Legal

Privacy Policy

Last updated: 12 March 2026

1. Who we are

gleam. (“gleam”, “we”, “us”) is the data controller for personal data collected through our platform at gleam.no and related subdomains. Our contact email for data protection matters is henrik@gleam.no.

2. What data we collect

We collect the following categories of personal data:

  • Account data: email address, name (if provided or obtained via Google sign-in), hashed password (for email/password accounts).
  • Profile data: country, city, preferred retailers, and seller ratings.
  • Transaction data: purchase and sale records, payment amounts, Stripe payment references, escrow status, dispute details, and evidence uploads.
  • Card data: gift card retailer names, balances, card numbers, PINs, and verification status. Card numbers and PINs are encrypted at rest.
  • Technical data: IP address (at time of consent), browser type, and device information collected automatically by our hosting provider (Vercel) and authentication provider (Supabase).
  • Consent records: timestamps and IP addresses recorded when you accept our Terms of Service and Privacy Policy.

3. Why we process your data

We process your personal data for the following purposes and on the following legal bases under the GDPR and UK GDPR:

Purpose                                        | Legal basis
Creating and managing your account             | Contract performance
Processing payments and escrow                 | Contract performance
Sending transaction and dispute notifications  | Contract performance
Marketplace alerts for preferred retailers     | Consent (you opt in via preferences)
Dispute resolution and fraud prevention        | Legitimate interest
Recording consent (Terms & Privacy)            | Legal obligation

4. Who we share data with

We share personal data with the following third-party processors:

  • Supabase (database and authentication) — stores account data, profile data, transaction data, and card data. Hosted in the EU.
  • Stripe (payment processing) — receives payment card details, email, and transaction amounts. Stripe is certified under the EU-US Data Privacy Framework.
  • Vercel (hosting) — may process IP addresses and request metadata for platform delivery and security. Vercel has Standard Contractual Clauses in place for international transfers.
  • Resend (email delivery) — receives email addresses and notification content for transactional emails.

We do not sell your personal data to third parties. We do not use your data for advertising.

5. International data transfers

Some of our processors (Stripe, Vercel, Resend) may transfer data outside the EEA/UK. Where this occurs, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, adequacy decisions, or the EU-US Data Privacy Framework certification.

6. Data retention

  • Account data: retained for the lifetime of your account plus 30 days after deletion.
  • Transaction data: retained for 7 years to comply with accounting and tax obligations.
  • Dispute evidence: retained for 2 years after dispute resolution.
  • Card data: deleted when the card is removed from your wallet or the associated transaction is completed and the retention period has passed.
  • Consent records: retained for the lifetime of your account plus 3 years.

7. Your rights

Under the GDPR and UK GDPR, you have the following rights regarding your personal data:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate data.
  • Erasure — ask us to delete your data (subject to legal retention requirements).
  • Restriction — ask us to restrict processing in certain circumstances.
  • Portability — receive your data in a structured, machine-readable format.
  • Objection — object to processing based on legitimate interest.
  • Withdraw consent — where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, email us at henrik@gleam.no. We will respond within 30 days.

You also have the right to lodge a complaint with a supervisory authority:

  • Norway: Datatilsynet (datatilsynet.no)
  • United Kingdom: Information Commissioner’s Office (ico.org.uk)
  • Sweden: Integritetsskyddsmyndigheten, IMY (imy.se)
  • Denmark: Datatilsynet (datatilsynet.dk)
  • Other EU/EEA countries: Your local data protection authority. A full list is available on the European Data Protection Board website.

8. Cookies and tracking

gleam uses only essential cookies required for authentication and session management. We do not use analytics cookies, advertising cookies, or any third-party tracking scripts. No cookie consent banner is required because we do not use non-essential cookies.

9. Security

We implement appropriate technical and organisational measures to protect your personal data, including encryption at rest and in transit, row-level security policies on our database, and secure authentication via Supabase Auth. Card numbers and PINs are stored in encrypted fields with access logging.

10. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notice. The “last updated” date at the top of this page reflects when the policy was last revised.

11. Contact

For any privacy-related questions, contact us at henrik@gleam.no.