Privacy Policy

Last updated: 7 February 2026

This Privacy Policy explains how Glór Participation Software Limited (“Glór”, “we”, “us”, or “our”) collects, uses, and protects information when you use our platform at glor.online. We are committed to protecting the privacy of both presenters (registered users) and participants (audience members who join events).

1. Who We Are

Glór Participation Software Limited is a company registered in Ireland. For individual presenters, we are the data controller for the personal data processed through our platform. When Glór is used by an institution (such as a school, university, or organisation), the institution is typically the data controller and Glór acts as a data processor, providing the service on the institution’s instruction. See Educational and Institutional Use for details.

  • Entity: Glór Participation Software Limited
  • Country: Ireland
  • Contact: hello@glor.online

2. Data We Collect

2.1 Presenter Accounts

When you create a presenter account, we collect:

  • Email address and name — via our authentication provider (Supabase Auth)
  • Subscription and billing data — processed by Stripe (we do not store credit card numbers)
  • Preferences — language selection, display settings
  • Content you create — events, polls, questions, and any uploaded media (e.g. logos)

2.2 Participants

Participants join events without creating an account. We collect:

  • Session token — a randomly generated identifier for the browser session
  • Optional nickname — only if the participant chooses to provide one
  • Anonymous flag — whether the participant opted to remain anonymous
  • Join timestamp — when the participant joined the event
  • Poll responses, Q&A questions, and upvotes — associated with the session token, not a named person

We do not collect participant email addresses, and no account is required to participate. This data-minimised design means participants — including minors in educational settings — can engage without providing personal information. Where a host enables open-text features (such as Q&A or open-ended polls), participants choose what to type; hosts are responsible for configuring events appropriately for their audience.

2.3 Automated Data

We use two privacy-focused, cookieless analytics services to understand how the platform is used:

  • Vercel Analytics — collects anonymous page view and performance metrics. No cookies, no PII, no cross-site tracking.
  • Umami — collects anonymous usage statistics. No cookies, no PII, no cross-site tracking.

Neither service can identify individual users or track them across websites.

2.4 Security and Abuse Prevention

To protect the platform and its users, we may temporarily process IP addresses and user agent strings for abuse detection and rate limiting. This data is used solely for security purposes and is not linked to user accounts or participant profiles.

3. How We Use Your Data

We use the data we collect to:

  • Provide and operate the Glór platform (events, polls, Q&A, real-time interactions)
  • Process subscriptions and billing
  • Send service-related communications (e.g. account confirmation, subscription receipts)
  • Prevent abuse, fraud, and security incidents
  • Understand usage patterns to improve the platform (via anonymous analytics only)
  • Comply with legal obligations

We do not sell your personal information. We do not use your data for advertising, profiling, or automated decision-making.

4. Legal Bases for Processing

Under the General Data Protection Regulation (GDPR), we rely on the following legal bases:

  • Contract (Article 6(1)(b)): Processing necessary to provide the service to registered presenters — account management, event delivery, and subscription billing.
  • Legitimate interest (Article 6(1)(f)): Anonymous analytics to improve the platform, and security measures to prevent abuse. We balance these interests against your rights and freedoms.
  • Legal obligation (Article 6(1)(c)): Retaining financial records as required by Irish tax law.

We do not currently rely on consent as a legal basis, because we do not use non-essential cookies or tracking technologies.

5. Cookies and Similar Technologies

Glór uses only essential cookies that are strictly necessary for the platform to function. We do not use advertising, marketing, or tracking cookies.

CookiePurposeDuration
sb-*Supabase authentication (session management)Session / 7 days
user_localeLanguage preference30 days
user_locale_sourceHow the language preference was set30 days
event_localeParticipant route localeSession
localeLegacy locale preference30 days

Our analytics services (Vercel Analytics and Umami) are cookieless and do not set any cookies on your device.

6. Data Processors

We use the following third-party services to operate the platform. Each acts as a data processor on our behalf:

ServicePurposeLocation
SupabaseDatabase, authentication, file storage, real-time connectionsEU
StripePayment processing and subscription managementUS (EU SCCs)
VercelHosting and anonymous analyticsUS (EU SCCs)
Umami CloudAnonymous usage analyticsEU

We do not share your data with any other third parties for their own purposes.

7. International Transfers

Some of our data processors (Vercel, Stripe) are based in the United States. Where personal data is transferred outside the European Economic Area (EEA), these transfers are protected by EU Standard Contractual Clauses (SCCs) as approved by the European Commission.

8. Data Retention

We retain your data only for as long as necessary for the purposes described in this policy:

  • Presenter account data — retained while the account is active. Removed from our active systems on account deletion, which cascades to all associated events, polls, responses, and Q&A content.
  • Participant session data — retained for the lifetime of the associated event. Removed from active systems when the event or presenter account is deleted.
  • Subscription and billing records — archived (not deleted) on account deletion for financial and legal obligations. Retained for up to 7 years in accordance with Irish revenue requirements.
  • Analytics data — aggregated and anonymous. Contains no personal information to retain or delete.
  • Audit logs — retained for 90 days, then automatically purged.

Residual copies of deleted data may persist temporarily in automated backups, which expire on their normal rotation schedule. We may maintain an internal retention schedule with more granular detail. This summary reflects our commitments to you.

9. Security Measures

We take reasonable technical and organisational measures designed to protect your data, including:

  • Encryption of data in transit (TLS) and at rest
  • Row-level security (RLS) policies in our database to enforce access controls
  • Role-based access restrictions for administrative functions
  • Regular review of security practices and processor agreements

While we aim to protect your personal data to a high standard, no method of electronic transmission or storage is completely without risk. We cannot guarantee absolute security, but we are committed to maintaining and improving our protections.

10. Your Rights

Under the GDPR (Articles 15–22), you have the following rights regarding your personal data:

  • Access — request a copy of the personal data we hold about you
  • Rectification — request correction of inaccurate or incomplete data
  • Erasure — request deletion of your data (see Account Deletion below)
  • Restriction — request that we limit how we process your data
  • Portability — request your data in a structured, commonly used format
  • Objection — object to processing based on legitimate interest

To exercise any of these rights, contact us at hello@glor.online. We will respond within 30 days as required by the GDPR.

You also have the right to lodge a complaint with your local data protection authority. In Ireland, this is the Data Protection Commission.

11. Account Deletion

Presenters can permanently delete their account at any time from Settings. This action is irreversible and will delete all user data as described in the Data Retention section above, including all events, polls, participant responses, and Q&A content. Archived subscription records are retained per our retention policy for financial and legal obligations.

12. Educational and Institutional Use

Glór is designed to work well in educational environments such as schools, universities, and training programmes. When an institution uses Glór:

  • Data controller and processor roles: The institution is typically the data controller (it decides why and how the data is processed), and Glór acts as a data processor, providing the platform on the institution’s instruction.
  • No student accounts: Participants do not need to create accounts, provide email addresses, or otherwise identify themselves. Participation is anonymous or pseudonymous by default.
  • Session data: Participant session tokens are randomly generated and are not linked to any personal identity. They exist for the duration of the event session.
  • Open-text responses: Where the host enables open-text features (Q&A, open-ended polls), participants choose what to submit. Hosts should configure events appropriately for their audience and are responsible for moderating content.
  • Retention and deletion: Participant data is retained in our active systems only for the lifetime of the associated event and is removed when the host deletes the event or their account. Hosts control when this happens. Residual copies may persist temporarily in automated backups, which expire on their normal rotation schedule.
  • Analytics: Our analytics services (Vercel Analytics and Umami) are cookieless, anonymous, and cannot identify individual participants.

Institutions that require a formal data processing agreement should contact us at hello@glor.online.

13. Children

Glór is not marketed to or directed at children as a consumer product. We do not knowingly collect personal information from children under 16 outside of an institutional context.

In educational settings, minors may participate in events under the supervision and responsibility of their institution. Because participation does not require an account, email, or personal information, the data collected from participants is minimal and anonymous or pseudonymous by design. The institution is responsible for obtaining any parental or guardian consent required by applicable law.

If you believe a child has provided us with personal data outside of an institutional context, please contact us and we will take steps to delete that information.

14. Changes to This Policy

We may update this Privacy Policy from time to time. The “Last updated” date at the top of this page indicates when it was last revised. For material changes, we will notify registered users by email at least 14 days before the changes take effect. Until our email notification system is operational, we will update the date prominently on this page. Continued use of the service after the notice period constitutes acceptance of the updated policy.

15. Contact

For any questions about this Privacy Policy or how we handle your data, please contact us: