Legal
Privacy Policy
This policy explains what Glympt collects, why we use it, who receives it, and the choices available to you. It covers glympt.com, the Glympt dashboard and API, and the Glympt Chrome Extension.
Effective July 16, 2026
1. Controller
Gennaro Labs LLC, 7901 4th St N, #14688, St. Petersburg, Florida 33702, United States, is the controller for the personal data described here. Contact us at [email protected]. Company details are in our Imprint / Impressum. We have not appointed a data protection officer.
2. Data we process
- Account and identity: name, email, password hash, verification status, profile image, linked Google or GitHub identifiers, and settings.
- Authentication and security: session identifiers, IP address, user agent, login records, API-key prefix and hash, last API-key use, and abuse or rate-limit events.
- Billing: plan, subscription status and period, Stripe customer and subscription identifiers, invoice status, and credit-ledger entries. Stripe, not Glympt, receives complete payment-card details.
- Product data: submitted domains and URLs, CSV rows, saved searches and lists, exports, API requests, scan jobs, detections, confidence and geography signals, and support messages.
- Technical and audit records: action, actor and target identifiers, request time, route and method, request ID, IP address, user agent, response status, limited non-secret event metadata, errors, and operational logs. Audit records never intentionally contain request bodies, passwords, tokens, or secret hashes.
3. Why we process data
| Purpose | Typical data | GDPR basis |
|---|---|---|
| Provide accounts, lookups, enrichment, exports, API access, and support | Account, product, and support data | Contract; pre-contract steps (Art. 6(1)(b)) |
| Process subscriptions, invoices, and credit allowances | Account, billing, and ledger data | Contract and legal obligations (Art. 6(1)(b), (c)) |
| Secure Glympt, prevent abuse, enforce limits, and diagnose failures | IP, user agent, authentication and technical logs | Legitimate interests in security and reliability (Art. 6(1)(f)) |
| Maintain and improve the shared technographic database | Public URLs, scan results, and aggregate usage | Contract and legitimate interests (Art. 6(1)(b), (f)) |
| Send service messages and respond to requests | Email, account status, correspondence | Contract, legal obligations, and legitimate interests |
| Measure website usage with Google Analytics 4, delivered through Google Tag Manager | Page views, events, device/browser data, referrer, approximate location, and campaign data | Consent (Art. 6(1)(a) GDPR; § 25 TDDDG where applicable) |
4. Website scans and the shared database
A lookup may fetch a publicly reachable website and derive response headers, scripts, metadata, cookies set by that site, DNS/TLS information, and limited DOM or JavaScript signals. We store detections, limited evidence snippets, and hashes rather than full page copies by default. Submitted domains and scan results may enter Glympt's shared database and may remain after the submitting account is deleted.
Domain-level technical data is usually not personal data, but a URL can identify a person. Do not submit private URLs, credentials, intranet addresses, or URLs containing personal data in query strings. If a public Glympt record contains personal data or creates a safety concern, contact [email protected] with the URL. We will assess correction, restriction, removal, or de-indexing as applicable.
5. Workspaces and team access
Each account has a personal workspace. If you accept an invitation, members of that workspace may see the lists, uploads, exports, saved searches, API-key metadata, usage records, and other product activity created in that workspace according to their role. Your personal workspace, subscription, and credits remain separate. Workspace owners and admins can manage access; actions such as invitations, role changes, removals, and quota use are audit logged.
6. Chrome Extension
The extension does not passively collect browsing history and does not automatically scan pages as you browse. It reads and submits the active tab's URL only after you explicitly initiate an analysis or lookup. A user-triggered active-page scan may collect limited technical page signals needed for detection; it does not send complete page or form contents by default. The URL and detections may enter the shared database. Authentication tokens and preferences are stored in Chrome extension storage.
7. Recipients and service providers
We disclose data only as needed to operate Glympt, including to:
- Hetzner for production infrastructure and object storage;
- Stripe for checkout, subscription, fraud, tax, and payment processing;
- Google for Google sign-in when selected, Google Tag Manager, and consent-based Google Analytics 4 measurement;
- GitHub when you choose GitHub sign-in;
- our configured email-delivery provider for transactional messages;
- professional advisers, authorities, or counterparties when legally required or necessary to protect rights or complete a corporate transaction.
We do not sell personal data or share it for cross-context behavioural advertising.
8. International transfers
Gennaro Labs LLC is established in the United States, while our primary production infrastructure is located in Germany. Data may be processed in the United States, the EEA, and other countries where a provider operates. For transfers from the EEA to a country without an adequacy decision, we rely as applicable on EU Standard Contractual Clauses, supplementary safeguards, or another lawful mechanism. Ask [email protected] for information about the relevant safeguard.
9. Retention
- Account data is kept while active and then deleted or anonymised, except where needed for disputes, security, or law.
- Sessions expire automatically. The application's security audit trail is normally retained for 365 days, then automatically deleted; relevant records may be isolated and retained longer for an active incident, dispute, abuse investigation, or legal obligation.
- Billing, invoice, tax, webhook, and credit-ledger records may be kept for statutory accounting and limitation periods.
- Uploaded files and exports are removed or expire according to the stated product expiry; associated operational jobs may remain for their documented retention period.
- Public-domain scans and derived technographic records may remain until stale, superseded, removed, or no longer useful.
- Support correspondence remains while active and afterward as needed for follow-up and legal claims.
10. Cookies, Google Tag Manager, and Google Analytics 4
Glympt uses storage necessary for authentication, security, theme, interface, and extension preferences. We also use Google Tag Manager (GTM) to manage website tags and Google Analytics 4 (GA4) to understand how visitors find and use Glympt—for example, page views, navigation events, approximate location derived from network information, device and browser information, referrer information, and campaign attribution.
GTM is the delivery mechanism for configured tags; GA4 performs the analytics measurement. GA4 may use cookies or similar identifiers such as _ga and transmit measurement data to Google. Google may process data through Google Ireland Limited and affiliated entities, including Google LLC in the United States. Optional GTM tags and GA4 must remain disabled until you affirmatively allow the Analytics category. The legal basis is your consent under Article 6(1)(a) GDPR and, where applicable, § 25 TDDDG.
You may reject analytics without losing access to Glympt and may withdraw or change your choice at any time. Withdrawal stops future analytics collection on that browser but does not affect earlier lawful processing.
11. Your rights
Depending on the circumstances, you may request access, correction, deletion, restriction, or portability; object to processing based on legitimate interests; and withdraw consent without affecting earlier lawful processing. You may complain to the supervisory authority where you live, work, or believe an infringement occurred. We generally respond within one month and may verify identity. Send requests to [email protected]. Account deletion and a machine-readable account export are available in dashboard settings.
12. Security and children
We use technical and organisational safeguards designed to protect personal data, but no Internet service guarantees absolute security. Glympt is business-oriented and not directed to children under 16. Do not create an account if you are under 16.
13. Changes and contact
We may update this policy as Glympt changes. We will update the effective date and provide appropriate notice for material changes. Questions, rights requests, and site-removal requests can all be sent to [email protected].