Privacy Policy

1. Introduction

Triple Alpha AB ("Glimt," "we," "us," or "our") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, share, and protect information when you use our website glimt.dev (the "Site") and our AI-powered error detection and remediation services (the "Services").

1.1 Data Controller

1.2 Legal Basis

This Privacy Policy complies with the EU General Data Protection Regulation (GDPR), the Swedish Data Protection Act (Dataskyddslagen), and other applicable data protection laws. If you are located in the European Union, European Economic Area, or Switzerland, you have specific rights regarding your personal data as described in this Policy.

1.3 Scope

This Privacy Policy applies to all users of our Site and Services, including visitors, account holders, organisation administrators, and end users whose data may be processed through our Services.

2. What Data We Collect

We collect several categories of information when you use our Services:

2.1 Account and Profile Data

When you create an account or profile, we collect:

• Identity information: Name, username, email address
• Authentication data: Password (encrypted), authentication tokens, session identifiers
• Organisation information: Company name, organisation role, team membership
• Contact information: Email address, phone number (optional), WhatsApp number (optional)
• Profile preferences: Language, timezone, notification settings

2.2 Billing and Payment Data

When you subscribe to a paid plan, we collect:

• Billing information: Company name, billing address, VAT number (for EU B2B customers)
• Payment information: Credit card details (processed and stored by Stripe, not by us)
• Transaction data: Payment history, invoices, subscription plan, usage records

Important: We do not store your full credit card details. All payment processing is handled by our payment processor, Stripe, which maintains PCI-DSS compliance.

2.3 Telemetry and Service Data

When you use the Services to monitor your applications, we collect telemetry data from your applications and services:

• Error logs: Exception messages, error types, error frequencies
• Stack traces: File paths, line numbers, function names, call stacks
• Source code: Code files and snippets necessary for error analysis and fix generation
• Performance metrics: Response times, throughput, resource usage
• Runtime information: Application version, environment, dependencies, runtime platform
• Session data: User sessions, request patterns, device information
• Integration data: GitHub repository information, commit history, pull requests, Slack messages, Linear issues

Note: Telemetry and source code may contain personal data such as developer names, email addresses in code comments or commit history, usernames, or other information embedded in your code or logs. We treat all such data in accordance with GDPR requirements.

2.4 Usage and Analytics Data

We automatically collect information about how you use the Services:

• Platform usage: Features used, pages viewed, actions taken, time spent
• Session recordings: Interaction patterns, clicks, navigation (via PostHog session replay)
• Device information: Browser type and version, operating system, device type
• Network information: IP address, geolocation (country/city level), ISP
• Referral data: How you found our Site (referral source, search terms, marketing campaigns)
• Feature engagement: Which features you use, how often, success/failure rates

We collect this data using:

• PostHog (including session recording and heatmaps)
• Google Analytics and Google Tag Manager
• Meta (Facebook) Pixel
• Amplitude
• Other analytics tools we may adopt

2.5 Communications

When you communicate with us, we collect:

• Support tickets: Your questions, issues, attachments, and our responses
• Emails: Correspondence with our team
• Chat messages: Conversations via the Platform, Slack, or other channels
• Survey responses: Feedback and satisfaction ratings
• Marketing preferences: Consent for email, SMS, or other marketing communications

2.6 Cookies and Tracking Technologies

We use cookies and similar technologies to:

• Essential cookies: Authentication, security, session management (required for service functionality)
• Analytics cookies: Understanding usage patterns and improving the Services
• Marketing cookies: Measuring campaign effectiveness and delivering relevant advertising
• Preference cookies: Remembering your settings and preferences

For detailed information about cookies and how to control them, see Section 12 below and our Cookie Consent banner.

3. How We Collect Data

We collect data through several methods:

• Directly from you: When you create an account, fill out forms, configure settings, contact support, or provide information through the Site
• Automatically: Through cookies, analytics tools, session recording, and telemetry instrumentation in your applications
• From integrations: Via APIs from GitHub (repositories, commits, pull requests), Slack (channels, messages), Linear (issues, projects)
• From third parties: Payment status from Stripe, authentication information from OAuth providers
• From your applications: Telemetry data sent via OpenTelemetry or other instrumentation you deploy

4. Why We Use Your Data (Legal Bases)

Under GDPR Article 6, we process your personal data based on the following legal grounds:

4.1 Contract Performance (Art. 6(1)(b))

We process your data to provide the Services you have requested:

• Create and manage your account
• Deliver error detection and AI-powered remediation
• Generate and submit pull requests to your repositories
• Send notifications via Slack and other channels
• Process payments and manage subscriptions
• Provide customer support and technical assistance

4.2 Legitimate Interests (Art. 6(1)(f))

We process your data for our legitimate business interests, which include:

• Improving our Services: Training machine learning models on Customer Data (source code, telemetry, usage patterns) to improve error detection accuracy, fix quality, and AI agent performance
• Security and fraud prevention: Monitoring for abuse, detecting security threats, preventing fraud, maintaining system integrity
• Analytics and optimization: Understanding how users interact with the Platform to improve features, performance, and user experience
• Business operations: Internal record-keeping, accounting, tax compliance, legal compliance
• Marketing to existing customers: Sending product updates, tips, feature announcements (you can opt out at any time)

Important: Our use of your source code and telemetry data to train ML models is based on legitimate interests. We conduct Data Protection Impact Assessments (DPIAs) where required to ensure that this processing does not override the rights and freedoms of data subjects. Where feasible, ML training is performed on anonymized or pseudonymized data. Derived ML models and anonymized insights do not contain personal data and cannot be used to identify individuals or organisations.

If you object to this processing, please contact us at legal@glimt.dev to discuss Enterprise options with ML training opt-out, or exercise your right to object under Section 11.6.

4.3 Consent (Art. 6(1)(a))

We rely on your consent for:

• Marketing/advertising cookies (Meta Pixel) and optional advanced analytics requiring cookies
• Marketing communications via email, SMS, or other channels
• Sharing data with specific third-party analytics providers

You can withdraw consent at any time through your account settings, our Cookie Consent banner, or by contacting us at legal@glimt.dev. Withdrawal does not affect the lawfulness of processing before withdrawal.

4.4 Legal Obligation (Art. 6(1)(c))

We process your data to comply with legal requirements:

• Tax reporting and accounting obligations (Swedish Tax Agency requirements)
• Responding to valid legal requests from law enforcement or regulators
• Compliance with court orders, subpoenas, or legal process
• Compliance with anti-money laundering and know-your-customer regulations

5. How We Use Your Data

We use the data we collect for the following purposes:

5.1 Service Delivery

• Monitor your applications for errors, crashes, and performance issues
• Analyze stack traces and source code to understand root causes
• Generate AI-powered code fixes and create pull requests on GitHub
• Send notifications and alerts via Slack, email, or Linear
• Provide AI chat assistance for problem remediation
• Manage workflows and coordinate automated remediation processes

5.2 Machine Learning and AI Improvement

• Train ML models: Use your source code, telemetry data, error patterns, and usage data to develop, train, and improve our machine learning algorithms
• Pattern recognition: Identify common error patterns, anti-patterns, and best practices across codebases
• Quality improvement: Enhance the accuracy and relevance of AI-generated fixes
• Anomaly detection: Improve our ability to detect unusual errors or emerging issues

Enterprise Opt-Out: If ML training on your data is unacceptable for regulatory, legal, or business reasons, contact us at legal@glimt.dev to discuss Enterprise licensing with opt-out provisions.

5.3 Customer Support

• Respond to your questions, issues, and support requests
• Troubleshoot problems and provide technical assistance
• Access your Customer Data when necessary to resolve issues (with your consent or as necessary to fulfill our contract)
• Improve support quality and response times

5.4 Billing and Account Management

• Process payments and manage subscriptions
• Calculate and bill metered Cognition Unit usage
• Send invoices and payment receipts
• Handle refund requests and billing disputes (subject to Terms of Service)
• Manage trial periods and plan changes

5.5 Analytics and Product Improvement

• Understand how users interact with the Platform
• Identify popular features and pain points
• Measure feature adoption and usage patterns
• Optimize user experience and interface design
• Test new features and improvements
• Generate aggregated, anonymized usage statistics and benchmarks

5.6 Security and Fraud Prevention

• Monitor for suspicious activity, abuse, or Terms of Service violations
• Detect and prevent fraud, spam, or malicious use
• Maintain system security and integrity
• Respond to security incidents and vulnerabilities
• Conduct security audits and assessments

5.7 Marketing and Communications

• Send product updates, feature announcements, and tips (you can opt out)
• Deliver marketing emails, SMS, or other messages (with your consent)
• Conduct surveys and gather feedback
• Measure marketing campaign effectiveness
• Personalize your experience and show relevant content

You can opt out of marketing communications at any time by clicking "unsubscribe" in emails or updating your preferences in account settings.

5.8 Legal and Compliance

• Comply with tax, accounting, and regulatory obligations
• Respond to legal requests and enforce our rights
• Resolve disputes and enforce our Terms of Service
• Protect against legal liability

6. Data Sharing and Third Parties

We share your data with third parties in the following circumstances:

6.1 Service Providers (Data Processors)

We engage third-party service providers to help us deliver the Services. These providers process personal data on our behalf and are contractually obligated to protect your data and use it only for the purposes we specify:

• Supabase (Germany): Database hosting, authentication, backend infrastructure
• Hetzner (Germany): Server hosting and infrastructure
• OpenAI (USA): AI model inference for code analysis and fix generation
• Anthropic (USA): AI model inference for code analysis and fix generation
• Stripe (USA/Ireland): Payment processing and billing management
• GitHub (USA, Microsoft): Repository access, pull request creation, and code hosting
• Slack (USA, Salesforce): Notifications, chat integration, and team communication
• Linear (USA): Issue tracking integration
• Resend (USA): Transactional email delivery (GDPR notifications, account confirmations, security alerts)
• MinIO (Self-hosted, Germany): S3-compatible file storage for data exports and user content (served via cdn.glimt.dev)
• PostHog: Analytics and session recording
• Google (USA): Google Analytics, Google Tag Manager
• Meta/Facebook (USA): Facebook Pixel for advertising measurement
• Amplitude: Product analytics

We may engage additional service providers from time to time. We reserve the right to use alternative AI providers in any jurisdiction to improve service quality, availability, or cost.

6.2 Integration Partners

When you connect third-party services (GitHub, Slack, Linear) to your account, we access and share data with those services as necessary to provide the integrations you have enabled. You are responsible for complying with the terms and privacy policies of these third-party services.

6.3 Legal and Safety

We may disclose your data when we believe it is necessary to:

• Comply with applicable laws, regulations, or legal processes (subpoenas, court orders, etc.)
• Respond to valid requests from law enforcement or government authorities
• Enforce our Terms of Service or other policies
• Protect our rights, property, or safety, or that of our users or the public
• Detect, prevent, or address fraud, security, or technical issues

6.4 Business Transfers

If we are involved in a merger, acquisition, reorganisation, sale of assets, or bankruptcy, your data may be transferred to the successor entity. We will notify you before your data is transferred and becomes subject to a different privacy policy.

6.5 With Your Consent

We may share your data with other third parties when you explicitly consent to such sharing.

6.6 Aggregated and Anonymized Data

We may share aggregated, anonymized, or de-identified data that does not identify you with third parties for research, benchmarking, marketing, or other purposes. Such data is not considered personal data under GDPR.

7. International Data Transfers

7.1 Primary Storage Location

Your Customer Data is primarily stored in the European Union (Frankfurt, Germany) on infrastructure provided by Supabase and Hetzner.

7.2 Transfers Outside the EEA

To provide the Services, we transfer personal data outside the European Economic Area (EEA) to service providers located primarily in the United States:

• OpenAI and Anthropic (USA): For AI model inference—this includes sending your source code and error logs. All transfers to AI providers are limited to the minimum data necessary for inference and are governed by Standard Contractual Clauses (SCCs) or the EU-US Data Privacy Framework, where providers are certified.
• GitHub, Slack, Linear (USA): For integrations and API functionality
• Stripe (USA/Ireland): For payment processing
• Google, Meta, Amplitude (USA): For analytics and marketing
• Other AI providers: We reserve the right to use AI providers in any jurisdiction

7.3 Legal Safeguards

For international data transfers, we rely on the following legal mechanisms under GDPR Article 46:

• Standard Contractual Clauses (SCCs): EU Commission-approved contract terms that impose data protection obligations on recipients outside the EEA
• EU-US Data Privacy Framework (DPF): For US-based service providers certified under the DPF (such as many major US tech companies)
• Adequacy Decisions: For countries the EU Commission has determined provide adequate data protection

7.4 Your Acknowledgment

We rely primarily on Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework for international data transfers. Where these mechanisms do not apply, we may rely on your explicit consent under GDPR Article 49(1)(a). By using the Services, you explicitly acknowledge and consent to the international transfer of your personal data (including source code) as necessary to provide the AI-powered features you have requested.

If you cannot consent to these transfers, please do not use the Services or contact us at legal@glimt.dev to discuss alternative arrangements.

8. Data Security

8.1 Security Measures

We implement appropriate technical and organisational measures to protect your data, including:

• Encryption: Data encrypted in transit (TLS/HTTPS) and at rest (AES-256 or equivalent)
• Access controls: Role-based access control (RBAC), multi-factor authentication (MFA) for administrative access
• Authentication: Secure authentication via Supabase Auth with industry-standard protocols
• Audit logging: Comprehensive logging of access and changes for security monitoring
• Infrastructure security: Firewalls, intrusion detection, regular security patches
• Vendor security: We select service providers with strong security practices and certifications
• Incident response: Documented procedures for detecting, responding to, and recovering from security incidents

8.2 Limitations

While we use reasonable security measures, no system is 100% secure. We cannot guarantee absolute security, and you acknowledge that data transmission over the internet carries inherent risks. You are responsible for maintaining the security of your account credentials and for any activity under your account.

8.3 Data Breach Notification

If we become aware of a data breach affecting your personal data, we will notify you and applicable supervisory authorities as required by GDPR Articles 33-34, typically within 72 hours of becoming aware of the breach. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you without undue delay.

9. Data Retention

9.1 Retention Periods

We retain personal data for as long as necessary to fulfill the purposes described in this Privacy Policy:

• Account data: Retained for the duration of your account plus any period required for legal compliance or dispute resolution
• Telemetry and error logs: Target retention of approximately 2 years, but we do not guarantee this timeframe and may retain data longer for security, fraud prevention, or legal reasons
• Source code: Deleted within 30 days after account termination (unless required by law or ongoing disputes)
• ML models and derived insights: Retained indefinitely—while we delete your raw source code, we retain the machine learning models, algorithms, and patterns derived from your data
• Billing records: Retained for 7 years to comply with Swedish tax and accounting laws (Bokföringslagen)
• Security logs: Retained as long as necessary for security monitoring, fraud prevention, and legal compliance (potentially longer than other data types)
• Marketing communications: Retained until you opt out or request deletion

9.2 Deletion After Termination

When you terminate your account or subscription:

• We delete your source code and raw Customer Data within 30 days
• We retain derived ML models, anonymized insights, and aggregated data indefinitely
• We retain billing records for 7 years as required by Swedish law
• You may request earlier deletion by contacting us at legal@glimt.dev (subject to legal retention requirements)

10. Your Rights Under GDPR

If you are located in the European Union, European Economic Area, or Switzerland, you have the following rights regarding your personal data under the GDPR:

10.1 Right of Access (Article 15)

You have the right to obtain confirmation of whether we process your personal data and to request a copy of your personal data. We will provide the first copy free of charge; additional copies may incur a reasonable fee.

10.2 Right to Rectification (Article 16)

You have the right to correct inaccurate or incomplete personal data. You can update most information directly in your account settings.

10.3 Right to Erasure / "Right to be Forgotten" (Article 17)

You have the right to request deletion of your personal data when:

• The data is no longer necessary for the purposes for which it was collected
• You withdraw consent (where processing was based on consent)
• You object to processing based on legitimate interests and there are no overriding legitimate grounds
• The data was unlawfully processed
• Deletion is required by legal obligation

Limitations: We may be unable to delete data if retention is necessary for legal compliance (e.g., 7-year billing records), establishing/defending legal claims, or exercising freedom of expression. We also retain ML models and derived insights after deleting raw source code.

10.4 Right to Restriction of Processing (Article 18)

You have the right to request that we limit how we process your data in certain circumstances, such as when you contest the accuracy of the data or object to processing.

10.5 Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, machine-readable format (such as JSON or CSV) and to transmit it to another controller. This right applies to data you provided to us with your consent or under a contract.

10.6 Right to Object (Article 21)

You have the right to object to processing based on legitimate interests (including ML training on your data) or for direct marketing purposes. If you object to ML training, we will stop processing your data for that purpose unless we demonstrate compelling legitimate grounds that override your interests.

To object to ML training: Contact us at legal@glimt.dev to discuss Enterprise licensing options with ML opt-out.

10.7 Right to Withdraw Consent

Where we rely on consent (analytics cookies, marketing communications, session recording), you have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

How to withdraw: Update your preferences in account settings, use our Cookie Consent banner, or click "unsubscribe" in marketing emails.

10.8 Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority if you believe we have violated your data protection rights. The relevant authority in Sweden is:

10.9 How to Exercise Your Rights

To exercise any of these rights, please contact us at:

• Email: legal@glimt.dev
• Mail: Triple Alpha AB, Kivra 559226-3429, 106 31 Stockholm, Sweden

We will respond to your request within 30 days (or as otherwise required by law). We may request additional information to verify your identity before processing your request.

11. Automated Decision-Making

11.1 AI-Generated Code Fixes

The Services use AI models to automatically analyze errors and generate code fixes (pull requests). While this is automated processing, it does not constitute automated decision-making with legal or similarly significant effects under GDPR Article 22 because:

• You retain full control over whether to merge AI-generated pull requests
• You are responsible for reviewing and testing AI Output before deployment
• The AI Output is advisory and does not automatically affect legal rights or create legal obligations

11.2 Your Right to Human Review

You have the right to request human review of any AI Output and to contest or provide feedback on AI-generated fixes. Contact support@glimt.dev if you have concerns about specific AI Output.

12. Cookies and Tracking Technologies

12.1 What Are Cookies?

Cookies are small text files stored on your device when you visit a website. They help websites remember your preferences, authenticate your session, and understand how you use the site.

12.2 Types of Cookies We Use

Essential Cookies (No Consent Required)

These cookies are necessary for the Services to function and cannot be disabled:

• Authentication: Keep you logged in and manage your session
• Security: Prevent cross-site request forgery (CSRF) and other attacks
• Load balancing: Distribute traffic across servers
• Preferences: Remember your settings (language, theme, etc.)

Analytics Cookies (Consent Required)

These cookies help us understand how you use the Services:

• PostHog: Usage patterns, feature engagement, session recordings
• Google Analytics: Traffic sources, page views, user demographics
• Amplitude: Product analytics, cohort analysis, retention metrics

Marketing Cookies (Consent Required)

These cookies help us measure advertising effectiveness:

• Meta (Facebook) Pixel: Track conversions from Facebook/Instagram ads
• Google Tag Manager: Manage marketing tags and track campaigns

12.3 Session Recording

We use PostHog to record user sessions, including mouse movements, clicks, scrolling, and page interactions. Session recordings help us understand how users navigate the Platform and identify usability issues. Recordings do not capture passwords, payment details, or other sensitive input fields.

You can opt out of session recording through our Cookie Consent banner or by contacting us at legal@glimt.dev.

12.4 Managing Cookies

You can control cookies through:

• Our Cookie Consent Banner: Displayed on your first visit; you can change preferences at any time
• Browser Settings: Most browsers allow you to block or delete cookies via settings/preferences
• Opt-Out Tools: Google Analytics Opt-out: https://tools.google.com/dlpage/gaoptout
• Do Not Track: We honor "Do Not Track" browser signals for non-essential cookies

Note: Blocking essential cookies will prevent you from using the Services.

12.5 Third-Party Tracking

Third-party analytics and marketing providers (PostHog, Google, Meta, Amplitude) may set their own cookies when you use our Site. These third parties have their own privacy policies governing their use of cookies and tracking technologies.

13. Children's Privacy

The Services are not intended for individuals under 18 years of age. In the European Economic Area (EEA), we do not knowingly collect personal data from anyone under the age permitted by local law (typically 16, though this may vary by country — for example, 13 in Sweden). Outside the EEA, the minimum age is 18.

If you are under the applicable age limit, you may only use the Services with the consent and supervision of a parent, legal guardian, or authorized organisation administrator.

If we become aware that we have inadvertently collected personal data from a child under the applicable age without appropriate consent, we will take steps to delete such information as quickly as possible.

If you believe we have collected personal data from a child without consent, please contact us immediately at legal@glimt.dev.

14. Updates to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, Services, legal requirements, or for other operational, legal, or regulatory reasons.

14.1 Notice of Material Changes

For material changes that significantly affect your rights or how we process your data, we will provide prominent notice at least 30 days in advance via:

• Email to the address associated with your account
• In-app notification
• Banner on the Site

14.2 Continued Use

Your continued use of the Services after the updated Privacy Policy takes effect constitutes your acceptance of the changes. If you do not agree to the updated Privacy Policy, you must stop using the Services and may request account deletion.

14.3 Version History

The "Last Updated" date at the top of this Privacy Policy indicates when the most recent changes were made. We maintain a version history of significant changes, which you can request by contacting legal@glimt.dev.

15. Contact and Complaints

15.1 Privacy Inquiries

If you have questions about this Privacy Policy, our data practices, or wish to exercise your GDPR rights, contact us at:

15.2 Response Time

We will acknowledge your inquiry within 5 business days and provide a substantive response within30 days (or as otherwise required by law).

15.3 Supervisory Authority

If you are not satisfied with our response or believe we have violated your data protection rights, you have the right to lodge a complaint with the Swedish supervisory authority:

15.4 EU Online Dispute Resolution

If you are an EU consumer, you can also use the EU Online Dispute Resolution platform to submit complaints:https://ec.europa.eu/consumers/odr

16. Data Protection Officer

Under GDPR Article 37, we are not currently required to appoint a Data Protection Officer (DPO) because we do not engage in large-scale processing of sensitive data as our core activity. However, if our processing activities change or if we determine a DPO is necessary, we will appoint one and update this Privacy Policy accordingly.

For all privacy-related matters, please contact us at legal@glimt.dev.

17. Jurisdiction-Specific Information

17.1 Swedish Users

In addition to GDPR rights, Swedish users have rights under the Swedish Data Protection Act (Dataskyddslagen) and the Swedish Electronic Communications Act (Lagen om elektronisk kommunikation).

17.2 EU/EEA Users

EU and EEA users benefit from GDPR protections regardless of where they are located when using the Services. Data transfers outside the EEA are conducted in accordance with GDPR Chapter V requirements.

17.3 Users Outside the EU/EEA

If you are located outside the European Union or European Economic Area, your data will still be processed in accordance with this Privacy Policy, but you may not have the same data protection rights as EU/EEA residents. We will, however, handle your data in accordance with applicable local laws.