Privacy Policy
Last updated: April 29, 2025
Welcome to Gloam (“Gloam”, “we”, “our”, or “us”). Gloam is an AI-powered customer relationship management (CRM) platform purpose-built for photographers and other wedding professionals. We know how important privacy is to your business and your clients, so we’ve designed every layer of our product and infrastructure with security and transparency in mind.
This Privacy Policy explains what information we collect, how we use it, your choices, and the rights you have when you sign up for or interact with any of our services at trygloam.com (the “Website”) or via our connected mobile / desktop applications (together, the “Services”).
TL;DR
We collect only what we need to run the Services, keep your account secure, and continuously improve the product. 🎉
1. Key Definitions
| Term | What it means |
|---|---|
| Account | The workspace you create when you sign up for Gloam |
| User | Anyone who uses Gloam, whether paying subscriber or on a free trial |
| Client | A contact that you—the User—store in Gloam (e.g., a couple you’re photographing) |
| Personal Data | Information that can identify an individual, such as name, email address, or payment details |
| Processing | Anything we do with Personal Data (collect, store, analyze, delete, etc.) |
| Controller | For EU/UK GDPR, this is usually you—the wedding pro—because you decide the purposes and means of processing your Clients’ data. Gloam acts as a Processor in that scenario. |
2. Data We Collect & Why
2.1 Information You Provide
| Category | Examples | Purpose |
|---|---|---|
| Account Info | Name, business name, email, phone | Create and secure your workspace |
| Billing Info | Credit-card number, billing address (handled by Stripe) | Process subscription & usage fees |
| Content | Leads, events, contracts, emails, images, etc. | Core CRM functionality |
| Support | Chat transcripts, emails | Help you troubleshoot issues |
2.2 Information We Collect Automatically
| Category | Examples | Purpose |
|---|---|---|
| Usage Data | Page views, button clicks, feature flags | Improve product & diagnostics |
| Device Data | Browser type, IP address, operating system, time-zone | Security & localization |
| Cookies & Local Storage | Auth tokens, theme preference | Keep you logged in, remember settings |
| Marketing Attribution | UTM parameters (source, medium, campaign) | Track effectiveness of marketing channels |
We collect marketing attribution data (such as which website or campaign directed you to our site) through URL parameters when you visit our website. This information is stored locally on your device and included when you submit forms on our site. We use this data to understand which marketing channels are most effective and to optimize our advertising efforts. This information is stored in our email marketing platform and associated with your email address when you join our waitlist or subscribe to our services.
2.3 Information from Integrations (Optional)
When you connect third-party services (e.g. Gmail, Stripe, Google Calendar):
• We request the minimum OAuth scopes required.
• Data stays sandboxed to your account and is used only to provide the specific feature (e.g., email syncing, invoice status).
• You can revoke access at any time from Gloam or the third-party dashboard.
3. How We Use Your Data
- Provide & maintain the Services – dashboards, automations, AI features.
- Authenticate & secure your Account (2FA, session management, abuse detection).
- Improve Gloam via analytics, A/B testing, and user feedback.
- Communicate about updates, security alerts, and marketing (opt-out any time).
- Comply with legal obligations (e.g., accounting, KYC, fraud prevention).
We never:
- Sell Personal Data.
- Use your Clients’ content to train third-party AI models.
- Look at your account data unless you give explicit support consent.
4. Legal Bases (GDPR)
We rely on one or more of the following:
• Contract – to deliver the Services you signed up for.
• Legitimate Interests – product analytics, fraud detection (balanced with your rights).
• Consent – marketing emails, integrations.
• Legal Obligation – tax & accounting records.
5. Retention
We keep Personal Data only as long as necessary:
- Account data: until you delete your account or 24 months of inactivity.
- Content inside your workspace: until you remove it or 90 days after account deletion (for recovery purposes).
- Back-ups: encrypted and purged on a 35-day rolling window.
6. Data Sharing
| Category | Recipient Type | Safeguards |
|---|---|---|
| Infrastructure | Cloud hosting & storage | Industry-standard certifications |
| Payments | Payment processors | PCI-DSS compliance |
| Email Delivery | Email service providers | SOC 2 or equivalent |
| AI Processing | AI service providers | Data encrypted in transit |
| Analytics | Analytics platforms | Aggregated & pseudonymized |
We only work with vendors who meet strict security and privacy standards. All sub-processors sign Data Processing Agreements (DPAs) with Gloam.
A current list of sub-processors is available upon request.
7. International Transfers
Your data may be processed in the United States or other regions where we or our sub-processors operate. We rely on:
- Standard Contractual Clauses (SCCs) approved by the EU Commission.
- Adequacy decisions where applicable (e.g., UK-US Data Bridge).
8. Security
• Encryption in-transit (TLS 1.3) and at-rest (AES-256).
• Role-based access controls with least-privilege principle.
• Continuous penetration testing & automated dependency scanning.
• Audit trails for every data access event.
If we discover a breach that affects you, we will notify you within 72 hours (or earlier if required by law).
9. Your Rights
Depending on your locale, you may have the right to:
- Access, correct, or delete your Personal Data.
- Port your data in a machine-readable format.
- Object to or restrict certain processing activities.
- Lodge a complaint with your local Data Protection Authority.
Submit requests via privacy@trygloam.com and we’ll respond within 30 days. 📨
10. Children’s Privacy
Gloam is not directed to children under 16. If we learn that we have collected Personal Data from a child, we will delete it immediately.
11. Links to Other Sites
Our Website may contain links to third-party sites. We are not responsible for their privacy practices. Please review their policies individually.
12. Changes to This Policy
We may update this document from time to time. We’ll notify you via email or an in-app banner and update the “Last updated” date at the top. Continued use of the Services means acceptance of the revised Policy.
13. Contact Us
Questions, concerns, or requests?
Email: hello@trygloam.com
Thanks for trusting Gloam to power your business! 🎉