Privacy policy

Glimly is operated by Paul Rugała, a Polish sole trader doing business as PR Development, registered in the Polish Central Register and Information on Economic Activity (CEIDG), NIP 9691496332, REGON 366312753, with principal place of business at ul. Zamkowa 6, 44-180 Toszek, Poland ("Glimly", "we", "us"). We are the data controller for the personal data described in this policy.

For privacy questions, data-subject requests, or notices under this policy, write to hello@glimly.dev.

We handle the following categories of personal data:

• Account data — your email address and display name, captured when you sign in via GitHub OAuth or magic-link email through our authentication provider.
• Monitor configurations — the URLs, request headers, and request bodies you choose to probe. You decide what goes here; do not put secrets you would not want stored at rest.
• Check results — HTTP status, latency, and content-match outcome for each probe we run on your behalf. Retained per the schedule in §5.
• Notification settings — the email recipients and webhook URLs you configure for incident alerts.
• Billing data — handled by Paddle as merchant of record; we receive a subscription identifier, plan, status, and renewal date. We do not store card numbers. See §4 and the Paddle callout below.
• Operational logs — request and error logs generated by the service, pseudonymous where feasible, used for debugging and abuse prevention.

Glimly is not designed to process special categories of personal data (Article 9 GDPR) or criminal-conviction data. You should not configure monitors that would cause such data to be transmitted to us.

We process personal data under the following lawful bases of Articles 6(1) GDPR (and the equivalent UK GDPR provisions):

• Contract performance — to provide the service you signed up for: running probes, delivering alerts, serving Badge and Card embeds, processing your subscription.
• Legitimate interests — to prevent abuse, secure the service, debug failures, and keep the product running reliably. We weigh these interests against your rights and freedoms.
• Consent — for any marketing communication we may send in the future. We do not send marketing email in v1, and you can withdraw consent at any time.

We do not sell personal data, and we do not carry out automated decision-making that produces legal or similarly significant effects. We do not use customer data, Monitor configurations, or check results to train machine-learning models — ours or any third party's.

The following third parties process personal data on our behalf. The list is current as of the "Last updated" date; we will notify you of material changes per §10.

• Amazon Web Services, Inc. — hosting (compute, storage, transactional email via SES). EU region (Frankfurt).
• Neon, Inc. — managed PostgreSQL database. EU region (Frankfurt).
• Paddle.com Market Limited — billing, tax, payments, and customer portal. Acts as merchant of record.
• GitHub, Inc. — OAuth identity provider, used only if you sign in with GitHub.

Where a processor or sub-processor accesses personal data from outside the European Economic Area (for example, US-based corporate access by Paddle or GitHub staff), transfers are protected by the European Commission's Standard Contractual Clauses and, where applicable, the EU–US Data Privacy Framework.

We will give at least 30 days' notice of any new or replacement sub-processor via an in-app banner and email to account owners. If you reasonably object to the change, you may terminate your paid subscription without penalty for the affected period.

Business and Pro customers can request a GDPR-compliant Data Processing Agreement by emailing hello@glimly.dev. Once signed, the DPA forms part of your contract with us.

Account data, services, monitors, and notification settings are retained for the life of the account. Check results are retained for the period stated on the pricing page — currently 7 days on Free, 30 days on Pro, and 90 days on Business — and older rows are purged on a rolling basis.

Indicative retention by category: account data and configurations are kept for the life of the account; check results for 7, 30, or 90 days by plan; billing records for 5 years (Polish tax and accounting law); operational logs for 30 days; security and abuse logs for up to 90 days; backups are overwritten on a rolling 30-day cycle.

When you delete your account, we remove customer data within 30 days, except for billing records that Paddle is required to retain under applicable tax and accounting law and minimal logs we retain for security and abuse-prevention purposes (typically 30–90 days).

Under the GDPR and UK GDPR you have the right to access your personal data and to request its rectification, erasure, restriction of processing, portability, or to object to processing based on our legitimate interests. To exercise any of these rights, write to hello@glimly.dev. We will respond within 30 days; we may extend this by two further months for complex requests and will tell you if we do.

You have the right to lodge a complaint with a data-protection supervisory authority. For EU residents this is typically the authority in your country of residence; for users in Poland, that is the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych, UODO).

California residents have equivalent rights under the CCPA / CPRA — to know, delete, correct, and to opt out of "sale" or "sharing" of personal information. We do not sell or share personal information as those terms are defined under California law.

We protect personal data in transit with TLS 1.2 or higher and at rest with AES-256 encryption provided by our database and storage vendors. Access to production systems is role-based and requires multi-factor authentication; secrets are managed through AWS Secrets Manager and never committed to source control.

If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and inform affected users without undue delay, as required by Article 34 GDPR. No system is perfectly secure, and we do not claim otherwise; we will tell you honestly when something goes wrong.

Glimly uses one first-party session cookie set by our authentication provider (Better Auth) to keep you signed in. We do not set third-party tracking cookies, advertising cookies, or analytics that assign identifiers to your browser. Because we set only strictly-necessary cookies, no consent banner is required under the ePrivacy Directive. We will update this section if that ever changes.

Glimly is a tool for site owners and developers and is not directed at children under 16 (the GDPR Article 8 threshold). We do not knowingly collect personal data from children. If we learn that we have, we will delete that data. If you believe a child has provided us with personal data, contact us at hello@glimly.dev.

We may update this Privacy policy from time to time. For material changes we will announce the update 30 days in advance via an in-app banner and email to account owners; for minor clarifications we will update the policy and bump the "Last updated" date. The effective date is the "Last updated" date shown at the top of this page.

For privacy questions, data-subject requests, and formal notices under this policy, contact hello@glimly.dev.

Postal: ul. Zamkowa 6, 44-180 Toszek, Poland.