
| Support conversations | 3 years from last contact |
| Marketing contacts (opted-in) | Until unsubscribed plus 30 days |
| OVERT Receipts (metadata only, no Customer Content) | Per the DPA; customer-configurable |

Backups are retained on a rolling basis (typically not more than 35 days) and are overwritten in normal course; deletion requests affecting backups are fulfilled as those backups cycle.

10. Your privacy rights

10.1 Rights summary

Depending on where you live, you have some or all of the following rights:

  • Access — ask what personal information we hold about you.
  • Correction — ask us to correct inaccurate data.
  • Deletion — ask us to delete data (subject to legal retention and legitimate-interest exceptions).
  • Portability — receive your data in a structured, commonly used, machine-readable format.
  • Object or restrict — object to processing or ask us to restrict it.
  • Withdraw consent — where we rely on consent.
  • Opt out of sale or sharing — though we do not engage in either.
  • Limit use of sensitive personal information — where applicable under CPRA and comparable laws.
  • Non-discrimination — we will not discriminate against you for exercising any right.
  • Appeal — if we deny a rights request, you may appeal to [email protected].
  • Lodge a complaint — with your local supervisory authority (EU/UK/Switzerland) or your state Attorney General (applicable US states).

10.2 How to exercise your rights

Email [email protected] with the nature of your request. We will verify your identity before responding (verification methods are proportionate to the sensitivity of the request). Authorized agents acting under CCPA/CPRA or equivalent laws must provide signed written permission and proof of their authority.

We will respond within the time required by applicable law — generally 45 days under CCPA/CPRA (extendable once by 45 days where necessary) and one month under GDPR (extendable by up to two months for complex requests).

10.3 California-specific disclosures (CCPA/CPRA)

The categories of personal information we have collected in the preceding twelve months are those described in Section 2. We have not “sold” personal information in that period. We have “shared” personal information for cross-context behavioral advertising (as CPRA defines “share”) via the marketing pixels identified in our Cookie Policy and in Section 7 above; these are opt-out via the mechanisms described in Section 7. We have not knowingly sold or shared the personal information of minors under 16.

10.4 European, UK, Swiss rights

Data-subject rights under GDPR/UK GDPR/nLPD can be exercised by contacting [email protected]. You may lodge a complaint with your local supervisory authority, a list of which is available at edpb.europa.eu (EU), the ICO at ico.org.uk (UK), and the FDPIC (Switzerland).

11. Children

The Services are not directed to children under 16, and we do not knowingly collect personal information from children. If you believe a child has provided us personal information, contact [email protected] and we will take appropriate steps to delete it.

12. Security

We maintain administrative, technical, and physical safeguards reasonably designed to protect personal information. Controls include (without limitation) access control and least-privilege, multi-factor authentication, encryption of data in transit and at rest, key management, secure software development, vulnerability management, continuous logging and monitoring, incident response, vendor risk management, and regular independent assessments.

Our security program is attested against the SOC 2 Trust Services Criteria (Security, Availability, Confidentiality) at the Type II level and is aligned with ISO/IEC 27001 and ISO/IEC 42001. Current reports, policy extracts, penetration-test summaries, and subprocessor information are available under NDA at trust.glacis.io. No security program can guarantee absolute security; we commit to continuous improvement.

13. Cookies and tracking

Our use of cookies, pixels, local storage, and similar technologies, and the choices available to you, are described in our Cookie Policy.

14. Changes to this policy

We may update this Privacy Policy from time to time. For material changes, we will provide advance notice by updating the “Effective” date at the top of this page and, where appropriate, by email to registered users. Your continued use of the Services after the effective date constitutes acceptance of the updated policy.

15. Contact · Data Protection Officer

GLACIS Technologies, Inc.
Seattle, Washington, USA
Privacy questions and rights requests: [email protected]
Security incidents: [email protected]
Trust Center: trust.glacis.io

EU / UK representative. Where required by GDPR Article 27 or UK GDPR, GLACIS has appointed an EU and/or UK representative. Contact details are available on request at [email protected].

Data Protection Officer. Our DPO can be reached at [email protected].


Effective 18 April 2026 · v1.0 · Published by GLACIS Technologies, Inc.
