Privacy Policy
Effective Date: March 1, 2026
Last Updated: March 1, 2026
1. Introduction
Glacis Technologies, Inc. (“GLACIS,” “we,” “us,” or “our”) is a Delaware corporation that builds AI governance infrastructure. We provide cryptographic attestation services that verify AI governance controls executed on enterprise AI deployments.
This Privacy Policy explains how we collect, use, disclose, and protect personal information when you visit our website at www.glacis.io (the “Website”) or interact with us as a prospective or existing customer.
Important distinction: This policy covers data we collect directly through our Website and business operations. Our platform’s processing of customer data — including attestation metadata, policy execution logs, and compliance evidence — is governed by our Data Processing Agreements (DPAs) with each customer, not this Privacy Policy. See Section 8 for details.
2. Data Controller
For the personal information described in this policy, Glacis Technologies, Inc. is the data controller. You can reach us at:
- Email: [email protected]
- Address: Glacis Technologies, Inc., 1209 Orange St, Wilmington, DE 19801, United States
3. Information We Collect
3.1 Information you provide to us
- Contact information: name, work email address, company name, job title, and phone number — when you fill out a form, request a demo, subscribe to our newsletter, or contact us directly.
- Account information: email address and authentication credentials when you create an account on our platform.
- Communications: the content of messages you send us via email, contact forms, or support channels.
- Event and meeting information: details you share when registering for webinars, events, or scheduling meetings.
3.2 Information collected automatically
- Website analytics: pages visited, time on page, referral source, and general interaction patterns. We use minimal, privacy-respecting analytics.
- Device and browser information: browser type, operating system, screen resolution, and language preferences.
- Network information: IP address (used for approximate geographic location and security purposes, not stored long-term in identifiable form).
- Cookies and similar technologies: see Section 7 for details on our limited use of cookies.
3.3 Information from third parties
- Business data enrichment: we may supplement contact information with publicly available business data (company size, industry) to improve the relevance of our communications.
- Referrals: if a colleague or partner refers you to us, we may receive your business contact information.
4. How We Use Your Information
We use personal information for the following purposes and legal bases:
| Purpose | Legal Basis (GDPR) |
|---|---|
| Responding to inquiries and providing customer support | Legitimate interest; contract performance |
| Processing account registration and service delivery | Contract performance |
| Sending product updates and relevant communications | Legitimate interest; consent (where required) |
| Website analytics and improving user experience | Legitimate interest |
| Security, fraud prevention, and abuse detection | Legitimate interest; legal obligation |
| Complying with legal obligations (tax, reporting) | Legal obligation |
Where we rely on legitimate interest as a legal basis, we have conducted balancing assessments to ensure our interests do not override your rights and freedoms. You may request details of these assessments by contacting us at [email protected].
5. How We Share Your Information
We do not sell, rent, or trade your personal information. We share personal information only in the following circumstances:
- Service providers: we use a limited number of third-party vendors to help operate our business (hosting, email delivery, analytics, CRM). These providers process data on our behalf under contractual obligations that restrict their use of your information to providing services to us.
- Legal requirements: we may disclose information when required by law, subpoena, court order, or government request, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
- Business transfers: in connection with a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity. We will notify you of any such change.
- With your consent: we may share information in other circumstances with your explicit consent.
6. Data Retention
- Contact and account information: retained for as long as you have an active relationship with us, plus up to 1 year after last interaction to allow for re-engagement. You may request earlier deletion at any time.
- Website analytics data: aggregated and anonymized within 90 days of collection.
- Support communications: retained for up to 1 year to maintain context for ongoing relationships.
- Legal and financial records: retained as required by applicable law (typically 7 years for financial records).
7. Cookies and Tracking Technologies
We use a minimal set of cookies and similar technologies on our Website. We do not use invasive tracking, behavioral advertising cookies, or third-party advertising networks.
| Category | Purpose | Duration |
|---|---|---|
| Essential | Site functionality, security (e.g., Cloudflare bot protection) | Session / up to 1 year |
| Analytics | Understanding how visitors use our site so we can improve it | Up to 1 year |
| Functional | Remembering your preferences (e.g., form pre-fill) | Up to 1 year |
Do Not Track and Global Privacy Control: we recognize and honor the Global Privacy Control (GPC) browser signal. When we detect a GPC signal, we treat it as a valid opt-out request for the sale or sharing of personal information under applicable state privacy laws.
8. Product Data — Data Processor Role
When our enterprise customers use the GLACIS platform, we process certain data on their behalf. In this context, our customers are the data controllers and GLACIS acts as a data processor.
What our platform processes
- Attestation metadata: cryptographic hashes, timestamps, policy execution records, and compliance evidence commitments.
- Configuration data: governance policies, framework mappings, and organizational settings defined by the customer.
What our platform does not process
- Underlying AI model inputs or outputs (prompts, responses, predictions)
- End-user personally identifiable information (PII)
- Protected health information (PHI)
- The content of AI inferences — only cryptographic commitments (hashes and signatures) proving that governance controls executed
This “zero-egress” architecture means sensitive data stays within the customer’s own infrastructure. Only cryptographic commitments leave the customer’s environment and reach our platform.
Processing of customer data through our platform is governed by individual Data Processing Agreements (DPAs) between GLACIS and each customer, not this Privacy Policy. Our DPAs address subprocessor management, data retention, security measures, and international transfer mechanisms in accordance with GDPR Article 28 requirements. Customers may request a copy of our standard DPA by contacting [email protected].
9. International Data Transfers
GLACIS is based in the United States. If you are located outside the United States, your personal information may be transferred to and processed in the United States or other countries where our service providers operate.
For transfers of personal data from the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Additional supplementary measures where appropriate, as recommended by the EDPB
- Adequacy decisions where available
You may request a copy of the applicable transfer mechanisms by contacting [email protected].
10. Your Rights
10.1 Rights under the GDPR (EEA and UK residents)
If you are located in the EEA or UK, you have the following rights:
- Access: request confirmation of whether we process your personal data and receive a copy of it.
- Rectification: request correction of inaccurate or incomplete personal data.
- Erasure: request deletion of your personal data in certain circumstances (e.g., when data is no longer necessary for its original purpose).
- Restriction: request that we temporarily stop processing your data while a dispute is being resolved.
- Data portability: receive your data in a structured, machine-readable format (e.g., JSON or CSV) and transmit it to another controller.
- Objection: object to processing based on legitimate interests or for direct marketing. We will stop processing for direct marketing immediately.
- Automated decision-making: you have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. We do not currently engage in such processing for Website visitors.
- Withdraw consent: where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
We will respond to rights requests within 30 days, with a possible extension of up to 60 additional days for complex requests (with notice). You also have the right to lodge a complaint with your local data protection supervisory authority.
10.2 Rights for US residents
Regardless of where you reside in the United States, we extend the following rights to all US residents:
- Right to know: what personal information we collect and how we use it.
- Right to access: request the specific pieces of personal information we hold about you.
- Right to delete: request deletion of personal information we have collected.
- Right to correct: request correction of inaccurate personal information.
- Right to data portability: receive your data in a portable, machine-readable format.
- Right to opt out: opt out of the sale or sharing of personal information, targeted advertising, and profiling for decisions that produce legal or similarly significant effects.
- Right to non-discrimination: we will not discriminate against you for exercising any of these rights.
We do not sell personal information. We do not share personal information for cross-context behavioral advertising. We do not use automated decision-making technology for decisions that produce legal or similarly significant effects.
We will respond to verifiable consumer requests within 45 days, with a possible extension of up to 45 additional days with notice.
10.3 How to exercise your rights
To submit a rights request, email us at [email protected]. We may need to verify your identity before processing your request. We will not require you to create an account to submit a request.
11. Security
We implement appropriate technical and organizational measures to protect personal information, including encryption in transit (TLS), access controls, and regular security reviews. No system is perfectly secure, but we are committed to protecting your information using industry-standard practices.
12. Children’s Privacy
Our Website and services are designed for business use and are not directed at children under 16. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact us at [email protected] and we will promptly delete it.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or business operations. We will post the updated policy on this page with a revised “Last Updated” date. For material changes, we will provide prominent notice (such as a banner on our Website or an email to affected individuals).
14. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us:
- Email: [email protected]
- Address: Glacis Technologies, Inc., 1209 Orange St, Wilmington, DE 19801, United States