Privacy Policy

Last updated: May 2026

1. Introduction

Glidy ("we", "us", "our") provides an AI-powered web application for ServiceNow developers, available at glidy-ai.com. This Privacy Policy describes how Glidy processes personal data in connection with the service, in accordance with the EU General Data Protection Regulation (GDPR), the ePrivacy Directive, and other applicable data protection laws.

The data controller is Glidy, operated as a sole proprietorship. For privacy enquiries, data subject requests, or any matter covered by this policy, contact [email protected].

Glidy has not appointed a Data Protection Officer. The operation does not engage in large-scale processing of special categories of data within the meaning of GDPR Article 37.

2. Data We Collect

Account and authentication data

When you create an account, Glidy stores your email address, a randomly generated user identifier, and authentication session tokens. If you sign in with Google, Glidy receives the email address associated with the Google account; no other Google profile data is retained.

Credentials you provide

To use Glidy with your own LLM provider and ServiceNow instance, you enter:

  • LLM provider API keys (for example, Anthropic, OpenAI, OpenRouter)
  • ServiceNow instance URL, username, and password (or equivalent credential)

These credentials are encrypted application-side using AES-256-GCM before they are written to storage, and are decrypted ephemerally for the duration of a single request. Plaintext credentials are not written to disk or to application logs. The encryption keys are held by Glidy and are not accessible to the user.

Conversation history

Your chat sessions and the messages within them are stored in a managed cloud-hosted PostgreSQL database operated by a third-party provider. Access is restricted by row-level security so that each account can read and write only its own conversations. The data is encrypted in transit using TLS 1.2 or higher, and at rest using the provider's standard AES-256 disk-level encryption. Glidy does not apply additional application-side encryption to conversation content; this is the same posture taken by comparable hosted AI products. Glidy does not offer end-to-end or zero-knowledge encryption: authorised operators with database access can, in principle, read conversation content, though access is limited to investigating specific incidents or fulfilling user requests.

Conversation content can include text you send, model responses, tool call arguments and outputs, and any ServiceNow data the agent fetches and quotes back into the conversation. You can export or delete individual conversations, or all conversations, from the Settings page at any time. Conversations that have been inactive for more than 24 months are automatically deleted by a scheduled job; this retention period is intended to keep the service useful as a working memory while satisfying the data-minimisation principle under GDPR Art. 5(1)(e).

Pseudonymous usage analytics

Glidy records pseudonymous events linked to your user identifier for operational purposes:

  • Request and tool-invocation counts
  • Model name and approximate token counts per request
  • Daily per-user aggregates of token usage
  • Error events, without any personal data in the error payload

These records do not include prompt or response text. You can disable analytics collection from the Settings page.

Technical request data

Our hosting providers log standard request metadata such as IP address, user agent, request path, and response status. This data is used for security monitoring and to diagnose service issues.

3. Data We Do Not Collect

  • Glidy does not retain a separate copy of records fetched from your ServiceNow instance. ServiceNow responses are processed in memory to construct an answer; any content that the model quotes back is preserved only as part of the conversation history described in Section 2.
  • Glidy does not store your LLM or ServiceNow credentials in plaintext on the server or in your browser.
  • Glidy does not use advertising, marketing, or cross-site tracking cookies, and does not sell or share personal data with advertising networks.
  • Glidy does not collect special categories of personal data (GDPR Art. 9) and asks that you do not enter such data into prompts.

4. Legal Basis for Processing (GDPR Art. 6)

  • Performance of a contract (Art. 6(1)(b)): Account creation, authentication, storage of credentials you provide, and storage of conversation history are necessary to deliver the service you have signed up for.
  • Legitimate interests (Art. 6(1)(f)): Pseudonymous usage analytics, security logging, and abuse detection are processed on the basis of our legitimate interest in maintaining a stable and secure service. The interests, rights, and freedoms of users have been considered; analytics can be disabled in Settings and security logs are minimised.
  • Consent (Art. 6(1)(a)): Non-essential cookies are set only after you accept them in the cookie banner. You may withdraw consent at any time without affecting the lawfulness of prior processing.
  • Legal obligation (Art. 6(1)(c)): Where applicable, we may retain limited records to comply with statutory obligations (for example, tax or fraud-prevention duties).

5. Subprocessors

Glidy relies on third-party providers to deliver the service. Each subprocessor is bound by a written data processing agreement that reflects the requirements of GDPR Art. 28. At a category level, Glidy uses:

  • A managed authentication and database platform for account, credential metadata, conversation, and analytics storage
  • Application hosting providers for the frontend web application and the backend API
  • LLM providers, which receive the prompts and conversation context required to generate model responses, called using the API key you have configured in your account (the "bring your own key" model)
  • Transactional email delivery for account-related messages such as password resets and security notices

An up-to-date list of the specific providers, the data they receive, and their hosting regions is maintained in our subprocessor register. The current list is available on request from [email protected]. Glidy will give reasonable advance notice of material changes to the subprocessor list so that you can object before the change takes effect.

LLM providers and your prompts:when you send a message, the prompt and the relevant conversation context are transmitted to the LLM provider whose API key you have configured. That provider acts as an independent controller or processor under its own terms; we are not in a position to alter their data handling. Review your chosen provider's privacy notice before submitting sensitive content.

6. Data Retention

Data categoryRetention period
Account data (email, user identifier)Until you delete your account
Encrypted credentialsUntil you remove them or delete your account
Conversation historyUntil you delete the conversation or your account, or 24 months of inactivity, whichever comes first
Pseudonymous analytics events90 days, then automatically purged
Hosting and security logsUp to 30 days, then rotated

When you delete your account, account, credential, conversation, and user-linked analytics records are removed from the production database within 30 days. Backups taken before deletion are retained for up to a further 30 days before being overwritten in the normal backup cycle.

7. Your Rights

If your personal data is processed by Glidy, you have the following rights under the GDPR:

  • Access (Art. 15):request a copy of the personal data Glidy holds about you. Use "Export My Data" in Settings, or email the address below.
  • Rectification (Art. 16): ask Glidy to correct inaccurate or incomplete data.
  • Erasure (Art. 17):delete your account and the personal data linked to it. Use "Delete Account" in Settings.
  • Restriction (Art. 18): ask Glidy to limit processing in certain circumstances, for example while a rectification request is reviewed.
  • Portability (Art. 20): receive your data in a structured, commonly used, machine-readable format. The export feature in Settings produces a JSON file.
  • Objection (Art. 21): object to processing based on legitimate interests, including pseudonymous analytics. You can disable analytics directly in Settings.
  • Withdrawal of consent (Art. 7(3)): withdraw cookie or other consent at any time. Withdrawal does not affect the lawfulness of processing carried out beforehand.
  • Decisions based solely on automated processing (Art. 22): Glidy does not make decisions producing legal or similarly significant effects about you on a solely automated basis.
  • Complaint to a supervisory authority (Art. 77): lodge a complaint with the data protection authority in your country of habitual residence, place of work, or the place of the alleged infringement. A directory is available at edpb.europa.eu.

To exercise any right that is not available as a self-service action in Settings, email [email protected]. Glidy will respond within one month of receipt of the request, extendable by a further two months for complex requests in accordance with Art. 12(3). Glidy may ask you to confirm the email address associated with your account before acting on a request.

8. International Transfers and Data Residency

Glidy and its subprocessors are predominantly located outside the European Economic Area, including in the United States. As a result, personal data processed in connection with the service is transferred to, and processed in, third countries within the meaning of GDPR Chapter V.

Such transfers are protected by one or more of the following safeguards:

  • Adequacy decisions of the European Commission, where applicable
  • The EU-US Data Privacy Framework, for certified US-based subprocessors
  • The European Commission's Standard Contractual Clauses, supplemented by appropriate technical and organisational measures, where adequacy or DPF certification does not apply

The current hosting region of each subprocessor is listed in the subprocessor register referenced in Section 5. A copy of the relevant transfer safeguards is available on request.

9. Cookies

Glidy uses only essential authentication cookies and a small number of functional cookies for non-essential UI preferences, which are set only after consent. Tracking and advertising cookies are not used. For a complete list, see the Cookie Policy.

10. Security, Children, Changes, and Contact

Security measures

All connections between you, our application, and our subprocessors use TLS 1.2 or higher. User-provided credentials are encrypted with AES-256-GCM before storage. Conversation and account data sit in a managed database with row-level security and provider-managed at-rest encryption. Access to production systems is restricted to authorised maintainers, authenticated with multi-factor authentication.

Children

The service is intended for professional use and is not directed at children under 16. Glidy does not knowingly collect personal data from children. If you believe a child has created an account, contact [email protected] and the account will be removed.

Third-party content in prompts

When you submit prompts that include personal data about identifiable third parties (for example, ServiceNow records about employees, customers, or end users), you act as controller of that data and are responsible for ensuring that you have a lawful basis to process it. Glidy processes such data only as your processor to deliver the response.

Changes to this policy

Glidy may update this Privacy Policy from time to time. The "Last updated" date at the top of this page reflects the most recent revision. Material changes will be notified to registered users by email or through an in-app notice with reasonable advance notice before they take effect.

Contact

For privacy enquiries, data subject requests, or any other matter relating to this policy, contact [email protected].