Privacy Policy
Last updated: 2026-07-01
1. Scope and Regional Framework
This Privacy Policy applies to the Gleezor public website, Central Server, host registration, licensing, updates, remote support, remote CLI, and AI assistance features. VM disks, files, local accounts, and local AI data stored on customer on-premises Host Servers are generally controlled by the customer.
For users in Korea, this Policy is written to address the Korean Personal Information Protection Act, the Act on Consumer Protection in Electronic Commerce, and related Korean requirements, including PIPA Articles 26, 28-8, and 30.
For global users, including EEA/UK users, GDPR/UK GDPR and other mandatory local data-protection rules may apply in addition. The global legal bases, international-transfer, and data-subject rights sections apply to those users.
2. Controller and Contact
Controller: Gleezor. Representative: Woo Gyu Jang. Business registration no.: 679-07-03836. Address: 601, 6F, 106-dong, 21 Gumaro 40-gil, Dalseo-gu, Daegu, Republic of Korea.
Privacy officer: Woo Gyu Jang. Privacy requests: [email protected]. General support: [email protected]. Phone: +82-10-5959-9909. Mail-order sales registration no.: 2026-Daegu Dalseo-0854.
If a formal EEA/UK representative or DPO becomes mandatory, that information will be added to this page and the sub-processor list.
3. Purposes, Categories, and Legal Bases
Account creation and authentication: name or display name, email, password hash, organization, and Google OAuth identifiers. Legal bases: contract performance and user consent.
Licensing and host management: license_id, host_id, installation ID, software version, hashed hardware fingerprint, host status, CPU/memory/disk usage, request IP, User-Agent, and security logs. Legal bases: contract performance, security, and legitimate interests.
Customer support, remote support, and remote CLI: support messages, support history, approved remote CLI commands, limited PTY output, session recordings, and audit logs. Remote CLI and session recording are processed only with required permissions and per-session consent.
Enterprise onsite installation and maintenance: business contact details, visit schedules, device identifiers, disk/storage work records, and support history. User file contents are not viewed beyond customer authorization and work necessity.
Glezz AI (Gleezor AI) assistance: L1/L2 AI is processed locally in the customer environment. If an administrator enables L3 external LLM use and the user opts in per request or workspace, prompts, selected conversation turns, retrieved snippets, and minimal model/token metadata may be transmitted to external providers.
Billing and subscriptions: checkout session, selected plan, billing cycle, payment status, and tax/accounting records. Sensitive payment-card details are processed by payment providers and are not stored by Gleezor.
Marketing: email, organization, and marketing consent/withdrawal records. Marketing is based on optional consent and can be withdrawn at any time.
Location data: Gleezor does not collect precise personal location data such as GPS through the public website or Central service. For security, billing-region, and statistical purposes, request IP may be resolved to an approximate region such as country code, but raw IP is not retained beyond that purpose.
Cookies and analytics: login sessions, CSRF prevention, language settings, and analytics events only where consented. We do not use third-party advertising or behavioral tracking cookies.
4. On-Premises Data and Central Exceptions
Gleezor is a Converged Edge Workspace Infrastructure product. VM disks, user files, SMB share contents, local user accounts, and local AI indexes remain on the customer Host Server and are not routinely transmitted to Gleezor Central Server.
Exceptions apply when licensing, host monitoring, updates, security audits, support requests, incident analysis, remote CLI, or opt-in L3 AI features are used. In those cases, the metadata, logs, and support context described in this Policy may be transmitted to Central or relevant sub-processors.
Gleezor generally does not view or store remote-display screen, input, or audio content while relaying a session. Commands, output, recordings, and audit logs from user-approved support or CLI sessions may be retained for security, dispute handling, and compliance.
5. Sub-Processors
To provide the service, Gleezor may use Cloudflare (CDN, DDoS protection, tunnel, R2 storage), Resend (email), Google (OAuth), ip-api.com or equivalent GeoIP providers (country-code lookup), OpenAI and Anthropic (optional L3 AI), and payment providers when billing is enabled.
The purpose, data categories, location, and transfer status of each sub-processor are published at /sub-processors. Material changes to sub-processors or purposes will be notified through this page, email, or another reasonable method.
If an external partner or hardware supplier is used for Enterprise onsite work, Gleezor will disclose the processor and scope through the contract, statement of work, or this Policy before the work begins.
Gleezor requires processor terms addressing purpose limitation, security measures, sub-processing controls, incident notice, return/deletion, oversight, and liability where applicable.
6. Third-Party Sharing and International Transfers
Gleezor does not sell or rent personal data for advertising. We do not share personal data with third parties outside legal obligations, user consent, contract performance, processing/storage needed for the service, payment, security, and support.
Where international transfers occur, we disclose the recipient, country, timing/method, data categories, purpose, retention period, right to refuse where applicable, and consequences in this Policy and the sub-processor page. For Korea, transfers are managed under PIPA Article 28-8 and related safeguards.
For EEA/UK data transferred outside the EEA/UK, Gleezor relies on appropriate safeguards such as Standard Contractual Clauses, adequacy decisions, DPAs, encryption in transit, access controls, and data minimization. External LLM providers may apply their own retention and training terms under their DPA/ZDR settings.
7. Retention and Deletion
Account information is retained until account deletion. Contract/withdrawal and payment records may be retained for 5 years, consumer complaint/dispute records for 3 years, display/advertising records for 6 months, access logs for 3 months, and tax/accounting records for legally required periods.
Host audit logs are retained for 90 days by default; performance metrics for 30 days by default; anonymized or pseudonymized raw telemetry events for 12 months by default before deletion or aggregation. Consent and withdrawal records may be retained as compliance evidence and for dispute handling.
After account deletion, records that must be retained by law are stored separately from active account data and are deleted without delay when the retention purpose ends.
When retention is no longer required, electronic records are deleted using methods designed to prevent recovery and paper records are shredded or destroyed.
8. Data Subject Rights and Children
You may request access, correction, deletion, suspension of processing, withdrawal of consent, processing-history confirmation, and data portability through [email protected] or account settings.
Korean users may exercise rights under PIPA Articles 35-39. EEA/UK users may exercise GDPR/UK GDPR rights, including access, rectification, erasure, restriction, portability, objection, and withdrawal of consent.
Gleezor accounts are intended for users aged 14 or older. If personal data of a child under 14 must be processed, Gleezor will process it only after completing legally required parental-consent procedures.
9. Security Measures
Gleezor applies access minimization, RBAC, session timeouts, progressive account lockout, HTTPS/TLS, DTLS, mTLS, Argon2 password hashing, audit logging, network firewalls, DLP masking, encrypted storage, security training, and incident-response procedures under PIPA Article 29 and GDPR Article 32.
Passwords, tokens, API keys, and similar credentials are not stored or logged in plaintext. Request, response, and error logs are masked or excluded where such credentials may appear.
Remote CLI and AI assistance features add RBAC, per-session consent, command whitelisting, sandboxing, audit logs, hash chains, and sensitive-data masking.
If Gleezor becomes aware of a personal-data breach, it operates procedures to mitigate harm and, where legally required, notify affected users and report to competent authorities within 72 hours.
10. Automated Decision-Making
Gleezor does not use personal data for solely automated decisions that produce legal or similarly significant effects on users. AI assistant outputs are advisory and are not used to automatically create, suspend, terminate, or deny billing for user accounts.
11. Remedies
Korean users may contact the Personal Information Dispute Mediation Committee, the KISA privacy infringement center, the Supreme Prosecutors Office, or the National Police Agency Cyber Bureau.
EEA/UK users may lodge a complaint with the supervisory authority in their place of residence, work, or alleged infringement.
12. Changes
This Policy is effective as of July 1, 2026. Minor wording corrections may be posted immediately. Material changes affecting collection categories, purposes, third-party sharing, international transfers, or user rights will be announced at least 30 days before taking effect by website notice or email.