Privacy Policy
Effective 26 May 2026
This Privacy Policy explains how Glassbreak ("we", "us", "our") collects, uses, stores, and protects personal information when you use our platform, website, and related services (collectively, the "Service"). It is written to address the requirements of the EU General Data Protection Regulation (GDPR), the UK GDPR, the Swiss FADP, the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), the Virginia Consumer Data Protection Act (VCDPA), the Connecticut Data Privacy Act (CTDPA), the Colorado Privacy Act (CPA), the Utah Consumer Privacy Act (UCPA), the Australian Privacy Principles under the Privacy Act 1988, and the Singapore Personal Data Protection Act (PDPA), among others.
1. Overview
Glassbreak is a break-glass emergency access platform. Secrets, contacts, and messages are encrypted on your device before transmission to our infrastructure. Glassbreak does not have the ability to decrypt your content. Privacy is foundational to how we design, build, and operate the Service.
2. Our Roles — Controller and Processor
Under GDPR, UK GDPR, and equivalent regimes, Glassbreak acts in two distinct capacities:
- Controller — for the personal data we collect to operate the Service and our business (account registration data, authentication credentials, billing data, security telemetry, and support communications). We determine the purposes and means of processing this data.
- Processor — for the personal data that our customers submit to the Service in the course of using it (collectively, "Customer Data", which is end-to-end encrypted and which we cannot decrypt). The customer is the controller; we process this data only on documented instructions, as set out in our Data Processing Agreement.
Equivalent role distinctions under CCPA/CPRA (business vs. service provider) and the Australian Privacy Principles (APP entity) apply.
3. Information We Collect
We collect the minimum data required to create and maintain your account, ensure security, and provide the Service:
- Account information — name and email address provided during registration
- Authentication data — password hash (Argon2id), MFA credentials (TOTP secrets, WebAuthn public keys, recovery code hashes), and refresh tokens
- Security metadata — IP addresses, user agent strings, device identifiers, and login timestamps, recorded in audit logs for fraud detection and compliance
- Organisation and team data — organisation name, team names, membership roles, and subscription details
- Encrypted content — secrets, contact records, and messages stored in encrypted form that we cannot decrypt
- Usage metrics — anonymous, aggregate site usage via Plausible Analytics (no personally identifiable information, no cookies)
- Payment information — processed and stored by Stripe (see section 9)
4. Lawful Bases for Processing (GDPR Art. 6 / UK GDPR Art. 6)
Where GDPR or UK GDPR applies, we rely on the following lawful bases:
- Performance of a contract (Art. 6(1)(b)) — to create and operate your account, deliver the Service you have asked for, and process payments.
- Legitimate interests (Art. 6(1)(f)) — for security monitoring, fraud prevention, rate limiting, audit logging, and the day-to-day operation and improvement of the Service. We have assessed these interests against your rights and freedoms and consider them proportionate.
- Consent (Art. 6(1)(a)) — where required, for any optional marketing communications. We do not currently send marketing emails; if that changes, we will obtain affirmative consent in advance.
- Legal obligation (Art. 6(1)(c)) — for tax, accounting, anti-fraud, anti-money-laundering, and law enforcement requests.
We do not engage in solely automated decision-making with legal or similarly significant effects on data subjects (GDPR Art. 22).
5. How We Use Your Information
- Create and manage user accounts, organisations, and teams
- Authenticate users and manage session security (JWTs with refresh token rotation)
- Enforce access controls and role-based permissions
- Process payments and manage subscriptions via Stripe
- Send service-related communications (account verification, password resets, security alerts)
- Maintain audit logs for security monitoring and compliance
- Detect and prevent fraud, abuse, and unauthorised access
- Enforce rate limits to protect Service availability
- Comply with legal obligations and enforce our Terms
We do not use Customer Data (encrypted content, contacts, or messages) to train, fine-tune, or evaluate artificial intelligence or machine learning models, and do not share Customer Data with any third party for those purposes. The zero-knowledge architecture means we could not do so even if we wished to.
6. Data Security and Encryption
- Secret encryption — secrets are encrypted using AES-256 on your device before transmission. Decryption keys remain exclusively in your control.
- Key protection — RSA-4096 key pairs are generated per user; private keys are encrypted at rest. Post-quantum key encapsulation (Kyber1024) protects wrapped keys against future quantum computing threats, including "harvest now, decrypt later" attacks on ciphertext captured today.
- Contact encryption — personal contact information (email, phone, address) is encrypted with a Content Encryption Key (CEK) per team. Blind indexes (keyed hashes computed on your device) allow exact-match lookup of a contact field without decrypting the record; they do not support substring or range search.
- Message encryption — chat messages are end-to-end encrypted with per-conversation keys wrapped for each participant.
- Password security — passwords are hashed using Argon2id with high memory cost parameters. We never store or transmit plaintext passwords.
- Transport security — all data in transit is protected by TLS. All data at rest is encrypted at the infrastructure level.
Glassbreak staff, systems, and infrastructure providers have no access to your decrypted secrets, messages, or contact data; our systems hold only ciphertext and blind indexes.
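The blind-index mechanism described under "Contact encryption" above is easier to reason about with a concrete model. The following is an added illustration written for this page, not Glassbreak's own code: the team index keys, the sample contacts, and the field names are all constructed for the example. It shows what the server can and cannot learn: it stores only a keyed hash per field and a record id, answers equality queries, and never sees the plaintext or the Content Encryption Key.

```python
"""Blind-index lookup over encrypted contact fields (illustrative, not Glassbreak's code)."""
from __future__ import annotations

import hashlib
import hmac
import unicodedata

# Constructed per-team index keys for this example. A real deployment derives the
# index key from the team's key material, keeps it distinct from the Content
# Encryption Key, and never sends it to the server.
TEAM_INDEX_KEYS = {
    "team-a": bytes.fromhex("00" * 16 + "a1" * 16),
    "team-b": bytes.fromhex("00" * 16 + "b2" * 16),
}

# Constructed sample records. The server only ever sees the record id and the
# blind index; the plaintext stays on the client and is encrypted with the CEK
# before upload (the encryption step itself is not shown here).
SAMPLE_CONTACTS = [
    {"id": "c1", "email": "Alice@Example.com ", "phone": "+44 20 7946 0000"},
    {"id": "c2", "email": "bob@example.com", "phone": "+44 20 7946 0001"},
    {"id": "c3", "email": "alice@example.com", "phone": "+1 555 0100"},
]


def normalise(value: str) -> str:
    # Canonicalise so trivially different spellings of the same value index identically.
    return unicodedata.normalize("NFKC", value).strip().casefold()


def blind_index(index_key: bytes, field: str, value: str, length: int = 16) -> str:
    # Keyed hash over (field name, normalised value). Binding the field name stops an
    # email index from colliding with the same string stored under another field.
    msg = field.encode("utf-8") + b"\x00" + normalise(value).encode("utf-8")
    digest = hmac.new(index_key, msg, hashlib.sha256).digest()
    # Truncation limits what an offline guess against the index can confirm.
    return digest[:length].hex()


def build_index(team: str, contacts: list[dict], fields=("email", "phone")) -> dict[str, list[str]]:
    # What the server stores: blind index -> record ids. No plaintext, no CEK.
    key = TEAM_INDEX_KEYS[team]
    table: dict[str, list[str]] = {}
    for contact in contacts:
        for field in fields:
            table.setdefault(blind_index(key, field, contact[field]), []).append(contact["id"])
    return table


def lookup(team: str, table: dict[str, list[str]], field: str, value: str) -> list[str]:
    # The client computes the index for the query term; the server answers by exact match
    # and returns record ids. Decrypting the matching records happens on the client.
    return list(table.get(blind_index(TEAM_INDEX_KEYS[team], field, value), []))


if __name__ == "__main__":
    idx = build_index("team-a", SAMPLE_CONTACTS)
    print(lookup("team-a", idx, "email", "alice@example.com"))  # ['c1', 'c3']
    print(lookup("team-b", build_index("team-b", SAMPLE_CONTACTS), "email", "carol@example.com"))  # []
```

Two properties of the example are worth noting. The server can still see that records c1 and c3 share an email value, because an equality index necessarily reveals equality (and therefore value frequency); that is the trade-off accepted in exchange for search without decryption, and it is why the index key is per team and separate from the CEK. Because the index is an HMAC over the normalised value, the same query must be normalised identically on every client, or lookups silently miss.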
7. Cloud Infrastructure and Data Residency
We operate independent verticals across multiple cloud providers so that no single provider failure can take the Service offline:
- AWS — Lambda compute in us-east-1 (United States) and S3 object storage
- Scaleway — Serverless Functions, Object Storage, Managed PostgreSQL, and Serverless SQL in fr-par (France / EU)
- Fly.io / GCP — additional break-glass vertical (planned)
- Fastly — primary multi-origin CDN with health-checked failover and DNS
- Neon — serverless PostgreSQL for the AWS vertical (aws-eu-central-1, Frankfurt)
The glassbreak.cloud vertical is an EU-pure stack: no US compute, no US data transit, all state held within the EU. Customers with strict data-residency requirements (for example, under GDPR or sectoral rules) may choose to access the Service exclusively via that domain.
8. International Data Transfers
Where personal data originating in the EEA, the United Kingdom, or Switzerland is transferred to a country that has not been the subject of an adequacy decision, we rely on appropriate safeguards:
- the European Commission's Standard Contractual Clauses (SCCs), Module 2 (controller-to-processor) where we act as controller and Module 3 (processor-to-processor) where we act as processor, executed with the relevant sub-processors and incorporated into our customer DPA;
- the UK International Data Transfer Addendum (UK IDTA) for transfers subject to the UK GDPR;
- the Swiss FADP addendum to the SCCs for transfers originating in Switzerland; and
- encryption of data in transit (TLS) and at rest, as a supplementary technical measure.
9. Payment Processing
We use Stripe to process payments and manage subscriptions. Stripe collects and stores your payment information (card number, billing address) in accordance with their Privacy Policy and is PCI DSS Level 1 certified. Glassbreak stores only your Stripe customer ID and subscription ID; we never receive or store full payment card details.
10. Analytics
We use Plausible Analytics, a privacy-respecting, cookie-free, EU-hosted analytics tool, to monitor aggregate site usage. Plausible does not collect personally identifiable information, does not use cookies, and does not track users across sites. We do not use Google Analytics or similar invasive tracking tools.
11. Email Communications
Transactional emails (account verification, password resets, security alerts) are sent via Postmark. We do not currently send marketing emails; if we begin to, you will be asked for affirmative consent and given a clear unsubscribe option. We will never sell or share your email address with third parties for marketing purposes.
12. Cookies and Local Storage
Glassbreak uses only essential cookies and storage:
- Session — JWT and refresh token cookies for authentication
- CSRF token — anti-cross-site-request-forgery cookie set on authenticated requests
- Theme preference — light/dark mode stored in localStorage
We do not deploy advertising cookies, marketing cookies, or third-party tracking cookies. Plausible Analytics operates without cookies.
13. Data Retention
We retain personal data only for as long as necessary for the purposes set out in this Policy or as required by law. The default retention periods are:
- Account data (name, email, organisation membership) — retained until the account is deleted, then for an additional 30 days to allow restoration of accounts deleted by mistake or through fraud, after which it is permanently deleted
- Audit logs — 12 months by default; 24 months on Premium plans
- Backups — 35 days rolling, after which the backup itself is destroyed
- Billing records and invoices — 7 years, as required by applicable tax and accounting law
- Encrypted content (Customer Data) — retained until the customer or team administrator deletes it, then purged from primary storage and removed from backups within the 35-day backup horizon
- Rate-limit and abuse-detection data — typically expired and purged within 24 hours
14. Sub-processors
We use the following sub-processors. None can access your decrypted secrets, messages, or contact data; those that store Customer Data hold only ciphertext. The authoritative, current list is at /legal/sub-processors.
- AWS (US) — Lambda compute, S3 storage, AWS vertical
- Scaleway (EU) — Serverless Functions, Object Storage, Managed PostgreSQL, Serverless SQL, Scaleway vertical
- Fly.io / GCP (US/Global) — additional break-glass compute vertical (planned)
- Fastly (US/Global) — multi-origin CDN, routing, and DNS
- Neon (EU — Frankfurt) — serverless PostgreSQL for the AWS vertical
- Stripe (US) — payment processing
- Postmark (US) — transactional email delivery
- Plausible (EU) — privacy-respecting analytics
- GitHub (US) — source code hosting and CI/CD
- 1Password — internal secrets management (Glassbreak staff)
We give at least 30 days' notice by email and on the sub-processor list before onboarding a new sub-processor or materially changing the role of an existing one.
15. Your Rights
Depending on where you are located, you may have the following rights regarding your personal data. We will respond to verifiable requests within the period required by the applicable law (one month under GDPR and UK GDPR, extendable for complex or numerous requests; 45 days under CCPA/CPRA, extendable once by a further 45 days where reasonably necessary).
EU GDPR and UK GDPR (Art. 15–22):
- Access (Art. 15) — a copy of the personal data we hold about you
- Rectification (Art. 16) — correction of inaccurate or incomplete data
- Erasure / "right to be forgotten" (Art. 17) — subject to legal retention requirements
- Restriction of processing (Art. 18)
- Data portability (Art. 20) — a structured, machine-readable export
- Objection (Art. 21) — including objection to processing based on legitimate interests
- Rights related to automated decision-making and profiling (Art. 22) — we do not engage in such decision-making
- Withdrawal of consent where processing is based on consent
- Right to lodge a complaint with a supervisory authority
US state privacy laws:
- CCPA / CPRA (California) — right to know, right to access, right to delete, right to correct, right to opt out of "sale" or "sharing" of personal information, right to limit use of sensitive personal information, right to non-discrimination. We do not sell personal information and do not "share" it for cross-context behavioural advertising as defined by CPRA.
- VCDPA (Virginia) — access, correction, deletion, portability, opt-out of targeted advertising, sale, and certain profiling.
- CTDPA (Connecticut) — same suite of rights as VCDPA.
- CPA (Colorado) — same suite of rights, including a universal opt-out mechanism where applicable.
- UCPA (Utah) — access, deletion, portability, and opt-out of certain processing.
Other jurisdictions:
- Australia (Privacy Act 1988 / Australian Privacy Principles) — access, correction, complaint to the Office of the Australian Information Commissioner (OAIC).
- Singapore (PDPA) — access, correction, withdrawal of consent.
- Switzerland (FADP) — access, correction, deletion, and equivalent rights.
To exercise any of these rights, contact us at privacy@glassbreak.io or use the data-subject request form at /legal/data-request. We may need to verify your identity before responding. We cannot provide access to your encrypted content because we do not hold the decryption keys; you can export your own decrypted content directly from the Service.
16. Data Breach Notification
In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Art. 33 and UK GDPR Art. 33. Where the breach is likely to result in a high risk to your rights and freedoms, we will notify affected data subjects without undue delay (GDPR Art. 34). Notifications under other regimes (including the Australian Notifiable Data Breaches scheme, Singapore PDPA, and US state breach notification laws) will be made in accordance with the applicable statutory timelines and content requirements.
Where we act as processor, we will notify the customer (controller) without undue delay after becoming aware of a breach affecting Customer Data, in accordance with our DPA.
17. Children's Privacy
Glassbreak is not directed at children under 16 years of age. We do not knowingly collect personal information from children under 16. If we become aware that a child under 16 has provided us with personal data, we will take prompt steps to delete it.
18. DPO, EU Representative, and UK Representative
Glassbreak is currently appointing a formal Data Protection Officer and statutory Article 27 representatives in the EU and the UK. In the meantime, all data protection enquiries can be directed to:
- Data Protection Officer (interim contact): privacy@glassbreak.io
- EU GDPR Article 27 representative (TBD): privacy@glassbreak.io
- UK GDPR Article 27 representative (TBD): privacy@glassbreak.io
Named contacts will be added to this page once appointed.
19. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes (changes that expand the categories of data collected, the purposes of processing, the sub-processor list, or that materially reduce your rights) will be communicated by email to the account's primary contact and via a prominent in-product notice at least 30 days before they take effect. Non-material changes (typographical, clarifying, or required by law) may take effect on posting. The "Effective" date at the top of this page indicates when this Policy was last revised.
20. Governing Law
Governing law and dispute resolution for this Policy follow the multi-jurisdiction clauses in our Terms and Conditions. Nothing in this Policy limits your statutory rights or the jurisdiction of your local supervisory authority.
21. Contact
For questions, data requests, or complaints:
Privacy inquiries: privacy@glassbreak.io
Data-subject request form: /legal/data-request
Security: security@glassbreak.io
Complaints: complaints@glassbreak.io
If you are not satisfied with our response, you may lodge a complaint with your local supervisory authority — for example, the UK Information Commissioner's Office (ICO), the relevant EU data protection authority (e.g. CNIL in France, the Irish DPC), the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au, the Singapore Personal Data Protection Commission (PDPC), or the relevant US state attorney general.
By using Glassbreak, you agree to this Privacy Policy.
This document is provided for transparency and does not constitute legal advice.