Privacy Policy

1. Who We Are

Gleeman is operated by Umbono AB, a company registered in Sweden. We are the data controller for the personal data processed through gleeman.app.

For any privacy-related questions or requests, contact us at privacy@gleeman.app.

2. Data We Collect

We collect and process the following categories of personal data:

Category	Details
Account information	Email address, hashed password (bcrypt; we never store plaintext passwords)
Authentication tokens	OAuth identifiers from Google or Apple when you use social login
User-generated content	Uploaded assets (audio files, images), project data (soundmaps, scenes, zones)
Security and audit data	IP addresses, timestamps, and action descriptions recorded in our audit log
Payment information	Processed by Stripe; we store subscription status and payment event references but never your full card details
Usage data	Feature usage, session duration, and performance metrics (only with your consent)

3. Why We Collect It (Lawful Basis)

Under the GDPR, we process your data on the following legal bases:

• Contract performance (Article 6(1)(b)) — To create and maintain your account, store your projects and assets, and provide the Gleeman service.
• Legitimate interest (Article 6(1)(f)) — To maintain security, prevent abuse, and keep audit logs for operational integrity.
• Consent (Article 6(1)(a)) — For optional analytics and non-essential cookies. You may withdraw consent at any time.
• Legal obligation (Article 6(1)(c)) — To retain payment records as required by applicable tax and accounting laws.

4. Third-Party Services

We share data with the following third parties, each acting as a data processor or independent controller as indicated:

• Stripe — Payment processing. Stripe acts as an independent controller for payment data. See Stripe's Privacy Policy.
• Google — OAuth authentication and reCAPTCHA anti-abuse verification. See Google's Privacy Policy.
• Apple — OAuth authentication (Sign in with Apple). See Apple's Privacy Policy.
• Hosting provider — Infrastructure and data storage services within the EU.

5. Data Retention

• Account data — Retained while your account is active, plus 30 days after deletion to allow recovery and resolve any outstanding issues.
• Audit logs — Retained for 12 months, then automatically purged.
• Payment records — Retained as required by Swedish and EU tax and accounting regulations (typically 7 years).
• Uploaded assets — Deleted when you remove them or when your account is deleted.

6. Your Rights Under the GDPR

As a data subject, you have the following rights:

• Access — Request a copy of all personal data we hold about you. Use the "Export my data" feature in Settings or email us.
• Rectification — Request correction of inaccurate data.
• Erasure — Request deletion of your account and all associated data. Use the "Delete account" feature in Settings or email us.
• Data portability — Receive your data in a structured, machine-readable JSON format.
• Restriction of processing — Request that we limit how we process your data in certain circumstances.
• Objection — Object to processing based on legitimate interest.
• Withdraw consent — Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact privacy@gleeman.app or use the in-app data management tools in your account Settings. We will respond within 30 days.

You also have the right to lodge a complaint with a supervisory authority. In Sweden, this is the Swedish Authority for Privacy Protection (IMY) at imy.se.

7. Cookies

We use the following cookies:

Cookie	Type	Purpose
gleeman_token	Essential	Authentication session (httpOnly JWT cookie)
gleeman_consent	Essential	Records your cookie consent preferences
Analytics cookies	Optional	Usage analytics — only set with your explicit consent

Essential cookies cannot be disabled as they are necessary for the service to function. Optional cookies are only placed after you give consent.

8. International Data Transfers

We process and store data within the European Union where possible. Certain third-party services (Stripe, Google, Apple) may process data outside the EU. When this occurs, transfers are protected by:

• EU adequacy decisions where applicable
• Standard Contractual Clauses (SCCs) approved by the European Commission
• The service provider's certification under applicable data protection frameworks

9. Children

Gleeman is not directed at children under 16 years of age. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact privacy@gleeman.app and we will promptly delete it.

10. Security

We implement appropriate technical and organizational measures to protect your data, including:

• Passwords are hashed using bcrypt (never stored in plaintext)
• Authentication via httpOnly, secure cookies
• HTTPS encryption for all data in transit
• Access controls and audit logging for all administrative actions

11. Changes to This Policy

We may update this privacy policy from time to time. For material changes, we will notify you by email at the address associated with your account. The "Last updated" date at the top reflects the most recent revision.

12. Contact Us

If you have any questions about this privacy policy or our data practices, contact us at:

Umbono AB
Email: privacy@gleeman.app
Website: gleeman.app